SlideShare a Scribd company logo

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions

Zoltan Balazs, profile picture
Zoltan Balazs

This document summarizes a presentation about malicious browser extensions and rootkits. It discusses the history of malicious extensions for Firefox, Chrome, and Safari. It demonstrates how to create a homemade Firefox extension that can steal cookies and passwords, upload/download files, and execute binaries remotely without user interaction. The presentation notes risks of zombie browsers include bypassing firewalls/filtering and accessing all browser secrets. It also demonstrates defeating 2-factor authentication on Gmail and hacking ChromeOS, though the latter demo did not work due to security restrictions. The document concludes by calling on antivirus companies to improve extension detection, browser companies to restrict extensions further, and users to use separate systems for banking.

Technology
1 of 51
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary Instructor @NetAkademia.hu OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals 2012 - 2nd runner up Member of the gula.sh team
I love Hacking
I love Zombie movies
I love LOLcats
Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
Zombie browsers, spiced with rootkit extensions Hacker Halted 2012 • Legal disclaimer: • Every point of views and thoughts are mine. • The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. • What you will hear can be only used in test labs, and only for the good.
About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 23, 2012: 49* *Data from mozilla.org
More examples on Facecrook Text ©f-secure
My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Safari demo
Installing the extension Physical access Social Engineering Remote code execution – without user interaction
Firefox rootkit 1 • Hook into other extension (even signed ones)
Firefox rootkit 2 • visible = false
Firefox rootkit 3 • seen in the wild
Quick Quiz - for Hacker Pschorr
Quick Quiz • Which company developed the first Netscape plugin? • *****
Quick Quiz • Which company developed the first Netscape plugin? • A***e
Quick Quiz • Which company developed the first Netscape plugin? • Adobe in 1995
Risks of a Zombie Browser • Eats your brain while you are asleep
Risks of a Zombie Browser
Risks of a Zombie Browser • Firewall/proxy  • Local firewall  • Application whitelisting  • Web-filtering 
Risks of a Zombie Browser • Cross-platform  • Cross-domain Universal XSS  • Every secret is available  • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source codes are available  • Advantage against meterpreter  • exe/dll is not needed for persistence • Writing into registry is not needed
Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension var _0x39fe=["x73x63x72x69x70x74","x63x72x65x61x74x65 x45x6Cx65x6Dx65x6E x74","x74x79x70x65","x74x65x78x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39f e[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval") {eval(mothership[x].data);
Profit ...
Firefox
Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (eg. portscan) • Platform limitations (eg. Execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
Gmail demo • defeat 2 step verification • Why Google? • Hacking “the others” is boring • clear text cookies • missing 2 step verification • no concurrent session detection
Gmail demo • defeat 2 step verification
One to rule them all • Cookie + password stealing – defeat Google 2-step verification • Use password reset on other sites linked to G-mail (Paypal, etc.) • Install any app from Google Play to victim’s Android phone • Access Android WIFI passwords • Access to Google+, Docs, Picasa, Blogger, Contacts, Web history, Checkout, Apps, OpenID • Backdooring Google account • Adding application specific password • Stealing backup codes • G-mail mail forward rule
Chrome - rootkit
ChromeOS DEMO
ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
Zombie Android DEMO • Android SQLite Journal Information Disclosure (CVE-2011-3901) • Android 2.3.7
Firefox webcam
Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep on the good job • but disable NPAPI :)
Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use separated OS for e-banking and other sensitive stuff • Removing malicious extensions - create new clean profile in clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
One more thing ...
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Should I release it on GitHub?
References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012
Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code released(?) under GPL http://github.com/Z6543/ ZombieBrowserPack Greetz to @hekkcamp

More Related Content

PDF
MIPS-X
Zoltan Balazs
 
PDF
Qubes os presentation_to_clug_20150727
csirac2
 
PDF
Intro To Gentoo Embedded Cclug
Steve Arnold
 
PDF
Hands on Virtualization with Ganeti
OSCON Byrum
 
PDF
Gentoo Linux, or Why in the World You Should Compile Everything
Donnie Berkholz
 
PDF
[DockerCon 2019] Hardening Docker daemon with Rootless mode
Akihiro Suda
 
PPTX
QNAP COSCUP Container Station
Wu Fan-Cheng
 
PDF
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
Akihiro Suda
 
MIPS-X
Zoltan Balazs
 
Qubes os presentation_to_clug_20150727
csirac2
 
Intro To Gentoo Embedded Cclug
Steve Arnold
 
Hands on Virtualization with Ganeti
OSCON Byrum
 
Gentoo Linux, or Why in the World You Should Compile Everything
Donnie Berkholz
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
Akihiro Suda
 
QNAP COSCUP Container Station
Wu Fan-Cheng
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
Akihiro Suda
 

What's hot (20)

PPTX
OpenWRT and Perl
Dean Hamstead
 
PPTX
Qt5 (minimal) on beaglebone, with Yocto
Prabindh Sundareson
 
PDF
How to Connect MQTT Broker on ESP8266 WiFi
Naoto MATSUMOTO
 
PPT
OpenWRT guide and memo
家榮 吳
 
PDF
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 
PDF
FreeBSD hosting
punkt.de GmbH
 
ODP
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
PPTX
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...
Mail.ru Group
 
PDF
Making Gentoo Tick
Anant Narayanan
 
PPTX
moscmy2016: Extending Docker
Mohammad Fairus Khalid
 
PDF
How to be a distribution-friendly project
Donnie Berkholz
 
PPTX
Yocto usage for Graphics SDK on AM335x
Prabindh Sundareson
 
PDF
Is Rust Programming ready for embedded development?
Knoldus Inc.
 
PDF
SmartOS Primer
Daniele Stroppa
 
PDF
Demystifying docker networking black magic - Lorenzo Fontana, Kiratech
Codemotion Tel Aviv
 
PDF
This one goes to 11!
APNIC
 
PDF
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
ODP
openSUSE12.2 Review
SUSE Labs Taipei
 
PDF
LCE13: Virtualization Forum
Linaro
 
PDF
4 virtual router CloudStack Developer Day
Kimihiko Kitase
 
OpenWRT and Perl
Dean Hamstead
 
Qt5 (minimal) on beaglebone, with Yocto
Prabindh Sundareson
 
How to Connect MQTT Broker on ESP8266 WiFi
Naoto MATSUMOTO
 
OpenWRT guide and memo
家榮 吳
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 
FreeBSD hosting
punkt.de GmbH
 
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...
Mail.ru Group
 
Making Gentoo Tick
Anant Narayanan
 
moscmy2016: Extending Docker
Mohammad Fairus Khalid
 
How to be a distribution-friendly project
Donnie Berkholz
 
Yocto usage for Graphics SDK on AM335x
Prabindh Sundareson
 
Is Rust Programming ready for embedded development?
Knoldus Inc.
 
SmartOS Primer
Daniele Stroppa
 
Demystifying docker networking black magic - Lorenzo Fontana, Kiratech
Codemotion Tel Aviv
 
This one goes to 11!
APNIC
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
openSUSE12.2 Review
SUSE Labs Taipei
 
LCE13: Virtualization Forum
Linaro
 
4 virtual router CloudStack Developer Day
Kimihiko Kitase
 

Viewers also liked (15)

PDF
Hacking Windows 95 #33c3
Zoltan Balazs
 
PPTX
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
Zoltan Balazs
 
PDF
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Zoltan Balazs
 
PPT
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
Zoltan Balazs
 
PPTX
Sandboxes
Zoltan Balazs
 
PPT
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
PPTX
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
PPTX
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
PDF
[ENG] Hacktivity 2013 - Alice in eXploitland
Zoltan Balazs
 
PPTX
[HUN] Védtelen böngészők - Ethical Hacking
Zoltan Balazs
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
PDF
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
PPTX
Hacking with Remote Admin Tools (RAT)
Zoltan Balazs
 
PDF
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
PPTX
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
Hacking Windows 95 #33c3
Zoltan Balazs
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
Zoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Zoltan Balazs
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
Zoltan Balazs
 
Sandboxes
Zoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
[ENG] Hacktivity 2013 - Alice in eXploitland
Zoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Zoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Ransomware - what is it, how to protect against it
Zoltan Balazs
 

Similar to [ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions (20)

PDF
Hacktivityonly 121013141039-phpapp02
Комсс Файквэе
 
PDF
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
PDF
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
PDF
Metasploitation part-1 (murtuja)
ClubHack
 
PDF
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
PDF
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
PDF
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
PPTX
External JavaScript Widget Development Best Practices
Volkan Özçelik
 
PPTX
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
PPTX
Forensics WS Consolidated
Karter Rohrer
 
PDF
Алексей Старов - Как проводить киберраследования?
HackIT Ukraine
 
PPTX
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PDF
Web Security - Introduction
SQALab
 
PPTX
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
PPTX
CheckPoint: Anatomy of an evolving bot
Group of company MUK
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
PPTX
Malware Analysis For The Enterprise
Jason Ross
 
PDF
DEEPSEC 2013: Malware Datamining And Attribution
Michael Boman
 
PDF
Malware collection and analysis
Chong-Kuan Chen
 
Hacktivityonly 121013141039-phpapp02
Комсс Файквэе
 
Zombie browsers spiced with rootkit extensions - DefCamp 2012
DefCamp
 
Html5: Something wicked this way comes (Hack in Paris)
Krzysztof Kotowicz
 
Metasploitation part-1 (murtuja)
ClubHack
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CanSecWest
 
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Something wicked this way comes - CONFidence
Krzysztof Kotowicz
 
External JavaScript Widget Development Best Practices
Volkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Volkan Özçelik
 
Forensics WS Consolidated
Karter Rohrer
 
Алексей Старов - Как проводить киберраследования?
HackIT Ukraine
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
Web Security - Introduction v.1.3
Oles Seheda
 
Web Security - Introduction
SQALab
 
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
CheckPoint: Anatomy of an evolving bot
Group of company MUK
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
Malware Analysis For The Enterprise
Jason Ross
 
DEEPSEC 2013: Malware Datamining And Attribution
Michael Boman
 
Malware collection and analysis
Chong-Kuan Chen
 

More from Zoltan Balazs (7)

PPTX
[ Hackersuli ] Privacy on the blockchain
Zoltan Balazs
 
PPTX
MLSEC 2020
Zoltan Balazs
 
PDF
Web3 + scams = It's a match
Zoltan Balazs
 
PPTX
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
PPTX
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
PDF
How to hide your browser 0-days
Zoltan Balazs
 
PPTX
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
[ Hackersuli ] Privacy on the blockchain
Zoltan Balazs
 
MLSEC 2020
Zoltan Balazs
 
Web3 + scams = It's a match
Zoltan Balazs
 
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
How to hide your browser 0-days
Zoltan Balazs
 
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 

Recently uploaded (20)

PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 

[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions

  • 1. Introduction Zoltán Balázs ITSEC consultant Deloitte Hungary Instructor @NetAkademia.hu OSCP, CISSP, C|HFI, CPTS, MCP http://www.slideshare.net/bz98 Cyberlympics finals 2012 - 2nd runner up Member of the gula.sh team
  • 3. I love Zombie movies
  • 5. Zombies + Hacking + LOLcats = I R ZOMBIE BROWSER
  • 6. Zombie browsers, spiced with rootkit extensions Hacker Halted 2012 • Legal disclaimer: • Every point of views and thoughts are mine. • The next presentation’s contents do not have any connection with my employers opinion, whether past, present or future. • What you will hear can be only used in test labs, and only for the good.
  • 7. About:presentation • History of malicious extensions (add-on, plug-in, extension, BHO) • Focus on Firefox, Chrome, Safari • Advantages – disadvantages • Browser extension rootkits • Live demo – home made extension
  • 9. History of malicious Firefox extensions • 90% of malicious extensions were created for Facebook spamming • 2004-2010: 5 • 2011: 5 • Jan 01, 2012 – Oct 23, 2012: 49* *Data from mozilla.org
  • 10. More examples on Facecrook Text ©f-secure
  • 11. My zombie extension • Command and Control • Stealing cookies, passwords • Uploading/downloading files (Firefox, Chrome NPAPI on todo list) • Binary execution (Firefox - Windows, Chrome NPAPI on todo list) • Geolocation
  • 18. Installing the extension Physical access Social Engineering Remote code execution – without user interaction
  • 19. Firefox rootkit 1 • Hook into other extension (even signed ones)
  • 20. Firefox rootkit 2 • visible = false
  • 21. Firefox rootkit 3 • seen in the wild
  • 22. Quick Quiz - for Hacker Pschorr
  • 23. Quick Quiz • Which company developed the first Netscape plugin? • *****
  • 24. Quick Quiz • Which company developed the first Netscape plugin? • A***e
  • 25. Quick Quiz • Which company developed the first Netscape plugin? • Adobe in 1995
  • 26. Risks of a Zombie Browser • Eats your brain while you are asleep
  • 27. Risks of a Zombie Browser
  • 28. Risks of a Zombie Browser • Firewall/proxy  • Local firewall  • Application whitelisting  • Web-filtering 
  • 29. Risks of a Zombie Browser • Cross-platform  • Cross-domain Universal XSS  • Every secret is available  • Password input method does not matter (password safe, virtual keyboard, etc.) • Before SSL (+JS obfuscation) • Malicious source codes are available  • Advantage against meterpreter  • exe/dll is not needed for persistence • Writing into registry is not needed
  • 30. Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
  • 31. Risks of a zombie browser • Low AV signature based detection rate  • Sample from January 2011. – October 2012. 0/40 • Extension vs. behavioral based detection 
  • 32. Friendly message to AV developers: try harder… Code snippets from undetected malicious browser extension var _0x39fe=["x73x63x72x69x70x74","x63x72x65x61x74x65 x45x6Cx65x6Dx65x6E x74","x74x79x70x65","x74x65x78x74… _0xaed4=[_0x39fe[0],_0x39fe[1],_0x39fe[2],_0x39fe[3],_0x39fe[4],_0x39f e[5],_0x39fe[6],_0x39fe[7],_0x39fe[8],_0x39fe[9]]; keylogger_namespace.keylogger… for(var x in mothership){if (mothership[x].command == "eval") {eval(mothership[x].data);
  • 35. Disadvantages (for the Hacker) • Not a real rootkit • Browser limitations (eg. portscan) • Platform limitations (eg. Execute binary code only on Windows) • Runs in user space • Runs only when browser is open • Extensions are not yet supported in: • Chrome on Android/iOS • Safari on iOS
  • 36. Gmail demo • defeat 2 step verification • Why Google? • Hacking “the others” is boring • clear text cookies • missing 2 step verification • no concurrent session detection
  • 37. Gmail demo • defeat 2 step verification
  • 38. One to rule them all • Cookie + password stealing – defeat Google 2-step verification • Use password reset on other sites linked to G-mail (Paypal, etc.) • Install any app from Google Play to victim’s Android phone • Access Android WIFI passwords • Access to Google+, Docs, Picasa, Blogger, Contacts, Web history, Checkout, Apps, OpenID • Backdooring Google account • Adding application specific password • Stealing backup codes • G-mail mail forward rule
  • 41. ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
  • 42. ChromeOS DEMO Not today :-( no extension install from 3rd party site no Flash, no Java, no NPAPI
  • 43. Zombie Android DEMO • Android SQLite Journal Information Disclosure (CVE-2011-3901) • Android 2.3.7
  • 45. Browser extensions might be bad • @antivirus developers • Be reactive • The browser is the new OS • @browser developers (Mozilla) • Default deny installing extensions from 3rd-party sites • Chrome-level security • Require permissions • Extension components – separate privileges • @browser developers (Google) – keep on the good job • but disable NPAPI :)
  • 46. Browser extensions might be bad • @website developers • There is no prevention against password stealing • Cookie-stealing • Restrict session to IP (by default) • @users • Beware of malicious browser extensions • Use separated OS for e-banking and other sensitive stuff • Removing malicious extensions - create new clean profile in clean OS • @companies • Control which browsers users can use • Restrict extensions via GPO
  • 49. Should I release it on GitHub?
  • 50. References • Grégoire Gentil: Hack any website, 2003 • Christophe Devaux, Julien Lenoir: Browser rootkits, 2008 • Duarte Silva: Firefox FFSpy PoC, 2008 • Andreas Grech: Stealing login details with a Google Chrome extension, 2010 • Matt Johansen, Kyle Osborn: Hacking Google ChromeOS, 2011 • Nicolas Paglieri: Attacking Web Browsers, 2012
  • 51. Browser extensions might be bad, Mmmkay??? zbalazs@deloittece.com zbalazs4 hu.linkedin.com/in/zbalazs Code released(?) under GPL http://github.com/Z6543/ ZombieBrowserPack Greetz to @hekkcamp