Continuing Business with Malware Infected Customers Whitepaper
Gunter Ollmann, November 2nd 2008

Last month I presented at the OWASP 2008 security conference up in New York. The talk was titled "Multidisciplinary Bank Attacks" (a video of the presentation can be found here) and covered the current state of advanced banking Trojans that utilize man-in-the-browser technologies. In the presentation I provided some advice on Web application design considerations that could help to reduce the threat.

The crux of the problem is that the man-in-the-browser attack vector effectively bypasses almost all of the banking protection systems in use today: the malware operates inside the customer's own browser, after the customer has authenticated, so it sees and can alter the transactions the bank believes its customer submitted. The major problem going forward, then, is how organizations are supposed to continue their online businesses if a sizable percentage of their customers are likely to be infected, and probably infected with a piece of malware that performs man-in-the-browser attacks.

Since giving that presentation, I've been approached by dozens of financial organizations and security assessment companies for more detailed advice on mitigating the threat. So, over the weekend I set to work creating a whitepaper providing "best practices" advice for Web application developers and penetration testers. This new whitepaper is now available online here.

I expect that the paper itself will undergo a few iterations over the next year or two based upon feedback from the security community, so treat this edition as "version 1.0".

Today’s media is full of statistics and stories detailing how the Internet has become an increasingly dangerous place for all concerned. Figures of tens of millions and hundreds of millions of bot-infected computers are regularly discussed, along with approximations that between one-quarter and one-third of all home computer systems are already infected with some form of malware. With a conservative estimate of 1.4 billion computers browsing the Internet on a daily basis (mid-2008 figures), that could equate to upwards of 420 million computers that can’t be trusted – and the numbers could be higher as criminals increasingly target Web browser technologies with malicious Web content – infecting hundreds of millions more along the way.

Despite these warnings and the statistics behind them, online businesses have yet to fully grasp the significance of the threat. Most of the advice about dealing with the problem has focused on attempting to correct the client-side infection, and yet, despite the education campaigns and the ubiquity of desktop anti-virus solutions, the number of infected computers has continued to rise. The problem facing online businesses going forward is this: if upwards of one-third of their customers are likely to be conducting business transactions from computers infected with malware, how should they continue to do business with that infected customer base?

This paper discusses many of the best practices businesses can adopt in their Web application design and back-office support processes in order to minimize this growing threat, and to reduce several of the risks posed by continuing to do business with customers who are likely to be operating infected computers.

The paper can be found at


    Copyright 2001-2008 © Gunter Ollmann