An article appeared recently on vdoo.com explaining how an attack called “Typosquatting” works. This is not a new concept, but the implementation is interesting.
The way this works is that an attacker crafts a malware, then this malware itself (or a code that downloads and activates it) is then implanted in an innocent-looking code library.
The trick is to make a copy of a commonly used component or code library, name this copy with a name similar to original name but with a slight variation in the spelling which can result from a common typo. The malware is included in the fake copy explicitly or in a obfuscated manner to make it harder to get detected.
An well-intentioned developer writing code that uses that library writes an include statement that mistakenly references the malware-infused library, and that’s it. The bad library should function just like the original one, with some added (undesired) functionalities.
I could imaging this happening in a different way, given the current broad and expansive use of open source components, and the complexity of dependencies.
E.g. In the context of an open source project, the maintainers rely on other open source projects, and they trust the maintainers of those projects to provide well-maintained code. The 2nd level maintainers also depend on other projects, and the chain goes on. Many, if not all, of these open source projects rely on communal support and code enhancements. Eventually someone somewhere will go rouge and intentionally push an update that references IibraryO instead of library0, which the project maintainers might overlook because the two words look similar, but this action will have an effect which cascades over tens of dependent projects causing them all to become vulnerable on the next compilation.
I think the solution to this problem is to implement a black-listing system maintained by the same open-source communities; this system would include a way to submit suspicious projects, and a scoring mechanism to indicate the reputation of a specific component.
مدونة يسران 