[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers
The Quest for the Client-Side Elixir Against Zombie Browsers
a.k.a. Zombie Browsers Reloaded
Legal disclaimer: Every point of view and thought is mine. The contents of the following presentation have no connection with my employer's opinion, whether past, present or future. What you will hear may only be used in test labs, and only for good.
root@bt:~# whoami
Zoltán Balázs
Deloitte
Senior IT security consultant
I’m OSCP, C|HFI, CPTS, MCP, CISSP
I’m NOT a CEH
CyberLympics 2012 CTF, 2nd runner up – gula.sh
I Love Hacking
I Love Hacker Movies
I Love Memes
The quest for the client-side elixir against zombie browsers
Zombie browsers
Is there a solution?
– Common defensive solutions
– Internet security suites
– Online banking – client-side solutions
http://is.gd/kiwidi
http://is.gd/umusap
Github: http://is.gd/safeno
History of malicious Firefox extensions
Malicious extensions:
– Facebook spamming
– ad injection
– search toolbars
*Data from mozilla.org
[Chart: number of malicious Firefox extensions per year, 2004–2013 (y-axis 0–80)]
My zombie browser extension
Command and Control
Stealing cookies, passwords
Uploading/downloading files (Firefox only)
Binary execution (only on Firefox - Windows)
Webcam, geolocation
Forging financial transactions
Modifying content of the web page
More on YouTube
HacmeBank demo
Now it is just a password, but a real site with OTP login or smart-card login would also fall to this attack. Transaction authorization can block this attack!
Code publication
October 30, 2012: Mozilla blocked my extension in Firefox in 25 minutes
Advanced Mozilla 133t 3v4s10n 2013
https://bugzilla.mozilla.org/show_bug.cgi?id=841791
June 20, 2013: Chrome: Advanced scanning of extensions
Which company developed the first Netscape plugin in 1995?
Adobe
Axiom
If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. ©Microsoft
If a system can protect you against 300 different attack methods, this means it won’t protect you against the 301st. ©Zoli
Attacks tested: password stealing, cookie stealing, webcam spy, reading user files, writing user files
Tools tested: NoScript, Browserprotect, Sandboxie
NoScript
„Allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins ... NoScript also offers specific countermeasures against security exploits.”
Won’t protect you against malware or against another extension
Browserprotect
„To protect your browser against malware hijacking your browser settings like home page, search providers and address bar search.”
Sandboxie
„Runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.”
Protects (by default): writing files to disk (only to sandbox)
Won’t protect against:
– Password stealing
– Cookie stealing
– Webcam spying
– Reading files
[Diagram: Attacker → Victim]
Internet security suites
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Vendor 5
The conclusion will be the same ...
Vendor Nr. 1
Detects and removes my Firefox extension based on signatures
Über 133t signature 3v4s10n 2k13
– One additional space in a line
„Improved security” Firefox extensions
– Always two versions behind the actual Firefox version
Hacked with browser extension
Vendor Nr. 2
„Safe browser” solution
– Creating a new, „clean” Firefox profile
Extensions installed via registry (HKCU)
Modifying „Safe browser” SQLite
Vendor contacted, no solution yet
Hacked with browser extension
Vendor Nr. 3
User question on a forum: „Does XYZ detect/block Xenotix KeylogX?”
Vendor official response: „No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. ... If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safe mode which avoids loading any add-ons.”
Hacked with browser extension, by design
Vendor Nr. 4, 5, ...
„Safe” browser solution
Hacked with browser extension
Avast Internet Security Suite
Browser extension protection in safe browser
DEMO
To the vendors:
– Don’t trust the local root CA!
– Protect proxy settings, browser files, browser settings!
– Do not use an old, outdated browser!
– Disable every browser extension!
To the users:
– Do not use browser extensions to protect against browser extensions!
– Install and update AV!
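A defender-side audit for the installation vector the Vendor Nr. 2 and Vendor Nr. 3 slides mention: a Firefox extension registered under the Windows registry (HKCU or HKLM) is loaded into every profile, so a „safe browser” that merely creates a fresh, „clean” profile still picks it up. This PowerShell script is an added example, not code from the talk or from any vendor; the registry paths are the standard Firefox sideloading keys, and the allow-list is a constructed placeholder.

```powershell
# Added example: enumerate Firefox extensions registered through the Windows
# registry. Values under these keys have the form "<extension id> = <path to .xpi>".
# HKCU entries load for every profile of the current user, HKLM entries for
# every user on the machine, so a profile-level "safe browser" cannot see them.
$RegistryExtensionKeys = @(
    'HKCU:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Mozilla\Firefox\Extensions',
    'HKLM:\Software\Wow6432Node\Mozilla\Firefox\Extensions'
)

# Constructed allow-list placeholder: replace with the extension IDs your
# organisation deliberately deploys this way (frequently none at all).
$AllowedExtensionIds = @('example-deployed-addon@example.invalid')

function Get-RegistryFirefoxExtension {
    foreach ($keyPath in $RegistryExtensionKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($id in $key.GetValueNames()) {
            $xpiPath = [string]$key.GetValue($id)
            # A registered ID whose .xpi is missing is still suspicious: it shows
            # that something wrote to this key.
            $exists = if ($xpiPath) { Test-Path -LiteralPath $xpiPath } else { $false }
            [pscustomobject]@{
                Hive        = $keyPath
                ExtensionId = $id
                XpiPath     = $xpiPath
                XpiExists   = $exists
                Allowed     = ($AllowedExtensionIds -contains $id)
            }
        }
    }
}

$found = @(Get-RegistryFirefoxExtension)
if ($found.Count -eq 0) {
    Write-Output 'No registry-installed Firefox extensions found.'
} else {
    $found | Format-Table -AutoSize
    # Anything outside the allow-list is an extension the user never chose;
    # that is the kind of silent sideload a "safe browser" should refuse to load.
    $found | Where-Object { -not $_.Allowed } | ForEach-Object {
        Write-Warning "Unexpected registry-installed extension: $($_.ExtensionId) -> $($_.XpiPath)"
    }
}
```

Run it in an elevated shell so the HKLM keys are readable; newer Firefox releases restrict this sideloading path, so on current installations the check mostly surfaces leftovers from older deployments.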
„Endpoint Financial Fraud Prevention” and „Anti-Keylogging Applications”
What??? – Recommended by big financial institutions: „download it and you will be safe”
Vendor 1 (Zemana)
Vendor 2
Vendor 3
Vendor 4
Conclusion ... ;-)
Firefox + Zemana + API hooking + extension
DEMO
Vendor Nr. 2
Protects end-user endpoints against financial malware and phishing attacks.
By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, it secures credentials and personal information and stops financial fraud and account takeover.
And, it keeps endpoints malware-free by blocking malware installation and removing existing infections.
Vendor Nr. 2
Every extension disabled in Internet Explorer
But not in Firefox
They sent me a new version: every Firefox extension is disabled, but it is not public ...
Plan for the future: they will detect if there is a malicious extension, and that specific extension will be disabled in Firefox
Vendor Nr. 3
January, 2013: Firefox 13.01 (June, 2012)
Install via registry (HKCU)
Vendor contacted, problem solved
SSL MITM attack not working either; it protects its settings
GREAT SUCCESS
Vendor Nr. 4
Protects You From:
Information stealing malware and spyware
0-hour malware and targeted attacks
Sophisticated financial malware like ZeuS and SpyEye
Key loggers, screen grabbers, microphone and webcam hijackers, SSL banker Trojans, spying rootkits and many more
Hacked with browser extension
Moral lesson: I was searching for the elixir in the wrong forest
Client-side-only solutions are doomed to fail
The elixir should be looked for in the server-side protection forest
YouTube: http://is.gd/kiwidi
SlideShare: http://is.gd/umusap
GitHub: http://is.gd/safeno