Saturday, February 17, 2007

Blog Droppers & Gator Spam: RSS as a Vector

RSS (Really Simple Syndication) cross-scripting hacks have been around a while - but until quite recently, RSS feed readers were not on enough desktops, and "gators" (RSS feed-aggregating web sites) were not well-visited enough to make either destination an appealing target for criminals. That is changing fast.

How fast? At the last Black Hat conference last October, Bob Auger of SPI Dynamics presented on how RSS feed hacking could potentially become more ubiquitous than spam - and potentially more harmful, because RSS feeds made up of blogs and "spiced comments" (i.e. comments laced with malicious script) can quite easily be used to deliver malware and other problems right to the desktop, especially when blogs or gators are created and managed by non-sophisticated admins.

Think for a moment about how many blogs enable unmoderated comments to be posted by their readers. Think about how many RSS readers are being downloaded every day, in the form of desktop widgets, or browser tool bars. Think about how many web sites there are out there that aggregate and publish every RSS feed they come across. The answer is: millions. How many of these sites and desktop technologies are wired to filter out scripts from these comments using human intervention or anti-malware engines before they reach the reader base?

Like many bloggers, when I see something I want to quote in someone else's blog, or in their RSS feed, or their comments, I copy and paste it, and write around it. Regardless if there are links or tags or images involved, or just text, I always make it a habit to take a peek into the html source before sending it on. But how many other bloggers check these web objects and links before they publish?

Inserting malicious code into the blogosphere is *way* easy if you're a hacker. Here's one way we're seeing it done - let's say I have Comments enabled on my blog site, and my RSS feed is set up to deliver those comments to you via a popular feed mechanism and a reader widget.

Now, let's assume that someone wants to use this feed to deliver a piece of malicious piece of script designed to download a keylogger or some other piece of malware onto my reader's PCs. All the person inserting the comments needs to do is to write a comment, drop some script in it behind an innoculous-looking URL, and voila - out goes the malicious script with my feed to every desktop reader and gator signed up for it.

Now, if your anti-malware engine is up to date, and your browser settings are well-tuned, you might catch it before it does any harm - assuming you choose the right button on the alert. But most likely, this is going to be a brand-new threat, not a repurposed piece of malware. In which case you'd better hope your zero day malware filtering technology is working, otherwise, you're going to end up hosed - probably by a dropper or a keylogger if you're a desktop user, or, if you're a gator, by a half-ton of pharmaspam.

Although some developers appear to be making strides in this direction (Bloglines is one of them), most RSS feeders and readers were not built with security foremost in mind - they were built to achieve ubiquity with one eye on style and efficiency. Many desktop readers are little more than extremely simple XML parsers wrapped in widget (or phidget) clothing, and many aggregation sites are worse - they use literally hundreds of technologies, many home-cooked.

This cannot stand - developers of RSS feeders, aggregators and readers need to start thinking seriously about establishing a certification standard for security, and feed injection prevention. In the meantime, popular feeders should consider pushing their RSS feeds through antimalware engines - the same way Yahoo and Hotmail started checking mail for viruses and spam post the tipping point of email adoption. This is not an expensive proposition - and would provide at least a starting point for protecting folks downstream.

1 comment:

Chris H said...


Good post. I agree RSS is going to become more of an issue. I covered a couple of other potential vectors in a post originally from 2005:

Keep up the good work.