Unfortunately, the latest version, 0.2.14 (October 2007), is still in alpha status and somehow not very active.ĭefinitely, we need more tools like this one in order to enforce advanced security policies at the Web browser level (not talking about Web privacy or anti-phising toolbars). The tool is based on rules (similar to Snort), although it only implements a small set at this point. However, the existence of this server does not directly mean malicious content, as in this case.Īlthough the signature is too generic, the idea behind the Firekeeper tool ( we mentioned it a year ago) is great, as it provides IDS/IPS capabilities where they are required today, at the browser level, after decompression and decryption (https) have been applied. This server string corresponds to the Engine X small Web server, widely used for malware distribution and the Storm Worm. The alert is generated because there is a Firekeeper experimental rule that matches if any of the HTTP headers contain the string "nginx/0.5.17". If the user click on these links, he can reach to the final ad content after five HTTP redirections (302 Found responses). The script simply loads an ad and includes links to the company being announced.
Unfortunately (from a research perspective), it was a false positive and there was no malicious content loaded from peakclick. After browsing to the site, the main page contained an ads-related script tag loading ads contents from "", specifically from "res.php" with some additional parameters like the subscriber id, keyword, and referrer: hxxp:///res.php?pin=d0.67&id=1&keyword=isc&num=3Īt this point is when the user could get suspicious if he is using the Firekeeper Firefox extension, as it generates an alert:Īlthough Web-based malware is extremely common nowadays, as the alert signature referenced us (the ISC) directly, I decided to research it in-depth.
Everybody runs at least an operating system, a mail reader (except for Web mail, so even this one is optional) and a Web browser conclusion: the attackers are focused on breaking into computers through out the latter.Ī few days after the conference, Jesus (who attended the meeting) wrote me in commenting about a specific case he saw when browsing what seemed to be a legitimate site. I tried to emphasize one of the (if not THE) biggest security threats nowadays: Web-based attacks. A couple of weeks ago I was presenting at the III OWASP Spain Chapter Meeting about "Web security threats and incidents" (presentation in Spanish).
0 kommentar(er)
