Download - Lenoir Presentation
-
8/9/2019 Lenoir Presentation
1/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Browser Rootkits
Christophe Devaux - [email protected] Lenoir - [email protected]
Sogeti ESEC R&D
Sogeti/ESEC R&D Browser Rootkits 1/46
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
2/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Agenda
1 Introduction
2 Rootkit for Firefox
3 Rootkit for Internet Explorer
Sogeti/ESEC R&D Browser Rootkits 2/46
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
3/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Introduction
Why design a web browser rootkit?
Todays browsers
Browsers are getting so complex that they can be considered asoperating systems
Browsers are usually allowed to access the Internet
Constraints
Be as furtive as we canBe exploitable with user rights only
Sogeti/ESEC R&D Browser Rootkits 3/46
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
4/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
FIREFOX
Sogeti/ESEC R&D Browser Rootkits 4/46
O dd l h ll
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
5/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
Content
1 Introduction
2 Rootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
3 Rootkit for Internet Explorer
Sogeti/ESEC R&D Browser Rootkits 5/46
One add on to r le them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
6/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
Main principles
Build a Firefox add-on like a traditionnal rootkit kernel module
Attributes:
Loads and becomes persistent
Hides itself (from the browser scope)
Communicates and answers to orders
Constraints:
Exploitation with minimal user rights
Focus on the stealth of the solution
Multiplatforms
Sogeti/ESEC R&D Browser Rootkits 6/46
One add on to rule them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
7/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
What is an extension?
An extension...
is a simple compressed file with JavaScript/XUL/CSS/binaries/...
can be platform independent
adds overlays on Firefox XUL files
An overlay provides a mechanism for:
adding new user interfaces
overriding pieces of an existing XUL file
reusing particular pieces of the user interface
With an overlay on browser.xul, we can control the main Firefox window.
Sogeti/ESEC R&D Browser Rootkits 7/46
One add-on to rule them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
8/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
What is an extension?
Sogeti/ESEC R&D Browser Rootkits 8/46
I d iOne add-on to rule them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
9/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
One add on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
Installation
Traditional installation:
XPI package installed by social engineering, emails, P2P, ...
Using an infector:
Executable which edits Firefox Extensions Manager files
Using a vulnerability in Firefox:
Which allows a code execution (MFSA 2008-34, MFSA 2008-41, ...)
Sogeti/ESEC R&D Browser Rootkits 9/46
Int od tionOne add-on to rule them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
10/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Content
1 Introduction
2 Rootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
3 Rootkit for Internet Explorer
Sogeti/ESEC R&D Browser Rootkits 10/46
IntroductionOne add-on to rule them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
11/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Hide the extension
Three methods:
Using a Cascading Style Sheets file:
- User doesnt see the extension
Removing the extension from the Extensions Manager component:- Firefox doesnt see the extension
Infecting an already installed extension:- Traditional virus behavior
Sogeti/ESEC R&D Browser Rootkits 11/46
IntroductionOne add-on to rule them all
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
12/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Hide the extension
Sogeti/ESEC R&D Browser Rootkits 12/46
Introduction One add-on to rule them allHid h d il i id
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
13/48
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Hide the extension
Sogeti/ESEC R&D Browser Rootkits 12/46
Introduction One add-on to rule them allHid th d il i id
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
14/48
Rootkit for FirefoxRootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Content
1 Introduction
2 Rootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
3 Rootkit for Internet Explorer
Sogeti/ESEC R&D Browser Rootkits 13/46
Introduction One add-on to rule them allHide the devil inside
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
15/48
Rootkit for FirefoxRootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Communication
Communication process:
Communication with an external HTTP(S) server: Bypass firewallsXMLHttpRequest
Ask, execute, send back to master
Encrypted protocol (not fully implemented) using RSA and RC4
Sogeti/ESEC R&D Browser Rootkits 14/46
Introduction One add-on to rule them allHide the devil inside
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
16/48
Rootkit for FirefoxRootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Communication: the attacker webcontrol
Why use web server to control browser rootkits?
Browsers communicate by nature with web servers
Sending, receiving and parsing HTTP/XML requests is supportednatively by web browsers
Remark
The web server can easily be hidden using a fast flux like method
Sogeti/ESEC R&D Browser Rootkits 15/46
IntroductionR ki f Fi f
One add-on to rule them allHide the devil inside
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
17/48
Rootkit for FirefoxRootkit for Internet Explorer
Hide the devil insideCommunication and SpreadingPayloadsConclusion
Global architecture
Sogeti/ESEC R&D Browser Rootkits 16/46
IntroductionR tkit f Fi f
One add-on to rule them allHide the devil inside
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
18/48
Rootkit for FirefoxRootkit for Internet Explorer
Communication and SpreadingPayloadsConclusion
Spreading
Spreading mechanisms:
Traditional ways: mails, P2P, others worms, ...Hooks on webmails forms: catch emails and add an infector asattachment
Harvest all emails in web pages (Firefox can send emails by itself)
Sogeti/ESEC R&D Browser Rootkits 17/46
IntroductionRootkit for Firefox
One add-on to rule them allHide the devil inside
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
19/48
Rootkit for FirefoxRootkit for Internet Explorer
Communication and SpreadingPayloadsConclusion
Content
1 Introduction
2 Rootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
3 Rootkit for Internet Explorer
Sogeti/ESEC R&D Browser Rootkits 18/46
IntroductionRootkit for Firefox
One add-on to rule them allHide the devil inside
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
20/48
Rootkit for FirefoxRootkit for Internet Explorer
Communication and SpreadingPayloadsConclusion
XPCOM
XPCOM (Cross Platform Component Object Model)
multiple language bindings
includes interfaces for:
Component management
File abstractionObject message passing
Memory management
Sogeti/ESEC R&D Browser Rootkits 19/46
IntroductionRootkit for Firefox
One add-on to rule them allHide the devil insideC i i d S di
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
21/48
Rootkit for FirefoxRootkit for Internet Explorer
Communication and SpreadingPayloadsConclusion
AddEventListener
AddEventListener
Associates a function with a particular event
Useful to spy on the user activity
Logging is completed by HTTP headers sniffing
Logs are stored encrypted in the browser cache
Sogeti/ESEC R&D Browser Rootkits 20/46
IntroductionRootkit for Firefox
One add-on to rule them allHide the devil insideC i ti d S di
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
22/48
Rootkit for Internet ExplorerCommunication and SpreadingPayloadsConclusion
Payloads
From there, anything is possible
Passwords/Cookies/Bookmarks/History stealerKeylogger
ConnectBack
Sniffer (HTTP requests)
Botnet
Spam platform
Disable teflon :)
...
Sogeti/ESEC R&D Browser Rootkits 21/46
IntroductionRootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and Spreading
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
23/48
Rootkit for Internet ExplorerCommunication and SpreadingPayloadsConclusion
Demo
Sogeti/ESEC R&D Browser Rootkits 22/46
IntroductionRootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and Spreading
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
24/48
Rootkit for Internet ExplorerCommunication and SpreadingPayloadsConclusion
Content
1 Introduction
2 Rootkit for Firefox
One add-on to rule them allHide the devil insideCommunication and SpreadingPayloadsConclusion
3 Rootkit for Internet Explorer
Sogeti/ESEC R&D Browser Rootkits 23/46
IntroductionRootkit for Firefox
R ki f I E l
One add-on to rule them allHide the devil insideCommunication and Spreading
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
25/48
Rootkit for Internet ExplorerCommunication and SpreadingPayloadsConclusion
Conclusion
A real design problem and no real solution
Malicious Firefox extensions are easy to develop
There is NO security about extensions in Firefox
We would not be surprised to see this kind of spyware spread in the future
Sogeti/ESEC R&D Browser Rootkits 24/46
IntroductionRootkit for Firefox
R tkit f I t t E l
Overview of Internet Explorer security modelRootkit architecture proposalC l i
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
26/48
Rootkit for Internet Explorer Conclusion
INTERNET EXPLORER 7
Sogeti/ESEC R&D Browser Rootkits 25/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
27/48
Rootkit for Internet Explorer Conclusion
Content
1 Introduction
2 Rootkit for Firefox
3 Rootkit for Internet ExplorerOverview of Internet Explorer security model
Security zones
Security zones internals
Rootkit architecture proposalInjector
CoreCommunication Backdoor
Payloads
Conclusion
Sogeti/ESEC R&D Browser Rootkits 26/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
28/48
Rootkit for Internet Explorer Conclusion
Security zones
Five security zones
Local computer: web pages on local hard drives
Intranet: web pages on the intranet
Trusted sites: whitelist of trusted web sites
Internet: all pages that do not match any other zone
Restricted sites: blacklist of restricted web sites
Sogeti/ESEC R&D Browser Rootkits 27/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
29/48
Rootkit for Internet Explorer Conclusion
Security flags
ACTION_FLAGs
Represent all actions that can be taken in a security zone
POLICY_FLAGs
Represent how the browser will react to a required ACTION_FLAG
Security policy
Each zone has its own set of ACTION_FLAGs and POLICY_FLAGswhich defines its security
Sogeti/ESEC R&D Browser Rootkits 28/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
30/48
oo o e e p o e Co o
Security applied to a web page
Sogeti/ESEC R&D Browser Rootkits 29/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
31/48
p
Security manager overview
Sogeti/ESEC R&D Browser Rootkits 30/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
32/48
Content
1 Introduction
2 Rootkit for Firefox
3 Rootkit for Internet ExplorerOverview of Internet Explorer security model
Security zones
Security zones internals
Rootkit architecture proposalInjector
CoreCommunication Backdoor
Payloads
Conclusion
Sogeti/ESEC R&D Browser Rootkits 31/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
33/48
Internet Explorer rootkit
Constraints
Being usable with users rights
All in memory architecture to be furtive
Using IE functionnalities to be furtive
Why not use a Browser Helper Object?
BHOs require high level privileges to be installed
BHOs leave fingerprints in the registryBHOs are signed and checked by IE
Sogeti/ESEC R&D Browser Rootkits 32/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
34/48
Howto
Let http://evilsite be the rootkit owners webserver address
HowtosGet high level privileges for pages hosted on http://evilsite
Load pages and execute them without beeing seen
Stay connected to the attacker via http://evilsite
Sogeti/ESEC R&D Browser Rootkits 33/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
35/48
Injector
The purpose of the injector is to inject our rootkit code inside IEscontext
Methods that may be employedInject the code using another process on the victims computer
Inject the code remotely using a vulnerability
Inject the code using a malicious plug-in
We focus on rootkit architecture so we are using a simple dll injection
Sogeti/ESEC R&D Browser Rootkits 34/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
36/48
Granting privileges: security manager cache poisonning
URL-Zone cache
Corrupting URL-Zone cache to map http://evilsite to the zone we want
Zone-Action cache
Corrupting Zone-Action cache to give high privileges to the zonehttp://evilsite is mapped to
Results
http://evilsite will have high privileges
Problem
How to keep cache corrupted?
Sogeti/ESEC R&D Browser Rootkits 35/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
37/48
Hooking the security manager
Sogeti/ESEC R&D Browser Rootkits 36/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
38/48
Hooking the security manager
Sogeti/ESEC R&D Browser Rootkits 36/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
39/48
Hooking the security manager
Results
Caches will remain corrupted regardless to the registry configurationand users actions
Problem
Any other site in the corrupted zone will have high privileges
Sogeti/ESEC R&D Browser Rootkits 37/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
40/48
Adding a new zone
Sogeti/ESEC R&D Browser Rootkits 38/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
41/48
Adding a new zone
Results
Only http://evilsite is mapped to the newly created zone
The newly created zone will get its rights increased, default zonesconfigurations will not be modified
Problem
Some functionalities are still unavailable in new zones
Sogeti/ESEC R&D Browser Rootkits 39/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
42/48
Loading and executing pages: invisible tab
Internet Explorer 7 is a multitab browser:What about loading and executing http://evilsite pages in a new tab?
Problem
Creating a new tab is anything but furtive!
Answer
Create an invisible tab...
Sogeti/ESEC R&D Browser Rootkits 40/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
43/48
Loading and executing pages: invisible tab
Sogeti/ESEC R&D Browser Rootkits 41/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
44/48
Communication web page
The communication web page is loaded by the invisible tab
Technology used
Javascript and AJAX.
Actions
Gets queued orders from attackers web server
Loads payloads
Executes payloadsSends back results to attackers web server
Sogeti/ESEC R&D Browser Rootkits 42/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
45/48
Payloads
Payloads implement functionalities offered by the rootkit
Technology
Javascript
ActiveX scripts
Fonctionalities
Create / Read / Write / Delete files on and from victims computer
Read / Write into windows registryCreate processes
Sogeti/ESEC R&D Browser Rootkits 43/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
INTERNET EXPLORER
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
46/48
INTERNET EXPLORER 7
Sogeti/ESEC R&D Browser Rootkits 44/46
IntroductionRootkit for Firefox
Rootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
C
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
47/48
Content
1 Introduction
2 Rootkit for Firefox
3 Rootkit for Internet ExplorerOverview of Internet Explorer security model
Security zones
Security zones internals
Rootkit architecture proposalInjector
CoreCommunication Backdoor
Payloads
Conclusion
Sogeti/ESEC R&D Browser Rootkits 45/46
IntroductionRootkit for FirefoxRootkit for Internet Explorer
Overview of Internet Explorer security modelRootkit architecture proposalConclusion
C l i b I E l 7 ki
http://find/http://goback/ -
8/9/2019 Lenoir Presentation
48/48
Conclusion about Internet Explorer 7 rootkit
Browser rootkits are analogous to kernel rookit
Creating new browser objects (tabs, zones)
Using browser internal functions
FurtivenessEntirely in memory approach: allocating new memory or modifyingexisting data
To do
Make the rootkit persistent to IE process re-launch or computerreboot
Make new zones fully functional
Sogeti/ESEC R&D Browser Rootkits 46/46
http://find/http://goback/