Browser extension can be used for criminal purposes

Posted: October 26, 2012 in IT Security News, Vulnerability News



Anti-virus specialist Zoltan Balazs has announced a program that looks like an ordinary browser extension but performs almost every function typical of malware.

In particular, Balazs's extension supports remote control, modification of the web pages the user views, downloading and executing external code, theft of login credentials for various services, bypassing two-factor authentication on websites, and more. Balazs also intends to publish the program's source code in a public GitHub repository as experimental confirmation of his findings about the weaknesses of modern browsers.

Balazs works in the Hungarian branch of the consulting firm Deloitte. With this project he set out to show what risks a browser extension can pose and to draw the anti-virus industry's attention to the problem. Before publishing the code openly, Balazs shared it with the major vendors.

Cases of browser extensions being used for criminal activity are already known. In May of this year, for example, a Chrome extension was discovered that inserted fake advertising into Wikipedia pages. So far, however, malicious extensions have mainly served for online advertising fraud or for redirecting search requests to a fake site. Balazs's work shows that such extensions can be used for far more serious attacks.

To test his assumptions, Balazs built extensions for Firefox, Chrome and Safari, and intends to present an Internet Explorer version soon. These extensions can steal session tokens (cookies) and even defeat two-factor authentication, which allows accounts on various websites to be hijacked.

The Firefox version can also steal passwords from the browser's built-in password manager, download and execute files (on Windows only), and alter the content of web pages in the way banking Trojans do to hide evidence of stolen funds. It can also capture images from the webcam through a Flash application embedded in a web page, and act as an HTTP proxy, which lets an attacker reach into the victim's network from the victim's own browser. The extension even works with the Android version of Firefox: that build supports slightly fewer features, but it does determine and send out the device's geographic coordinates.

The Chrome version cannot yet download, upload or execute files; the developer says he simply has not had time to implement those functions. At the same time, Chrome's Native Client (NaCl) technology, designed to run C and C++ code from a web application, can be used to crack password hashes. A colleague of Balazs has even written a distributed password-cracking system on top of Chrome's NaCl.

The Safari version, the developer says, was the easiest to implement, since Chrome extensions convert easily into Safari extensions. Because the extension runs inside the browser, its malicious traffic originates from the browser process over the same HTTP(S) connections as normal browsing and is indistinguishable from legitimate traffic, so it is nearly impossible to identify even with a firewall, whether personal or network-level.

How hard it is to spread such an extension differs from browser to browser. For Firefox, social engineering is the easiest route: the attacker only has to convince the user that the extension is worth installing, because Firefox allows third-party extensions to be installed from unknown sources. Chrome, by contrast, supports extensions only from the official store, which leaves two routes: somehow getting the malicious extension published in the official store, or copying the malicious files directly into the extensions directory on the victim's machine.

So far Balazs has not managed a covert installation of his malicious extension in Chrome, but he fears that the authors of real malware have already learned how. In his view, all browser vendors should restrict extension installation as strictly as Google's browser does, which he considers quite an effective measure. Security companies should also pay more attention to the threat posed by browser extensions. At present, detection of dangerous extensions is in its infancy: Balazs says that even after an anti-virus vendor adds a signature for his extension to its database, he can easily evade detection with minor changes to the extension's code.
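Since signature-based detection is the weak point the article ends on, the practical check a defender can run today is an inventory of what is actually installed. The following Python script is an added example, not Balazs's code and not from the original article. It walks a Chromium-style profile's `Extensions/<id>/<version>/manifest.json` tree, flags extensions whose manifest lacks the Chrome Web Store `update_url` (an assumed heuristic for side-loaded or unpacked extensions, which is the second distribution route described above), and lists the permissions that would let an extension read cookies, rewrite pages, proxy traffic or run native code. The two manifests it examines are constructed inline so it runs offline; the permission list and the "risky" labels are the author's choices, not anything the article specifies.

```python
"""Inventory Chromium-style browser extensions and flag the risky ones.

Assumptions (not from the article):
  * Extensions installed from the Chrome Web Store carry
    "update_url": "https://clients2.google.com/service/update2/crx" in
    manifest.json; a manifest without it was side-loaded or loaded unpacked.
  * The permission set below is enough to do what the article describes
    (steal cookies, rewrite pages, proxy HTTP traffic, reach native code).
"""
import json
import os
import tempfile

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions that enable the capabilities the article attributes to the PoC.
RISKY_PERMISSIONS = {
    "cookies": "read/modify cookies (session hijacking)",
    "webRequest": "observe HTTP traffic",
    "webRequestBlocking": "block or rewrite HTTP traffic",
    "proxy": "route the browser through an attacker-chosen proxy",
    "nativeMessaging": "talk to native code on the host",
    "<all_urls>": "inject scripts into every page",
    "tabs": "enumerate and script open tabs",
}


def assess_manifest(manifest):
    """Return (side_loaded, sorted list of risky permission strings) for one manifest dict."""
    side_loaded = manifest.get("update_url") != WEBSTORE_UPDATE_URL
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms += cs.get("matches", [])  # content-script match patterns act like host permissions
    risky = sorted({p for p in perms if p in RISKY_PERMISSIONS})
    return side_loaded, risky


def inventory(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return one finding per version."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            side_loaded, risky = assess_manifest(manifest)
            findings.append({"id": ext_id, "version": version, "name": manifest.get("name", "?"),
                             "side_loaded": side_loaded, "risky": risky})
    return findings


def report(findings):
    """Render findings as one line per extension version."""
    lines = []
    for f in findings:
        flag = "SIDE-LOADED" if f["side_loaded"] else "store"
        reasons = "; ".join(RISKY_PERMISSIONS[p] for p in f["risky"])
        lines.append(f'{f["id"]} v{f["version"]} "{f["name"]}" [{flag}] {reasons}')
    return lines


def build_sample_profile():
    """Construct a throwaway Extensions/ tree with two sample manifests (constructed data, not real extensions)."""
    root = tempfile.mkdtemp()
    samples = {
        # constructed: a store-installed extension with a harmless permission
        "aaaa": {"name": "Dictionary", "version": "1.0", "manifest_version": 2,
                 "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]},
        # constructed: a side-loaded extension asking for what the article's PoC needs
        "bbbb": {"name": "Helper", "version": "0.1", "manifest_version": 2,
                 "permissions": ["cookies", "webRequest", "webRequestBlocking", "proxy", "<all_urls>"],
                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]},
    }
    for ext_id, manifest in samples.items():
        d = os.path.join(root, ext_id, manifest["version"] + "_0")  # Chrome names version dirs like "1.0_0"
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    profile = build_sample_profile()  # point this at e.g. ~/.config/google-chrome/Default/Extensions instead
    for line in report(inventory(profile)):
        print(line)
```

Run it against a real profile by replacing the constructed directory with the browser's `Extensions` folder. The store heuristic is deliberately crude: an attacker who does get a malicious extension published in the store will pass it, which is exactly why the permission column matters more than the install-source flag.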

Related links:…remote-controlled-browser-extension-malware/…Malware_That_Works_As_a_Browser_Extension…/Researcher_to_demonstrate_feature_rich_malware…
