SlideShare a Scribd company logo
1 of 63
Download to read offline
The Quest for the Client-Side Elixir
Against Zombie Browsers
a.k.a
Zombie Browsers Reloaded
Legal disclaimer:
Every point of views and thoughts are mine.
The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future.
What you will hear can be only used in test labs, and only for the good.
root@bt:~# whoami
Zoltán Balázs
Deloitte
Senior IT security consultant
Deloitte
Senior IT security consultant
I’m OSCP, C|HFI, CPTS, MCP, CISSP
I’m NOT a CEH
CyberLympics@2012 CTF
2nd runner up – gula.sh
root@bt:~# whoami
zbalazs@deloittece.com
https://hu.linkedin.com/in/zbalazs
Twitter – zh4ck
root@bt:~# whoami
I Love Hacking
I Love Hacker Movies
I Love Memes
The quest for the client-side elixir
against zombie browsers
Zombie browsers
Is there a solution?
– Common defensive solutions
– Internet security suites
– Online banking – client side solutions
The quest for the client-side elixir
against zombie browsers
http://is.gd/kiwidi
http://is.gd/umusap
Github: http://is.gd/safeno
History of malicious Firefox extensions
Malicious extensions
– Facebook spamming
– ad injection
– search toolbars
*Data from mozilla.org
0
20
40
60
80
2004 2006 2008 2010 2012
©f-secure
My zombie browser extension
Command and Control
Stealing cookies, passwords
Uploading/downloading files (Firefox only)
Binary execution (only on Firefox - Windows)
Webcam, geolocation
Forging financial transactions
Modifying content of the web page
More on YouTube
Hacmebank demo
Now it is just password
But real site with OTP login or smart-card login will
fail also this attack
Transaction authorization can block this attack!
Code publication
October 30, 2012
Mozilla blocked my extension in Firefox in 25 minutes
Advanced Mozilla 133t 3v4s10n 2013
https://bugzilla.mozilla.org/show_bug.cgi?id=841791
June 20, 2013
Chrome: Advanced scanning of extensions
Which company
developed the first
Netscape plugin in
1995 ?
*****
Which company
developed the first
Netscape plugin in
1995 ?
A***e
Which company
developed the first
Netscape plugin in
1995 ?
Adobe
Axiom
If a bad guy can persuade you to run his program
on your computer, it's not your computer
anymore. ©Microsoft
If a system can protect you against 300 different
attack methods, this means it won’t protect you
against the 301st. ©Zoli
Password stealing
Cookie stealing
Webcam spy
Reading user files
Writing user files
NoScript
Browserprotect
Sandboxie
NoScript
„Allows executable web content such as
JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also
offers specific countermeasures against security exploits.”
 won’t protect you against malware, another
extension
Browserprotect
„To protect your browser against malware
hijacking your browser settings like home
page, search providers and address bar search.”
„Runs your programs in an isolated space which prevents them from making permanent
changes to other programs and data in your computer.”
Protect (by default): writing files to disk (only to sandbox)
„Runs your programs in an isolated space which prevents them from making permanent
changes to other programs and data in your computer.”
Protect (by default): writing files to disk (only to sandbox)
Won’t protect:
– Password stealing
– Cookie stealing
– Webcam spying
– Reading files
Attacker
Victim
Internet security suites
Internet security suites
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Vendor 5
The conclusion will be the same ...
Internet security suites
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Vendor 5
The conclusion will be the same ...
Vendor Nr. 1
Detects and removes my Firefox
extension based on signatures
Über 133t signature 3v4s10n 2k13
One additional space in a line
„Improved security” Firefox extensions
Always two versions behind the actual
Firefox version
Vendor Nr. 1
Detects and removes my Firefox
extension based on signatures
Über 133t signature 3v4s10n 2k13
One additional space in a line
„Improved security” Firefox extensions
Always two versions behind the actual
Firefox version
Vendor Nr. 2
„Safe browser” solution
– Creating a new, „clean” Firefox profile
Extensions installed via registry (HKCU)
Modifying „Safe browser” SQLite
Vendor contacted, no solution yet
Vendor Nr. 2
„Safe browser” solution
– Creating a new, „clean” Firefox profil
Extensions installed via registry (HKCU)
Modifying „Safe browser” SQLite
Vendor contacted, no solution yet
Vendor Nr. 3
User question on a forum:
„Does XYZ detect/block Xenotix KeylogX?
Vendor Nr. 3
User question on a forum:
„Does XYZ detect/block Xenotix KeylogX?
Vendor official response:
„No it doesn't, and that's by design. Browser add-ons are
subject to the same sandboxing that the browser itself
runs through and therefore can be managed by the user
directly. ...
If you're suspicious of any add-ons, you should definitely
just remove them, or, open your browser in safemode
which avoids loading any add-ons.”
Vendor Nr. 3
User question on a forum:
„Does XYZ detect/block Xenotix KeylogX?
Vendor official response:
„No it doesn't, and that's by design. Browser add-ons are
subject to the same sandboxing that the browser itself
runs through and therefore can be managed by the user
directly. ...
If you're suspicious of any add-ons, you should definitely
just remove them, or, open your browser in safemode
which avoids loading any add-ons.”
Vendor Nr. 4,5,...
„Safe” browser solution
Avast Internet Security Suite
Browser extension protection in
safe browser
DEMO
P
To the vendors:
Don’t trust the local root CA!
Protect proxy settings, browser files, browser settings!
Do not use old, outdated browser!
Disable every browser extension!
To the users:
Do not use browser extensions to protect against browser extension!
Install and update AV!
„Endpoint Financial Fraud Prevention” and
„Anti-Keylogging Applications”
„Endpoint Financial Fraud Prevention” and
„Anti-Keylogging Applications”
What???
– Recommended by big financial
institutions, „download it and you will be safe”
Vendor 1 (Zemana)
Vendor 2
Vendor 3
Vendor 4
Conclusion ... ;-)
Firefox + Zemana +
api hooking + extension
DEMO
Vendor Nr. 2
Protects end-user endpoints against
financial malware and phishing attacks.
By preventing attacks such as
Man-in-the-Browser and Man-in-the-Middle, it
secures credentials and personal information and
stops financial fraud and account takeover.
And, it keeps endpoints malware-free by blocking
malware installation and removing existing
infections.
Vendor Nr. 2
Every extension disabled in Internet Explorer 
But not in Firefox 
They sent me a new version 
Every Firefox extension is disabled 
But it is not public ... 
Plan for the future:
They will detect if there is a
malicious extension and that specific
extension will be disabled in Firefox
Vendor Nr. 2
Every extension disabled in Internet Explorer 
But not in Firefox 
They sent me a new version 
Every Firefox extension is disabled 
But it is not public ... 
Plan for the future:
They will detect if there is a
malicious extension and that specific
extension will be disabled in Firefox
Vendor Nr. 3
January, 2013: Firefox 13.01 (June, 2012)
Install via registry (HKCU)
Vendor contacted, problem solved 
SSL MITM attack not working either, it protects
it’s settings
GREAT SUCCESS 
Vendor Nr. 4
Vendor Nr. 4
Protects You From:
Information stealing malware and spyware
0-hour malware and targeted attacks
Sophisticated financial malware like ZeuS and
SpyEye
Key loggers, screen grabbers, microphone and
webcam hijackers, SSL banker Trojans, spying
rootkits and many more
Protects You From:
Information stealing malware and spyware
0-hour malware and targeted attacks
Sophisticated financial malware like ZeuS and
SpyEye
Key loggers, screen grabbers, microphone and
webcam hijackers, SSL banker Trojans, spying
rootkits and many more
Vendor Nr. 4
Moral lesson: I was searching for the elixir in the wrong forest
The client side only solutions are doomed to fail
Elixir should be looked for at the server side protection forest
YouTube: http://is.gd/kiwidi
SlideShare: http://is.gd/umusap
GitHub: http://is.gd/safeno

More Related Content

What's hot

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE testBalazs Bucsay
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 

What's hot (19)

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunter
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Fuzzing
FuzzingFuzzing
Fuzzing
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Nginx warhead
Nginx warheadNginx warhead
Nginx warhead
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 

Similar to The Quest for Client-Side Protection Against Zombie Browsers

Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your BrowserAchim D. Brucker
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Internet security
Internet securityInternet security
Internet securityrfukunaga
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...CiNPA Security SIG
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)msz
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Operations security (OPSEC) in IT
Operations security (OPSEC) in ITOperations security (OPSEC) in IT
Operations security (OPSEC) in ITMichal Špaček
 
How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost coldfire007
 

Similar to The Quest for Client-Side Protection Against Zombie Browsers (20)

Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
App locker
App lockerApp locker
App locker
 
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Secure client
Secure clientSecure client
Secure client
 
Internet security
Internet securityInternet security
Internet security
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)
 
Sql securitytesting
Sql  securitytestingSql  securitytesting
Sql securitytesting
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Operations security (OPSEC) in IT
Operations security (OPSEC) in ITOperations security (OPSEC) in IT
Operations security (OPSEC) in IT
 
How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost
 
10 security enhancements
10 security enhancements10 security enhancements
10 security enhancements
 

More from Zoltan Balazs

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchainZoltan Balazs
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a matchZoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking Zoltan Balazs
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitőZoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’sZoltan Balazs
 

More from Zoltan Balazs (15)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Recently uploaded

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 

Recently uploaded (20)

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 

The Quest for Client-Side Protection Against Zombie Browsers

  • 1.
  • 2. The Quest for the Client-Side Elixir Against Zombie Browsers a.k.a Zombie Browsers Reloaded Legal disclaimer: Every point of views and thoughts are mine. The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. What you will hear can be only used in test labs, and only for the good.
  • 5. Senior IT security consultant
  • 7. I’m OSCP, C|HFI, CPTS, MCP, CISSP I’m NOT a CEH CyberLympics@2012 CTF 2nd runner up – gula.sh root@bt:~# whoami
  • 10. I Love Hacker Movies
  • 12. The quest for the client-side elixir against zombie browsers Zombie browsers Is there a solution? – Common defensive solutions – Internet security suites – Online banking – client side solutions
  • 13. The quest for the client-side elixir against zombie browsers http://is.gd/kiwidi http://is.gd/umusap Github: http://is.gd/safeno
  • 14.
  • 15. History of malicious Firefox extensions Malicious extensions – Facebook spamming – ad injection – search toolbars *Data from mozilla.org 0 20 40 60 80 2004 2006 2008 2010 2012
  • 17. My zombie browser extension Command and Control Stealing cookies, passwords Uploading/downloading files (Firefox only) Binary execution (only on Firefox - Windows) Webcam, geolocation Forging financial transactions Modifying content of the web page More on YouTube
  • 18.
  • 19.
  • 20.
  • 21. Hacmebank demo Now it is just password But real site with OTP login or smart-card login will fail also this attack Transaction authorization can block this attack!
  • 22. Code publication October 30, 2012 Mozilla blocked my extension in Firefox in 25 minutes
  • 23. Advanced Mozilla 133t 3v4s10n 2013 https://bugzilla.mozilla.org/show_bug.cgi?id=841791
  • 24. June 20, 2013 Chrome: Advanced scanning of extensions
  • 25. Which company developed the first Netscape plugin in 1995 ? *****
  • 26. Which company developed the first Netscape plugin in 1995 ? A***e
  • 27. Which company developed the first Netscape plugin in 1995 ? Adobe
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33. Axiom If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli
  • 34. Password stealing Cookie stealing Webcam spy Reading user files Writing user files NoScript Browserprotect Sandboxie
  • 35. NoScript „Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”  won’t protect you against malware, another extension
  • 36. Browserprotect „To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
  • 37. „Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protect (by default): writing files to disk (only to sandbox)
  • 38. „Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protect (by default): writing files to disk (only to sandbox) Won’t protect: – Password stealing – Cookie stealing – Webcam spying – Reading files
  • 41. Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
  • 42. Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
  • 43. Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
  • 44. Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
  • 45. Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profile Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
  • 46. Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profil Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
  • 47. Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX?
  • 48. Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX? Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
  • 49. Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX? Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
  • 50. Vendor Nr. 4,5,... „Safe” browser solution
  • 51. Avast Internet Security Suite Browser extension protection in safe browser DEMO P
  • 52. To the vendors: Don’t trust the local root CA! Protect proxy settings, browser files, browser settings! Do not use old, outdated browser! Disable every browser extension! To the users: Do not use browser extensions to protect against browser extension! Install and update AV!
  • 53. „Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”
  • 54. „Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications” What??? – Recommended by big financial institutions, „download it and you will be safe” Vendor 1 (Zemana) Vendor 2 Vendor 3 Vendor 4 Conclusion ... ;-)
  • 55. Firefox + Zemana + api hooking + extension DEMO
  • 56. Vendor Nr. 2 Protects end-user endpoints against financial malware and phishing attacks. By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover. And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.
  • 57. Vendor Nr. 2 Every extension disabled in Internet Explorer  But not in Firefox  They sent me a new version  Every Firefox extension is disabled  But it is not public ...  Plan for the future: They will detect if there is a malicious extension and that specific extension will be disabled in Firefox
  • 58. Vendor Nr. 2 Every extension disabled in Internet Explorer  But not in Firefox  They sent me a new version  Every Firefox extension is disabled  But it is not public ...  Plan for the future: They will detect if there is a malicious extension and that specific extension will be disabled in Firefox
  • 59. Vendor Nr. 3 January, 2013: Firefox 13.01 (June, 2012) Install via registry (HKCU) Vendor contacted, problem solved  SSL MITM attack not working either, it protects it’s settings GREAT SUCCESS 
  • 61. Vendor Nr. 4 Protects You From: Information stealing malware and spyware 0-hour malware and targeted attacks Sophisticated financial malware like ZeuS and SpyEye Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
  • 62. Protects You From: Information stealing malware and spyware 0-hour malware and targeted attacks Sophisticated financial malware like ZeuS and SpyEye Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more Vendor Nr. 4
  • 63. Moral lesson: I was searching for the elixir in the wrong forest The client side only solutions are doomed to fail Elixir should be looked for at the server side protection forest YouTube: http://is.gd/kiwidi SlideShare: http://is.gd/umusap GitHub: http://is.gd/safeno

Editor's Notes

  1. Hi everyoneHow many of you use online banking? Come on!!! How many of you use online banking or bitcoin trading site? Hands upHow many of you use browser extensions in the same browser?Last question: how many of you are willing to install my extension into your browser?Today I’m going to talk about dangerous browser extensions and client side protection attempts
  2. This is my name
  3. This is where I work
  4. This iswhat I’m paid for
  5. This is the work most of the people think consultants are paid for
  6. And this is what I’m proud aboutand I’m also a proud member of the gula.sh team, we scored as second runner up on the Global Cyberlympics competition last year.
  7. These are my contacts
  8. This is what I do 24 by 7
  9. This is what I watch after hacking
  10. And this is what I browse when I’m not hacking or watching hacker movies
  11. In the beginning of my presentation I will talk about the malicius browser extensions, what they are capable of. And after that I will show you what kind of client side protections I was analysing against malicious browser extensions, like internet security suites.
  12. If you are later interested, you can watch a lot of demos about this at the following youtube link, and you can also watch my previous presentations about this topic on slideshare, or download the source code from github.
  13. Most of you remember how an average internet explorer 6 looked like in 2004. I bet all of you would go crazy of those crappy extensions. Do you remember that irritating purple monkey dancing in the corner of your browser? it is one of the first malicous browser extensions which spied on users browsing activity.
  14. How does it work in practice? After the browser is infected, the extension polls the attacker webserver for new commands. If there is a new command, the client browser will execute it, like upload files from the victim to attacker, and so on.
  15. Butdon’tforgetthatFirefox is alsosupportedon OSX, Linux, Windows, and evenonAndroid. ...
  16. YoumightthinkthatChrome is safe, badnewsit’snot. MyzombieextensionwillhackyourChromeorSafariaswell.
  17. After I had developed my malicious browser extensions against Firefox, Chrome, and Safari, I sent this code to 15 different AV vendors, so they could put it into their signature list and block it.
  18. Which means that currently 10 AV vendor blocks my Firefox extension, to 5 out of 10 my code has not been sent. After doing the basic math, this means there are 10 AV vendors I have sent my code, but they are not blocking it.
  19. And 5 AV vendors do detect my Chrome extension. I don’t have any good explanation about that.
  20. I have two lessons to draw from this case:Firstly dont send encrypted ZIP files to the Antivirus vendors, because it might happen that they might be unable to process it, even if the email contains the password. Secondly if you send a ZIP file containing more than 10 files, it might be rejected by the AV vendors. The problem is that browser extensions are basically ZIP files, containing files of any amount. So if I create a browser extension containing 100 files, the users wont be able to send the samples to the antivirus vendors.
  21. And I published my malicious browser extensions on Github, it has been blocked in Firefox after 25 minutes .
  22. But unfortunately, it took me less time to circumvent this blocking. You can see two differences on the two source codes. The first one is that the extension has a different ID, and the second difference is that the first one is blocked by Firefox, but the second one is not.If you check this link, you can see that this problem is also exploited by the bad guys.
  23. And evenin the official Google chrome extension store you might find malicious browser extensions sometimes. So if you downloaded this bad piggies extension, instead of hunting for bad piggies you had to hunt for malicious browser extensions on your computer.1.5 months ago Google announced that they will scan for malicious extensions more effectively, it still has to prove itself.
  24. And there will always be people who want to change the colour of their facebook page, and they download some extension having very powerful privileges just to change their facebook colour. For example look at this one. Why should a facebook colour changer extension need to access all your websites and all your browsing information?
  25. Beforeall of youfallasleep, here is a littlequizforyou.The first correct answer will be honored by two bottle of hacker beer.And thequestion is: whichcompanydevelopedthefirst Netscape pluginin 1995?
  26. Here is a littleclueforyou
  27. That’s right, Adobe. Funnything is thattheyarestillunabletodevelopsecureextensionswith 17 years of experiencebehindthem.
  28. There is a rootkit in the wild since 2007 called mebroot, which installs its malicious chrome extension after the computer is infected, and manipulates in the background the online financial transactions. I believe the bad guys had been unable to manipulate the transactions in chrome via traditional attacks, so they created malicious browser extensions to do that job.After I saw there wer eso many problems with malicious browser extensions,
  29. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  30. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  31. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  32. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  33. During my quest I bumped into two axioms. The first axiom warned me when an evil program code is running on my computer, my computer will perish. The second one drew my attention to the fact that if the system protects me against 300 different attack methods, it wont protect me against the 301st one.
  34. So then I plucked up all my courage and set out for the realm of extensions and sandboxing technologies to see how they would protect my computer against my malicious extension - all those evil things like password stealing or webcam spying etc.
  35. Noscript does what it promises. But it never promised to protect the users against malicious browser extensions. And dont forget that the settings of the firefox extensions are like a big happy family picnick, everybody can do whatever they want. Which means every extension can change the setting of another extension. This means that my browser extension can change the settings of Noscript as well.
  36. The browserprotect extension is basically the same from this point of view, it does what it promises, but it cant protect the users against malicious browser extensions, and my extension can change the browserprotect settings as well.
  37. The sandoxie program was a big surprise for me, or rather a big disappointment. To tell the truth, I would not recommend sandboxie to protect the average home users. Because by default it does nothing but prevents modifications outside of the sandbox.
  38. This means that I can steal passwords, cookies, and even spy on the users webcam, steal confidential user files.
  39. I’ll show how sandboxing technology works in the next demo. Just for clarification, when you see the „Hack the planet”, it is me, the attacker. And when you see unicorns and rainbows, it is the victim browser.
  40. Our next topic is the internet security suites, how they can or cannot protect you against malicious browser extensions.
  41. I wont mention any vendor names, but I promise you, the conclusion will be the same. These are the biggest and most popular internet security suites. Think about vendors with their names starting letter S or K.
  42. The first vendor detects and removes my extension on a signature basis (because I have sent my code to them). But if I insert an extra space character in one of the lines in my source code, the extension wont be detected any more. And this Internet security suite also installs its own extensions into Firefox, which are always two versions behind the current Firefox version. So they never run on my computer, because it was always blocked by firefox.
  43. So my extension was able to circumvent the protection of this internet security suite.
  44. The next vendor promises a safe browser, which is merely a new clear default Firefox profile. The problem with this approach is that I can install my extension into this safe browser at least 2 different ways. One of these ways is to modify the user registry settings, which will install the extension into this safe browser. The second approach is to modify the SQLite database of this safe browser. I alreadycontacted the vendor, but they have not fixed this yet.
  45. The next vendor is my favourite one. A user on an internet forum asked the vendor, whether their product can protect him against Xenotix keylogx. This is a proof of concept malicious browser extension, created by Ajin Abraham, who was planned to do his presentation.
  46. The vendors response is so beautiful that it’s worth to be analyzed word by word, just like a poem. The poet starts with an in medias res beginning, „no it doesnt at thats by design”, so it states it won protect the user. What the poet meant about by design, I have no idea. It is also for sure that in Firefox there is nothing like sandboxing. And by suggesting to remove the extension the vendor implies that the extension is not to be hid from the user. And why the heck should I buy their product, if I have to detect and remove the extension by myself????
  47. And I looked at other safe browser solutions in internet security suites, but they all proved to be useless, and I was a very very sad panda
  48. I almost gave up, when I found the Avast Internet Security Suite. I was not able to install my extension into their safe browser, so I had to find other ways to hack it. In the next demo, I’m going to show you how I can circumvent the protection of Avast safe browser.
  49. My suggestions to the vendors who promise safe browser solutions are the followings:Do not trust the local root certificate lists. Protect the settings and the files of the safe browser.Do not use old, outdated, vulnerable browsers.And my suggestions to the users are:Do not use browser extensions to protect against malicious browser extensions. And last but not least install and update your antivirus solution, because it will protect you in 90% of the cases.
  50. As I failed to find the elixir, my next challenge had to be to move on. So I went on and left the forest of internet security suites and entered the promising field of the Endpoint Financial Fraud Prevention and Anti-Keylogging applications
  51. In case you did not know what these are, these applications are usually recommended by big financial institutions, saying „if you use this, you will be safe”. And again, I wont mention the vendors names, but the conclusion will be the same
  52. Usually these applications will protect you against the so called „API hooking” attack. In the next demo, I’m going to show you this attack.First, I’ll show how Zemana protection will protect you against this API hooking attack, which is used by financial malwares like Zeus or Spyeye, and how Zemana wont protect you against malicious browser extensions.
  53. Vendor nr 2. promises an awful lot of things, lets see this in practice.
  54. In the Internet Explorer every extension was disabled, but not in Firefox. I contacted the vendor, and they sent me a new version in less than a week, where every firefox extension was disabled. I was very excited, but then I asked whether this version will be the next public version, however their answer made me sad. It turned out that it was not a public version, it was only sent to me. They have a plan to detect and block the malicious browser extensions individually.
  55. And I think this is OK, they are the experts, they know what they are talking about. I hope, they do.....
  56. Vendor number 3. When I tested this vendor, they were using an old, vulnerable Firefox version. And I was also able to install my extension into their safe browser. I contacted the vendor, and they fixed their product in less than a week, so right now there is no way to hack this safe browser that I know of. But to tell you the truth, I did not waste my time trying to find other ways to hack it.
  57. Vendor number four was also a great fun to test. First, the application indicated that it has found a malware on my computer, but it turned out that it was only the Symantec it detected as a malicious software.
  58. It promises a lot of things, but it can not protect you against malicious browser extensions.
  59. At the end of my journey I had to realize that the axioms are really true, and that I have been looking for the elixir in the wrong place, because the client side protections are deemed to fall. On these links you can find the source code to my malicious browser extensions, my previous presentations about malicious browser extension