Blogs aren't just for blabbing to friends and family, said a security and content filtering firm Wednesday, but increasingly are being used as a safe haven by hackers for storing and distributing malicious code, including identity-stealing keyloggers.
"We're seeing that more and more of the locations where malicious code is stored is on blog sites," said Dan Hubbard, the senior director of security and technology research for San Diego-based Websense. So far this year, Hubbard said, his lab has discovered hundreds of blogs involved in the storage and delivery of harmful code.
"In particular, keyloggers and other Trojan downloaders and droppers are being stored and updated from blog sites," Hubbard added. A keylogger is the term for a type of spyware that watches for, records, then transmits to the hacker identities surreptitiously hijacked from PCs.
Malware and spyware writers are turning to blogs -- and away from traditional hosting and/or e-mail services -- because they offer large amounts of free storage space, they don't require any identity authentication to post, and most blog hosting services don't scan posted files for viruses, worms, or spyware.
"It's partly the storage, partly the ease of use [of blogs], and partly a stability issue. Hacked machines, for instance, can easily go down if the actual owner discovers his computer's being used, but the blogs are always there," said Hubbard.
Different hackers use blogs in different ways. Some may create a blog on a legitimate service, then post viral or keylogging code on the page, and entice users to visit the page -- where they're infected -- using spam or spim. Others may use the blog only as storage for malware that previously planted Trojan horses access to update themselves or install a keylogger onto the infected PC.
"In those cases, victims don't even see the blog or the blog site," said Hubbard. "Hackers are using the storage space on the blog site because, unlike personal storage and mail hosting facilities, most blogs aren't running anti-virus software on posted files."
The use of blogs further disguises the true identity of the hacker, and adds another route in the labyrinth-like path that attackers use to disseminate their code.
In late March, for instance, Websense issued an alert that outlined how a spoofed e-mail tried to redirect recipients to a blog which in turn hosted a Trojan horse designed to steal online banking passwords.
"The blogs are being used as the first step of a multi-layered attack that could also involve a spoofed e-mail, Trojan horse, or a keylogger," explained Hubbard.
While end-users can do little beyond keep safe and smart practices in mind -- don't open attachments, don't travel to questionable links within e-mail or instant messages -- Hubbard said there was plenty blog hosting services could do.
"They need to add some type of security on top," he urged. "Anti-virus is a good start. And limit the type of files that can be uploaded, by, for example, restricting executables."
About the Author: By Gregg Keizer