Edit: It seems that the blog post and the thesis have attracted quite some interest. Please contact me at the following mail address: admin [|[at]|] incolumitas [[|dot|]] com
This blog post demonstrates:
- how 17,000 computers were forced to execute arbitrary code by typosquatting programming-language packages/libraries
- that 50% of these installations were conducted with administrative rights
- that even highly security-aware institutions (.gov and .mil hosts) fell victim to this attack
- how a typosquatting attack becomes wormable by mining the command history data of hosts
- what good defenses against typosquatting of package managers might look like
The complete thesis can be downloaded as a PDF.
In the second half of 2015 and the early months of 2016, I worked on my bachelor's thesis. In this thesis, I tried to attack programming-language package managers such as Python's PyPI, Node.js's npmjs.com and Ruby's rubygems.org. The attack does not exploit a new technical vulnerability; rather, it tricks people into installing packages that they did not intend to run on their systems.
In the domain name system, typosquatting is a well-known problem. Typosquatting is the malicious registration of a domain that is lexically similar to another, often highly …