[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
  • Hi everyone. How many of you use online banking? Come on!!! How many of you use online banking or a bitcoin trading site? Hands up. How many of you use browser extensions in the same browser? Last question: how many of you are willing to install my extension into your browser? Today I’m going to talk about dangerous browser extensions and client-side protection attempts.
  • This is my name
  • This is where I work
  • This is what I’m paid for
  • This is the work most of the people think consultants are paid for
  • And this is what I’m proud about, and I’m also a proud member of the gula.sh team; we scored as second runner up in the Global Cyberlympics competition last year.
  • These are my contacts
  • This is what I do 24 by 7
  • This is what I watch after hacking
  • And this is what I browse when I’m not hacking or watching hacker movies
  • In the beginning of my presentation I will talk about malicious browser extensions and what they are capable of. After that I will show you what kind of client-side protections I was analysing against malicious browser extensions, like internet security suites.
  • If you are interested, you can later watch a lot of demos about this at the following YouTube link, and you can also watch my previous presentations about this topic on SlideShare, or download the source code from GitHub.
  • Most of you remember how an average Internet Explorer 6 looked in 2004. I bet all of you would go crazy over those crappy extensions. Do you remember that irritating purple monkey dancing in the corner of your browser? It is one of the first malicious browser extensions which spied on users’ browsing activity.
  • How does it work in practice? After the browser is infected, the extension polls the attacker’s web server for new commands. If there is a new command, the client browser will execute it, like uploading files from the victim to the attacker, and so on.
  • But don’t forget that Firefox is also supported on OS X, Linux, Windows, and even on Android. ...
  • You might think that Chrome is safe; bad news, it’s not. My zombie extension will hack your Chrome or Safari as well.
  • After I had developed my malicious browser extensions against Firefox, Chrome, and Safari, I sent this code to 15 different AV vendors, so they could put it into their signature list and block it.
  • Which means that currently 10 AV vendors block my Firefox extension; to 5 out of those 10 my code had not been sent. After doing the basic math, this means there are 10 AV vendors I have sent my code to, but they are not blocking it.
  • And 5 AV vendors do detect my Chrome extension. I don’t have any good explanation about that.
  • I have two lessons to draw from this case: Firstly, don’t send encrypted ZIP files to the antivirus vendors, because it might happen that they are unable to process it, even if the email contains the password. Secondly, if you send a ZIP file containing more than 10 files, it might be rejected by the AV vendors. The problem is that browser extensions are basically ZIP files, containing any number of files. So if I create a browser extension containing 100 files, the users won’t be able to send the samples to the antivirus vendors.
  • And I published my malicious browser extensions on GitHub; it was blocked in Firefox after 25 minutes.
  • But unfortunately, it took me less time to circumvent this blocking. You can see two differences between the two source codes. The first one is that the extension has a different ID, and the second difference is that the first one is blocked by Firefox, but the second one is not. If you check this link, you can see that this problem is also exploited by the bad guys.
  • And even in the official Google Chrome extension store you might find malicious browser extensions sometimes. So if you downloaded this Bad Piggies extension, instead of hunting for bad piggies you had to hunt for malicious browser extensions on your computer. 1.5 months ago Google announced that they will scan for malicious extensions more effectively; it still has to prove itself.
  • And there will always be people who want to change the colour of their facebook page, and they download some extension having very powerful privileges just to change their facebook colour. For example look at this one. Why should a facebook colour changer extension need to access all your websites and all your browsing information?
  • Before all of you fall asleep, here is a little quiz for you. The first correct answer will be honored with two bottles of hacker beer. And the question is: which company developed the first Netscape plugin in 1995?
  • Here is a little clue for you
  • That’s right, Adobe. Funny thing is that they are still unable to develop secure extensions with 17 years of experience behind them.
  • There is a rootkit in the wild since 2007 called Mebroot, which installs its malicious Chrome extension after the computer is infected and manipulates online financial transactions in the background. I believe the bad guys had been unable to manipulate the transactions in Chrome via traditional attacks, so they created malicious browser extensions to do that job. After I saw there were so many problems with malicious browser extensions,
  • There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  • During my quest I bumped into two axioms. The first axiom warned me that when an evil program code is running on my computer, my computer will perish. The second one drew my attention to the fact that if the system protects me against 300 different attack methods, it won’t protect me against the 301st one.
  • So then I plucked up all my courage and set out for the realm of extensions and sandboxing technologies to see how they would protect my computer against my malicious extension - all those evil things like password stealing or webcam spying etc.
  • NoScript does what it promises. But it never promised to protect the users against malicious browser extensions. And don’t forget that the settings of the Firefox extensions are like a big happy family picnic: everybody can do whatever they want. Which means every extension can change the settings of another extension. This means that my browser extension can change the settings of NoScript as well.
  • The Browserprotect extension is basically the same from this point of view: it does what it promises, but it can’t protect the users against malicious browser extensions, and my extension can change the Browserprotect settings as well.
  • The Sandboxie program was a big surprise for me, or rather a big disappointment. To tell the truth, I would not recommend Sandboxie to protect the average home user, because by default it does nothing but prevent modifications outside of the sandbox.
  • This means that I can steal passwords and cookies, and even spy on the user’s webcam or steal confidential user files.
  • I’ll show how sandboxing technology works in the next demo. Just for clarification, when you see the „Hack the planet”, it is me, the attacker. And when you see unicorns and rainbows, it is the victim browser.
  • Our next topic is the internet security suites, how they can or cannot protect you against malicious browser extensions.
  • I won’t mention any vendor names, but I promise you, the conclusion will be the same. These are the biggest and most popular internet security suites. Think about vendors with their names starting with the letter S or K.
  • The first vendor detects and removes my extension on a signature basis (because I have sent my code to them). But if I insert an extra space character in one of the lines of my source code, the extension won’t be detected any more. And this internet security suite also installs its own extensions into Firefox, which are always two versions behind the current Firefox version. So they never run on my computer, because they were always blocked by Firefox.
  • So my extension was able to circumvent the protection of this internet security suite.
  • The next vendor promises a safe browser, which is merely a new, clean default Firefox profile. The problem with this approach is that I can install my extension into this safe browser in at least 2 different ways. One of these ways is to modify the user registry settings, which will install the extension into this safe browser. The second approach is to modify the SQLite database of this safe browser. I already contacted the vendor, but they have not fixed this yet.
  • The next vendor is my favourite one. A user on an internet forum asked the vendor whether their product can protect him against Xenotix KeylogX. This is a proof-of-concept malicious browser extension, created by Ajin Abraham, who was scheduled to do his presentation.
  • The vendor’s response is so beautiful that it’s worth analyzing word by word, just like a poem. The poet starts in medias res: „no it doesn’t, and that’s by design”, so it states it won’t protect the user. What the poet meant by „by design”, I have no idea. It is also for sure that in Firefox there is nothing like sandboxing. And by suggesting to remove the extension, the vendor implies that the extension is not hidden from the user. And why the heck should I buy their product, if I have to detect and remove the extension by myself????
  • And I looked at other safe browser solutions in internet security suites, but they all proved to be useless, and I was a very, very sad panda.
  • I almost gave up, when I found the Avast Internet Security Suite. I was not able to install my extension into their safe browser, so I had to find other ways to hack it. In the next demo, I’m going to show you how I can circumvent the protection of Avast safe browser.
  • My suggestions to the vendors who promise safe browser solutions are the following: Do not trust the local root certificate lists. Protect the settings and the files of the safe browser. Do not use old, outdated, vulnerable browsers. And my suggestions to the users are: Do not use browser extensions to protect against malicious browser extensions. And last but not least, install and update your antivirus solution, because it will protect you in 90% of the cases.
  • As I failed to find the elixir, my next challenge had to be to move on. So I went on and left the forest of internet security suites and entered the promising field of the Endpoint Financial Fraud Prevention and Anti-Keylogging applications.
  • In case you did not know what these are: these applications are usually recommended by big financial institutions, saying „if you use this, you will be safe”. And again, I won’t mention the vendors’ names, but the conclusion will be the same.
  • Usually these applications will protect you against the so-called „API hooking” attack. In the next demo, I’m going to show you this attack. First, I’ll show how Zemana’s protection will protect you against this API hooking attack, which is used by financial malware like Zeus or SpyEye, and how Zemana won’t protect you against malicious browser extensions.
  • Vendor no. 2 promises an awful lot of things, let’s see this in practice.
  • In Internet Explorer every extension was disabled, but not in Firefox. I contacted the vendor, and they sent me a new version in less than a week, where every Firefox extension was disabled. I was very excited, but then I asked whether this version would be the next public version; however, their answer made me sad. It turned out that it was not a public version, it was only sent to me. They have a plan to detect and block the malicious browser extensions individually.
  • And I think this is OK, they are the experts, they know what they are talking about. I hope they do...
  • Vendor number 3. When I tested this vendor, they were using an old, vulnerable Firefox version. And I was also able to install my extension into their safe browser. I contacted the vendor, and they fixed their product in less than a week, so right now there is no way to hack this safe browser that I know of. But to tell you the truth, I did not waste my time trying to find other ways to hack it.
  • Vendor number four was also great fun to test. First, the application indicated that it had found malware on my computer, but it turned out that it was only Symantec that it detected as malicious software.
  • It promises a lot of things, but it cannot protect you against malicious browser extensions.
  • At the end of my journey I had to realize that the axioms are really true, and that I had been looking for the elixir in the wrong place, because the client-side protections are doomed to fail. On these links you can find the source code of my malicious browser extensions, my previous presentations about malicious browser extension
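The notes above on NoScript and Browserprotect make one point that applies to every Firefox extension of that era: all add-ons write into the same prefs.js, so one extension can silently rewrite another's settings. A defender can at least notice when that happens. The following is an added example, not code from the talk or from any product mentioned in it: it parses two constructed prefs.js snapshots (the pref names are modelled on NoScript's and on Firefox's proxy prefs; the values are made up) and reports which security-relevant prefs differ between a known-good baseline and the current file.

```python
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Constructed prefs.js snapshots (not taken from a real profile). Pref names are
# modelled on NoScript's and on Firefox's proxy prefs; the values are made up.
BASELINE_PREFS = r'''
// Mozilla User Preferences
user_pref("noscript.global", false);
user_pref("capability.policy.maonoscript.sites", "https://bank.example");
user_pref("noscript.contentBlocker", true);
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 0);
'''

CURRENT_PREFS = r'''
// Mozilla User Preferences
user_pref("noscript.global", true);
user_pref("capability.policy.maonoscript.sites", "https://bank.example http://unknown.example");
user_pref("noscript.contentBlocker", true);
user_pref("browser.startup.homepage", "http://unknown.example/start");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("extensions.colourchanger.enabled", true);
'''

# user_pref("name", value);  -- value is true/false, an integer or a quoted string
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Pref families whose silent modification undermines a protective extension or
# redirects traffic; anything else (homepage, other add-ons' own prefs) is ignored.
WATCHED_PREFIXES = ("noscript.", "capability.policy.", "network.proxy.")


def _decode(raw: str) -> PrefValue:
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse the user_pref lines of a prefs.js into a dict; other lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def diff_prefs(baseline: Dict[str, PrefValue], current: Dict[str, PrefValue],
               watched: Tuple[str, ...] = WATCHED_PREFIXES) -> Dict[str, dict]:
    """Changed, added and removed prefs, restricted to the watched families."""
    def is_watched(name: str) -> bool:
        return name.startswith(watched)

    changed = {
        n: (baseline[n], current[n])
        for n in baseline
        if n in current and baseline[n] != current[n] and is_watched(n)
    }
    added = {n: v for n, v in current.items() if n not in baseline and is_watched(n)}
    removed = {n: v for n, v in baseline.items() if n not in current and is_watched(n)}
    return {"changed": changed, "added": added, "removed": removed}


def report(baseline_text: str, current_text: str) -> List[str]:
    """One alert line per deviation from the baseline, ready for a log or SIEM."""
    d = diff_prefs(parse_prefs(baseline_text), parse_prefs(current_text))
    lines = [f"CHANGED {n}: {old!r} -> {new!r}" for n, (old, new) in d["changed"].items()]
    lines += [f"ADDED {n}: {v!r}" for n, v in d["added"].items()]
    lines += [f"REMOVED {n}: was {v!r}" for n, v in d["removed"].items()]
    return lines


if __name__ == "__main__":
    for line in report(BASELINE_PREFS, CURRENT_PREFS):
        print(line)
```

Capture the baseline right after the protective extension has been configured, then re-run the comparison periodically (or on browser start). The proxy prefs are on the watch list because a rewritten proxy is exactly the kind of setting the vendor checklist later in the talk says a safe browser must protect; the homepage change in the sample is deliberately not reported, to show that the filter is about prefs that matter for security, not about noise.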
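The first internet security suite's signature broke on a single extra space, and Mozilla's blocklist entry was side-stepped by changing the extension ID; both are properties of matching raw bytes. The block below is an added example (not the talk's code and not any vendor's detection logic) of a fingerprint that survives such cosmetic edits: it strips comments and collapses whitespace in every .js member of an XPI (which, as the notes say, is just a ZIP) before hashing, and leaves the manifest out entirely. The sample script and the two XPIs are constructed in memory.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, Optional

# Constructed stand-ins for an extension's content script; the second differs
# from the first only by one extra space, the evasion described in the talk.
SAMPLE_JS = "// content script\nfunction total(price, qty) {\n    return price * qty;\n}\n"
SAMPLE_JS_PADDED = "// content script\nfunction total(price,  qty) {\n    return price * qty;\n}\n"

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_WHITESPACE = re.compile(r"\s+")


def byte_sha256(src: str) -> str:
    """Exact-bytes hash: the kind of signature a single extra space defeats."""
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def normalize_js(src: str) -> str:
    """Drop comments and collapse every whitespace run to one space.
    Deliberately coarse: string literals are touched too (a '//' inside a URL
    literal is cut), which is acceptable for a fingerprint that only needs to
    stay stable across cosmetic edits."""
    src = _BLOCK_COMMENT.sub("", src)
    src = _LINE_COMMENT.sub("", src)
    return _WHITESPACE.sub(" ", src).strip()


def normalized_sha256(src: str) -> str:
    return hashlib.sha256(normalize_js(src).encode("utf-8")).hexdigest()


def build_xpi(files: Dict[str, str]) -> bytes:
    """Pack {member name: text} into an in-memory ZIP, the container of an XPI."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in sorted(files.items()):
            zf.writestr(name, content)
    return buf.getvalue()


def fingerprint_extension(xpi_bytes: bytes) -> str:
    """Hash of the sorted normalized hashes of every .js member.
    The manifest (install.rdf / manifest.json) is not part of the input, so
    changing the extension ID does not change the fingerprint."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        js_members = sorted(n for n in zf.namelist() if n.endswith(".js"))
        parts = [normalized_sha256(zf.read(n).decode("utf-8", "replace")) for n in js_members]
    return hashlib.sha256("\n".join(parts).encode("ascii")).hexdigest()


def match_known(xpi_bytes: bytes, known: Dict[str, str]) -> Optional[str]:
    """Look the fingerprint up in a {fingerprint: family name} table."""
    return known.get(fingerprint_extension(xpi_bytes))


if __name__ == "__main__":
    # The manifest contents are constructed placeholders, not real install.rdf files.
    original = build_xpi({"install.rdf": "<RDF>em:id=a@example</RDF>", "content/main.js": SAMPLE_JS})
    edited = build_xpi({"install.rdf": "<RDF>em:id=b@example</RDF>", "content/main.js": SAMPLE_JS_PADDED})
    print("byte hashes equal:      ", byte_sha256(SAMPLE_JS) == byte_sha256(SAMPLE_JS_PADDED))
    print("normalized hashes equal:", normalized_sha256(SAMPLE_JS) == normalized_sha256(SAMPLE_JS_PADDED))
    print("xpi fingerprints equal: ", fingerprint_extension(original) == fingerprint_extension(edited))
```

This only closes the two specific gaps the talk demonstrates (whitespace and ID changes); renamed identifiers or restructured code still produce a new fingerprint, which is why the talk's own advice is to treat any client-side signature as a speed bump rather than the elixir.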

[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Presentation Transcript

  • The Quest for the Client-Side Elixir Against Zombie Browsers a.k.a. Zombie Browsers Reloaded. Legal disclaimer: Every point of view and thought is mine. The next presentation’s contents do not have any connection with my employer’s opinion, whether past, present or future. What you will hear can only be used in test labs, and only for the good.
  • root@bt:~# whoami Zoltán Balázs
  • Deloitte
  • Senior IT security consultant
  • Deloitte Senior IT security consultant
  • I’m OSCP, C|HFI, CPTS, MCP, CISSP I’m NOT a CEH CyberLympics@2012 CTF 2nd runner up – gula.sh root@bt:~# whoami
  • zbalazs@deloittece.com https://hu.linkedin.com/in/zbalazs Twitter – zh4ck root@bt:~# whoami
  • I Love Hacking
  • I Love Hacker Movies
  • I Love Memes
  • The quest for the client-side elixir against zombie browsers Zombie browsers Is there a solution? – Common defensive solutions – Internet security suites – Online banking – client side solutions
  • The quest for the client-side elixir against zombie browsers http://is.gd/kiwidi http://is.gd/umusap Github: http://is.gd/safeno
  • History of malicious Firefox extensions. Malicious extensions – Facebook spamming – ad injection – search toolbars. (Chart: counts per year, 2004–2012, y-axis 0–80; *data from mozilla.org)
  • ©f-secure
  • My zombie browser extension Command and Control Stealing cookies, passwords Uploading/downloading files (Firefox only) Binary execution (only on Firefox - Windows) Webcam, geolocation Forging financial transactions Modifying content of the web page More on YouTube
  • HacmeBank demo. Now it is just a password, but a real site with OTP login or smart-card login will also fail against this attack. Transaction authorization can block this attack!
  • Code publication October 30, 2012 Mozilla blocked my extension in Firefox in 25 minutes
  • Advanced Mozilla 133t 3v4s10n 2013 https://bugzilla.mozilla.org/show_bug.cgi?id=841791
  • June 20, 2013 Chrome: Advanced scanning of extensions
  • Which company developed the first Netscape plugin in 1995 ? *****
  • Which company developed the first Netscape plugin in 1995 ? A***e
  • Which company developed the first Netscape plugin in 1995 ? Adobe
  • Axiom If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli
  • Attacks: password stealing, cookie stealing, webcam spying, reading user files, writing user files. Protections: NoScript, Browserprotect, Sandboxie
  • NoScript: „Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.” → won’t protect you against malware or another extension
  • Browserprotect „To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
  • Sandboxie: „Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protects (by default): writing files to disk (only to sandbox). Won’t protect against: – Password stealing – Cookie stealing – Webcam spying – Reading files
  • Attacker Victim
  • Internet security suites
  • Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
  • Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
  • Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profile Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
  • Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX?” Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
  • Vendor Nr. 4,5,... „Safe” browser solution
  • Avast Internet Security Suite Browser extension protection in safe browser DEMO
  • To the vendors: Don’t trust the local root CA! Protect proxy settings, browser files, browser settings! Do not use old, outdated browsers! Disable every browser extension! To the users: Do not use browser extensions to protect against browser extensions! Install and update AV!
  • „Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications” What??? – Recommended by big financial institutions, „download it and you will be safe” Vendor 1 (Zemana) Vendor 2 Vendor 3 Vendor 4 Conclusion ... ;-)
  • Firefox + Zemana + api hooking + extension DEMO
  • Vendor Nr. 2 Protects end-user endpoints against financial malware and phishing attacks. By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover. And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.
  • Vendor Nr. 2 Every extension disabled in Internet Explorer, but not in Firefox. They sent me a new version: every Firefox extension is disabled, but it is not public ... Plan for the future: they will detect if there is a malicious extension and that specific extension will be disabled in Firefox
  • Vendor Nr. 3 January, 2013: Firefox 13.01 (June, 2012). Install via registry (HKCU). Vendor contacted, problem solved. SSL MITM attack not working either, it protects its settings. GREAT SUCCESS
  • Vendor Nr. 4 Protects You From: Information stealing malware and spyware; 0-hour malware and targeted attacks; Sophisticated financial malware like ZeuS and SpyEye; Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
  • Moral lesson: I was searching for the elixir in the wrong forest The client side only solutions are doomed to fail Elixir should be looked for at the server side protection forest YouTube: http://is.gd/kiwidi SlideShare: http://is.gd/umusap GitHub: http://is.gd/safeno
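The closing slide's conclusion, and the HacmeBank slide's remark that transaction authorization can block the attack, point at the same server-side control: a confirmation code bound to the beneficiary and amount the user actually saw on a separate device, so a man-in-the-browser that rewrites the transaction in flight cannot reuse it. The block below is an added example, not code from the talk or from any bank: a minimal HMAC-based transaction-signing scheme with a constructed per-user device secret and a server-issued, single-use challenge.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Constructed per-user secret shared between the bank's server and the user's
# separate signing device (hardware token or an app on another phone). A real
# deployment provisions this per user; the value here is a placeholder.
USER_SECRETS: Dict[str, bytes] = {"alice": b"constructed-demo-secret-for-alice"}

# Only the fields the user confirms on the device are bound to the code.
SIGNED_FIELDS = ("from_account", "to_account", "amount", "currency")


def canonical_transaction(tx: dict) -> bytes:
    """Serialise the confirmed fields in a fixed order so both sides hash the same bytes."""
    fields = {k: str(tx[k]) for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def device_sign(tx: dict, secret: bytes, challenge: str) -> str:
    """What the signing device does after showing from/to/amount to the user:
    an 8-digit code bound to the challenge and to exactly those values."""
    msg = challenge.encode("ascii") + b"|" + canonical_transaction(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class BankServer:
    def __init__(self, user_secrets: Dict[str, bytes]) -> None:
        self._secrets = user_secrets
        self._pending: Dict[str, str] = {}  # challenge -> user it was issued to

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(8)
        self._pending[challenge] = user
        return challenge

    def authorize(self, user: str, submitted_tx: dict, challenge: str, code: str) -> bool:
        # Single use: the challenge is consumed on any attempt, so a captured
        # code cannot be replayed and a wrong guess costs a fresh challenge.
        if self._pending.pop(challenge, None) != user:
            return False
        expected = device_sign(submitted_tx, self._secrets[user], challenge)
        return hmac.compare_digest(expected, code)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (tampered_accepted, intended_accepted, replay_accepted)."""
    server = BankServer(USER_SECRETS)
    intended = {"from_account": "HU11 0000 0001", "to_account": "HU11 0000 0002",
                "amount": "100.00", "currency": "HUF", "memo": "rent"}
    # A man-in-the-browser swaps the beneficiary after the user approved on the device.
    tampered = dict(intended, to_account="HU11 9999 9999")

    c1 = server.issue_challenge("alice")
    code1 = device_sign(intended, USER_SECRETS["alice"], c1)
    tampered_accepted = server.authorize("alice", tampered, c1, code1)

    c2 = server.issue_challenge("alice")
    code2 = device_sign(intended, USER_SECRETS["alice"], c2)
    intended_accepted = server.authorize("alice", intended, c2, code2)
    replay_accepted = server.authorize("alice", intended, c2, code2)
    return tampered_accepted, intended_accepted, replay_accepted


if __name__ == "__main__":
    print("tampered / intended / replay accepted:", demo())
```

The point is where the check lives: the browser, its extensions and the user's whole PC are treated as hostile, and the only trusted inputs are what the device displayed and what the server receives. Note that the `memo` field is deliberately outside the signed set, so an in-browser change to it is not caught; whatever the device does not show the user cannot be protected by this scheme.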