Is there a way to detect if the HTML DOM is being modified by malware on the end user's system? I have an HTTPS-protected website and recently encountered a support call where the user was seeing advertisements in my website. I have no ads in my website, and we ended up running an antivirus scan on the end user's system, which found and cleaned many infections, after which the ads disappeared. I am unfortunately unable to provide any code samples because I don't even know where to start.
- No, there is no way to do this. You can attempt it but you will fail. Also this is not your problem. – PeeHaa Nov 10 '14 at 17:30
- @PeeHaa - That was my assumption too. However, I have seen some articles talk about change detection using JavaScript and so I thought I'd check with the Stack Overflow community. https://www.usenix.org/legacy/events/nsdi08/tech/full_papers/reis/reis_html/index.html – Nov 10 '14 at 17:32
- Yes, you can observe changes in the DOM. That doesn't tell you anything about malware, user action, browser plugin / whatever though – PeeHaa Nov 10 '14 at 17:33
- Do not allow users to input HTML or JavaScript into any kind of input fields on your site without encoding it first. – Brett Nov 10 '14 at 17:37
- The virus probably affected the browser and/or incoming DNS lookups; your site is probably safe and the same as ever. – dandavis Nov 10 '14 at 17:44
- @Brett, you probably mean 'do not include user data in your web UI output without encoding it first.' It's awful hard to get between the keyboard and the browser :-) And, while that's good advice, it's a little out of scope here. – atk Nov 10 '14 at 17:58
- The user may not know what they have installed intentionally as well. Take Skype for example; if you have the plug-in installed, it will highlight phone numbers, etc., and give you options. While this is not necessarily what you are referring to, the user may not know or understand the nature of plug-ins and how they affect the DOM. – Sablefoste Nov 10 '14 at 19:03
2 Answers
It is possible to detect DOM modifications using MutationObservers (supported by all major vendors).
It might be hard to detect which modifications are malicious and which are not, though.
Perhaps something to look into: depending on how the malware works, you might be able to prevent the insertion (or at least execution) of script tags. This might stop naive malware but it's a cat and mouse game.

- I think I will use the observer on the login page and disable the form if I detect any changes. The login page is simple enough that I can employ mutation observers. – Nov 10 '14 at 17:42
- Accepted in 10 mins? I don't have a better answer, but 10 min is a little hasty... – dandavis Nov 10 '14 at 17:45
- @dandavis - The answer provided gives me a good place to start and then tweak my script as needed. My login page is literally two fields with a few lines of JavaScript used for very basic validation. I should easily be able to detect DOM changes on this page. – Nov 10 '14 at 17:49
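
The approach from the answer and follow-up comment above (observe a simple login form with a MutationObserver and disable it on unexpected changes), as an added example that is not code from the thread. The element ids `login` and `login-error`, the watched-attribute list and all function names are assumptions.

```javascript
// Added example. WATCHED_ATTRS, classify, findTampering, guardLoginForm and the
// "login" / "login-error" ids are assumptions, not names from the thread.
const WATCHED_ATTRS = new Set(['action', 'method', 'type', 'name', 'src', 'href', 'formaction']);

// Turn one MutationRecord into a finding string, or null if it is expected.
// allowedIds: ids of elements the page's own validation script may rewrite.
function classify(record, allowedIds) {
  if (allowedIds.has(record.target.id)) return null;
  if (record.type === 'childList') {
    const isElement = (n) => n.nodeType === 1; // Node.ELEMENT_NODE
    const added = Array.from(record.addedNodes).filter(isElement);
    const removed = Array.from(record.removedNodes).filter(isElement);
    if (added.length) return 'added ' + added.map((n) => n.nodeName).join(',');
    if (removed.length) return 'removed ' + removed.map((n) => n.nodeName).join(',');
    return null; // only text nodes changed
  }
  if (record.type === 'attributes' && WATCHED_ATTRS.has(record.attributeName)) {
    return record.attributeName + ' changed on ' + record.target.nodeName;
  }
  return null;
}

// Collect the findings for a batch of records delivered to the observer.
function findTampering(records, allowedIds) {
  return records.map((r) => classify(r, allowedIds)).filter(Boolean);
}

// Browser wiring: watch the form subtree and disable its controls on a finding.
function guardLoginForm(form, allowedIds, onTamper) {
  const observer = new MutationObserver((records) => {
    const findings = findTampering(records, allowedIds);
    if (findings.length === 0) return;
    observer.disconnect(); // our own "disabled" writes must not re-trigger
    form.querySelectorAll('input, button').forEach((el) => { el.disabled = true; });
    onTamper(findings);
  });
  observer.observe(form, { childList: true, subtree: true, attributes: true });
  return observer;
}

// Only runs in a browser; skipped where no DOM exists.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const form = document.getElementById('login');
  if (form) guardLoginForm(form, new Set(['login-error']), (f) => console.warn('DOM changed:', f));
}
```

The observer only reports changes made after it is attached and only inside the observed form, and, as the comments point out, a finding does not say whether malware, a browser plugin or the user caused it.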
When it comes down to it, you cannot control what happens on a computer you don't control. Sufficiently advanced malware will detect your attempt to detect it and will lie to you about the results.
That said, there are some techniques you can apply to try and make it harder for the attacker.
- Write your own code that knows what your DOM is supposed to look like. The attacker will stop your code from running.
- Update the code so that it interacts with your application server every so many seconds. The attacker will duplicate this piece of the code and stop the original check from running.
- Update your code to perform a complex operation that requires a minimum known amount of time. The attacker will respond the same as above.
- Intermingle your checking code with your business logic and obfuscate everything. The attacker can create their own UI that interacts with your server and show that instead of your UI.

Now, just because you're on the losing side of the battle, that doesn't mean it is useless. It really depends upon who might be attacking your server, and how many resources they want to spend on the arms race with you compared to how many resources you want to spend against them.
