Claimed to be most secure and most efficient web browser
A way to extend Firefox to customize or add more functionality to it
Most of the popular websites (Google, Stumbleupon, Facebook etc.) provide their toolbar in form of extension
Popular functionalities like FTP, CHMReader, Flashblock, Adblock etc are available in form extensions
Malware – How it works
A look at existing vulnerabilities
How malware can find its way on to victim’s Firefox
Lets meet john Uses internet for social networking. For example Facebook, orkut, myspace etc. Uses Email for professional as well as personal communication. For ex. Gmail, Yahoo or Corporate webemail Uses internet for his credit card transactions. For ex. Citibank, ICICI bank, HSBC etc Uses internet banking for managing his day to day finance activity Blogs on internet for professional as well as personal purpose.
John’s online world Problem Statement How to retrieve values of elements like username, password, credit card number, IPIN etc for a particular web resource (Gmail /Yahoo/Banking website etc)
Malware -Architecture Our Malware is nothing but a malicious Firefox extension Target List Secret List Secret Collector Engine Communicator Module
Intercept http requests being made by the browser
Malware - Secret Collector -I Normal http request process Parse http request And Retrieve user typed Web secrets
Malware - Secret Collector - II
Different Components within the Firefox can register to send/receive notifications.
Some standard notifications --
Domwindowopened / domwindowclosed
http-on-modify-request / http-on-examine-response
How to intercept http request “ Notifications” mechanism in Firefox ???
Malware -Target List Set of websites we want to steal secrets for URL: https://www.google.com/Auth Number of attributes: 2 Attribute Names: Email, Passwd
Malware - Secret List Set of collected secrets URL: https://www.google.com/Auth Number of attributes: 2 Name: Email, Value:firstname.lastname@example.org Name: Passwd Value :helloworld
Communicator Module Target List Secret List Internet
How it can find its way to john’s Firefox - I
Installing malicious extension
Command line silent install (firefox.exe –install –silent …XXX)
Using Firefox’s extension installation wizard
Copy malicious extension’s file in extension directory of Firefox
Exploit FireFox’s vulnerability (For ex. Extension upgrade vulnerability, quicktime RSTP vulnerability) to push the extension
Installing the malicious extension exploiting vulnerability in some other existing application
Bundle it in some other popular extension and redistribute
Host malicious extension on a webserver and craft a webpage to drive user to install the hosted extension
How it can find its way to john’s FireFox - II
Firefox extension upgrade vulnerability
Firefox upgrade mechanism
enabling the extensions to poll an Internet server for updates
If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code.
Extensions fetching update from a http ://www.xxx.com (non-SSL webserver) instead of https: //www.xxx.com (SSL enabled webserver) are vulnerable to DNS based man in the middle attack.
Facebook is a very popular social network site. It provides a FF toolbar as an FF extension.
Any FF with facebook toolbar (v 1.1) is vulnerable to update vulnerability.
Package our malicious extension in existing facebook toolbar (v1.6) and will push it through the update vulnerability
Once malicious extension is installed in FF. The victim’s FF is compromised.
Attack Flow Facebook extension update Server Attacker’s update Server Hosting malicious extension John’s FF running Facebook extension Hacker running Master Server X Y Untrusted public network What is IP of update server Update server is at Y Fetches Target Lists Sends collected Secrets
Do not use public computer for important information exchange
Install Firefox extensions from authentic sources (https://addons.mozilla.org) only
Regularly check list of installed extensions
Observe Firefox’s performance. Anomaly in performance may be due to an unwanted extension