[eng] ohm2013 - the quest for the client-side elixir against zombie browsers -
TRANSCRIPT
The Quest for the Client-Side Elixir Against Zombie Browsers
a.k.a. Zombie Browsers Reloaded
Legal disclaimer: Every point of view and thought is mine. The presentation’s contents have no connection with my employer’s opinion, whether past, present or future. What you will hear can only be used in test labs, and only for the good.
root@bt:~# whoami
Zoltán Balázs
Deloitte, Senior IT security consultant
I’m OSCP, C|HFI, CPTS, MCP, CISSP
I’m NOT a CEH
CyberLympics 2012 CTF 2nd runner-up – gula.sh
I Love Hacking
I Love Hacker Movies
I Love Memes
The quest for the client-side elixir against zombie browsers
Zombie browsers
Is there a solution?
– Common defensive solutions
– Internet security suites
– Online banking – client-side solutions
http://is.gd/kiwidi
http://is.gd/umusap
Github: http://is.gd/safeno
History of malicious Firefox extensions
Malicious extensions:
– Facebook spamming
– ad injection
– search toolbars
[Chart: number of malicious Firefox extensions per year, 2004–2013, y axis 0–80; data from mozilla.org, ©f-secure]
My zombie browser extension
Command and Control
Stealing cookies, passwords
Uploading/downloading files (Firefox only)
Binary execution (only on Firefox - Windows)
Webcam, geolocation
Forging financial transactions
Modifying content of the web page
More on YouTube
Hacmebank demo
Now it is just a password, but a real site with OTP login or smart-card login would also fall to this attack. Transaction authorization can block this attack!
Code publication
October 30, 2012: Mozilla blocked my extension in Firefox in 25 minutes
Advanced Mozilla 133t 3v4s10n 2013
https://bugzilla.mozilla.org/show_bug.cgi?id=841791
June 20, 2013: Chrome – advanced scanning of extensions
Which company developed the first Netscape plugin in 1995?
Adobe
Axiom
If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft
If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli
Attacks tested: password stealing, cookie stealing, webcam spy, reading user files, writing user files
Products tested: NoScript, Browserprotect, Sandboxie
NoScript
„Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”
Won’t protect you against malware, another extension
Browserprotect
„To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
Sandboxie
„Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.”
Protects (by default): writing files to disk (only to sandbox)
Won’t protect:
– Password stealing
– Cookie stealing
– Webcam spying
– Reading files
[Diagram: Attacker → Victim]
Internet security suites
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Vendor 5
The conclusion will be the same ...
Vendor Nr. 1
Detects and removes my Firefox extension based on signatures
Über 133t signature 3v4s10n 2k13
One additional space in a line
„Improved security” Firefox extensions
Always two versions behind the actual Firefox version
Hacked with browser extension
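The "one additional space in a line" evasion works because a byte-exact signature changes the moment a single byte does. As an added example (not from the talk and not from any vendor's product), the PowerShell below hashes an extension script after collapsing whitespace, so a whitespace-only edit no longer changes the signature. The function names are my own and the two JavaScript snippets are constructed test data.

```powershell
# Added example (not from the talk or any vendor product): whitespace-insensitive
# hashing for extension script signatures. The JavaScript snippets are constructed.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Get-RawScriptHash {
    param([Parameter(Mandatory)][string]$Content)
    # Byte-exact signature: one extra space anywhere produces a new hash.
    Get-Sha256Hex ([System.Text.Encoding]::UTF8.GetBytes($Content))
}

function Get-NormalizedScriptHash {
    param([Parameter(Mandatory)][string]$Content)
    # Collapse each run of whitespace to a single space, trim every line and drop
    # empty lines before hashing, so padding a line no longer changes the signature.
    $lines = $Content -split "`r?`n" |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() } |
        Where-Object { $_ -ne '' }
    Get-Sha256Hex ([System.Text.Encoding]::UTF8.GetBytes(($lines -join "`n")))
}

# Constructed sample: a legacy bootstrap.js, once as written and once with a
# single extra space inserted in the second line (the evasion from the slide).
$original = @"
var Cu = Components.utils;
function startup(data, reason) { Cu.import("resource://gre/modules/Services.jsm"); }
"@
$padded = $original -replace 'function startup', 'function  startup'

'Raw SHA-256 differs:        {0}' -f ((Get-RawScriptHash $original) -ne (Get-RawScriptHash $padded))
'Normalized SHA-256 matches: {0}' -f ((Get-NormalizedScriptHash $original) -eq (Get-NormalizedScriptHash $padded))
```

Normalizing whitespace only closes the specific trick on the slide; a signature that survives renamed identifiers or reordered statements needs a structural (token- or AST-level) comparison rather than a text hash.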
Vendor Nr. 2
„Safe browser” solution
– Creating a new, „clean” Firefox profile
Extensions installed via registry (HKCU)
Modifying „Safe browser” SQLite
Vendor contacted, no solution yet
Hacked with browser extension
Vendor Nr. 3
User question on a forum: „Does XYZ detect/block Xenotix KeylogX?”
Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ...If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”
Hacked with browser extension, by design
Vendor Nr. 4,5,...
„Safe” browser solution
Hacked with browser extension
Avast Internet Security Suite
Browser extension protection in safe browser
DEMO
To the vendors:
– Don’t trust the local root CA!
– Protect proxy settings, browser files, browser settings!
– Do not use old, outdated browsers!
– Disable every browser extension!
To the users:
– Do not use browser extensions to protect against browser extensions!
– Install and update AV!
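The vendor recommendations above name concrete things a "safe browser" can be attacked through: a locally planted root CA, hijacked proxy settings and modified browser files. As an added example (not from the talk or any vendor's product), this PowerShell audit reads exactly those settings on a Windows client: the per-user trusted root store, the WinINET proxy values, the `network.proxy.*` prefs of each Firefox profile, and the Authenticode status of the Firefox binaries. The function names are my own; the Firefox install path is an assumed default.

```powershell
# Added example (not from the talk): audit the settings the vendor recommendations
# single out on a Windows client: user-trusted root CAs, WinINET proxy, Firefox
# proxy prefs and the signatures on the Firefox binaries.

function Get-UserInstalledRootCA {
    # Roots in the per-user store were added by something running as this user
    # (installer, admin or malware); no admin rights are needed to plant one here,
    # which is why the slide says not to trust a local root CA.
    Get-ChildItem Cert:\CurrentUser\Root |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-WinInetProxy {
    # Proxy settings used by Internet Explorer and every application that follows
    # the system proxy. ProxyEnable=1 or a non-empty AutoConfigURL means traffic is
    # being steered through something.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-FirefoxProxyPref {
    # Firefox keeps its own proxy settings per profile in prefs.js / user.js
    # (network.proxy.type: 0 direct, 1 manual, 2 PAC, 4 auto-detect, 5 system).
    $root = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $root)) { return }
    foreach ($dir in Get-ChildItem $root -Directory) {
        foreach ($file in 'prefs.js', 'user.js') {
            $path = Join-Path $dir.FullName $file
            if (-not (Test-Path $path)) { continue }
            Select-String -Path $path -Pattern '^user_pref\("network\.proxy\.' |
                ForEach-Object {
                    [pscustomobject]@{ Profile = $dir.Name; File = $file; Pref = $_.Line.Trim() }
                }
        }
    }
}

function Get-UnsignedFirefoxBinary {
    # Assumed default install path; pass -InstallDir for a "safe browser" bundle.
    param([string]$InstallDir = (Join-Path $env:ProgramFiles 'Mozilla Firefox'))
    # "Protect browser files": any exe/dll under the install directory whose
    # Authenticode signature is not Valid is flagged for review (modified,
    # replaced or added).
    Get-ChildItem $InstallDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}

Get-UserInstalledRootCA   | Format-Table -AutoSize
Get-WinInetProxy          | Format-List
Get-FirefoxProxyPref      | Format-Table -AutoSize
Get-UnsignedFirefoxBinary | Format-Table -AutoSize
```

Run it once on a clean install, keep the output as a baseline, and diff later runs against it; a new entry in any of the four lists is exactly the kind of change the slide asks vendors to protect against.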
„Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”
What??? – Recommended by big financial institutions, „download it and you will be safe”
Vendor 1 (Zemana)
Vendor 2
Vendor 3
Vendor 4
Conclusion ... ;-)
Firefox + Zemana + API hooking + extension
DEMO
Vendor Nr. 2
Protects end-user endpoints against financial malware and phishing attacks.
By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover.
And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.
Every extension disabled in Internet Explorer
But not in Firefox
They sent me a new version
Every Firefox extension is disabled
But it is not public ...
Plan for the future: they will detect if there is a malicious extension and that specific extension will be disabled in Firefox
Vendor Nr. 3
January 2013: Firefox 13.01 (June 2012)
Install via registry (HKCU)
Vendor contacted, problem solved
SSL MITM attack not working either, it protects its settings
GREAT SUCCESS
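Both the "safe browser" of Vendor Nr. 2 in the security-suite section and Vendor Nr. 3 here were bypassed by installing the extension through the registry (HKCU). As an added example (not from the talk or any vendor's product), the PowerShell below enumerates the registry keys Firefox used for sideloaded extensions (value name = extension ID, value data = path to the XPI or directory) and reports anything not on an allow list. The function names and the placeholder allow-list ID are my own; Firefox 74 and later no longer auto-install extensions from these keys, but on the Firefox versions discussed in the talk they were honoured.

```powershell
# Added example (not from the talk or any vendor product): enumerate Firefox
# extensions sideloaded through the Windows registry, the channel that bypassed
# the "safe browser" profiles. Firefox read extension IDs (value names) and
# XPI/directory paths (value data) from these keys at startup; Firefox 74 and
# later no longer auto-install from them.

function Get-RegistrySideloadedFirefoxExtension {
    $keys = @(
        'HKCU:\Software\Mozilla\Firefox\Extensions',
        'HKLM:\Software\Mozilla\Firefox\Extensions',
        # 32-bit Firefox on 64-bit Windows
        'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $path = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key          = $key
                ExtensionId  = $name
                Path         = $path
                PathExists   = if ($path) { Test-Path -LiteralPath $path } else { $false }
                # HKCU is writable by the user, so anything running as the user
                # can register an extension here without admin rights.
                UserWritable = $key.StartsWith('HKCU')
            }
        }
    }
}

function Compare-WithAllowList {
    param(
        [Parameter(Mandatory)][string[]]$AllowedIds,
        [Parameter(ValueFromPipeline)]$Entry
    )
    process {
        # Anything not on the allow list is a finding; for a "safe browser" profile
        # the allow list should be empty, i.e. every registry-installed extension
        # is reported.
        if ($AllowedIds -notcontains $Entry.ExtensionId) { $Entry }
    }
}

# Constructed allow list with a placeholder ID standing in for a vendor's own
# helper extension; replace with the real IDs you expect to see.
$allowed = @('{00000000-0000-0000-0000-000000000000}')

Get-RegistrySideloadedFirefoxExtension |
    Compare-WithAllowList -AllowedIds $allowed |
    Format-Table -AutoSize
```

A product that builds a "clean" profile should run this kind of check (and the equivalent read of the profile's own extension list) before it declares the browser safe, rather than assuming a fresh profile directory means no extensions.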
Vendor Nr. 4
Protects You From:
Information stealing malware and spyware
0-hour malware and targeted attacks
Sophisticated financial malware like ZeuS and SpyEye
Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
Hacked with browser extension
Moral lesson: I was searching for the elixir in the wrong forest
Client-side-only solutions are doomed to fail
The elixir should be looked for in the server-side protection forest
YouTube: http://is.gd/kiwidi
SlideShare: http://is.gd/umusap
GitHub: http://is.gd/safeno