Child porn case highlights browser hijack risks

Cautionary tales


Browser hijacking programs can redirect users to pornographic websites. But could these malicious programs also lead to false accusations of possession of child pornography?

Malware such as CoolWebSearch (AKA CWS) can change browser start-up and search pages and generate pop-up pages - often punting illegal pornographic websites - on infected PCs. The program exploits IE vulnerabilities to slither onto unpatched PCs. Users would normally have to visit dodgy websites to get infected but it's easy to see how xxx rated spam email received and auto-executed through unpatched versions of Outlook could result in unwitting infection.

The end result would be the URL of borderline-criminal websites appearing in the history file of Net users. And how are spouses or employers to interpret this?

Wired this week carried an illuminating article, quoting several people who claimed their good reputation was threatened because browser hijacking programs had left indications of visits to porn websites on their PCs.

In one case, a Russian-born US resident called 'Jack' (not his real name) said he was forced to confess to child pornography offences on the basis of material he claims may have been deposited on his PC by a browser-hijacking program.

Jack may well have been railroaded in the case and there are issues about how evidence was handled. The chain of custody of the suspect PC, for example, is one area of particular concern. Wired quotes the conclusion of Brian Rothery, a former IBM systems engineer who researched Jack's claims, that "evidence wasn't handled properly".

However, the browser hijack explanation fails to adequately explain how some of the images appeared in locations not used for normal browsing sessions, Wired reports. The location of material and access times of content gives vital clues for investigators. If material is accessed after it is downloaded, especially at a time when a PC is offline, then this points towards a suspect's guilt.

It is straightforward to determine if the possession of illegal content is caused by browser hijacking, according to Neil Barrett, technical director of security consultancy IRM, and a veteran expert witness in numerous computer crime cases.

"Unless there is an exploit, material would only appear within the browser context. If illicit material was found on a PC a prosecution could be initiated but analysis is straightforward. It would leap up at a computer forensics expert that a pop-up was responsible for the content found," he said.

Police won't be blindsided

Some child pornography cases have been dismissed after suspects testified that a Trojan horse infection on their PCs could have downloaded the material without their knowledge (example here and here). According to Barrett, police were unable to counter defence arguments that a Trojan was responsible for the dodgy content found on a PC in these cases because they didn't know enough about what it did. This won't happen again in future, he said.

UK police now routinely check for Trojans on seized computers. In future, police will take virus infection into account in preparing evidence for court. Just because a virus is found on a PC doesn't mean someone is innocent of a computer crime and doesn't necessarily undermine the value of any other evidence recovered. "Police won't be blindsided by any Trojan defence in future," Barrett said.

So skilled and ethical investigators can determine if malicious code - and not salacious urges - explains the presence of dodgy content on PCs. Relying on this safety net is hardly sensible, though. The best approach for Joe Punter is to prevent such content getting onto his PC in the first place. This is yet another reason to use updated versions of IE and Outlook or (easier) to consider using alternative browsers and email clients. ®

Related link

Jack's story

Related stories

Trojan hijacks web browsers
Trojan serves porn off home PCs, not many dead
Trojan defence clears man on child porn charges
Suspected paedophile cleared by computer forensics
