
Unchecked blogs a boon to hackers

by Iain Thomson

15 Apr 2005

Blogging sites that fail to check software stored by users are proving useful to hackers, according to web monitoring firm Websense.

The company claims to have identified hundreds of cases of hackers using blogs to store Trojan software and other malicious code, because blogging firms seldom check to see what code they are hosting.

"Blogs allow you anonymously and freely to gather and create accounts," said Dan Hubbard, senior director of security and technology research at Websense.

"Most have quite a bit of hosting space available too. Some blog site hosters allow you to post attachments, but most do not check the code that is posted so it could be anything."

Hubbard explained that hackers exploit blogs in a number of ways. In March, a hacker placed key-logging software on a blog site. The URL was then spammed out in a message purporting to be from a popular messaging service.

The message offered a new version of an instant messaging program, but when users clicked on the link the key-logging software was installed.

A more advanced technique is to use a blog page to store malicious code updates. Many so-called zombie PCs update the Trojan software regularly, and a blogging site offers an anonymous and free website that can be used to store the update software.

Both methods use browser attacks, which experts warn are becoming increasingly popular. These attacks bypass firewall and intrusion detection software by entering systems through improperly patched browsers.
