Researcher to demonstrate feature-rich malware that works as a browser extension
The code for the proof-of-concept rogue browser extension will be released on GitHub
IDG News Service - Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension and is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more.
Balazs, who works as an IT security consultant for professional services firm Deloitte in Hungary, created the proof-of-concept malware in order to raise awareness about the security risks associated with browser extensions and as a call to the antivirus industry to take this type of threat more seriously.
The researcher plans to release the malware's source code on GitHub during a presentation at the Hacker Halted security conference in Miami next Tuesday, after having shared the code in advance with antivirus vendors.
There are known cases of cybercriminals using malicious browser extensions. For example, in May, the Wikimedia Foundation issued an alert about a Google Chrome extension that was inserting rogue ads into Wikipedia pages.
So far, cybercriminals have primarily used malicious browser extensions to perform click fraud by inserting rogue advertisements into websites or hijacking search queries. However, Balazs' project demonstrates that this type of malware could be used to launch far more serious attacks.
The researcher created versions of his proof-of-concept extension for Firefox, Chrome and Safari. A version for Internet Explorer might also be developed in the future, Balazs said on Wednesday.
The extension can be used to steal session cookies and even circumvent two-factor authentication systems like the one implemented by Google, the researcher said. This would allow attackers to hijack accounts on different websites.
The Firefox version can also: steal passwords from the browser's built-in password manager; download and execute files (only on Windows); modify the content of Web pages in the same way that banking Trojans modify online banking websites to hide rogue transaction records; take screen shots through the computer's webcam by accessing a Flash application hosted on a Web page; act as an HTTP proxy that allows an attacker to communicate with a server on the victim's internal network, and more.
The extension also works in Firefox for Android, where it loses some functionality because of the operating system's restrictions but gains some other capabilities like the ability to determine a device's geographical coordinates, Balazs said.
The Chrome version of the extension cannot be used to download, upload or execute files at the moment. "There are ways to do this, but I didn't have time to implement them yet," Balazs said.
However, Chrome's support for Native Client (NaCl), a sandboxing technology that allows Web applications to run C or C++ code inside the browser, can be leveraged by the Chrome extension to efficiently crack password hashes.
- SANS: Next-Generation Datacenters = Next-Generation Security This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Mitigating Multiple DDoS Attack Vectors It's time to rethink and refine the enterprise security architecture, so organizations can remain agile and resilient against future threats. Download this infographic...
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Cloud BI in Action: Recorded Webinar of Customer, Kony, Inc. See how Kony, Inc., a leading enterprise mobility company, is using TIBCO Jaspersoft for Amazon Web Services and Redshift to achieve embedded analytics...
- Cloud BI Overview: Jaspersoft for AWS Check out this overview of Jaspersoft for AWS, to easily and affordably build business intelligence solutions as well as embed visualizations and analytics... All Endpoint Security White Papers | Webcasts