SlideShare a Scribd company logo

The Quest for Client-Side Protection Against Zombie Browsers

Download as PPTX, PDF
Zoltan Balazs
Zoltan Balazs

The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.

Technology
1 of 63
The Quest for the Client-Side Elixir Against Zombie Browsers a.k.a Zombie Browsers Reloaded Legal disclaimer: Every point of views and thoughts are mine. The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. What you will hear can be only used in test labs, and only for the good.
root@bt:~# whoami Zoltán Balázs
Deloitte
Senior IT security consultant
Deloitte Senior IT security consultant
I’m OSCP, C|HFI, CPTS, MCP, CISSP I’m NOT a CEH CyberLympics@2012 CTF 2nd runner up – gula.sh root@bt:~# whoami
zbalazs@deloittece.com https://hu.linkedin.com/in/zbalazs Twitter – zh4ck root@bt:~# whoami
I Love Hacking
I Love Hacker Movies
I Love Memes
The quest for the client-side elixir against zombie browsers Zombie browsers Is there a solution? – Common defensive solutions – Internet security suites – Online banking – client side solutions
The quest for the client-side elixir against zombie browsers http://is.gd/kiwidi http://is.gd/umusap Github: http://is.gd/safeno
History of malicious Firefox extensions Malicious extensions – Facebook spamming – ad injection – search toolbars *Data from mozilla.org 0 20 40 60 80 2004 2006 2008 2010 2012
©f-secure
My zombie browser extension Command and Control Stealing cookies, passwords Uploading/downloading files (Firefox only) Binary execution (only on Firefox - Windows) Webcam, geolocation Forging financial transactions Modifying content of the web page More on YouTube
Hacmebank demo Now it is just password But real site with OTP login or smart-card login will fail also this attack Transaction authorization can block this attack!
Code publication October 30, 2012 Mozilla blocked my extension in Firefox in 25 minutes
Advanced Mozilla 133t 3v4s10n 2013 https://bugzilla.mozilla.org/show_bug.cgi?id=841791
June 20, 2013 Chrome: Advanced scanning of extensions
Which company developed the first Netscape plugin in 1995 ? *****
Which company developed the first Netscape plugin in 1995 ? A***e
Which company developed the first Netscape plugin in 1995 ? Adobe
Axiom If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli
Password stealing Cookie stealing Webcam spy Reading user files Writing user files NoScript Browserprotect Sandboxie
NoScript „Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”  won’t protect you against malware, another extension
Browserprotect „To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
„Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protect (by default): writing files to disk (only to sandbox)
„Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protect (by default): writing files to disk (only to sandbox) Won’t protect: – Password stealing – Cookie stealing – Webcam spying – Reading files
Attacker Victim
Internet security suites
Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profile Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profil Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX?
Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX? Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX? Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
Vendor Nr. 4,5,... „Safe” browser solution
Avast Internet Security Suite Browser extension protection in safe browser DEMO P
To the vendors: Don’t trust the local root CA! Protect proxy settings, browser files, browser settings! Do not use old, outdated browser! Disable every browser extension! To the users: Do not use browser extensions to protect against browser extension! Install and update AV!
„Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”
„Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications” What??? – Recommended by big financial institutions, „download it and you will be safe” Vendor 1 (Zemana) Vendor 2 Vendor 3 Vendor 4 Conclusion ... ;-)
Firefox + Zemana + api hooking + extension DEMO
Vendor Nr. 2 Protects end-user endpoints against financial malware and phishing attacks. By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover. And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.
Vendor Nr. 2 Every extension disabled in Internet Explorer  But not in Firefox  They sent me a new version  Every Firefox extension is disabled  But it is not public ...  Plan for the future: They will detect if there is a malicious extension and that specific extension will be disabled in Firefox
Vendor Nr. 2 Every extension disabled in Internet Explorer  But not in Firefox  They sent me a new version  Every Firefox extension is disabled  But it is not public ...  Plan for the future: They will detect if there is a malicious extension and that specific extension will be disabled in Firefox
Vendor Nr. 3 January, 2013: Firefox 13.01 (June, 2012) Install via registry (HKCU) Vendor contacted, problem solved  SSL MITM attack not working either, it protects it’s settings GREAT SUCCESS 
Vendor Nr. 4
Vendor Nr. 4 Protects You From: Information stealing malware and spyware 0-hour malware and targeted attacks Sophisticated financial malware like ZeuS and SpyEye Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
Protects You From: Information stealing malware and spyware 0-hour malware and targeted attacks Sophisticated financial malware like ZeuS and SpyEye Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more Vendor Nr. 4
Moral lesson: I was searching for the elixir in the wrong forest The client side only solutions are doomed to fail Elixir should be looked for at the server side protection forest YouTube: http://is.gd/kiwidi SlideShare: http://is.gd/umusap GitHub: http://is.gd/safeno

Recommended

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 

Recommended

DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunterPrashanth Sivarajan
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Nginx warhead
Nginx warheadNginx warhead
Nginx warheadSergey Belov
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE testBalazs Bucsay
 
MIPS-X
MIPS-XMIPS-X
MIPS-XZoltan Balazs
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
App locker
App lockerApp locker
App lockerConcentrated Technology
 
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2Charles Klondike
 

More Related Content

What's hot

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainPriyanka Aash
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometPich Pra Tna
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE testBalazs Bucsay
 
Malware analysis
Malware analysisMalware analysis
Malware analysisxabean
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 

What's hot (19)

Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy Style
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunter
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
Fuzzing
FuzzingFuzzing
Fuzzing
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Nginx warhead
Nginx warheadNginx warhead
Nginx warhead
 
Step by Step on How to Setup DarkComet
Step by Step on How to Setup DarkCometStep by Step on How to Setup DarkComet
Step by Step on How to Setup DarkComet
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test0day hunting a.k.a. The story of a proper CPE test
0day hunting a.k.a. The story of a proper CPE test
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 

Similar to The Quest for Client-Side Protection Against Zombie Browsers

Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your BrowserAchim D. Brucker
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Internet security
Internet securityInternet security
Internet securityrfukunaga
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...CiNPA Security SIG
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)msz
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!CiNPA Security SIG
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Operations security (OPSEC) in IT
Operations security (OPSEC) in ITOperations security (OPSEC) in IT
Operations security (OPSEC) in ITMichal Špaček
 
How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost coldfire007
 

Similar to The Quest for Client-Side Protection Against Zombie Browsers (20)

Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
App locker
App lockerApp locker
App locker
 
NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2NWSLTR_Volume8_Issue2
NWSLTR_Volume8_Issue2
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!BSides Cleveland: Active Defense - Helping threat actors hack themselves!
BSides Cleveland: Active Defense - Helping threat actors hack themselves!
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Secure client
Secure clientSecure client
Secure client
 
Internet security
Internet securityInternet security
Internet security
 
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
NKU Cybersecurity Symposium: Active Defense - Helping threat actors hack them...
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)
 
Sql securitytesting
Sql securitytestingSql securitytesting
Sql securitytesting
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Operations security (OPSEC) in IT
Operations security (OPSEC) in ITOperations security (OPSEC) in IT
Operations security (OPSEC) in IT
 
How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost How to get genuine windows 7 with low cost
How to get genuine windows 7 with low cost
 
10 security enhancements
10 security enhancements10 security enhancements
10 security enhancements
 

More from Zoltan Balazs

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchainZoltan Balazs
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a matchZoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveZoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitlandZoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking Zoltan Balazs
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensionsZoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitőZoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’sZoltan Balazs
 

More from Zoltan Balazs (15)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

The Quest for Client-Side Protection Against Zombie Browsers

  • 1.
  • 2. The Quest for the Client-Side Elixir Against Zombie Browsers a.k.a Zombie Browsers Reloaded Legal disclaimer: Every point of views and thoughts are mine. The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. What you will hear can be only used in test labs, and only for the good.
  • 5. Senior IT security consultant
  • 7. I’m OSCP, C|HFI, CPTS, MCP, CISSP I’m NOT a CEH CyberLympics@2012 CTF 2nd runner up – gula.sh root@bt:~# whoami
  • 10. I Love Hacker Movies
  • 12. The quest for the client-side elixir against zombie browsers Zombie browsers Is there a solution? – Common defensive solutions – Internet security suites – Online banking – client side solutions
  • 13. The quest for the client-side elixir against zombie browsers http://is.gd/kiwidi http://is.gd/umusap Github: http://is.gd/safeno
  • 14.
  • 15. History of malicious Firefox extensions Malicious extensions – Facebook spamming – ad injection – search toolbars *Data from mozilla.org 0 20 40 60 80 2004 2006 2008 2010 2012
  • 17. My zombie browser extension Command and Control Stealing cookies, passwords Uploading/downloading files (Firefox only) Binary execution (only on Firefox - Windows) Webcam, geolocation Forging financial transactions Modifying content of the web page More on YouTube
  • 18.
  • 19.
  • 20.
  • 21. Hacmebank demo Now it is just password But real site with OTP login or smart-card login will fail also this attack Transaction authorization can block this attack!
  • 22. Code publication October 30, 2012 Mozilla blocked my extension in Firefox in 25 minutes
  • 23. Advanced Mozilla 133t 3v4s10n 2013 https://bugzilla.mozilla.org/show_bug.cgi?id=841791
  • 24. June 20, 2013 Chrome: Advanced scanning of extensions
  • 25. Which company developed the first Netscape plugin in 1995 ? *****
  • 26. Which company developed the first Netscape plugin in 1995 ? A***e
  • 27. Which company developed the first Netscape plugin in 1995 ? Adobe
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33. Axiom If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli
  • 34. Password stealing Cookie stealing Webcam spy Reading user files Writing user files NoScript Browserprotect Sandboxie
  • 35. NoScript „Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”  won’t protect you against malware, another extension
  • 36. Browserprotect „To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
  • 37. „Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protect (by default): writing files to disk (only to sandbox)
  • 38. „Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.” Protect (by default): writing files to disk (only to sandbox) Won’t protect: – Password stealing – Cookie stealing – Webcam spying – Reading files
  • 41. Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
  • 42. Internet security suites Vendor 1 Vendor 2 Vendor 3 Vendor 4 Vendor 5 The conclusion will be the same ...
  • 43. Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
  • 44. Vendor Nr. 1 Detects and removes my Firefox extension based on signatures Über 133t signature 3v4s10n 2k13 One additional space in a line „Improved security” Firefox extensions Always two versions behind the actual Firefox version
  • 45. Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profile Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
  • 46. Vendor Nr. 2 „Safe browser” solution – Creating a new, „clean” Firefox profil Extensions installed via registry (HKCU) Modifying „Safe browser” SQLite Vendor contacted, no solution yet
  • 47. Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX?
  • 48. Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX? Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
  • 49. Vendor Nr. 3 User question on a forum: „Does XYZ detect/block Xenotix KeylogX? Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
  • 50. Vendor Nr. 4,5,... „Safe” browser solution
  • 51. Avast Internet Security Suite Browser extension protection in safe browser DEMO P
  • 52. To the vendors: Don’t trust the local root CA! Protect proxy settings, browser files, browser settings! Do not use old, outdated browser! Disable every browser extension! To the users: Do not use browser extensions to protect against browser extension! Install and update AV!
  • 53. „Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”
  • 54. „Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications” What??? – Recommended by big financial institutions, „download it and you will be safe” Vendor 1 (Zemana) Vendor 2 Vendor 3 Vendor 4 Conclusion ... ;-)
  • 55. Firefox + Zemana + api hooking + extension DEMO
  • 56. Vendor Nr. 2 Protects end-user endpoints against financial malware and phishing attacks. By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover. And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.
  • 57. Vendor Nr. 2 Every extension disabled in Internet Explorer  But not in Firefox  They sent me a new version  Every Firefox extension is disabled  But it is not public ...  Plan for the future: They will detect if there is a malicious extension and that specific extension will be disabled in Firefox
  • 58. Vendor Nr. 2 Every extension disabled in Internet Explorer  But not in Firefox  They sent me a new version  Every Firefox extension is disabled  But it is not public ...  Plan for the future: They will detect if there is a malicious extension and that specific extension will be disabled in Firefox
  • 59. Vendor Nr. 3 January, 2013: Firefox 13.01 (June, 2012) Install via registry (HKCU) Vendor contacted, problem solved  SSL MITM attack not working either, it protects it’s settings GREAT SUCCESS 
  • 61. Vendor Nr. 4 Protects You From: Information stealing malware and spyware 0-hour malware and targeted attacks Sophisticated financial malware like ZeuS and SpyEye Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
  • 62. Protects You From: Information stealing malware and spyware 0-hour malware and targeted attacks Sophisticated financial malware like ZeuS and SpyEye Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more Vendor Nr. 4
  • 63. Moral lesson: I was searching for the elixir in the wrong forest The client side only solutions are doomed to fail Elixir should be looked for at the server side protection forest YouTube: http://is.gd/kiwidi SlideShare: http://is.gd/umusap GitHub: http://is.gd/safeno

Editor's Notes

  1. Hi everyoneHow many of you use online banking? Come on!!! How many of you use online banking or bitcoin trading site? Hands upHow many of you use browser extensions in the same browser?Last question: how many of you are willing to install my extension into your browser?Today I’m going to talk about dangerous browser extensions and client side protection attempts
  2. This is my name
  3. This is where I work
  4. This iswhat I’m paid for
  5. This is the work most of the people think consultants are paid for
  6. And this is what I’m proud aboutand I’m also a proud member of the gula.sh team, we scored as second runner up on the Global Cyberlympics competition last year.
  7. These are my contacts
  8. This is what I do 24 by 7
  9. This is what I watch after hacking
  10. And this is what I browse when I’m not hacking or watching hacker movies
  11. In the beginning of my presentation I will talk about the malicius browser extensions, what they are capable of. And after that I will show you what kind of client side protections I was analysing against malicious browser extensions, like internet security suites.
  12. If you are later interested, you can watch a lot of demos about this at the following youtube link, and you can also watch my previous presentations about this topic on slideshare, or download the source code from github.
  13. Most of you remember how an average internet explorer 6 looked like in 2004. I bet all of you would go crazy of those crappy extensions. Do you remember that irritating purple monkey dancing in the corner of your browser? it is one of the first malicous browser extensions which spied on users browsing activity.
  14. How does it work in practice? After the browser is infected, the extension polls the attacker webserver for new commands. If there is a new command, the client browser will execute it, like upload files from the victim to attacker, and so on.
  15. Butdon’tforgetthatFirefox is alsosupportedon OSX, Linux, Windows, and evenonAndroid. ...
  16. YoumightthinkthatChrome is safe, badnewsit’snot. MyzombieextensionwillhackyourChromeorSafariaswell.
  17. After I had developed my malicious browser extensions against Firefox, Chrome, and Safari, I sent this code to 15 different AV vendors, so they could put it into their signature list and block it.
  18. Which means that currently 10 AV vendor blocks my Firefox extension, to 5 out of 10 my code has not been sent. After doing the basic math, this means there are 10 AV vendors I have sent my code, but they are not blocking it.
  19. And 5 AV vendors do detect my Chrome extension. I don’t have any good explanation about that.
  20. I have two lessons to draw from this case:Firstly dont send encrypted ZIP files to the Antivirus vendors, because it might happen that they might be unable to process it, even if the email contains the password. Secondly if you send a ZIP file containing more than 10 files, it might be rejected by the AV vendors. The problem is that browser extensions are basically ZIP files, containing files of any amount. So if I create a browser extension containing 100 files, the users wont be able to send the samples to the antivirus vendors.
  21. And I published my malicious browser extensions on Github, it has been blocked in Firefox after 25 minutes .
  22. But unfortunately, it took me less time to circumvent this blocking. You can see two differences on the two source codes. The first one is that the extension has a different ID, and the second difference is that the first one is blocked by Firefox, but the second one is not.If you check this link, you can see that this problem is also exploited by the bad guys.
  23. And evenin the official Google chrome extension store you might find malicious browser extensions sometimes. So if you downloaded this bad piggies extension, instead of hunting for bad piggies you had to hunt for malicious browser extensions on your computer.1.5 months ago Google announced that they will scan for malicious extensions more effectively, it still has to prove itself.
  24. And there will always be people who want to change the colour of their facebook page, and they download some extension having very powerful privileges just to change their facebook colour. For example look at this one. Why should a facebook colour changer extension need to access all your websites and all your browsing information?
  25. Beforeall of youfallasleep, here is a littlequizforyou.The first correct answer will be honored by two bottle of hacker beer.And thequestion is: whichcompanydevelopedthefirst Netscape pluginin 1995?
  26. Here is a littleclueforyou
  27. That’s right, Adobe. Funnything is thattheyarestillunabletodevelopsecureextensionswith 17 years of experiencebehindthem.
  28. There is a rootkit in the wild since 2007 called mebroot, which installs its malicious chrome extension after the computer is infected, and manipulates in the background the online financial transactions. I believe the bad guys had been unable to manipulate the transactions in chrome via traditional attacks, so they created malicious browser extensions to do that job.After I saw there wer eso many problems with malicious browser extensions,
  29. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  30. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  31. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  32. There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
  33. During my quest I bumped into two axioms. The first axiom warned me when an evil program code is running on my computer, my computer will perish. The second one drew my attention to the fact that if the system protects me against 300 different attack methods, it wont protect me against the 301st one.
  34. So then I plucked up all my courage and set out for the realm of extensions and sandboxing technologies to see how they would protect my computer against my malicious extension - all those evil things like password stealing or webcam spying etc.
  35. Noscript does what it promises. But it never promised to protect the users against malicious browser extensions. And dont forget that the settings of the firefox extensions are like a big happy family picnick, everybody can do whatever they want. Which means every extension can change the setting of another extension. This means that my browser extension can change the settings of Noscript as well.
  36. The browserprotect extension is basically the same from this point of view, it does what it promises, but it cant protect the users against malicious browser extensions, and my extension can change the browserprotect settings as well.
  37. The sandoxie program was a big surprise for me, or rather a big disappointment. To tell the truth, I would not recommend sandboxie to protect the average home users. Because by default it does nothing but prevents modifications outside of the sandbox.
  38. This means that I can steal passwords, cookies, and even spy on the users webcam, steal confidential user files.
  39. I’ll show how sandboxing technology works in the next demo. Just for clarification, when you see the „Hack the planet”, it is me, the attacker. And when you see unicorns and rainbows, it is the victim browser.
  40. Our next topic is the internet security suites, how they can or cannot protect you against malicious browser extensions.
  41. I wont mention any vendor names, but I promise you, the conclusion will be the same. These are the biggest and most popular internet security suites. Think about vendors with their names starting letter S or K.
  42. The first vendor detects and removes my extension on a signature basis (because I have sent my code to them). But if I insert an extra space character in one of the lines in my source code, the extension wont be detected any more. And this Internet security suite also installs its own extensions into Firefox, which are always two versions behind the current Firefox version. So they never run on my computer, because it was always blocked by firefox.
  43. So my extension was able to circumvent the protection of this internet security suite.
  44. The next vendor promises a safe browser, which is merely a new clear default Firefox profile. The problem with this approach is that I can install my extension into this safe browser at least 2 different ways. One of these ways is to modify the user registry settings, which will install the extension into this safe browser. The second approach is to modify the SQLite database of this safe browser. I alreadycontacted the vendor, but they have not fixed this yet.
  45. The next vendor is my favourite one. A user on an internet forum asked the vendor, whether their product can protect him against Xenotix keylogx. This is a proof of concept malicious browser extension, created by Ajin Abraham, who was planned to do his presentation.
  46. The vendors response is so beautiful that it’s worth to be analyzed word by word, just like a poem. The poet starts with an in medias res beginning, „no it doesnt at thats by design”, so it states it won protect the user. What the poet meant about by design, I have no idea. It is also for sure that in Firefox there is nothing like sandboxing. And by suggesting to remove the extension the vendor implies that the extension is not to be hid from the user. And why the heck should I buy their product, if I have to detect and remove the extension by myself????
  47. And I looked at other safe browser solutions in internet security suites, but they all proved to be useless, and I was a very very sad panda
  48. I almost gave up, when I found the Avast Internet Security Suite. I was not able to install my extension into their safe browser, so I had to find other ways to hack it. In the next demo, I’m going to show you how I can circumvent the protection of Avast safe browser.
  49. My suggestions to the vendors who promise safe browser solutions are the followings:Do not trust the local root certificate lists. Protect the settings and the files of the safe browser.Do not use old, outdated, vulnerable browsers.And my suggestions to the users are:Do not use browser extensions to protect against malicious browser extensions. And last but not least install and update your antivirus solution, because it will protect you in 90% of the cases.
  50. As I failed to find the elixir, my next challenge had to be to move on. So I went on and left the forest of internet security suites and entered the promising field of the Endpoint Financial Fraud Prevention and Anti-Keylogging applications
  51. In case you did not know what these are, these applications are usually recommended by big financial institutions, saying „if you use this, you will be safe”. And again, I wont mention the vendors names, but the conclusion will be the same
  52. Usually these applications will protect you against the so called „API hooking” attack. In the next demo, I’m going to show you this attack.First, I’ll show how Zemana protection will protect you against this API hooking attack, which is used by financial malwares like Zeus or Spyeye, and how Zemana wont protect you against malicious browser extensions.
  53. Vendor nr 2. promises an awful lot of things, lets see this in practice.
  54. In the Internet Explorer every extension was disabled, but not in Firefox. I contacted the vendor, and they sent me a new version in less than a week, where every firefox extension was disabled. I was very excited, but then I asked whether this version will be the next public version, however their answer made me sad. It turned out that it was not a public version, it was only sent to me. They have a plan to detect and block the malicious browser extensions individually.
  55. And I think this is OK, they are the experts, they know what they are talking about. I hope, they do.....
  56. Vendor number 3. When I tested this vendor, they were using an old, vulnerable Firefox version. And I was also able to install my extension into their safe browser. I contacted the vendor, and they fixed their product in less than a week, so right now there is no way to hack this safe browser that I know of. But to tell you the truth, I did not waste my time trying to find other ways to hack it.
  57. Vendor number four was also a great fun to test. First, the application indicated that it has found a malware on my computer, but it turned out that it was only the Symantec it detected as a malicious software.
  58. It promises a lot of things, but it can not protect you against malicious browser extensions.
  59. At the end of my journey I had to realize that the axioms are really true, and that I have been looking for the elixir in the wrong place, because the client side protections are deemed to fall. On these links you can find the source code to my malicious browser extensions, my previous presentations about malicious browser extension