[C#] Non direct URLs and malware

Discussion in 'Mixed Languages' started by QuantumBug, Aug 26, 2015.

  1. QuantumBug

    QuantumBug MDL Developer

    Mar 7, 2012
    #1 QuantumBug, Aug 26, 2015
    Last edited by a moderator: Apr 20, 2017
    I'm in the process of writing a downloader for set applications, where in some places a static URL is not used and you have to take the link given from a redirect, this is where the below code comes in...

    using System.Net;

    public string strReturn = null;

    // Follows any redirects and returns the final URL the response came from.
    public string returnLink(string url)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.AllowAutoRedirect = true;
        using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
        {
            return res.ResponseUri.AbsoluteUri;
        }
    }

    string url = returnLink("https://downloads.malwarebytes.org/file/mbam_sem/");
    strReturn = url;
    This code will turn (1) "https://downloads.malwarebytes.org/file/mbam_sem/" into (2) "https://mbam-sem-dl.malwarebytes.org/mbam-setup-sem-" by fetching the redirect link.

    Now let's say, for example only... someone injected malicious code into, say, a website to specifically change (2) to "http://luertcbtlrcubgenuinewebsite4dowloawdzjajaja.com/trojan.exe"? This means the code will now fetch the malicious URL and possibly download malware.

    My question: what is a good way to combat malicious redirects? My initial thought was to make a check on the returned URL for identifiers, but I'm now thinking it might not be good enough.

    Regards, The Dev.
  2. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    @Dev: Any "static" identifiers can be spoofed. If an algorithm can be derived from the url, a software "device" can be created to execute a variant of the "Man in the middle" attack.

    The best type of protection is one where a human is forced to interact, because a computer cannot use an algorithm to decipher the question.
