XSS attack using IFRAMES

Today I found myself as one of the XSS (cross-site scripting) attack victims. Though I am a techie and my domain is also the web, I never felt the gravity of this issue before.

I got the infection from my ISP’s website. I have to log in to my ISP’s website in order to connect to the internet. For quite a few days I had been experiencing a huge delay at login. Sometimes even after a successful login I couldn’t browse any page, while other applications like the mail client & messenger worked normally. Luckily this time I kept my eyes on the browser’s status bar while waiting for the successful-login confirmation. I noticed a request to an external URL, http://mk.cxaaaa.cn. It was weird for two reasons. First, it makes no sense to communicate with an external server while engaging in the login process with the ISP’s server. Second, which makes it more suspicious, is that the server you are communicating with is outside the country, while the actual server responsible for authentication & login is part of the local network. After this I began the dissection of the login page. The page was designed using IFRAMES, Yuck! But the stranger thing was the nested IFRAMES. In one of the nested IFRAMEs’ content I got the following javascript code in the header section.

The first thing I did after this was to directly access this javascript source. I know it is risky & stupid to access such resources. But it didn’t come to my mind at that moment. Luckily I was using Firefox and it blocked access to it. This is a security feature in modern browsers: blacklisted resources are blocked by default. In the case of Mozilla it refers to the data maintained by Google and StopBadware.org. After this I did some googling with this URL and it confirmed the XSS attack.
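The symptom described above (a login page assembled from nested IFRAMEs, one of which carries a script tag that pulls from an off-site host) can be checked for mechanically instead of by watching the status bar. The following audit script is an added example and is not code from the original post or from the ISP’s page: it walks a page and the frames it embeds with Python’s standard-library HTML parser and reports every script or frame source whose host is not part of the first-party domain. The first-party domain (example-isp.net), the page URLs and the inline HTML documents are constructed for the example; the only real value used is the external URL http://mk.cxaaaa.cn quoted in the post.

```python
"""Audit an HTML page and its nested frames for off-site script/frame sources.

Added example, not part of the original post. The sample documents below
are constructed to resemble the described symptom: a login page built from
nested IFRAMEs where one inner frame's <head> carries an injected script.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the ISP portal lives under this registered domain. Any host
# equal to it or ending in "." + it is treated as first-party.
FIRST_PARTY_DOMAIN = "example-isp.net"

# Constructed sample pages keyed by URL. In a real audit each frame document
# would be fetched over the network; here `fetch` is just a dict lookup.
PAGES = {
    "https://login.example-isp.net/": """
<html><body>
<iframe src="/frames/outer.html"></iframe>
</body></html>""",
    "https://login.example-isp.net/frames/outer.html": """
<html><body>
<iframe src="https://login.example-isp.net/frames/inner.html"></iframe>
</body></html>""",
    "https://login.example-isp.net/frames/inner.html": """
<html><head>
<script src="https://static.example-isp.net/login.js"></script>
<script src="http://mk.cxaaaa.cn"></script>
</head><body>Login form</body></html>""",
}


class SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.frames = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return
        if tag == "script":
            self.scripts.append(src)
        elif tag == "iframe":
            self.frames.append(src)


def is_first_party(url):
    """True if the URL's host is the first-party domain or a subdomain of it.

    The check is a proper label-boundary suffix match, so a lookalike host
    such as example-isp.net.other.test is NOT accepted.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == FIRST_PARTY_DOMAIN or host.endswith("." + FIRST_PARTY_DOMAIN)


def audit(page_url, fetch, depth=0, max_depth=5, seen=None):
    """Return (kind, page_url, depth, resolved_src) for every off-site
    script or frame found in page_url or in any frame nested below it.

    `fetch(url)` returns the document text or None if it cannot be loaded.
    `seen` and `max_depth` stop frame loops and runaway nesting.
    """
    seen = seen if seen is not None else set()
    if page_url in seen or depth > max_depth:
        return []
    seen.add(page_url)

    html = fetch(page_url)
    if html is None:
        return []

    parser = SourceCollector()
    parser.feed(html)

    findings = []
    for src in parser.scripts:
        full = urljoin(page_url, src)          # resolve relative paths
        if not is_first_party(full):
            findings.append(("script", page_url, depth, full))
    for src in parser.frames:
        full = urljoin(page_url, src)
        if not is_first_party(full):
            findings.append(("iframe", page_url, depth, full))
        # Descend into the frame regardless: injected content is usually
        # several levels deep, as in the post.
        findings.extend(audit(full, fetch, depth + 1, max_depth, seen))
    return findings


if __name__ == "__main__":
    for kind, where, depth, src in audit("https://login.example-isp.net/", PAGES.get):
        print(f"off-site {kind} at frame depth {depth} in {where}: {src}")
```

Run against the constructed pages it reports the single off-site script two frames deep; pointed at a real portal, `fetch` would be replaced by an HTTP client and the output is the list a defender would want to compare against the site’s expected asset hosts.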

1) Use a firewall.
2) Firefox has two great add-ons, NoScript and RequestPolicy, to address such XSS threats.