[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

Transcript of [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -

Page 1:
Page 2:

The Quest for the Client-Side Elixir Against Zombie Browsers

a.k.a. Zombie Browsers Reloaded

Legal disclaimer: Every point of view and thought is mine. The next presentation’s contents do not have any connection with my employer’s opinion, whether past, present or future. What you will hear can be only used in test labs, and only for the good.

Page 3:

root@bt:~# whoami

Zoltán Balázs

Page 4:

Deloitte

Page 5:

Senior IT security consultant

Page 6:

Deloitte Senior IT security consultant

Page 7:

root@bt:~# whoami

I’m OSCP, C|HFI, CPTS, MCP, CISSP

I’m NOT a CEH

CyberLympics@2012 CTF 2nd runner up – gula.sh

Page 8:

root@bt:~# whoami

[email protected]

https://hu.linkedin.com/in/zbalazs

Twitter – zh4ck

Page 9:

I Love Hacking

Page 10:

I Love Hacker Movies

Page 11:

I Love Memes

Page 12:

The quest for the client-side elixir against zombie browsers

Zombie browsers

Is there a solution?
– Common defensive solutions
– Internet security suites
– Online banking – client side solutions

Page 13:

The quest for the client-side elixir against zombie browsers

http://is.gd/kiwidi

http://is.gd/umusap

GitHub: http://is.gd/safeno

Page 14:
Page 15:

History of malicious Firefox extensions

Malicious extensions
– Facebook spamming
– ad injection
– search toolbars

*Data from mozilla.org

[Chart: malicious Firefox extensions by year, 2004 to 2013; vertical axis 0 to 80]

Page 16:

©f-secure

Page 17:

My zombie browser extension

Command and Control

Stealing cookies, passwords

Uploading/downloading files (Firefox only)

Binary execution (only on Firefox - Windows)

Webcam, geolocation

Forging financial transactions

Modifying content of the web page

More on YouTube

Page 18:
Page 19:
Page 20:
Page 21:

Hacmebank demo

Now it is just a password, but a real site with OTP login or smart-card login will also fail against this attack. Transaction authorization can block this attack!

Page 22:

Code publication

October 30, 2012: Mozilla blocked my extension in Firefox in 25 minutes

Page 23:

Advanced Mozilla 133t 3v4s10n 2013

https://bugzilla.mozilla.org/show_bug.cgi?id=841791

Page 24:

June 20, 2013 – Chrome: Advanced scanning of extensions

Page 25:

Which company developed the first Netscape plugin in 1995?

*****

Page 26:

A***e

Page 27:

Adobe

Page 28:
Page 29:
Page 30:
Page 31:
Page 32:
Page 33:

Axiom

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft

If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli

Page 34:

[Figure: attacks versus common defensive solutions; the marks in the cells are not preserved]

Attacks: Password stealing, Cookie stealing, Webcam spy, Reading user files, Writing user files

Solutions: NoScript, Browserprotect, Sandboxie

Page 35:

NoScript

„Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”

Won’t protect you against malware or another extension

Page 36:

Browserprotect

„To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”

Page 37:

Sandboxie

„Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.”

Protects (by default): writing files to disk (only to sandbox)

Page 38:

Won’t protect:
– Password stealing
– Cookie stealing
– Webcam spying
– Reading files

Page 39:

[Diagram: Attacker, Victim]

Page 40:

Internet security suites

Page 41:

Internet security suites

Vendor 1

Vendor 2

Vendor 3

Vendor 4

Vendor 5

The conclusion will be the same ...

Page 43:

Vendor Nr. 1

Detects and removes my Firefox extension based on signatures

Über 133t signature 3v4s10n 2k13

One additional space in a line

„Improved security” Firefox extensions

Always two versions behind the actual Firefox version

Page 44:

Hacked with browser extension

Page 45:

Vendor Nr. 2

„Safe browser” solution
– Creating a new, „clean” Firefox profile

Extensions installed via registry (HKCU)

Modifying „Safe browser” SQLite

Vendor contacted, no solution yet

Page 46:

Hacked with browser extension

Page 47:

Vendor Nr. 3

User question on a forum: „Does XYZ detect/block Xenotix KeylogX?”

Page 48:

Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ...If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.”

Page 49:

Hacked with browser extension, by design

Page 50:

Vendor Nr. 4,5,...

„Safe” browser solution

Hacked with browser extension

Page 51:

Avast Internet Security Suite
Browser extension protection in safe browser

DEMO

Page 52:

To the vendors:
Don’t trust the local root CA!
Protect proxy settings, browser files, browser settings!
Do not use old, outdated browsers!
Disable every browser extension!

To the users:
Do not use browser extensions to protect against browser extensions!
Install and update AV!

Page 53:

„Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”

Page 54:

What??? – Recommended by big financial institutions, „download it and you will be safe”

Vendor 1 (Zemana)

Vendor 2

Vendor 3

Vendor 4

Conclusion ... ;-)

Page 55:

Firefox + Zemana + API hooking + extension

DEMO

Page 56:

Vendor Nr. 2

Protects end-user endpoints against financial malware and phishing attacks.

By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover.

And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.

Page 57:

Vendor Nr. 2

Every extension disabled in Internet Explorer

But not in Firefox

They sent me a new version. Every Firefox extension is disabled. But it is not public ...

Plan for the future: they will detect if there is a malicious extension and that specific extension will be disabled in Firefox

Page 59:

Vendor Nr. 3

January 2013: Firefox 13.01 (June 2012)

Install via registry (HKCU)

Vendor contacted, problem solved

SSL MITM attack not working either, it protects its settings

GREAT SUCCESS
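The registry install vector named on this slide and on the Vendor Nr. 2 „safe browser” slides can be audited from the defender's side: Firefox loads extensions whose ID and path are listed as values under the Mozilla-documented keys HKCU\Software\Mozilla\Firefox\Extensions and HKLM\Software\Mozilla\Firefox\Extensions (plus the Wow6432Node variant on 64-bit Windows), so any entry there is an extension the user did not install through the browser. The following PowerShell script is an added example, not code from the talk or from any vendor, and assumes only those documented keys.

```powershell
# Added example (not from the talk): list Firefox extensions that were installed
# through the Windows registry instead of by the user in the browser itself.
# Firefox reads "extension ID -> path to XPI or directory" value pairs from these keys.
$RegistryExtensionKeys = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions'
)

function Get-RegistrySideloadedFirefoxExtension {
    foreach ($key in $RegistryExtensionKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($valueName in $regKey.GetValueNames()) {
            if ($valueName -eq '') { continue }   # skip the key's default value
            $xpiPath = [string]$regKey.GetValue($valueName)
            # An HKCU entry needs no admin rights, and a path under the user profile is
            # writable by any process running as that user: that combination is what a
            # bypass of a "clean profile" safe browser leaves behind, so flag it.
            $underProfile = $xpiPath -like "$env:USERPROFILE*"
            $exists = if ($xpiPath) { Test-Path -LiteralPath $xpiPath } else { $false }
            [pscustomobject]@{
                Hive        = $key.Split(':')[0]
                ExtensionId = $valueName
                Path        = $xpiPath
                PathExists  = $exists
                Suspicious  = ($key -like 'HKCU:*') -and $underProfile
            }
        }
        $regKey.Close()
    }
}

# Review every entry; an empty result means no registry-installed extensions.
Get-RegistrySideloadedFirefoxExtension | Format-Table -AutoSize
```

Entries whose Path no longer exists are stale leftovers and safe to delete; entries marked Suspicious deserve a look at the XPI and at whatever installer wrote the value.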

Page 60:

Vendor Nr. 4

Page 61:

Protects You From:

Information stealing malware and spyware

0-hour malware and targeted attacks

Sophisticated financial malware like ZeuS and SpyEye

Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more

Page 62:

Hacked with browser extension

Page 63:

Moral lesson: I was searching for the elixir in the wrong forest

Client-side-only solutions are doomed to fail

The elixir should be looked for in the server-side protection forest

YouTube: http://is.gd/kiwidi
SlideShare: http://is.gd/umusap
GitHub: http://is.gd/safeno