Feeds

Child porn case highlights browser hijack risks

Cautionary tales

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Browser hijacking programs can redirect users to pornographic websites. But could these malicious programs also lead to false accusations of possession of child pornography?

Malware such as CoolWebSearch (AKA CWS) can change browser start-up and search pages and generate pop-up pages - often punting illegal pornographic websites - on infected PCs. The program exploits IE vulnerabilities to slither onto unpatched PCs. Users would normally have to visit dodgy websites to get infected but it's easy to see how xxx rated spam email received and auto-executed through unpatched versions of Outlook could result in unwitting infection.

The end result would be the URL of borderline-criminal websites appearing in the history file of Net users. And how are spouses or employers to interpret this?

Wired this week carried an illuminating article, quoting several people who claimed their good reputation was threatened because browser hijacking programs had left indications of visits for porn websites on their PCs.

In one case, a Russian-born US resident called 'Jack' (not his real name) said he was forced to confess to child pornography offences on the basis of material he claims may have been deposited on his PC by a browser-hijacking program.

Jack may well have been railroaded in the case and there are issues about how evidence was handled. The chain of custody of the suspect PC, for example, is one area of particular concern. Wired quotes the conclusion of Brian Rothery, a former IBM systems engineer who researched Jack's claims, that "evidence wasn't handled properly".

However, the browser hijack explanation fails to adequately explain how some of the images appeared in locations not used for normal browsing sessions, Wired reports. The location of material and access times of content gives vital clues for investigators. If material is accessed after it is downloaded, especially at a time when a PC is offline, then this points towards a suspect's guilt.

It is straightforward to determine if the possession of illegal content is caused by browser hijacking, according to Neil Barrett, technical director of security consultancy IRM, and a veteran expert witness in numerous computer crime cases.

"Unless there is an exploit, material would only appear within the browser context. If illicit material was found on a PC a prosecution could be initiated but analysis is straightforward. It would leap up at a computer forensics expert that a pop-up was responsible for the content found," he said.

Police won't be blindsided

Some child pornography cases have been dismissed after suspects testified that a Trojan horse infection on their PCs could have downloaded without their knowledge (example here and here). According to Barrett, police were unable to counter defence arguments that a Trojan was responsible for the dodgy content found on a PC in these cases because they didn't know enough about what it did. This won't happen again in future. he said.

UK police now routinely check for Trojans on seized computers. In future, police will take virus infection into account in preparing evidence for court. Just because a virus is found on a PC doesn't mean someone is innocent of a computer crime and doesn't necessarily undermine the value of any other evidence recovered. "Police won't be blindsided by any Trojan defence in future," Barrett said.

So skilled and ethical investigators can determine if malicious code - and not salacious urges - explains the presence of dodgy content on PCs. Relying on this safety net is hardly sensible, though. The best approach for Joe Punter is to prevent such content getting onto his PC in the first place. This is yet another reason to use an updated version or IE and Outlook or (easier) to consider using alternative browsers and email clients. ®

Related link

Jack's story

Related stories

Trojan hijacks web browsers
Trojan serves porn off home PCs, not many dead
Trojan defence clears man on child porn charges
Suspected paedophile cleared by computer forensics

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.