This document summarizes a presentation about creating a backdoor in the Thunderbird email client using extensions. It describes how the backdoor would check for encrypted commands in images attached to emails, execute commands on the system by hiding output in email replies, and avoid detection through techniques like modifying existing trusted extensions and hiding the backdoor's updates. The presentation demonstrates capabilities of the backdoor like retrieving PGP keys and proposes ways to improve and expand its capabilities.
Ведущий: Макс Мороз
Обзор системы ClusterFuzz, позволяющей осуществить проверку браузера Chrome на наличие уязвимостей в режиме реального времени и получить воспроизводимые результаты исследования каждого конкретного сбоя. Будут продемонстрированы преимущества использования различных санитайзеров и LibFuzzer, библиотеки для направленного фаззинга. Будет приведена подробная статистика видов уязвимостей, найденных в Chrome. Слушатели узнают о подводных камнях распределенного фаззинга; о том, как можно запустить свои собственные фаззеры в инфраструктуре Google и получить вознаграждение за найденные уязвимости.
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들GangSeok Lee
2010 CodeEngn Conference 04
각종 논문 데이터나 기타 연구자료들을 살펴보면 키보드보안의 한계점에 대해 지목하고 그것에 대한 보완 대책을 논의하고 있는 내용이 많다. 물론 그러한 학문적인 접근도 중요하지만, 실제 키로깅을 하고 있는 해커의 입장에서는 어떤 식으로 키입력과 계정을 가져가는지 해커의 접근 방법을 살펴보는 것도 필요하다. 일반적으로 해커들은 커널 레벨이나 하드웨어 지식 베이스에 입각한 난해한 기법보다는, 보다 간편하며 실용적인 방법을 통해 계정을 가져간다. 그리고 그 같은 행위는 현재 키보드보안의 커버 범위를 뛰어넘는 새로운 기법을 보여주는 경우가 대다수이다. 이런 상황을 배경으로 실제 기업에서 발생하고 있는 사례나, 유저의 감염케이스를 리버스 엔지니어링으로 살펴보는 시간을 마련했다. 바이너리 해킹의 예술을 맛볼 수 있는 Art of Keylogging 발표에서 키 입력 탈취에 대한 새로운 트렌드를 소개한다.
http://codeengn.com/conference/04
Ведущий: Макс Мороз
Обзор системы ClusterFuzz, позволяющей осуществить проверку браузера Chrome на наличие уязвимостей в режиме реального времени и получить воспроизводимые результаты исследования каждого конкретного сбоя. Будут продемонстрированы преимущества использования различных санитайзеров и LibFuzzer, библиотеки для направленного фаззинга. Будет приведена подробная статистика видов уязвимостей, найденных в Chrome. Слушатели узнают о подводных камнях распределенного фаззинга; о том, как можно запустить свои собственные фаззеры в инфраструктуре Google и получить вознаграждение за найденные уязвимости.
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들GangSeok Lee
2010 CodeEngn Conference 04
각종 논문 데이터나 기타 연구자료들을 살펴보면 키보드보안의 한계점에 대해 지목하고 그것에 대한 보완 대책을 논의하고 있는 내용이 많다. 물론 그러한 학문적인 접근도 중요하지만, 실제 키로깅을 하고 있는 해커의 입장에서는 어떤 식으로 키입력과 계정을 가져가는지 해커의 접근 방법을 살펴보는 것도 필요하다. 일반적으로 해커들은 커널 레벨이나 하드웨어 지식 베이스에 입각한 난해한 기법보다는, 보다 간편하며 실용적인 방법을 통해 계정을 가져간다. 그리고 그 같은 행위는 현재 키보드보안의 커버 범위를 뛰어넘는 새로운 기법을 보여주는 경우가 대다수이다. 이런 상황을 배경으로 실제 기업에서 발생하고 있는 사례나, 유저의 감염케이스를 리버스 엔지니어링으로 살펴보는 시간을 마련했다. 바이너리 해킹의 예술을 맛볼 수 있는 Art of Keylogging 발표에서 키 입력 탈취에 대한 새로운 트렌드를 소개한다.
http://codeengn.com/conference/04
One Year of Porting - Post-mortem of two Linux/SteamOS launchesLeszek Godlewski
2013 was the year in which Linux finally got the attention of game developers; it was also the year in which my first two Linux/SteamOS ports were released. This talk will cover the learnings of one year of porting work from a programmer's point of view: DOs and DON'Ts and issues both expected and unexpected.
Ведущий: Артем Шишкин
Доклад описывает разработку средства отладки при помощи виртуализации: как применить существующие средства виртуализации для отладки, как обеспечить целостность отлаживаемой среды, как сделать отладку интерактивной и как обуздать низкоуровневую специфику аппаратной виртуализации. Докладчик расскажет об интеграции железа с операционной системой и о том, как встроить отладчик прямо в прошивку. Будут рассмотрены несколько жизненных примеров динамического анализа.
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.
Linux commonly connotes with open-source zealots and a small PC market
share, not blockbuster video games. However, the arrival of Steam on
the platform might change the outlook quite dramatically, and Linux
support may soon become a must-have feature for your game. Setting the
open-source ideology aside, this lecture is an overview of the
technical challenges a game developer may face while porting their
game to this platform, along with solutions.
Presenter notes: https://www.dropbox.com/s/lq6oxuw1s3bhoun/Advanced%20Linux%20Game%20Programming%20%E2%80%93%20Presenter%20Notes.pdf
Ever since the advent of SteamOS, interest in game development for Linux has seen an increase. This lecture aims to address some more advanced issues encountered by programmers on this platform, beyond the very basic Linux setup, and drawing from over a year and two and a half games of experience in the subject. The areas discussed will be:
• Executable build improvements
• Crash handling and reporting
• Memory debugging
• OpenGL instrumentation and debugging
• Various caveats, tips and tricks.
Egress-Assess and Owning Data ExfiltrationCTruncer
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
One Year of Porting - Post-mortem of two Linux/SteamOS launchesLeszek Godlewski
2013 was the year in which Linux finally got the attention of game developers; it was also the year in which my first two Linux/SteamOS ports were released. This talk will cover the learnings of one year of porting work from a programmer's point of view: DOs and DON'Ts and issues both expected and unexpected.
Ведущий: Артем Шишкин
Доклад описывает разработку средства отладки при помощи виртуализации: как применить существующие средства виртуализации для отладки, как обеспечить целостность отлаживаемой среды, как сделать отладку интерактивной и как обуздать низкоуровневую специфику аппаратной виртуализации. Докладчик расскажет об интеграции железа с операционной системой и о том, как встроить отладчик прямо в прошивку. Будут рассмотрены несколько жизненных примеров динамического анализа.
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.
Linux commonly connotes with open-source zealots and a small PC market
share, not blockbuster video games. However, the arrival of Steam on
the platform might change the outlook quite dramatically, and Linux
support may soon become a must-have feature for your game. Setting the
open-source ideology aside, this lecture is an overview of the
technical challenges a game developer may face while porting their
game to this platform, along with solutions.
Presenter notes: https://www.dropbox.com/s/lq6oxuw1s3bhoun/Advanced%20Linux%20Game%20Programming%20%E2%80%93%20Presenter%20Notes.pdf
Ever since the advent of SteamOS, interest in game development for Linux has seen an increase. This lecture aims to address some more advanced issues encountered by programmers on this platform, beyond the very basic Linux setup, and drawing from over a year and two and a half games of experience in the subject. The areas discussed will be:
• Executable build improvements
• Crash handling and reporting
• Memory debugging
• OpenGL instrumentation and debugging
• Various caveats, tips and tricks.
Egress-Assess and Owning Data ExfiltrationCTruncer
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
Introductory presentation by Gavin King (Red Hat) on the Ceylon Project, given at QCon Beijing on 9 April 2011. Original Source: http://www.qconbeijing.com/download/Gavin%20keynote.pdf
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
"Safely Storing Secrets and Credentials in Git for use by
Puppet: The BlackBox Project" presented by Thomas A. Limoncelli, Stack Exchange at Puppet Camp NYC 2014
Docker Security - Secure Container Deployment on LinuxMichael Boelen
How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis.
Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now.
With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them.
In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...Tom Limoncelli
A presentation given at PuppetCamp NYC 2014 about why Puppet users should stop storing secrets in Git/Hg and encrypt them instead. TLDR: It enables collaboration.
Presentation from the 4th Athens Gophers Meetup.
At a glance we present:
- why we introduced a new language in the organization and why that
was Go
- how we approached the transition
- some of the projects we built in Go
- the challenges we faced and the lessons we learned in the process
The Magic of Headless Browser + Puppeteer: Using DevTools Without opening DevTools & GitKraken as a legendary Git GUI Client
1. The power of "Headless Browser". Your invincible genie.
2. Extending the power of headless even more - amazing things we can do with "Puppeteer".
3. "GitKraken" - an intuitive Git GUI client that 1.7 Million+ Devs Rely on.
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...Nico Meisenzahl
Cloud native environments are a double edged sword - used right, the benefits are immense. However, it also introduces multiple entry points for example security breaches.
In this session, Nico will show how application vulnerabilities make it easy to hijack a Kubernetes cluster. He will also talk about why it's important to implement zero-trust to prevent data leaks and malicious workloads from being executed on a hijacked cluster.
In addition, you will learn how GitLab can protect you from being hijacked. Nico will talk about how to create more secure applications by using Static Application Security Testing (SAST) as well as how to secure your Kubernetes cluster with Container Host Security, Container Network Security or a Web Application Firewall.
Integrating Puppet and Gitolite for sysadmins cooperationsLuca Mazzaferro
In this slides is presented a light solution based on the integration between Puppet-Foreman and Gitolite to the problem: How to enable many sysadmins to work together on one work environment without interfering with each other?
HKG15-407: EME implementation in Chromium: Linaro Clear Key Linaro
HKG15-407: EME implementation in Chromium: Linaro Clear Key
---------------------------------------------------
Speaker: Matt Snoby
Date: February 12, 2015
---------------------------------------------------
★ Session Summary ★
An example of a key system from a Clear Key point of view. Linaro implemented a sample CDM plugin for Chromium capable to exercise the EME implementation of the browser. The presentation gives an insight to the EME/CDM implementation in Chromium and the guidelines to integrating various DRM systems. We will present call flows with example classes, experiences learned, and example of things to watch out for.
--------------------------------------------------
★ Resources ★
Pathable: https://hkg15.pathable.com/meetings/250835
Video: https://www.youtube.com/watch?v=dJqCbTfKrMk
Etherpad: http://pad.linaro.org/p/hkg15-407
Also see: http://www.slideshare.net/linaroorg/hkg15407-eme-implementation-in-chromium-linaro-clear-key
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2015 - #HKG15
February 9-13th, 2015
Regal Airport Hotel Hong Kong Airport
---------------------------------------------------
http://www.linaro.org
http://connect.linaro.org
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Accelerate your Kubernetes clusters with Varnish Caching
The Listening: Email Client Backdoor
1. The Listening
Email Client Backdoor
Esteban Guillardoy
esteban@immunityinc.com
1
2. Introduction
● This presentation will focus on a backdoor
implementation based on Thunderbird 3.x
● Different approach taking advantage of the
addon/extension features
● How to make it persistant and hide the C&C by
using steganography
2
3. Demo
How cool is this presentation?
It is starting with a demo :)
3
4. How all this started
● Never leave the office without locking
your session - FAIL!
● Malicious Brainstorming...
4
5. Adapting the idea
● Web Browsers are
commonly targeted
● But Email Clients are not
● Why not using this as a
real backdoor?
5
6. The challenge
● Targets go on and off
● Covertness without losing reliability
● Routing the data
● Stealthiness
● Resistance to traffic analysis
● No suspicious open ports
● Avoid antiviruses & scanners
● Thinking of future trojans
6
7. Why an email client
Don't you use one? Is it Thunderbird?
7
8. Email Client Extensions
● Only Thunderbird 3.x for now
● multiplatform backdoor out of the box
● Trusted code
● Full access to all client functions
● Program execution
● Easy development
● Solve us part of the challenge
8
10. Features
● Doesn't require user interaction
● Hidden C&C using steganography on images
● Encryption using public & private key
● Processes every email that arrives to the client
● Predefined Actions
● Command execution with output retrieval
10
15. Email Check
● Listener on notification service
Components.classes["@mozilla.org/messenger/msgnotificationservice;1"];
notificationService.addListener(this, notificationService.msgsClassified);
● Our method gets called with each new email
● Filter messages by checking attachments
“attachment.contentType.match(/image/png/) != null”
15
16. Encryption
● Private & Public key algorithm (PGP)
● Used to send commands & output
● Implementation in Javascript
● Wrapper around gnupg in Python
16
17. Hiding Information
● Steganography on images to hide the info
● Who applies steganalysis on every image
attached on an email?
● Common approach is to avoid external images
from loading
Message: “INFILTRATE 2011”
Original Modified
17
18. Hiding Information
● Least Significant Bit (LSB) algorithm
0 1 1
0 1 1 0 0 0 0 1 = “a”
● We need 3 pixels per byte to hide
● If image is greyscale we could use more than
1 bit per pixel
18
19. Hiding Information
● Python Implementation
● Using Python Imaging Library (PIL)
● Some bitwise operations and we are ready
● Javascript Implementation
● Hidden iframe to create a HTML5 canvas element
● Retrieve pixel info with:
var context = canvas.getContext('2d');
var data = context.getImageData(0,0,canvas.width,canvas.height);
19
20. Execution
● Using XPCOM interfaces nsIProcess or nsIProcess2
● Fix arguments to redirect output to temp file
● Read temp file and then delete it
20
21. Getting Output
1) XMLHttpRequest
2) Sending an email
● New email:
Components.classes["@mozilla.org/messengercompose;1"]
Components.classes["@mozilla.org/messenger/account-manager;1"]
● Send it:
Components.classes["@mozilla.org/messengercompose/compose;1"]
● Delete it from Sent folder
21
22. Deployment
● Discover profiles by reading profiles.ini:
● Windows, usually in %AppData% Thunderbird
● Linux, usually in ~/.thunderbird/ or
~/.mozilla-thunderbird/
● Mac OS X, usually in ~/Library/Thunderbird/
22
23. Deployment - Injecting
Existing Addon
1) Installed addons in %profile-dir%/extensions.ini
2) Copy backdoor into %selected-addon%/content/
3) Edit chrome.manifest
overlay chrome://messenger/content/messenger.xul
chrome://selected-addon/content/backdoorOverlay.xul
● Hard to detect
● User trusts installed addons
● Addon updates are a problem
23
24. Deployment - New Addon
1) Copy backdoor into TB extensions folder
2) Create a file with random name (an uuid)
3) write the path to backdoor folder
● May be easily detected by looking a the
Extensions Manager
● But we can use a trick to hide it
24
26. Deployment alternatives
● Install Manifest (install.rdf)
<em:updateURL>
<em:updateKey>
● Mozilla Addons Updates
1) Update manifest retrieved in a secure fashion
Through SSL
Signed Update Manifests
2) Update package retrieved matches
Through SSL
File Hashes
● Publishing on Mozilla Addon Site (AMO)
Policies & Review Process
Sandbox then public
Blocklist 26
27. Deployment alternatives
● MITM to deliver fake updates
● (P)Owning widely used addon sites (?)
● Become a reviewer for a long time (?)
● Using Mozilla cert to sign updates #comodogate :P
● Zamboni project (new AMO site)
Source code available
● https://github.com/jbalogh/zamboni
● https://github.com/mozilla/zamboni
Audit the code and test you said?
Master visible on https://preview.addons.mozilla.org
Next branch visible on https://next.addons.mozilla.org
27
28. Avoiding detection
● <em:hidden> deprecated since Gecko 1.9.2
● Hooking Extensions Manager
● Overlay for
chrome://mozapps/content/extensions/extensions.xul
● Some javascript code to filter our extension
chrome://mozapps/content/extensions/extensions.js
28
29. Avoiding detection
● Skip updates by editing install.rdf file:
<em:updateURL>FAKE URL HERE</em:updateURL>
This url could also be used to update our backdoor
● Disabling extensions updates globaly:
● extensions.update.enabled
● extensions.update.interval
● extensions.update.url
29
31. Getting PGP Information
● Enigmail Addon commonly used
● Hook “enigMessageDecrypt”
● Prompt for passphrase twice
● EnigGetSecretKeys &
enigmailSvc.extractKey FTW
● Match passphrase with ID
31
32. Improvements
● Better steganography algorithms
● Unicode steganography
● Inject all addons
● More methods to get output
32
34. Conclusion
● Complete SDK to develop
● Global scope useful for us
● Multiplatform backdoor
● Hijacked extensions are hard to detect
● Execution with common user but..
● Further research on other email clients
34
35. Reference & Similar work
● Mozilla Develper Network
● mozillaZine KB & Forum
● StackOverflow questions
● Immunity PINK Framework
● Abusing Firefox Addons at Defcon17
● Digninja twitter botnet (unicode steg)
● IronGeek steg botnet
35
36. The End
Thank you for your time
Questions?
Esteban Guillardoy
esteban@immunityinc.com
@sagar38
36