The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.
The Quest for Client-Side Protection Against Zombie Browsers
2. The Quest for the Client-Side Elixir Against Zombie Browsers
a.k.a. Zombie Browsers Reloaded
Legal disclaimer:
Every point of view and thought is mine.
The following presentation’s contents have no connection with my employer’s opinion, whether past, present or future.
What you will hear may only be used in test labs, and only for good.
12. The quest for the client-side elixir against zombie browsers
Zombie browsers
Is there a solution?
– Common defensive solutions
– Internet security suites
– Online banking – client-side solutions
13. The quest for the client-side elixir against zombie browsers
YouTube: http://is.gd/kiwidi
SlideShare: http://is.gd/umusap
GitHub: http://is.gd/safeno
15. History of malicious Firefox extensions
Malicious extensions
– Facebook spamming
– ad injection
– search toolbars
[Chart: number of malicious Firefox extensions per year, 2004–2012 (y-axis 0–80); data from mozilla.org]
17. My zombie browser extension
Command and Control
Stealing cookies, passwords
Uploading/downloading files (Firefox only)
Binary execution (only on Firefox - Windows)
Webcam, geolocation
Forging financial transactions
Modifying content of the web page
More on YouTube
21. Hacmebank demo
Now it is just a password
But a real site with OTP login or smart-card login will also fall to this attack
Transaction authorization can block this attack!
35. NoScript
„Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”
Won’t protect you against malware in another extension
36. Browserprotect
„To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
37. Sandboxie
„Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.”
Protects (by default): writing files to disk (only to sandbox)
Won’t protect against:
– Password stealing
– Cookie stealing
– Webcam spying
– Reading files
43. Vendor Nr. 1
Detects and removes my Firefox extension based on signatures
Über 133t signature 3v4s10n 2k13: one additional space in a line
„Improved security” Firefox extensions: always two versions behind the actual Firefox version
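A signature that does not break on the „one additional space” change described on this slide, as an added example (not the talk’s code and not any vendor’s engine): each script inside the XPI (a zip) is hashed after collapsing whitespace, so a respaced copy still matches the known-bad hash while its raw hash differs. The extension files and the known-bad hash set are constructed.

```python
"""Whitespace-insensitive signature for scripts inside an XPI. Added example,
not the talk's code or any vendor's engine; the extension files are constructed."""
import hashlib
import io
import re
import zipfile

def normalize_js(src):
    """Collapse every run of whitespace to one space so an inserted space or
    re-indentation does not change the hash. (A real engine would tokenise.)"""
    return re.sub(r"\s+", " ", src).strip()

def xpi_signatures(xpi_bytes):
    """Map each script member of the XPI (a zip) to (raw_sha256, normalized_sha256)."""
    sigs = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for name in xpi.namelist():
            if name.endswith((".js", ".jsm")):
                data = xpi.read(name)
                raw = hashlib.sha256(data).hexdigest()
                norm = hashlib.sha256(
                    normalize_js(data.decode("utf-8", "replace")).encode()).hexdigest()
                sigs[name] = (raw, norm)
    return sigs

def build_xpi(files):
    """Pack {member_name: content} into an in-memory zip (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        for name, content in files.items():
            xpi.writestr(name, content)
    return buf.getvalue()

def matches_known_bad(known_bad_norm_hashes, xpi_bytes):
    """True if any script in the XPI matches a known-bad normalized hash."""
    return any(norm in known_bad_norm_hashes
               for _, norm in xpi_signatures(xpi_bytes).values())

# Constructed stand-in for an extension script, and the same file with one extra space.
ORIGINAL = 'var interval = 60;\nfunction poll() { return interval; }\n'
RESPACED = 'var interval =  60;\nfunction poll() { return interval; }\n'
MEMBER = "chrome/content/overlay.js"

if __name__ == "__main__":
    known = {s[1] for s in xpi_signatures(build_xpi({MEMBER: ORIGINAL})).values()}
    print("respaced copy still detected:",
          matches_known_bad(known, build_xpi({MEMBER: RESPACED})))
```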
45. Vendor Nr. 2
„Safe browser” solution
– Creating a new, „clean” Firefox profile
Extensions installed via registry (HKCU)
Modifying „Safe browser” SQLite
Vendor contacted, no solution yet
47. Vendor Nr. 3
User question on a forum:
„Does XYZ detect/block Xenotix KeylogX?”
Vendor official response:
„No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ...
If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
52. To the vendors:
Don’t trust the local root CA!
Protect proxy settings, browser files, browser settings!
Do not use old, outdated browsers!
Disable every browser extension!
To the users:
Do not use browser extensions to protect against browser extensions!
Install and update AV!
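An added example (not from the talk) of what „protect proxy settings, browser settings” can mean on the defender side: a small audit of a Firefox prefs.js that flags a manual proxy pointing at an unexpected host (the setup the SSL MITM attack relies on) and an extensions.autoDisableScopes value that would let registry-installed (HKCU/HKLM) extensions enable themselves silently. The sample prefs.js and the expected-proxy allowlist are constructed.

```python
"""Audit a Firefox prefs.js for settings a malicious extension or dropper tends to
tamper with: proxy configuration and the auto-disable scopes for side-loaded
extensions. Added example; the sample prefs.js and allowlist are constructed."""
import json
import re

# One prefs.js line looks like: user_pref("network.proxy.type", 1);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Firefox AddonManager install-scope bits used by extensions.autoDisableScopes.
SCOPE_PROFILE, SCOPE_USER, SCOPE_APPLICATION, SCOPE_SYSTEM = 1, 2, 4, 8
DEFAULT_AUTO_DISABLE = 15  # Firefox default: every scope starts disabled until the user enables it

# Proxies this environment legitimately uses (constructed allowlist).
EXPECTED_PROXIES = {"proxy.corp.example"}

def parse_prefs(text):
    """Return {name: value}; prefs.js values are JSON literals (string/int/bool)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                prefs[m.group(1)] = m.group(2)  # keep raw text if not a JSON literal
    return prefs

def audit_prefs(prefs):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    proxy_type = prefs.get("network.proxy.type", 5)  # 5 = use system proxy (default)
    if proxy_type == 1:  # 1 = manual proxy configuration
        for proto in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{proto}")
            if host and host not in EXPECTED_PROXIES:
                port = prefs.get(f"network.proxy.{proto}_port")
                findings.append(f"manual {proto} proxy to unexpected host {host}:{port}")
    elif proxy_type == 2:  # 2 = PAC script, which can route traffic anywhere
        findings.append(f"PAC proxy script set: {prefs.get('network.proxy.autoconfig_url')}")
    scopes = prefs.get("extensions.autoDisableScopes", DEFAULT_AUTO_DISABLE)
    if not scopes & SCOPE_USER:
        findings.append("per-user (HKCU/registry) side-loaded extensions would auto-enable")
    if not scopes & SCOPE_SYSTEM:
        findings.append("system-wide (HKLM/registry) side-loaded extensions would auto-enable")
    return findings

# Constructed prefs.js as a tampered profile might leave it.
SAMPLE_PREFS = '''user_pref("browser.startup.homepage", "http://example.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
user_pref("extensions.autoDisableScopes", 0);
'''

if __name__ == "__main__":
    for finding in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print("WARNING:", finding)
```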
54. „Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”
What???
– Recommended by big financial institutions: „download it and you will be safe”
Vendor 1 (Zemana)
Vendor 2
Vendor 3
Vendor 4
Conclusion ... ;-)
56. Vendor Nr. 2
„Protects end-user endpoints against financial malware and phishing attacks. By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover. And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.”
57. Vendor Nr. 2
Every extension disabled in Internet Explorer
But not in Firefox
They sent me a new version
Every Firefox extension is disabled
But it is not public ...
Plan for the future:
They will detect if there is a malicious extension, and that specific extension will be disabled in Firefox
59. Vendor Nr. 3
January, 2013: Firefox 13.01 (June, 2012)
Install via registry (HKCU)
Vendor contacted, problem solved
SSL MITM attack not working either; it protects its settings
GREAT SUCCESS
61. Vendor Nr. 4
Protects You From:
Information stealing malware and spyware
0-hour malware and targeted attacks
Sophisticated financial malware like ZeuS and SpyEye
Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
63. Moral lesson: I was searching for the elixir in the wrong forest
Client-side-only solutions are doomed to fail
The elixir should be looked for in the server-side protection forest
YouTube: http://is.gd/kiwidi
SlideShare: http://is.gd/umusap
GitHub: http://is.gd/safeno
Editor's Notes
Hi everyone! How many of you use online banking? Come on!!! How many of you use online banking or a bitcoin trading site? Hands up. How many of you use browser extensions in the same browser? Last question: how many of you are willing to install my extension into your browser? Today I’m going to talk about dangerous browser extensions and client-side protection attempts.
This is my name
This is where I work
This is what I’m paid for
This is the work most of the people think consultants are paid for
And this is what I’m proud about, and I’m also a proud member of the gula.sh team; we scored as second runner-up in the Global Cyberlympics competition last year.
These are my contacts
This is what I do 24 by 7
This is what I watch after hacking
And this is what I browse when I’m not hacking or watching hacker movies
At the beginning of my presentation I will talk about malicious browser extensions and what they are capable of. After that I will show you what kind of client-side protections I was analysing against malicious browser extensions, like internet security suites.
If you are interested later, you can watch a lot of demos about this at the following YouTube link, and you can also watch my previous presentations about this topic on SlideShare, or download the source code from GitHub.
Most of you remember what an average Internet Explorer 6 looked like in 2004. I bet all of you would go crazy over those crappy extensions. Do you remember that irritating purple monkey dancing in the corner of your browser? It is one of the first malicious browser extensions which spied on users’ browsing activity.
How does it work in practice? After the browser is infected, the extension polls the attacker’s web server for new commands. If there is a new command, the client browser will execute it, like uploading files from the victim to the attacker, and so on.
But don’t forget that Firefox is also supported on OSX, Linux, Windows, and even on Android. ...
You might think that Chrome is safe; bad news, it’s not. My zombie extension will hack your Chrome or Safari as well.
After I had developed my malicious browser extensions against Firefox, Chrome, and Safari, I sent this code to 15 different AV vendors, so they could put it into their signature list and block it.
Which means that currently 10 AV vendors block my Firefox extension; to 5 out of 10 my code has not been sent. After doing the basic math, this means there are 10 AV vendors I have sent my code to, but they are not blocking it.
And 5 AV vendors do detect my Chrome extension. I don’t have any good explanation for that.
I have two lessons to draw from this case: firstly, don’t send encrypted ZIP files to the antivirus vendors, because it might happen that they are unable to process it, even if the email contains the password. Secondly, if you send a ZIP file containing more than 10 files, it might be rejected by the AV vendors. The problem is that browser extensions are basically ZIP files, containing any number of files. So if I create a browser extension containing 100 files, the users won’t be able to send the samples to the antivirus vendors.
And I published my malicious browser extensions on GitHub; it was blocked in Firefox after 25 minutes.
But unfortunately, it took me less time to circumvent this blocking. You can see two differences between the two source codes. The first one is that the extension has a different ID, and the second difference is that the first one is blocked by Firefox, but the second one is not. If you check this link, you can see that this problem is also exploited by the bad guys.
And even in the official Google Chrome extension store you might sometimes find malicious browser extensions. So if you downloaded this Bad Piggies extension, instead of hunting for bad piggies you had to hunt for malicious browser extensions on your computer. 1.5 months ago Google announced that they will scan for malicious extensions more effectively; it still has to prove itself.
And there will always be people who want to change the colour of their Facebook page, and they download some extension having very powerful privileges just to change their Facebook colour. For example, look at this one. Why should a Facebook colour changer extension need to access all your websites and all your browsing information?
Before all of you fall asleep, here is a little quiz for you. The first correct answer will be honored with two bottles of hacker beer. And the question is: which company developed the first Netscape plugin in 1995?
Here is a little clue for you
That’s right, Adobe. The funny thing is that they are still unable to develop secure extensions with 17 years of experience behind them.
There is a rootkit in the wild since 2007 called Mebroot, which installs its malicious Chrome extension after the computer is infected, and manipulates online financial transactions in the background. I believe the bad guys had been unable to manipulate the transactions in Chrome via traditional attacks, so they created malicious browser extensions to do that job. After I saw there were so many problems with malicious browser extensions,
There I went, me, the brave hacker, grabbed my only faithful mate, my computer, to find the elixir against zombie browsers in the deep and dark forest of the Kingdom of Internet
During my quest I bumped into two axioms. The first axiom warned me that when evil program code is running on my computer, my computer will perish. The second one drew my attention to the fact that if the system protects me against 300 different attack methods, it won’t protect me against the 301st one.
So then I plucked up all my courage and set out for the realm of extensions and sandboxing technologies to see how they would protect my computer against my malicious extension - all those evil things like password stealing or webcam spying etc.
NoScript does what it promises. But it never promised to protect users against malicious browser extensions. And don’t forget that the settings of Firefox extensions are like a big happy family picnic: everybody can do whatever they want. Which means every extension can change the settings of another extension. This means that my browser extension can change the settings of NoScript as well.
The Browserprotect extension is basically the same from this point of view: it does what it promises, but it can’t protect users against malicious browser extensions, and my extension can change the Browserprotect settings as well.
The Sandboxie program was a big surprise for me, or rather a big disappointment. To tell the truth, I would not recommend Sandboxie to protect average home users, because by default it does nothing but prevent modifications outside of the sandbox.
This means that I can steal passwords and cookies, spy on the user’s webcam, and even steal confidential user files.
I’ll show how sandboxing technology works in the next demo. Just for clarification, when you see the „Hack the planet”, it is me, the attacker. And when you see unicorns and rainbows, it is the victim browser.
Our next topic is the internet security suites, how they can or cannot protect you against malicious browser extensions.
I won’t mention any vendor names, but I promise you, the conclusion will be the same. These are the biggest and most popular internet security suites. Think about vendors whose names start with the letter S or K.
The first vendor detects and removes my extension on a signature basis (because I have sent my code to them). But if I insert an extra space character in one of the lines of my source code, the extension won’t be detected any more. And this internet security suite also installs its own extensions into Firefox, which are always two versions behind the current Firefox version. So they never ran on my computer, because they were always blocked by Firefox.
So my extension was able to circumvent the protection of this internet security suite.
The next vendor promises a safe browser, which is merely a new, clean default Firefox profile. The problem with this approach is that I can install my extension into this safe browser in at least 2 different ways. One of these ways is to modify the user registry settings, which will install the extension into this safe browser. The second approach is to modify the SQLite database of this safe browser. I already contacted the vendor, but they have not fixed this yet.
The next vendor is my favourite one. A user on an internet forum asked the vendor whether their product can protect him against Xenotix KeylogX. This is a proof-of-concept malicious browser extension, created by Ajin Abraham, who was planning to do his presentation.
The vendor’s response is so beautiful that it’s worth analyzing word by word, just like a poem. The poet starts with an in medias res beginning, „no it doesn’t and that’s by design”, so it states it won’t protect the user. What the poet meant by „by design”, I have no idea. It is also for sure that in Firefox there is nothing like sandboxing. And by suggesting to remove the extension, the vendor implies that the extension is not hidden from the user. And why the heck should I buy their product, if I have to detect and remove the extension by myself?
And I looked at other safe browser solutions in internet security suites, but they all proved to be useless, and I was a very, very sad panda.
I almost gave up, when I found the Avast Internet Security Suite. I was not able to install my extension into their safe browser, so I had to find other ways to hack it. In the next demo, I’m going to show you how I can circumvent the protection of Avast safe browser.
My suggestions to the vendors who promise safe browser solutions are the following: do not trust the local root certificate lists. Protect the settings and the files of the safe browser. Do not use old, outdated, vulnerable browsers. And my suggestions to the users are: do not use browser extensions to protect against malicious browser extensions. And last but not least, install and update your antivirus solution, because it will protect you in 90% of the cases.
As I failed to find the elixir, my next challenge had to be to move on. So I went on and left the forest of internet security suites and entered the promising field of Endpoint Financial Fraud Prevention and Anti-Keylogging applications.
In case you did not know what these are, these applications are usually recommended by big financial institutions, saying „if you use this, you will be safe”. And again, I won’t mention the vendors’ names, but the conclusion will be the same.
Usually these applications will protect you against the so-called „API hooking” attack. In the next demo, I’m going to show you this attack. First, I’ll show how Zemana’s protection will protect you against this API hooking attack, which is used by financial malware like Zeus or SpyEye, and how Zemana won’t protect you against malicious browser extensions.
Vendor nr. 2 promises an awful lot of things; let’s see this in practice.
In Internet Explorer every extension was disabled, but not in Firefox. I contacted the vendor, and they sent me a new version in less than a week, where every Firefox extension was disabled. I was very excited, but then I asked whether this version will be the next public version; however, their answer made me sad. It turned out that it was not a public version, it was only sent to me. They have a plan to detect and block the malicious browser extensions individually.
And I think this is OK, they are the experts, they know what they are talking about. I hope, they do.....
Vendor number 3. When I tested this vendor, they were using an old, vulnerable Firefox version. And I was also able to install my extension into their safe browser. I contacted the vendor, and they fixed their product in less than a week, so right now there is no way to hack this safe browser that I know of. But to tell you the truth, I did not waste my time trying to find other ways to hack it.
Vendor number four was also great fun to test. First, the application indicated that it had found malware on my computer, but it turned out that it was only Symantec it detected as malicious software.
It promises a lot of things, but it cannot protect you against malicious browser extensions.
At the end of my journey I had to realize that the axioms are really true, and that I have been looking for the elixir in the wrong place, because client-side protections are doomed to fail. On these links you can find the source code of my malicious browser extensions, my previous presentations about malicious browser extension