Reflected File Download: New Attack Vector Enables File Downloads Without Upload

In most Web attacks, malware is downloaded to victims' machines from a malicious or a compromised server. However, a researcher has uncovered a new attack vector where the malicious file is downloaded without actually being uploaded anywhere.

Trustwave researcher Oren Hafif will present the new Web attack vector, which he calls Reflected File Download (RFD), at the Black Hat Europe security conference that takes place later this week in Amsterdam, the Netherlands.

RFD, which according to the researcher can be exploited even by less skilled hackers, targets both Web applications and Web-based APIs that don't deal correctly with user input and don't set content types correctly in the response. An attacker only needs to find an API that accepts user-controlled input and reflects it into the response. The attack is called Reflected File Download because the malicious file is not actually hosted on the targeted website, but instead it's reflected from it.

Similar to other types of Web attacks, such as cross-site scripting (XSS), RFD requires that the victim clicks on a maliciously crafted link, an action which results in a piece of malware being downloaded to the targeted computer.

According to the researcher, this type of attack is dangerous because the URL created by the attacker points to trusted websites, such as Google.com and Bing.com. Hafif says he has identified at least 20 high-profile websites that are vulnerable to RFD attacks.

When the victims click on the maliciously crafted link, the Web browser sends a request to the vulnerable website, which in turn sends back a response that's saved by the browser on the victim's computer as a file. The attacker can set the name of the malicious file in the URL that he sends to the victim.

Hafif told SecurityWeek in an interview that cybercriminals could trick users into clicking on the link by making it look like an update for a popular application, such as Google Chrome. Since the URL, which looks something like "www.google.com/s;/ChromeSetup.bat;", points to a legitimate Google domain, the victim doesn't suspect that the file they are downloading and executing is not actually an update, but a piece of malware.

"The attacker is getting the equivalent access as if he could upload malicious files to the server, but without uploading those files," the researcher said.

On more recent versions of Windows, when users try to execute a file from an unknown publisher, they are presented with a security warning message. However, the researcher has found a way to bypass this security mechanism so there isn't any warning when the victim executes the downloaded file. The secret to getting Windows not to display the security warning lies in the file name, Hafif said.

Once the malware is installed on the system, it can perform a wide range of tasks with administrator privileges, on the operating system level. For example, an attacker can execute OS commands that allow him to install other malware, steal data from the victim's browsing session, or gain complete control over the targeted device. An attacker can also execute malicious OS scripts, and exploit vulnerabilities in other software installed on the compromised machine.

To demonstrate the seriousness of such an attack, the researcher developed a worm that spreads through social media networks such as Facebook, Google+, Twitter and LinkedIn. The worm hooks itself into the browser and controls it with the aid of command line flags that can completely disable Web security features. The malware can then access any website and impersonate the user on it. This allows it to spread the malicious link on all the social networks and email accounts the victim is connected to.

Google and Bing were informed of the existence of the vulnerability in late March. Bing fixed the issue on the same day, but it took Google approximately three months to address the flaw on most of its domains. The researcher said the flaw can be addressed by using secure coding practices and secure configurations.

Hafif told SecurityWeek that while this isn't a JSON-specific attack, JSON technologies are highly vulnerable. The researcher says websites utilizing JSON or JSONP APIs are very likely to be vulnerable to RFD attacks.
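
As an added example (not from the article or the researcher), the Python below shows one way a site operator could act on the points above: flag request URLs shaped like the sample link, and send JSON API responses with an explicit content type and a server-chosen download name. The extension list, the function names and the `api.example.test` host are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit, unquote

# Assumption: extensions treated as directly runnable on Windows (not from the article).
RISKY_EXT = {".bat", ".cmd", ".exe", ".vbs", ".ps1", ".hta", ".scr"}


def suspicious_download_name(url):
    """Return the file name a URL path tries to impose on the download, else None.

    Checks every path segment and every ';'-separated path parameter, the
    shape of the article's sample link "/s;/ChromeSetup.bat;".
    """
    path = unquote(urlsplit(url).path)
    for piece in re.split(r"[/;]", path):
        dot = piece.rfind(".")
        if dot > 0 and piece[dot:].lower() in RISKY_EXT:
            return piece
    return None


def json_api_response(payload, fixed_name="response.json"):
    """Build (headers, body) for a JSON API so the browser takes neither the
    file name from the URL nor the content type from guessing."""
    body = json.dumps(payload)
    # Escape characters meaningful to HTML and to command shells, so reflected
    # input stays inert even if the body ends up saved as a file.
    for ch in "<>&|":
        body = body.replace(ch, "\\u%04x" % ord(ch))
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % fixed_name,
    }
    return headers, body.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the link format quoted in the article.
    for u in ("https://api.example.test/s;/ChromeSetup.bat;",
              "https://api.example.test/s?q=weather"):
        print(u, "->", suspicious_download_name(u))
    print(json_api_response({"q": "a|b<c>&d"}))
```

The URL check suits request logging or a reject rule in front of API endpoints; the response headers are what stop the browser from saving the reflected body under a name taken from the link.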

While he hasn't seen or heard of any attacks leveraging the method, the researcher says it's likely to happen considering that RFD is under everyone's radar.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.