New type of malware: website links (the links themselves, not the websites they lead to)

We all know what URLs (Uniform Resource Locator) are; put in popular jargon, a URL is the address to a web page. URIs (Uniform Resource Identifier) are similar to URLs but are one level above; URIs point to a resource and are less strict than URLs. While a URL must started in http://, a URI can be ftp://, in URN format, or even relative. Think of a URI as a URL but more; every URL is a URI but every URI is not a URL. One thing that separates URIs from URLs is URIs can hold data in and of themselves — a “data URI”. While a URL must resolve with a server for you to get any data, a data URI can load in your browser and make no outside connection because all the data needed is stored in the URI. Why is this important? Because, according to a study by Henning Klevjer of University of Oslo in Norway, URIs themselves can be malicious.

Now you must be thinking “Ashraf is talking about a malicious link which means a link that takes you to a malicious website with malicious content”. No, I’m not. As I just mentioned URIs have a unique characteristic of being able to hold data. Klevjer asserts this characteristic makes it possible for URIs to be malicious in and of themselves.

According to Klevjer, it is possible to create a phishing website — using images, text, etc. — then use Base64 to encode the content and store it in a URI. When someone visits the URI in their browser, the URI decodes and loads the phishing “website” and the end user likely doesn’t even know he or she isn’t at a real website. The difference here between a phishing URI and a phishing URL is a phishing URI makes no outside Internet connection; all data for the phishing “website” is stored locally in the URI. Since no outside Internet connection is made, many anti-phishing security tools will not block the “website” because, as far as the security tool is concerned, the user never loaded any website. In other words, website-less phishing.

In his paper Klevjer provides a proof-of-concept by developing a URI that loads a fake Wikipedia login page:

As another security researcher Johannes Ullrich points out, scumbags using URIs for website-less phishing still need some sort of way to get data attained from phishing targets out to their servers. But, as Ullrich says, this shouldn’t be too hard with clever hackers using DNS requests to transport the data into log files of remote servers.

While Klevjer focuses on website-less phishing with URIs, his colleague Per Thorsheim points out that URIs can contain small malware, too, such as infected Java applets. In other words, not only can URIs be used for website-less phishing but they can, literally, be malware on their own.

The one thing working against URIs is length. Any URI containing an encoded website or file will be huge in length. The above-mentioned proof-of-concept Wikipedia URI is 24,682 characters long. The length, and weird formatting of data URIs, is likely to scare potential targets away from clicking. However, as Klevjer points out, the rise of URL shorteners (e.g. bit.ly) makes this a mute issue: throw a data URI into a URL shortened and a long, scary data URI turns into a short, pretty URL. In the case of Klevjer, he turned his 24,682 character URI into a 26 character URL.

While the thought of having links being malicious in and of themselves is a scary thought, there is a bright side.

The bright side is some modern browsers either limit the length of URIs or don’t load them at all. For example, Klevjer says in his tests Internet Explorer 9 refused to load his 24,682 character URI because of its length while Chrome blocked the redirection to a data URI. Firefox and Opera, however, loaded the data URI without so much as a hiccup

Moral of the story? If you see an ugly, long string of text don’t click on it, and think twice before clicking on a shortened URL.

[via Sophos]

Share this post

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

8 comments

  1. Jenny

    @Ashraf:

    I should probably try LongURLPlease again – last time was about 6 months ago, and I was shocked at the range of shortened url’s that it didn’t address. Can’t remember which ones they were unfortunately. I hope they lengthen many more now – they were my favourite because I could put a button on my toolbar in Opera, most of the alternatives I have to go to their websites.

  2. Ashraf
    Author/Mr. Boss

    @Jenny: This actually isn’t new. A study in 2007 looked at data URI usage in IE6/7.
    @AFPhys: You are welcome!
    @Mike: Check out http://dottech.org/freeware-reviews/10128/dont-get-rick-rolled-use-long-url-please-to-un-shorten-shortened-links/.
    @Jenny: I was going to say Long URL Please but you seem to already know about it.
    @Sharna: Are there add-ons that will preview data URIs? I don’t know. Plus, I don’t think seeing a preview of a website will help because you won’t know if it is real or not. In fact, it may be counter-effective — a preview shows a seemingly real page when it is fake.

  3. Jenny

    @Mike: Exactly Mike, which is why from time to time I check out any url lengtheners I can find – some work for most shortened links, some only work for a few :)

    Anyone else got favourites? Sadly the LongURLPlease browser button only does a few :(

  4. AFPhys

    Thanks very much for this article. I understand it very well, and am more than ever convinced to avoid huge URL/URI’s

    I hope (and trust) FireFox and other browsers address this vulnerability very very soon.