September 13, 2006
This article was contributed by Jake Edge.
Syndicated content from blogs, news sites and the like is a popular way
to keep track of those websites, but it also provides a vector for malware.
Really Simple Syndication (RSS) and Atom are the two formats used to provide
syndicated content, and there are a variety of web-based and standalone
clients that can read RSS/Atom feeds and display them to users. These
clients often do not properly filter the content they receive and can
be susceptible to various attacks.
Both RSS and Atom are XML-based formats that contain the various elements of
the content being syndicated -- title, description, story link, etc. A client
program, often known as an 'aggregator', allows the user to subscribe to
various feeds and checks them periodically for new content. The aggregator
then displays that information and the user can choose content items to look
at more closely. Because much of the content comes from websites, aggregators
typically interpret the HTML in the feed data for display. This is what
provides the means for attacks.
Malicious content, for cross-site scripting (XSS) or cross-site request
forgery (XSRF), can be inserted into any of the textual portions of the feed
data. If the aggregator does not sufficiently filter the received data, it
may expose the user to the malware. Web-based aggregators are particularly
susceptible, as they run in a browser with all of the normal browser
capabilities, but standalone clients often include browser-like rendering or
will start a browser to follow feed links.
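The filtering step an aggregator needs is best shown in code. The following is an added example, not code from the article or from any aggregator it mentions: it parses a small constructed Atom feed and rewrites the HTML carried in each entry so that only an allowlist of harmless tags and attributes survives, dropping script blocks, event-handler attributes and javascript: URLs before anything reaches the renderer. The tag and attribute allowlists, the sample feed and the function names are all this example's own assumptions; a real aggregator would also parse the XML itself with a hardened parser such as defusedxml.

```python
"""Allowlist-based sanitizer for HTML carried inside RSS/Atom feed items.

Added example (not from the article). The allowlists below are an
assumption about what a story display needs; tighten them to taste.
"""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and attributes an aggregator actually needs to render a story.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# The content of these tags is not rendered at all, not even as text.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "form"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Accept relative URLs and the explicitly allowed schemes only."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class FeedHTMLSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags awaiting their close tag
        self.drop_depth = 0   # > 0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text still flows through
        kept = []
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, etc.
            if name in URL_ATTRS and not safe_url(value):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close anything left open inside this tag, then the tag itself.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # close tags the fragment left dangling
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    return parser.result()


ATOM_NS = "{http://www.w3.org/2005/Atom}"


def sanitized_entries(atom_xml):
    """Return [(escaped title, sanitized HTML content)] for an Atom feed."""
    root = ET.fromstring(atom_xml)
    items = []
    for entry in root.iter(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title", default="")
        content = entry.findtext(ATOM_NS + "content", default="")
        items.append((escape(title), sanitize_html(content)))
    return items


# Constructed sample feed: one benign comment, one carrying XSS attempts.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Constructed comment feed</title>
  <entry>
    <title>Harmless comment</title>
    <content type="html">&lt;p&gt;Agreed, see &lt;a href="https://example.com/post"&gt;this&lt;/a&gt;.&lt;/p&gt;</content>
  </entry>
  <entry>
    <title>Hostile comment</title>
    <content type="html">&lt;p onmouseover="alert(1)"&gt;Nice&lt;script&gt;alert(1)&lt;/script&gt; &lt;a href="javascript:alert(1)"&gt;link&lt;/a&gt;&lt;img src="x" onerror="alert(1)"&gt;&lt;/p&gt;</content>
  </entry>
</feed>
"""

if __name__ == "__main__":
    for title, body in sanitized_entries(SAMPLE_FEED):
        print(title, "->", body)
```

The hostile entry comes out as `<p>Nice <a>link</a><img src="x"></p>`: the text and structure the reader cares about survive, while every scriptable hook is gone. Rebuilding from an allowlist, rather than deleting known-bad patterns with regular expressions, is what makes this robust against the many encodings and tag variants browsers tolerate.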
While it is certainly possible, it is unlikely that feed providers will
directly put malware in their feeds; they are too easy to track down.
A much more likely scenario is feeds that syndicate user-generated content,
like comment feeds on blogs or sites like LWN (syndication information
here). Depending on the filtering that the site does, it may end up
propagating malware within its syndicated content. A malicious user could,
anonymously at many sites, post a comment containing malware and effectively
co-opt that site into spreading it. A popular site could potentially spread
this malware very widely, even if only a small percentage of its users'
aggregators were affected.
In addition, many popular sites are 're-syndicated': their feeds are included
in the feeds of aggregation sites. A security site, for instance, might
display the feeds of several other security sites and include that content
in its own feed. This allows for virus-like propagation, where a malicious
user can inject content once and have it start showing up in multiple feeds.
Some sites also collect mailing list entries or descriptions of new content
available on peer-to-peer networks and add them to their syndication feed.
This provides even more ways for someone to anonymously inject malware.
Bob Auger presented his findings (PDF) on this subject at the Black Hat 2006
conference. He provides several examples of plausible malware attack
scenarios as well as examples of RSS and Atom data that demonstrate these
techniques.
The potential for malicious content in any data that originates elsewhere
really cannot be overstated. The tools we use on a day-to-day basis need to
be aware of this potential and act appropriately. It may seem like security
articles tediously repeat the same 'filter input data' mantra over and over,
but here is yet another place where proper filtering has been overlooked.