The Listening
                     Email Client Backdoor




Esteban Guillardoy
esteban@immunityinc.com


                                             1
Introduction

●   This presentation will focus on a backdoor
implementation based on Thunderbird 3.x


●   Different approach taking advantage of the
addon/extension features


●   How to make it persistent and hide the C&C by
using steganography



                                                    2
Demo




       How cool is this presentation?
       It is starting with a demo :)
                                        3
How all this started
 ●   Never leave the office without locking
 your session - FAIL!

 ●   Malicious Brainstorming...




                                              4
Adapting the idea

●   Web Browsers are
commonly targeted


●   But Email Clients are not


●   Why not use this as a
real backdoor?




                                5
The challenge
●   Targets go on and off
●   Covertness without losing reliability
●   Routing the data

●   Stealthiness

●   Resistance to traffic analysis
●   No suspicious open ports
●   Avoid antiviruses & scanners
●   Thinking of future trojans
                                            6
Why an email client
 Don't you use one? Is it Thunderbird?




                                         7
Email Client Extensions

  ●   Only Thunderbird 3.x for now
      ●   multiplatform backdoor out of the box

  ●   Trusted code

  ●   Full access to all client functions

  ●   Program execution

  ●   Easy development

  ●   Solves part of the challenge for us


                                                  8
Backdoor controlled by
simply sending emails




                         9
Features

 ●   Doesn't require user interaction

 ●   Hidden C&C using steganography on images

 ●   Encryption using public & private key

 ●   Processes every email that arrives at the client

 ●   Predefined Actions

 ●   Command execution with output retrieval



                                                        10
11
Mozilla Addons/Extensions

 Basic structure:
       /components/*
      /content or /chrome/content
       /defaults/preferences/*.js
       /chrome.manifest
       /install.rdf




                                    12
Development
●   “Must have” tools
      ●   Firebug + ChromeBug   ●   Extension Developer
      ●   Chrome List           ●   Extension Manager Extended
      ●   Console2              ●   Inspector Widget
      ●   DOM Inspector         ●   MozRepl
      ●   Event Spy             ●   XPCOMViewer




                                                                 13
How it works




               14
Email Check

●   Listener on notification service
// the notification service is a singleton, so it is obtained with getService()
var notificationService = Components.classes["@mozilla.org/messenger/msgnotificationservice;1"]
                                    .getService(Components.interfaces.nsIMsgFolderNotificationService);
// register this object as listener for the msgsClassified event (fires once per new message)
notificationService.addListener(this, notificationService.msgsClassified);


●   Our method gets called with each new email

●   Filter messages by checking attachments

      “attachment.contentType.match(/image\/png/) != null”




                                                                             15
Encryption

●   Private & Public key algorithm (PGP)

●   Used to send commands & output

●   Implementation in Javascript

●   Wrapper around gnupg in Python




                                           16
Hiding Information

●   Steganography on images to hide the info
●   Who applies steganalysis to every image
attached to an email?
●   The common defence is to block external (remote) images
from loading, not to inspect attached ones


                                   Message: “INFILTRATE 2011”

             Original   Modified




                                                            17
Hiding Information
 ●   Least Significant Bit (LSB) algorithm


                   0               1               1




                           0 1 1 0 0 0 0 1 = “a”



     ●   We need 3 pixels per byte to hide (8 bits spread over the
         LSBs of 3 RGB pixels, i.e. 9 channels)
     ●   If the image is greyscale we could use more than
         1 bit per pixel


                                                        18
Hiding Information

●   Python Implementation
    ●   Using Python Imaging Library (PIL)
    ●   Some bitwise operations and we are ready

●   Javascript Implementation
    ●   Hidden iframe to create an HTML5 canvas element
    ●   Retrieve pixel info with:
        var context = canvas.getContext('2d');
        var data = context.getImageData(0,0,canvas.width,canvas.height);




                                                                           19
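The LSB scheme from slides 18 and 19, as an added example that is not the author's code. It uses plain Python lists of (r, g, b) tuples instead of PIL so it runs without dependencies, and it assumes one layout the slides do not spell out: each payload byte occupies 3 pixels (9 channel LSBs), the 8 data bits go into the first 8 LSBs and the 9th LSB is a continuation flag (1 = more bytes follow, 0 = last byte). The 8x8 gradient cover image is constructed sample data; the message is the one shown on slide 17.

```python
# Added example: LSB steganography over RGB pixels in plain Python (no PIL).
# Layout assumption (not stated in the slides): each payload byte costs
# 3 pixels = 9 channel LSBs; 8 data bits (MSB first) + 1 continuation flag.


def lsb_capacity_bytes(width, height):
    """Bytes that fit in a cover image when each byte costs 3 pixels."""
    return (width * height) // 3


def lsb_embed(pixels, payload):
    """Return a copy of pixels with payload hidden in the channel LSBs."""
    needed = 3 * len(payload)
    if needed > len(pixels):
        raise ValueError("payload needs %d pixels, cover has %d" % (needed, len(pixels)))
    out = list(pixels)
    for i, byte in enumerate(payload):
        bits = [(byte >> (7 - k)) & 1 for k in range(8)]       # MSB first
        bits.append(0 if i == len(payload) - 1 else 1)         # continuation flag
        chans = [c for px in pixels[3 * i:3 * i + 3] for c in px]   # 9 channel values
        chans = [(c & ~1) | b for c, b in zip(chans, bits)]    # overwrite the LSB only
        out[3 * i:3 * i + 3] = [tuple(chans[j:j + 3]) for j in (0, 3, 6)]
    return out


def lsb_extract(pixels):
    """Recover the payload, stopping at the first block whose flag bit is 0."""
    data = bytearray()
    for i in range(0, len(pixels) - 2, 3):
        chans = [c for px in pixels[i:i + 3] for c in px]
        byte = 0
        for c in chans[:8]:
            byte = (byte << 1) | (c & 1)
        data.append(byte)
        if (chans[8] & 1) == 0:
            break
    return bytes(data)


def max_channel_delta(original, modified):
    """Largest per-channel change between cover and stego image; LSB embedding never exceeds 1."""
    return max(abs(a - b) for po, pm in zip(original, modified) for a, b in zip(po, pm))


def demo_cover(width=8, height=8):
    """Constructed 8x8 gradient cover image (sample data, not from the talk)."""
    return [(x * 32, y * 32, (x + y) * 16) for y in range(height) for x in range(width)]


if __name__ == "__main__":
    cover = demo_cover()
    stego = lsb_embed(cover, b"INFILTRATE 2011")   # message from slide 17
    print(lsb_capacity_bytes(8, 8), lsb_extract(stego), max_channel_delta(cover, stego))
```

The delta of at most 1 per channel is why the original and modified images on slide 17 look identical; the capacity function makes the "3 pixels per byte" cost explicit, which is what limits a PNG attachment's usefulness as a carrier.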
Execution

●   Using XPCOM interfaces nsIProcess or nsIProcess2




●   Fix the arguments to redirect output to a temp file


●   Read the temp file and then delete it


                                                       20
Getting Output
1) XMLHttpRequest

2) Sending an email
  ●   New email:
      Components.classes["@mozilla.org/messengercompose;1"]
      Components.classes["@mozilla.org/messenger/account-manager;1"]
  ●   Send it:
      Components.classes["@mozilla.org/messengercompose/compose;1"]
  ●   Delete it from Sent folder




                                                                       21
Deployment
●   Discover profiles by reading profiles.ini:
    ●   Windows, usually in %AppData%\Thunderbird\
    ●   Linux, usually in ~/.thunderbird/ or
        ~/.mozilla-thunderbird/
    ●   Mac OS X, usually in ~/Library/Thunderbird/




                                                      22
Deployment - Injecting
Existing Addon
1) Installed addons are listed in %profile-dir%/extensions.ini
2) Copy the backdoor into %selected-addon%/content/
3) Edit chrome.manifest and add an overlay line:
       overlay   chrome://messenger/content/messenger.xul   chrome://selected-addon/content/backdoorOverlay.xul


●   Hard to detect
●   User trusts installed addons
●   Addon updates are a problem


                                                             23
Deployment - New Addon

1) Copy backdoor into TB extensions folder
2) Create a file with a random name (a UUID)
3) Write the path of the backdoor folder into it


●   May be easily detected by looking at the
Extensions Manager

●   But we can use a trick to hide it




                                              24
25
Deployment alternatives
●   Install Manifest (install.rdf)
       <em:updateURL>
       <em:updateKey>

●   Mozilla Addons Updates
    1) Update manifest retrieved in a secure fashion
        Through SSL
        Signed Update Manifests
    2) Update package retrieved matches
        Through SSL
        File Hashes

●   Publishing on Mozilla Addon Site (AMO)
       Policies & Review Process
       Sandbox then public
       Blocklist
                                                       26
Deployment alternatives
●   MITM to deliver fake updates

●   (P)Owning widely used addon sites (?)

●   Become a reviewer for a long time (?)

●   Using Mozilla cert to sign updates #comodogate :P

●   Zamboni project (new AMO site)
    Source code available
      ●   https://github.com/jbalogh/zamboni
      ●   https://github.com/mozilla/zamboni


    Audit the code and test you said?
          Master visible on https://preview.addons.mozilla.org
          Next branch visible on https://next.addons.mozilla.org
                                                                   27
Avoiding detection
●   <em:hidden> deprecated since Gecko 1.9.2

●   Hooking Extensions Manager
    ●   Overlay for
        chrome://mozapps/content/extensions/extensions.xul
    ●   Some javascript code to filter our extension
        chrome://mozapps/content/extensions/extensions.js




                                                             28
Avoiding detection

●   Skip updates by editing the install.rdf file:
       <em:updateURL>FAKE URL HERE</em:updateURL>
       This URL could also be used to update our backdoor


●   Disabling extension updates globally:
       ●   extensions.update.enabled
       ●   extensions.update.interval
       ●   extensions.update.url




                                                            29
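The deployment and update-suppression slides (22 to 29) describe artifacts that are all visible on disk: profiles enumerated from profiles.ini, an overlay on messenger.xul or on the Extensions Manager's extensions.xul in some addon's chrome.manifest, a plain file in the extensions folder whose content is a path, a non-HTTPS or fake updateURL in install.rdf, and extensions.update.enabled set to false. The audit script below is an added example from a defender's side, not code from the talk; it builds a throwaway profile tree mirroring that layout (the profile name, addon id, UUID file name and paths are all constructed) and reports each of those indicators.

```python
# Added example: audit a Thunderbird profile tree for the on-disk indicators
# described on slides 22-29. The demo profile is constructed sample data.
import configparser
import os
import re
import tempfile

# Overlay targets worth a second look: the main mail window (slide 23)
# and the Extensions Manager UI itself (slide 28).
WATCHED_OVERLAYS = {
    "chrome://messenger/content/messenger.xul",
    "chrome://mozapps/content/extensions/extensions.xul",
}
OVERLAY_RE = re.compile(r"^\s*overlay\s+(\S+)\s+(\S+)", re.M)
UPDATE_URL_RE = re.compile(r"<em:updateURL>\s*([^<]*?)\s*</em:updateURL>")
UPDATES_OFF_RE = re.compile(r'user_pref\("extensions\.update\.enabled",\s*false\)')


def profile_dirs(profiles_ini):
    """Resolve profile paths from profiles.ini (Path= is relative unless IsRelative=0)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(profiles_ini)
    base = os.path.dirname(profiles_ini)
    dirs = []
    for sec in cp.sections():
        if cp.has_option(sec, "Path"):
            path = cp.get(sec, "Path")
            relative = cp.get(sec, "IsRelative", fallback="1") == "1"
            dirs.append(os.path.join(base, path) if relative else path)
    return dirs


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_extension(ext_dir):
    """Findings for one unpacked extension directory."""
    findings = []
    manifest = os.path.join(ext_dir, "chrome.manifest")
    if os.path.isfile(manifest):
        for target, source in OVERLAY_RE.findall(read_text(manifest)):
            if target in WATCHED_OVERLAYS:
                findings.append("overlay on %s from %s" % (target, source))
    rdf = os.path.join(ext_dir, "install.rdf")
    if os.path.isfile(rdf):
        for url in UPDATE_URL_RE.findall(read_text(rdf)):
            if not url.startswith("https://"):      # fake or downgraded update source (slide 29)
                findings.append("updateURL is not https: %r" % url)
    return findings


def audit_profile(profile_dir):
    """Map of item name -> findings for one profile directory."""
    report = {}
    ext_root = os.path.join(profile_dir, "extensions")
    if os.path.isdir(ext_root):
        for name in sorted(os.listdir(ext_root)):
            item = os.path.join(ext_root, name)
            if os.path.isdir(item):
                found = audit_extension(item)
                if found:
                    report[name] = found
            else:
                # A plain file whose content is a path points at an
                # extension stored elsewhere (slide 24).
                report[name] = ["proxy file -> %s" % read_text(item).strip()]
    prefs = os.path.join(profile_dir, "prefs.js")
    if os.path.isfile(prefs) and UPDATES_OFF_RE.search(read_text(prefs)):
        report["prefs.js"] = ["extensions.update.enabled is false"]
    return report


def build_demo_profile():
    """Create a throwaway profile tree mirroring the slides' layout (constructed data)."""
    root = tempfile.mkdtemp(prefix="tb-audit-demo-")
    prof = os.path.join(root, "abcd1234.default")
    ext = os.path.join(prof, "extensions", "some-addon@example.invalid")
    os.makedirs(ext)
    files = {
        os.path.join(root, "profiles.ini"):
            "[Profile0]\nName=default\nIsRelative=1\nPath=abcd1234.default\n",
        os.path.join(ext, "chrome.manifest"):
            "content some-addon content/\n"
            "overlay chrome://messenger/content/messenger.xul "
            "chrome://some-addon/content/backdoorOverlay.xul\n",
        os.path.join(ext, "install.rdf"):
            "<em:updateURL>FAKE URL HERE</em:updateURL>\n",
        os.path.join(prof, "extensions", "4c0ffee0-0000-4000-8000-000000000001"):
            "/path/to/backdoor-folder\n",
        os.path.join(prof, "prefs.js"):
            'user_pref("extensions.update.enabled", false);\n',
    }
    for path, body in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return os.path.join(root, "profiles.ini")


def run_demo():
    """Audit every profile listed in the constructed profiles.ini."""
    ini = build_demo_profile()
    return {os.path.basename(p): audit_profile(p) for p in profile_dirs(ini)}


if __name__ == "__main__":
    for profile, items in run_demo().items():
        print(profile, items)
```

Pointing profile_dirs() at a real profiles.ini (the per-platform locations are on slide 22) runs the same checks against an actual installation; an overlay on messenger.xul is normal for many legitimate addons, so the report is a triage list, not a verdict.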
Capabilities Demo




                    30
Getting PGP Information

 ●   Enigmail Addon commonly used

 ●   Hook “enigMessageDecrypt”

 ●   Prompt for passphrase twice

 ●   EnigGetSecretKeys &
 enigmailSvc.extractKey FTW

 ●   Match passphrase with ID



                                    31
Improvements

 ●   Better steganography algorithms

 ●   Unicode steganography

 ●   Inject all addons

 ●   More methods to get output




                                       32
Alternative uses


●   Building a SPAM controlled botnet

●   others?




                                        33
Conclusion

  ●   Complete SDK to develop

  ●   Global scope useful for us

  ●   Multiplatform backdoor

  ●   Hijacked extensions are hard to detect

  ●   Execution with common user but..

  ●   Further research on other email clients




                                                34
Reference & Similar work

 ●   Mozilla Developer Network
 ●   mozillaZine KB & Forum
 ●   StackOverflow questions


 ●   Immunity PINK Framework
 ●   Abusing Firefox Addons at Defcon17
 ●   Digninja twitter botnet (unicode steg)
 ●   IronGeek steg botnet

                                              35
The End


 Thank you for your time

                  Questions?


 Esteban Guillardoy
 esteban@immunityinc.com
 @sagar38

                               36
Beyond Passwords (Guidorizzi)
 
DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)
 

Dernier

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

The Listening: Email Client Backdoor

  • 1. The Listening: Email Client Backdoor
    Esteban Guillardoy, esteban@immunityinc.com
  • 2. Introduction
    ● This presentation will focus on a backdoor implementation based on Thunderbird 3.x
    ● A different approach, taking advantage of the addon/extension features
    ● How to make it persistent and hide the C&C by using steganography
  • 3. Demo
    How cool is this presentation? It is starting with a demo :)
  • 4. How all this started
    ● Never leave the office without locking your session - FAIL!
    ● Malicious brainstorming...
  • 5. Adapting the idea
    ● Web browsers are commonly targeted
    ● But email clients are not
    ● Why not use one as a real backdoor?
  • 6. The challenge
    ● Targets go on and off
    ● Covertness without losing reliability
    ● Routing the data
    ● Stealthiness
    ● Resistance to traffic analysis
    ● No suspicious open ports
    ● Avoid antiviruses & scanners
    ● Thinking of future trojans
  • 7. Why an email client
    Don't you use one? Is it Thunderbird?
  • 8. Email Client Extensions
    ● Only Thunderbird 3.x for now
      ● Multiplatform backdoor out of the box
    ● Trusted code
    ● Full access to all client functions
    ● Program execution
    ● Easy development
    ● Solves part of the challenge for us
  • 9. Backdoor controlled by simply sending emails
  • 10. Features
    ● Doesn't require user interaction
    ● Hidden C&C using steganography on images
    ● Encryption using public & private keys
    ● Processes every email that arrives at the client
    ● Predefined actions
    ● Command execution with output retrieval
  • 11. (image-only slide)
  • 12. Mozilla Addons/Extensions
    Basic structure:
      /components/*
      /content or /chrome/content
      /defaults/preferences/*.js
      /chrome.manifest
      /install.rdf
  • 13. Development
    ● “Must have” tools
      ● Firebug + ChromeBug
      ● Extension Developer
      ● Chrome List
      ● Extension Manager Extended
      ● Console2
      ● Inspector Widget
      ● DOM Inspector
      ● MozRepl
      ● Event Spy
      ● XPCOMViewer
  • 15. Email Check
    ● Listener on the notification service:
      Components.classes["@mozilla.org/messenger/msgnotificationservice;1"];
      notificationService.addListener(this, notificationService.msgsClassified);
    ● Our method gets called with each new email
    ● Filter messages by checking attachments:
      attachment.contentType.match(/image\/png/) != null
  • 16. Encryption
    ● Private & public key algorithm (PGP)
    ● Used to send commands & output
    ● Implementation in Javascript
    ● Wrapper around gnupg in Python
  • 17. Hiding Information
    ● Steganography on images to hide the info
    ● Who applies steganalysis to every image attached to an email?
    ● The common approach is to avoid loading external images
    (figure: original vs. modified image carrying the message “INFILTRATE 2011”)
  • 18. Hiding Information
    ● Least Significant Bit (LSB) algorithm
      (figure: 0 1 1 0 1 1 0 0 0 0 1 = “a”)
    ● We need 3 pixels per byte to hide
    ● If the image is greyscale we could use more than 1 bit per pixel
  • 19. Hiding Information
    ● Python implementation
      ● Using the Python Imaging Library (PIL)
      ● Some bitwise operations and we are ready
    ● Javascript implementation
      ● Hidden iframe to create an HTML5 canvas element
      ● Retrieve pixel info with:
        var context = canvas.getContext('2d');
        var data = context.getImageData(0,0,canvas.width,canvas.height);
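Slides 17 to 19 hide the C&C payload in the least-significant bits of an image attachment and ask who runs steganalysis on every attached image. The block below is an added example (not code from the talk or from Immunity) of one check a mail gateway or an analyst could run on decoded pixel data: it reads the LSB plane under both a dense layout and the deck's three-pixels-per-byte layout and flags an image whose leading payload bytes are almost all printable ASCII, which the LSBs of a natural image are not. The exact layout (payload in the first eight channel LSBs of each pixel triple, ninth channel unused), the printable-ratio heuristic, the window size and the sample pixels are assumptions constructed for the demo; the embedding helper exists only to build the positive sample for the detector.

```python
"""LSB steganalysis check (added example; not code from the talk or Immunity).

Assumed layout: one payload byte per three RGB pixels, written MSB-first into
the LSB of the first eight channels, ninth channel unused. The deck only says
"3 pixels per byte", so this is an assumption; the dense 8-channel layout is
tried as well.
"""
import random
from typing import List, Sequence, Tuple

Pixel = Tuple[int, int, int]
PRINTABLE = set(range(32, 127)) | {9, 10, 13}


def lsb_plane(pixels: Sequence[Pixel]) -> List[int]:
    """Least-significant bit of every channel, in raster order."""
    return [ch & 1 for px in pixels for ch in px]


def pack_bits(bits: Sequence[int], group: int) -> bytes:
    """Pack the first 8 bits of every `group` bits into one byte (MSB first).
    group=8: every channel carries payload; group=9: three pixels per byte."""
    out = bytearray()
    for i in range(0, len(bits) - group + 1, group):
        val = 0
        for b in bits[i:i + 8]:
            val = (val << 1) | b
        out.append(val)
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (or tab/CR/LF)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def lsb_text_score(pixels: Sequence[Pixel], window: int = 32) -> float:
    """Best printable ratio over the leading `window` payload bytes, trying
    both candidate layouts. Random LSBs score about 0.38."""
    bits = lsb_plane(pixels)
    return max(printable_ratio(pack_bits(bits, g)[:window]) for g in (8, 9))


def looks_like_lsb_text(pixels: Sequence[Pixel], threshold: float = 0.9) -> bool:
    """Flag an image whose LSB plane starts with near-pure ASCII text."""
    return lsb_text_score(pixels) >= threshold


# ---- constructed sample data (not a real attachment) -----------------------

def make_carrier(n_pixels: int, seed: int = 7) -> List[Pixel]:
    """Stand-in for a natural image: random RGB noise, so its LSBs are random."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(n_pixels)]


def embed_for_sample(pixels: Sequence[Pixel], message: bytes) -> List[Pixel]:
    """Build the positive sample: write `message` with the assumed layout."""
    if len(message) * 3 > len(pixels):
        raise ValueError("carrier too small for message")
    chans = [ch for px in pixels for ch in px]
    for i, byte in enumerate(message):
        for k in range(8):
            pos = i * 9 + k
            chans[pos] = (chans[pos] & ~1) | ((byte >> (7 - k)) & 1)
    return [(chans[j], chans[j + 1], chans[j + 2]) for j in range(0, len(chans), 3)]


if __name__ == "__main__":
    clean = make_carrier(300)
    stego = embed_for_sample(clean, b"INFILTRATE 2011 - constructed sample command")
    for label, img in (("clean", clean), ("stego", stego)):
        print(f"{label}: score={lsb_text_score(img):.2f} flagged={looks_like_lsb_text(img)}")
```

The functions take plain RGB tuples, so a real PNG can be checked with `looks_like_lsb_text(list(Image.open(path).convert("RGB").getdata()))` from PIL, the same library the deck uses. The heuristic only catches sequential, unencrypted text payloads; the deck encrypts commands with PGP, and a ciphertext LSB plane looks as random as a clean one, so a gateway should also treat unexpected PNG attachments from unknown senders as a signal in their own right rather than rely on content inspection alone.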
  • 20. Execution
    ● Using the XPCOM interfaces nsIProcess or nsIProcess2
    ● Fix the arguments to redirect output to a temp file
    ● Read the temp file and then delete it
  • 21. Getting Output
    1) XMLHttpRequest
    2) Sending an email
      ● New email:
        Components.classes["@mozilla.org/messengercompose;1"]
        Components.classes["@mozilla.org/messenger/account-manager;1"]
      ● Send it:
        Components.classes["@mozilla.org/messengercompose/compose;1"]
      ● Delete it from the Sent folder
  • 22. Deployment
    ● Discover profiles by reading profiles.ini:
      ● Windows, usually in %AppData%\Thunderbird
      ● Linux, usually in ~/.thunderbird/ or ~/.mozilla-thunderbird/
      ● Mac OS X, usually in ~/Library/Thunderbird/
  • 23. Deployment - Injecting an Existing Addon
    1) Installed addons are listed in %profile-dir%/extensions.ini
    2) Copy the backdoor into %selected-addon%/content/
    3) Edit chrome.manifest:
       overlay chrome://messenger/content/messenger.xul chrome://selected-addon/content/backdoorOverlay.xul
    ● Hard to detect
    ● The user trusts installed addons
    ● Addon updates are a problem
  • 24. Deployment - New Addon
    1) Copy the backdoor into the TB extensions folder
    2) Create a file with a random name (a UUID)
    3) Write the path to the backdoor folder into it
    ● May be easily detected by looking at the Extensions Manager
    ● But we can use a trick to hide it
  • 25. (image-only slide)
  • 26. Deployment alternatives
    ● Install Manifest (install.rdf)
      <em:updateURL>
      <em:updateKey>
    ● Mozilla Addons Updates
      1) Update manifest retrieved in a secure fashion
         Through SSL
         Signed Update Manifests
      2) Update package retrieved matches
         Through SSL
         File Hashes
    ● Publishing on the Mozilla Addon Site (AMO)
      Policies & Review Process
      Sandbox then public
      Blocklist
  • 27. Deployment alternatives
    ● MITM to deliver fake updates
    ● (P)Owning widely used addon sites (?)
    ● Become a reviewer for a long time (?)
    ● Using a Mozilla cert to sign updates #comodogate :P
    ● Zamboni project (new AMO site)
      Source code available:
      ● https://github.com/jbalogh/zamboni
      ● https://github.com/mozilla/zamboni
      Audit the code and test you said?
      Master visible on https://preview.addons.mozilla.org
      Next branch visible on https://next.addons.mozilla.org
  • 28. Avoiding detection
    ● <em:hidden> deprecated since Gecko 1.9.2
    ● Hooking the Extensions Manager
      ● Overlay for chrome://mozapps/content/extensions/extensions.xul
      ● Some javascript code to filter our extension out of chrome://mozapps/content/extensions/extensions.js
  • 29. Avoiding detection
    ● Skip updates by editing the install.rdf file:
      <em:updateURL>FAKE URL HERE</em:updateURL>
      This URL could also be used to update our backdoor
    ● Disabling extension updates globally:
      ● extensions.update.enabled
      ● extensions.update.interval
      ● extensions.update.url
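Slides 22 to 24 and 28 to 29 describe where the backdoor is planted (a chrome.manifest overlay onto messenger.xul inside an installed addon, or a proxy file in the extensions folder pointing at a directory elsewhere) and how it stays out of sight (an overlay on extensions.xul, `<em:hidden>`, a fake `<em:updateURL>`, the `extensions.update.*` prefs). Each of those leaves a file-level artifact in the profile, so they can be audited without the client running. The script below is an added example, not the deck's code, that walks a profile directory and reports exactly those artifacts. It reads the legacy Gecko 1.9-era layout the slides describe; the sample profile it builds in a temp directory, the addon ids, the proxy path and the clean overlay target messageWindow.xul are constructed for the demo.

```python
"""Audit a Thunderbird profile for the extension artifacts on these slides.

Added example, not the deck's code. It inspects the legacy (Gecko 1.9-era)
profile layout the slides describe: extensions/<id>/chrome.manifest and
install.rdf, proxy files in extensions/, and prefs.js. The sample profile
built below, its addon ids and paths are constructed for the demo.
"""
import os
import re
import tempfile
from typing import List

# Overlay targets the slides use: messenger.xul to hook the mail window,
# extensions.xul to hide the addon from the Extensions Manager.
SENSITIVE_OVERLAYS = (
    "chrome://messenger/content/messenger.xul",
    "chrome://mozapps/content/extensions/extensions.xul",
)
OVERLAY_RE = re.compile(r"^\s*overlay\s+(\S+)\s+(\S+)", re.M)
HIDDEN_RE = re.compile(r"<em:hidden>\s*true\s*</em:hidden>", re.I)
UPDATE_URL_RE = re.compile(r"<em:updateURL>\s*(.*?)\s*</em:updateURL>", re.I | re.S)
PREF_RE = re.compile(r'user_pref\("(extensions\.update\.\w+)",\s*(.*?)\);')


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit_extension_dir(ext_dir: str) -> List[str]:
    """Findings for one unpacked addon directory."""
    name = os.path.basename(ext_dir)
    findings = []
    manifest = _read(os.path.join(ext_dir, "chrome.manifest"))
    for target, overlay in OVERLAY_RE.findall(manifest):
        if target in SENSITIVE_OVERLAYS:
            findings.append(f"{name}: overlays {target} with {overlay}")
    rdf = _read(os.path.join(ext_dir, "install.rdf"))
    if HIDDEN_RE.search(rdf):
        findings.append(f"{name}: install.rdf sets <em:hidden>true")
    for url in UPDATE_URL_RE.findall(rdf):
        if not url.startswith("https://"):
            findings.append(f"{name}: updateURL is not HTTPS: {url!r}")
    return findings


def audit_profile(profile_dir: str) -> List[str]:
    """Findings for a whole profile directory."""
    findings = []
    ext_root = os.path.join(profile_dir, "extensions")
    entries = sorted(os.listdir(ext_root)) if os.path.isdir(ext_root) else []
    for entry in entries:
        path = os.path.join(ext_root, entry)
        if os.path.isdir(path):
            findings.extend(audit_extension_dir(path))
        elif not entry.endswith(".xpi"):
            # A plain file here is a proxy: its content is the path of an
            # addon directory that lives somewhere else (slide 24).
            findings.append(f"{entry}: proxy file -> {_read(path).strip()}")
    for key, val in PREF_RE.findall(_read(os.path.join(profile_dir, "prefs.js"))):
        if key == "extensions.update.enabled" and val.strip() == "false":
            findings.append("prefs.js: extension updates disabled")
        elif key in ("extensions.update.url", "extensions.update.interval"):
            findings.append(f"prefs.js: {key} overridden to {val.strip()}")
    return findings


def build_sample_profile() -> str:
    """Constructed profile: one clean addon, one hijacked addon, one proxy file."""
    root = tempfile.mkdtemp(prefix="tb-profile-")

    def put(rel: str, text: str) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    put("extensions/clean@example.test/chrome.manifest",
        "content clean content/\n"
        "overlay chrome://messenger/content/messageWindow.xul chrome://clean/content/ov.xul\n")
    put("extensions/clean@example.test/install.rdf",
        "<em:updateURL>https://updates.example.test/update.rdf</em:updateURL>\n")
    put("extensions/hijacked@example.test/chrome.manifest",
        "content hijacked content/\n"
        "overlay chrome://messenger/content/messenger.xul chrome://hijacked/content/backdoorOverlay.xul\n"
        "overlay chrome://mozapps/content/extensions/extensions.xul chrome://hijacked/content/hide.xul\n")
    put("extensions/hijacked@example.test/install.rdf",
        "<em:hidden>true</em:hidden>\n<em:updateURL>FAKE URL HERE</em:updateURL>\n")
    put("extensions/7f3c2a10-0000-4000-8000-000000000000", "/tmp/not-an-extension-dir\n")
    put("prefs.js", 'user_pref("extensions.update.enabled", false);\n')
    return root


def demo_findings() -> List[str]:
    """Run the audit against the constructed sample profile."""
    return audit_profile(build_sample_profile())


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

For a real check, pass the profile path (located through profiles.ini, as slide 22 notes) to `audit_profile` and compare the result with a baseline taken from a known-good install; an overlay on messenger.xul is legitimate for many mail addons, so the value is in the diff, not the raw hit. The script only understands the unpacked-directory layout the slides target; newer Thunderbird releases store extension state differently, and a stripped `<em:updateURL>` inside an AMO-distributed addon should be judged against the version AMO serves, not only by the HTTPS test here.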
  • 31. Getting PGP Information
    ● Enigmail addon commonly used
    ● Hook “enigMessageDecrypt”
    ● Prompt for the passphrase twice
    ● EnigGetSecretKeys & enigmailSvc.extractKey FTW
    ● Match the passphrase with the key ID
  • 32. Improvements
    ● Better steganography algorithms
    ● Unicode steganography
    ● Inject all addons
    ● More methods to get output
  • 33. Alternative uses
    ● Building a SPAM-controlled botnet
    ● Others?
  • 34. Conclusion
    ● Complete SDK to develop with
    ● Global scope is useful for us
    ● Multiplatform backdoor
    ● Hijacked extensions are hard to detect
    ● Execution as the regular user, but..
    ● Further research on other email clients
  • 35. References & Similar work
    ● Mozilla Developer Network
    ● mozillaZine KB & Forum
    ● StackOverflow questions
    ● Immunity PINK Framework
    ● Abusing Firefox Addons at Defcon17
    ● Digininja twitter botnet (unicode steg)
    ● IronGeek steg botnet
  • 36. The End
    Thank you for your time. Questions?
    Esteban Guillardoy, esteban@immunityinc.com, @sagar38