SlideShare a Scribd company logo

Zombie browsers spiced with rootkit extensions - DefCamp 2012

DefCamp
DefCamp

This document discusses the risks of malicious browser extensions and demonstrates a proof of concept homemade Firefox extension created by the author that is capable of command and control, stealing cookies and passwords, uploading and downloading files, executing binary code, bypassing geolocation restrictions, and remaining undetected by antivirus software. The author argues that browser extensions pose serious risks and outlines recommendations for browser developers, website developers, antivirus companies, companies, and users to help mitigate these risks.

1 of 45
Download to read offline
Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary Instructor @NetAkademia.hu OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals 2012 - 2nd runner up
I love Hacking
I love Zombie movies
I love LOLcats
Zombies + Hacking + LOLcats = I R ZOMBIE
Zombie browsers, spiced with rootkit extensions DefCamp 2012 • Legal disclaimer: • Every point of views and thoughts are mine. • The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. • What you will hear can be only used in test labs, and only for the good.
About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 23, 2012: 49* *Data from mozilla.org
More examples on Facecrook Text ©f-secure
My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
Safari demo
Installing the extension Physical access Social Engineering Remote code execution – without user interaction
Firefox rootkit 1 • Hook into other extension (even signed ones)
Firefox rootkit 2 •visible = false
Firefox rootkit 3 •seen in the wild
Risks of a Zombie Browser •Eats your brain while you are asleep
Risks of a Zombie Browser
Risks of a Zombie Browser •Firewall/proxy  •Local firewall  •Application whitelisting  •Web-filtering 
Risks of a Zombie Browser • Cross-platform  • Cross-domain Universal XSS  • Every secret is available  • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source codes are available  • Advantage against meterpreter  • exe/dll is not needed for persistence
Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension var _0x39fe=["x73x63x72x69x70x74","x63x72x65x61x7 4x65x45x6Cx65x6Dx65x6E x74","x74x79x70x65","x74x65x78x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4], _0x39fe[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval")
Profit ...
Firefox
Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (eg. portscan) • Platform limitations (eg. Execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
Gmail demo • defeat 2 step verification • Why Google? • Hacking “the others” is boring • clear text cookies • missing 2 step verification • no concurrent session detection
Gmail demo •defeat 2 step verification
One to rule them all • Cookie + password stealing – defeat Google 2-step verification • Use password reset on other sites linked to G-mail (Paypal, etc.) • Install any app from Google Play to victim’s Android phone • Access Android WIFI passwords • Access to Google+, Docs, Picasa, Blogger, Contacts, Web history, Checkout, Apps, OpenID • Backdooring Google account • Adding application specific password • Stealing backup codes • G-mail mail forward rule
Chrome - rootkit
Chrome - distributed password hash cracking • Idea and coding by my friend and colleague, WoFF • Password hash cracking performance • Javascript: 82,000 hash/sec • Chrome native client: 840,000 hash/sec • Native code (john): 11,400,000 hash/sec
Zombie Android •Android SQLite Journal Information Disclosure (CVE-2011-3901) •Android 2.3.7
Firefox webcam
Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep on the good job • but disable NPAPI :)
Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use separated OS for e-banking and other sensitive stuff • Removing malicious extensions - create new clean profile in clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
One more thing ...
References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012
Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code released under GPL http://github.com/Z6543/ ZombieBrowserPack Greetz to @hekkcamp

Recommended

[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsnDEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsnFelipe Prado
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 

Recommended

[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsnDEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsn
DEFCON 23 - jeremy dorrough - usb attack to decrypt wifi communicationsnFelipe Prado
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareMichael Hendrickx
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Dark alleys-2015
Dark alleys-2015Dark alleys-2015
Dark alleys-2015Greg Parmer
 
Html5 for Security Folks
Html5 for Security FolksHtml5 for Security Folks
Html5 for Security Folksn|u - The Open Security Community
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super BaitJeremiah Grossman
 
Phd final
Phd finalPhd final
Phd finalPositive Hack Days
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Thoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecoreThoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecorePINT Inc
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Browser security — ROOTS
Browser security — ROOTSBrowser security — ROOTS
Browser security — ROOTSAndre N. Klingsheim
 
Advanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesAdvanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesDefCamp
 
Securitatea in secolul 21
Securitatea in secolul 21Securitatea in secolul 21
Securitatea in secolul 21DefCamp
 
Atac asupra Sim Toolkit
Atac asupra Sim ToolkitAtac asupra Sim Toolkit
Atac asupra Sim ToolkitDefCamp
 
The importance of logs - DefCamp 2012
The importance of logs - DefCamp 2012The importance of logs - DefCamp 2012
The importance of logs - DefCamp 2012DefCamp
 

More Related Content

What's hot

Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and virusesUltraUploader
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Dark alleys-2015
Dark alleys-2015Dark alleys-2015
Dark alleys-2015Greg Parmer
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Jeremiah Grossman
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Thoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecoreThoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecorePINT Inc
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 

What's hot (18)

Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
Analysis of web application worms and viruses
Analysis of web application worms and virusesAnalysis of web application worms and viruses
Analysis of web application worms and viruses
 
Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineering
 
Dark alleys-2015
Dark alleys-2015Dark alleys-2015
Dark alleys-2015
 
Html5 for Security Folks
Html5 for Security FolksHtml5 for Security Folks
Html5 for Security Folks
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)Top Ten Web Hacking Techniques (2008)
Top Ten Web Hacking Techniques (2008)
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Phd final
Phd finalPhd final
Phd final
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Thoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecoreThoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for Sitecore
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Browser security — ROOTS
Browser security — ROOTSBrowser security — ROOTS
Browser security — ROOTS
 

Viewers also liked

Advanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesAdvanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesDefCamp
 
Securitatea in secolul 21
Securitatea in secolul 21Securitatea in secolul 21
Securitatea in secolul 21DefCamp
 
Atac asupra Sim Toolkit
Atac asupra Sim ToolkitAtac asupra Sim Toolkit
Atac asupra Sim ToolkitDefCamp
 
The importance of logs - DefCamp 2012
The importance of logs - DefCamp 2012The importance of logs - DefCamp 2012
The importance of logs - DefCamp 2012DefCamp
 
DefCamp 2013 - DRM To Pown NSA in Few Easy Steps
DefCamp 2013 - DRM To Pown NSA in Few Easy StepsDefCamp 2013 - DRM To Pown NSA in Few Easy Steps
DefCamp 2013 - DRM To Pown NSA in Few Easy StepsDefCamp
 
DefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp
 
High Security Web Server
High Security Web ServerHigh Security Web Server
High Security Web ServerDefCamp
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...UltraUploader
 
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Tsukasa Oi
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
Eu te amo unçao de deus
Eu te amo unçao de deusEu te amo unçao de deus
Eu te amo unçao de deusPHABLO B
 
Meu tesouro pri cruz
Meu tesouro pri cruzMeu tesouro pri cruz
Meu tesouro pri cruzPHABLO B
 
Impact of le arrivals and departures on buffer
Impact of le arrivals and departures on bufferImpact of le arrivals and departures on buffer
Impact of le arrivals and departures on bufferingenioustech
 
Getting to Know Open Government Data: Who's done it, how did they do, and so ...
Getting to Know Open Government Data: Who's done it, how did they do, and so ...Getting to Know Open Government Data: Who's done it, how did they do, and so ...
Getting to Know Open Government Data: Who's done it, how did they do, and so ...jimduncan4
 
Salvador palau molins francolí
Salvador palau molins francolíSalvador palau molins francolí
Salvador palau molins francolíAntoni Aixalà
 

Viewers also liked (19)

Advanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variablesAdvanced data mining in my sql injections using subqueries and custom variables
Advanced data mining in my sql injections using subqueries and custom variables
 
Securitatea in secolul 21
Securitatea in secolul 21Securitatea in secolul 21
Securitatea in secolul 21
 
Atac asupra Sim Toolkit
Atac asupra Sim ToolkitAtac asupra Sim Toolkit
Atac asupra Sim Toolkit
 
The importance of logs - DefCamp 2012
The importance of logs - DefCamp 2012The importance of logs - DefCamp 2012
The importance of logs - DefCamp 2012
 
DefCamp 2013 - DRM To Pown NSA in Few Easy Steps
DefCamp 2013 - DRM To Pown NSA in Few Easy StepsDefCamp 2013 - DRM To Pown NSA in Few Easy Steps
DefCamp 2013 - DRM To Pown NSA in Few Easy Steps
 
DefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniquesDefCamp 2013 - Android hacking techniques
DefCamp 2013 - Android hacking techniques
 
High Security Web Server
High Security Web ServerHigh Security Web Server
High Security Web Server
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...
 
Root kit
Root kitRoot kit
Root kit
 
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit Detection
 
Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkit
 
Eu te amo unçao de deus
Eu te amo unçao de deusEu te amo unçao de deus
Eu te amo unçao de deus
 
Meu tesouro pri cruz
Meu tesouro pri cruzMeu tesouro pri cruz
Meu tesouro pri cruz
 
Impact of le arrivals and departures on buffer
Impact of le arrivals and departures on bufferImpact of le arrivals and departures on buffer
Impact of le arrivals and departures on buffer
 
Vimferri
VimferriVimferri
Vimferri
 
Getting to Know Open Government Data: Who's done it, how did they do, and so ...
Getting to Know Open Government Data: Who's done it, how did they do, and so ...Getting to Know Open Government Data: Who's done it, how did they do, and so ...
Getting to Know Open Government Data: Who's done it, how did they do, and so ...
 
Salvador palau molins francolí
Salvador palau molins francolíSalvador palau molins francolí
Salvador palau molins francolí
 

Similar to Zombie browsers spiced with rootkit extensions - DefCamp 2012

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Krzysztof Kotowicz
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New WorldSensePost
 
Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!InnoTech
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Juniper Networks
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik
 
Phonegap for Engineers
Phonegap for EngineersPhonegap for Engineers
Phonegap for EngineersBrian LeRoux
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 

Similar to Zombie browsers spiced with rootkit extensions - DefCamp 2012 (20)

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02Hacktivityonly 121013141039-phpapp02
Hacktivityonly 121013141039-phpapp02
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New World
 
Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!Social and Mobile and Cloud OH MY!
Social and Mobile and Cloud OH MY!
 
Thinking Outside the Sand[box]
Thinking Outside the Sand[box]Thinking Outside the Sand[box]
Thinking Outside the Sand[box]
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Phonegap for Engineers
Phonegap for EngineersPhonegap for Engineers
Phonegap for Engineers
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
Privacy in private browsing mode
Privacy in private browsing modePrivacy in private browsing mode
Privacy in private browsing mode
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Zombie browsers spiced with rootkit extensions - DefCamp 2012

  • 1. Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary Instructor @NetAkademia.hu OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals 2012 - 2nd runner up
  • 3. I love Zombie movies
  • 5. Zombies + Hacking + LOLcats = I R ZOMBIE
  • 6. Zombie browsers, spiced with rootkit extensions DefCamp 2012 • Legal disclaimer: • Every point of views and thoughts are mine. • The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. • What you will hear can be only used in test labs, and only for the good.
  • 7. About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
  • 8.
  • 9. History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 23, 2012: 49* *Data from mozilla.org
  • 10. More examples on Facecrook Text ©f-secure
  • 11. My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 18. Installing the extension Physical access Social Engineering Remote code execution – without user interaction
  • 19. Firefox rootkit 1 • Hook into other extension (even signed ones)
  • 22. Risks of a Zombie Browser •Eats your brain while you are asleep
  • 23. Risks of a Zombie Browser
  • 24. Risks of a Zombie Browser •Firewall/proxy  •Local firewall  •Application whitelisting  •Web-filtering 
  • 25. Risks of a Zombie Browser • Cross-platform  • Cross-domain Universal XSS  • Every secret is available  • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source codes are available  • Advantage against meterpreter  • exe/dll is not needed for persistence
  • 26. Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
  • 27. Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
  • 28. Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension var _0x39fe=["x73x63x72x69x70x74","x63x72x65x61x7 4x65x45x6Cx65x6Dx65x6E x74","x74x79x70x65","x74x65x78x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4], _0x39fe[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval")
  • 31. Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (eg. portscan) • Platform limitations (eg. Execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
  • 32. Gmail demo • defeat 2 step verification • Why Google? • Hacking “the others” is boring • clear text cookies • missing 2 step verification • no concurrent session detection
  • 33. Gmail demo •defeat 2 step verification
  • 34. One to rule them all • Cookie + password stealing – defeat Google 2-step verification • Use password reset on other sites linked to G-mail (Paypal, etc.) • Install any app from Google Play to victim’s Android phone • Access Android WIFI passwords • Access to Google+, Docs, Picasa, Blogger, Contacts, Web history, Checkout, Apps, OpenID • Backdooring Google account • Adding application specific password • Stealing backup codes • G-mail mail forward rule
  • 36. Chrome - distributed password hash cracking • Idea and coding by my friend and colleague, WoFF • Password hash cracking performance • Javascript: 82,000 hash/sec • Chrome native client: 840,000 hash/sec • Native code (john): 11,400,000 hash/sec
  • 37. Zombie Android •Android SQLite Journal Information Disclosure (CVE-2011-3901) •Android 2.3.7
  • 38.
  • 40. Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep on the good job • but disable NPAPI :)
  • 41. Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use separated OS for e-banking and other sensitive stuff • Removing malicious extensions - create new clean profile in clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
  • 43.
  • 44. References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012
  • 45. Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code released under GPL http://github.com/Z6543/ ZombieBrowserPack Greetz to @hekkcamp