Reflected File Download (RFD)

This attack technique was discovered by Oren Hafif, a Trustwave SpiderLabs security researcher. The worse news is that he has also developed a worm that takes advantage of the RFD technique.

Let’s see how Reflected File Download (RFD) and this worm work:

A user accesses a popular website, say Google for example. When you click on a link you think is legitimate, this worm will cause a download to begin automatically. This file, if executed by the target, would open a Google Chrome connection to the attacker’s website, bypassing the Same Origin Policy (SOP) protection that should ideally stop bad code passing between tabs. Scripts from the hacker’s website could then grab information from that domain, such as emails from Gmail or banking details from your bank website, and pass it on to the attacker’s own server.

Anti virus proof

Hafif has even built a way into the malware to prevent system warnings and other pop-ups from appearing, so the user won’t even know what hit him until it’s too late. Current security measures like firewalls and antivirus software are futile against this worm. The sad news is that antivirus engines won’t even detect the hack. And once the file has been executed, there is no security mechanism as of yet to stop it.

Chrome.exe

In his disclosure to Google, Hafif showed how an attacker could send a link from the trusted Google.com domain that would download an exploit file called “ChromeSetup.bat”. This file, if executed by the target, would open a Google Chrome connection to the attacker’s website, bypassing the Same Origin Policy protection that should stop bad code passing between sites and tabs. Once executed, the scripts from the hacker’s website could then grab information from that domain, such as emails from Gmail or banking credentials from a bank website, and pass it on to the attacker’s own server.
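A server-side hardening sketch for the download behaviour described above, added here as an example and not taken from Hafif's research or from Google's code. It assumes the reflected response comes from a JSON or JSONP-style endpoint and that the browser derives the download's file name from the URL when the response does not name one; `pin_download_name`, `sample_api` and `response_headers` are hypothetical names.

```python
"""Added example: pin the download file name on reflecting API responses."""
import json

# Assumption (not stated on the page): when a response carries no explicit
# file name, the browser falls back to the URL to name the download.
REFLECTING_TYPES = ("application/json", "application/javascript", "text/javascript")
FIXED_DISPOSITION = 'attachment; filename="f.txt"'


def pin_download_name(app):
    """WSGI middleware (hypothetical name) that hardens JSON/JSONP responses."""
    def wrapped(environ, start_response):
        def hardened_start(status, headers, exc_info=None):
            seen = {k.lower(): v for k, v in headers}
            ctype = seen.get("content-type", "").split(";")[0].strip().lower()
            if ctype in REFLECTING_TYPES:
                # Replace a missing or nameless Content-Disposition with a fixed,
                # harmless file name so the URL cannot choose the extension.
                if "filename" not in seen.get("content-disposition", "").lower():
                    headers = [(k, v) for k, v in headers
                               if k.lower() != "content-disposition"]
                    headers.append(("Content-Disposition", FIXED_DISPOSITION))
                # Keep the browser from re-guessing the declared content type.
                if "x-content-type-options" not in seen:
                    headers.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, headers, exc_info)
        return app(environ, hardened_start)
    return wrapped


def sample_api(environ, start_response):
    """Constructed endpoint that reflects the query string inside JSON."""
    body = json.dumps({"q": environ.get("QUERY_STRING", "")}).encode()
    start_response("200 OK", [("Content-Type", "application/json; charset=utf-8")])
    return [body]


def response_headers(app, path, query=""):
    """Call a WSGI app once and return its response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    list(app(environ, start_response))
    return captured
```

Responses with other content types, such as HTML pages, pass through the middleware unchanged.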

Demo at Black Hat Conference

Oren Hafif is a renowned researcher, earning plenty of rewards and bounties from Google for figuring out bugs and errors in their software. He has christened this technique Reflected File Download (RFD). He intends to demonstrate this new technique at the Black Hat Europe conference taking place in the next week in Amsterdam, Netherlands. Hafif will show how he created code for a worm that could easily spread malicious links containing RFD attack code across the world’s biggest social networks. Anyone who clicked the links he created risked handing over their cookies, though real criminals could craft attacks that would do much worse. There are very few solutions to an RFD attack as of now. User prudence may be the only key defence against this worm. However, this is just a proof of concept developed by Hafif; as yet, there has not been any known instance of RFD being used as an attack method. Let’s see how the demonstration presented by Hafif goes!