A little while ago I posted about a new message I received upon visiting my bank's website. Upon contacting them for further information I was informed that they were very sorry, but my machine had been infected with spyware. Until I rid my machine of this infestation I should avoid using any secure website, and should change all my secure passwords through an alternate path (e.g. a phone call) immediately.
I knew this was a load of bull. I have two anti-spyware packages installed locally and run them with some regularity, and the attack surface available to spyware vendors on my machine is far smaller than average (I download little or nothing, and I use a niche browser). Additionally, the amount of information available to a website about its visitor is actually very small; even with client-side scripting like JavaScript and Flash (both of which are sandboxed) a site simply doesn't have enough information to make an informed decision about the state of my machine.
I had a hunch that they were examining the User-Agent HTTP header and comparing that value against a whitelist of 'supported' and clean browsers. Some types of spyware (referred to by the industry as browser plugins, and as hijackers by the rest of the world) modify your User-Agent header to advertise their presence, so this seemed like a good place to start. Visiting the TD Canada Trust website with each of the three web browsers I had installed seemed to back this up: the message was raised in Opera but not in Firefox or Internet Explorer. The wording of the message reads "spyware was detected on your system", yet all three web browsers are installed on the same system, so either the message is misleading or the detection algorithm is flawed.
In order to test my User-Agent hypothesis I would first need to obtain the full set of headers used by my three web browsers (Opera, Firefox, and Internet Explorer) so that during testing I could imitate each of them and determine under which circumstances the image would appear. The headers I used for my investigations are as follows:

Opera:
User-Agent: Opera/8.51 (Windows NT 5.1; U; en)
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en
Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers

Firefox:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Internet Explorer:
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Next, I would need to determine what code was being used to raise the warning image when appropriate. After some examination I determined that the line of code responsible for raising the warning image was:
<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://blog.preinheimer.com/servlet/com.td.banner.servlet.LoginValidationServlet?LOC=en_CA"></SCRIPT>
So, with the aid of PHP and cURL, I set out to request the document available at that URL with each of the three browsers' request headers.
With the Opera fingerprint I obtained:
document.write('<img src=/servlet/com.td.banner.servlet.LoginValidationServlet?image=3 border="0"> ');
With the FireFox fingerprint I obtained:
document.write('<IMG SRC=/servlet/com.td.banner.servlet.LoginValidationServlet?image=0');
With the IE fingerprint I obtained:
document.write('<IMG SRC=/servlet/com.td.banner.servlet.LoginValidationServlet?image=0');
Obtaining the .gif image available at each returned URL confirmed the hypothesis: the image directed to Opera users was in fact the warning image, while the image directed to Firefox and IE users was a blank placeholder.
At this point I had only proven that the HTTP headers as a whole were responsible for determining which URI was returned, not the User-Agent header specifically. To confirm it was in fact the User-Agent header, I swapped the User-Agent around between the three header sets (using the Opera User-Agent header with the Firefox headers, then with the IE headers, and vice versa) and confirmed that the warning image was returned only when the Opera User-Agent header was included, regardless of which other headers accompanied it.
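The swap experiment above is a differential test: hold every header fixed except one, and see whether the response changes. The following is an added example, not code from the original post (which used PHP and cURL), written in Python so it runs offline. It generalises the manual swap into a routine that tries every header in every pair of browser header sets and reports which header names actually decide the result. Because it cannot contact the bank, the "servlet" is a constructed stand-in that merely reproduces the three responses reported above (image=3 for the Opera User-Agent, image=0 for Firefox and IE); its whitelist patterns are an assumption, not TD's real list. The `http_probe` helper shows how the same harness would be pointed at a live URL.

```python
"""Differential header test: which request header decides the servlet's reply?

Added example, not part of the original post.  The header sets are the three
captured in the post (asterisks restored, wrapped Accept lines rejoined).
"""
import re
import urllib.request
from typing import Callable, Dict, Set

Headers = Dict[str, str]

OPERA: Headers = {
    "User-Agent": "Opera/8.51 (Windows NT 5.1; U; en)",
    "Accept": ("application/x-shockwave-flash,text/xml,application/xml,"
               "application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,"
               "video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1"),
    "Accept-Language": "en",
    "Accept-Charset": "windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1",
    "Accept-Encoding": "deflate, gzip, x-gzip, identity, *;q=0",
    "Connection": "Keep-Alive, TE",
    "TE": "deflate, gzip, chunked, identity, trailers",
}
FIREFOX: Headers = {
    "User-Agent": ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) "
                   "Gecko/20060111 Firefox/1.5.0.1"),
    "Accept": ("text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
               "text/plain;q=0.8,image/png,*/*;q=0.5"),
    "Accept-Language": "en-us,en;q=0.5",
    "Accept-Encoding": "gzip,deflate",
    "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Keep-Alive": "300",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}
IE: Headers = {
    "Accept": "*/*",
    "Accept-Language": "en-us",
    "Pragma": "no-cache",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
    "Proxy-Connection": "Keep-Alive",
}

# Constructed stand-in for the LoginValidationServlet.  ASSUMPTION: the real
# whitelist is unknown; these patterns only reproduce the observed behaviour
# (Firefox and IE pass, everything else gets the warning image).
UA_WHITELIST = [re.compile(r"Firefox/"), re.compile(r"MSIE \d")]


def fake_servlet(headers: Headers) -> str:
    """Emulate the observed responses: the decision depends on User-Agent only."""
    ua = headers.get("User-Agent", "")
    image = 0 if any(p.search(ua) for p in UA_WHITELIST) else 3
    return ("document.write('<IMG SRC=/servlet/com.td.banner.servlet."
            f"LoginValidationServlet?image={image}');")


def image_id(body: str) -> int:
    """Extract the image number from the servlet's document.write() reply."""
    m = re.search(r"image=(\d+)", body)
    if not m:
        raise ValueError("no image= parameter in response")
    return int(m.group(1))


def decisive_headers(probe: Callable[[Headers], str],
                     sets: Dict[str, Headers]) -> Set[str]:
    """Return the header names whose value alone changes the response.

    For every ordered pair of header sets (a, b) and every header name seen in
    either, send a's full set with only that header taken from b (or removed
    if b lacks it).  A header is 'decisive' if any such single swap changes
    the image id relative to a's unmodified baseline.
    """
    names = sorted({h for s in sets.values() for h in s})
    found: Set[str] = set()
    for a_name, a in sets.items():
        baseline = image_id(probe(a))
        for b_name, b in sets.items():
            if a_name == b_name:
                continue
            for h in names:
                trial = dict(a)
                if h in b:
                    trial[h] = b[h]
                else:
                    trial.pop(h, None)
                if image_id(probe(trial)) != baseline:
                    found.add(h)
    return found


def http_probe(url: str, timeout: float = 10.0) -> Callable[[Headers], str]:
    """Build a probe that fetches `url` with exactly the given headers (live use only)."""
    def probe(headers: Headers) -> str:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("latin-1")
    return probe


if __name__ == "__main__":
    sets = {"opera": OPERA, "firefox": FIREFOX, "ie": IE}
    for name, hdrs in sets.items():
        print(f"{name:8s} -> image={image_id(fake_servlet(hdrs))}")
    print("decisive headers:", decisive_headers(fake_servlet, sets))
```

Against the stand-in the routine reports only User-Agent as decisive, which is exactly what the manual swap showed. To repeat it against a live endpoint, replace `fake_servlet` with `http_probe(url)`; note that the swap loop sends a request per header per pair, so it is deliberately not run here.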
Conclusions
TD Canada Trust is using User-Agent matching against a local whitelist in an attempt to determine whether the user requesting the login page is infected with spyware. Users who present a User-Agent header not present in that whitelist are shown an image informing them that their machine is infected with spyware and that they should remove it before continuing.
This whitelist matching is an ineffective test. It raises false positives for every user whose browser is simply not on the list, and it is unable to detect a wide range of malicious programs, including hijackers that do not modify the User-Agent header and malware that operates independently of the browser. In short, they are needlessly scaring the crap out of people who are not infected with anything, while doing nothing to warn people who are.
Caveats:
TD Canada Trust does provide a list of "Supported Browsers" at https://www.tdcanadatrust.com/ebanking/sup-br.jsp, though the concept of purposefully supporting only a subset of the browsers able to communicate effectively with your site is laughable and outdated.
Within an hour of concluding my tests I was contacted by a staff member at Brandimensions Inc. informing me that my website was being used to conduct a phishing attack against TD Canada Trust and its customers. While the ineffective malware test disappoints me, the speed of their response to this alleged phishing attack is encouraging.