Web-browsers. They’re all around you, on every PC across the length and breadth of the planet, yet you probably don’t stop to think about them too much. Why would you? They’re just there, and that’s all that matters, like the mouse or the keyboard – a tool you just plug in to do something else, without worrying about what they happen to be doing internally.
The browser is your gateway to the online world, and we have a voracious appetite for the latest hot new browser, the Firefox killer, the latest features and functionality. We give up our trust to these browsers wholeheartedly; we let them save our passwords, keep hold of our browsing habits and much more besides. For all the new features, bells and whistles, there used to be one thing you could be guaranteed when using a browser: type in a URL, and that’s the page you’ll see. Right?
In April 2006, a new web-browser that came bundled with Zango Adware was launched, to little or no fanfare. Sure, it came with Adware but there was no hijack, disclosure was good and you had to go to their website to download the software. So far, so good – especially as the browser installed with no problems and a minimum of fuss.
Imagine the look on your face then, when you decided to try out Yapbrowser, installed it, agreed to the Zango Adware, opened up the browser and typed in a URL – any URL – and hit the green “Go” button; only to be immediately redirected to hardcore child pornography. Regardless of what you typed into the browser, you were taken to go-to-jail inducing material completely out of the blue with no warning.
How many times have you downloaded an application and installed it without thinking beforehand, hey, I wonder if this will lead me to illegal porn? Probably never. But with the advent of Yapbrowser (which, thinking about it, probably stood for Young Adult Porn), everything changed. Here was an application which in my opinion was far worse than any random piece of Malware that turns off your security settings, or a random Myspace phish. You can recover from those – imagine running Yapbrowser on your business network, or on your home PC which breaks the day after and you’re faced with the choice of taking it in for repairs, or throwing it off a cliff. Think those PC repair guys will believe you? What’s that, a kiddy porn browser? Yeah right, buddy. Pull the other one. Now wait right there while we call the police…
Previously, I don’t think anyone had considered the humble web browser as an offensive weapon, but over the course of 2006 everything has changed. Alongside Yapbrowser, we’ve had the wonderfully named “Safety Browser” (which installs itself without permission as part of an Instant Messaging Hijack) and Browsezilla (which made secret calls to pornography websites). There are probably more still flying under the radar, ready to be discovered in the worst possible circumstances. The question is, what can we do about it?
As this is a relatively new area of web-based depravity, all I can do is give you my oft-repeated advice to spend a few minutes Googling the name of any new browser you happen to come across. Considering the kind of trouble you could avoid by doing so, it’s well worth the time and effort.
The possibilities for attack are almost endless in this brave new world of Malware making. For one thing, you have ease of distribution – it’s not like you have to hack servers and hide your dubious infection files from public view. The very nature of a web browser is that it’s universally trusted and geared towards many kinds of distribution, be it viral, word of mouth or flashy ad campaigns. As long as the bad guys can keep the real intention behind their program hidden until the last moment, that’s all that matters, so openly pushing it to all and sundry is really no big deal for them. If the bad guys didn’t want to go down the route of incendiary illegal content redirection, Yapbrowser style, they could always take a more subtle approach. How about accepting money for rogue banner ads built into the browser? There are plenty of rogue applications out there that would be all too happy to pay for such a deal. Maybe they could come up with a twisted version of the password storing features so commonplace in modern browsers, where they steal the stored information instead of keeping it safe.
Now that I’ve terrified you with the frankly dismal promise of what could be coming down the “new developments in web-based awfulness” pipeline, I think I’ll close this cautionary tale with something vaguely approaching a happy ending. Let’s face it; you’re dying to know what happened to Yapbrowser, yes? Well, within a day of revealing what this program did, Zango cut off their distribution with the Russian-based application and shortly after that, the company behind it collapsed, the browser itself was killed off and the site hosting the images that caused all the fury was finally taken offline.
Sure, a few months later Yapbrowser returned with the bizarre claim that it could guarantee 100% “that no malicious system infection will occur when using the software”, but I guess you can’t have everything. At the very least, the connection to the dubious pornography websites was severed and the browser was bought out by search portal Searchwebme, which was intended to add a little respectability to what must be the most unfortunate web browser in living memory. Sadly(!) things don’t appear to have worked out quite as the creators of Yapbrowser would have liked, because I recently saw the Yap domain on sale for the low, low price of……ten thousand dollars.
FaceTime Communication Europe Limited is exhibiting at Infosecurity Europe 2007, Europe’s number one dedicated Information security event