Feeds

Child porn case highlights browser hijack risks

Cautionary tales

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Browser hijacking programs can redirect users to pornographic websites. But could these malicious programs also lead to false accusations of possession of child pornography?

Malware such as CoolWebSearch (AKA CWS) can change browser start-up and search pages and generate pop-up pages - often punting illegal pornographic websites - on infected PCs. The program exploits IE vulnerabilities to slither onto unpatched PCs. Users would normally have to visit dodgy websites to get infected but it's easy to see how xxx rated spam email received and auto-executed through unpatched versions of Outlook could result in unwitting infection.

The end result would be the URL of borderline-criminal websites appearing in the history file of Net users. And how are spouses or employers to interpret this?

Wired this week carried an illuminating article, quoting several people who claimed their good reputation was threatened because browser hijacking programs had left indications of visits for porn websites on their PCs.

In one case, a Russian-born US resident called 'Jack' (not his real name) said he was forced to confess to child pornography offences on the basis of material he claims may have been deposited on his PC by a browser-hijacking program.

Jack may well have been railroaded in the case and there are issues about how evidence was handled. The chain of custody of the suspect PC, for example, is one area of particular concern. Wired quotes the conclusion of Brian Rothery, a former IBM systems engineer who researched Jack's claims, that "evidence wasn't handled properly".

However, the browser hijack explanation fails to adequately explain how some of the images appeared in locations not used for normal browsing sessions, Wired reports. The location of material and access times of content gives vital clues for investigators. If material is accessed after it is downloaded, especially at a time when a PC is offline, then this points towards a suspect's guilt.

It is straightforward to determine if the possession of illegal content is caused by browser hijacking, according to Neil Barrett, technical director of security consultancy IRM, and a veteran expert witness in numerous computer crime cases.

"Unless there is an exploit, material would only appear within the browser context. If illicit material was found on a PC a prosecution could be initiated but analysis is straightforward. It would leap up at a computer forensics expert that a pop-up was responsible for the content found," he said.

Police won't be blindsided

Some child pornography cases have been dismissed after suspects testified that a Trojan horse infection on their PCs could have downloaded without their knowledge (example here and here). According to Barrett, police were unable to counter defence arguments that a Trojan was responsible for the dodgy content found on a PC in these cases because they didn't know enough about what it did. This won't happen again in future. he said.

UK police now routinely check for Trojans on seized computers. In future, police will take virus infection into account in preparing evidence for court. Just because a virus is found on a PC doesn't mean someone is innocent of a computer crime and doesn't necessarily undermine the value of any other evidence recovered. "Police won't be blindsided by any Trojan defence in future," Barrett said.

So skilled and ethical investigators can determine if malicious code - and not salacious urges - explains the presence of dodgy content on PCs. Relying on this safety net is hardly sensible, though. The best approach for Joe Punter is to prevent such content getting onto his PC in the first place. This is yet another reason to use an updated version or IE and Outlook or (easier) to consider using alternative browsers and email clients. ®

Related link

Jack's story

Related stories

Trojan hijacks web browsers
Trojan serves porn off home PCs, not many dead
Trojan defence clears man on child porn charges
Suspected paedophile cleared by computer forensics

The smart choice: opportunity from uncertainty

More from The Register

next story
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.