Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researcher to demonstrate feature-rich malware that works as a browser extension

Lucian Constantin | Oct. 25, 2012
Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension and is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more.

"One of my colleagues wrote a distributed password hash cracker module for Chrome's Native Client, so this means that we can send the hashes to the victim's browser and we can use the computer's CPUs to crack them," Balazs said.

The Safari version was easy to create because Chrome extensions can be easily converted to Safari extensions, Balazs said.

A browser infected with the extension can be controlled in the same way as a botnet client, because the extension can receive instructions from a website and can send information back to the attackers. Because this looks like normal HTTP traffic initiated by the browser, it's hard for local or network-level firewalls to block it.

The difficulty of distributing malicious browser extensions differs from browser to browser.

In Firefox, the easiest method is social engineering -- tricking users into installing the extensions, Balazs said. This is possible because Firefox allows the installation of extensions from third-party websites and many users are used to installing extensions in this way.

However, unlike Firefox, Chrome only allows users to install extensions from the official Chrome Web Store, Balazs said. So, unless the attacker manages to upload the malicious extension on the Chrome Web Store, social engineering is not an option.

The offline installation of extensions from unverified sources by copying the extension files in the right places and making the necessary modifications to the browser files is possible in both browsers if the attacker already has code execution access on the system, Balazs said.

Firefox normally notifies users during the browser start-up sequence about extensions that have been installed offline and asks for confirmation before enabling them. However, Balazs claims that he can bypass this feature in order to perform completely silent installations.

The researcher didn't manage to achieve silent extension installs in Chrome yet. However, he is aware of other malware samples that are able to do this, so he believes that it is possible.

Browser vendors like Mozilla and Apple should restrict the online installation of extensions only to their official repositories, like Google does in Chrome, Balazs said. That will really help in the long run, he said.

In addition, antivirus vendors should pay more attention to malicious browser extensions and improve their detection for this type of malware, the researcher said.

VirusTotal scans for publicly available samples of known malicious browser extensions showed that antivirus detection for them is almost non-existent, Balazs said Wednesday.

The researcher claims that even after some antivirus vendors added detection signatures for his proof-of-concept extension, he was able to evade detection again by making simple modifications to the code.


Previous Page  1  2 

Sign up for MIS Asia eNewsletters.