PoC Extension to Turn Browsers into Evil Botnets

Years ago I remember having a discussion with a colleague on interesting areas of research in information security. He brought up the idea of malicious browser plugins/extensions and mentioned creating something that could help raise awareness. I pooh-poohed the idea at the time, but the tides have changed according to a recent article on The Register. It looks like Zoltan Balazs has created a proof-of-concept, with the forthcoming release of an extension that offers capabilities that any malicious hacker would jump for. The extension works on most recent browser versions and current operating systems, with the notable exception of Internet Explorer.

The extension Zoltan plans to present at Hacker Halted in Miami “offers a command-and-control control panel, rootkit capabilities, the ability to steal cookies and passwords, execute JavaScript, upload and download files, and more.” The command-and-control aspect of this extension is particularly interesting. Since communication appears as a standard browser connection, the extension could easily bypass most traditional protections such as firewalls (which usually allow HTTPS out from the browser), web proxies (including access to authentication credentials if needed), and whitelisting (which usually allows it, since it only sees the browser running).

So how do we defend against potential malicious extensions? As a first step, Zoltan mentions augmenting existing antivirus capabilities to look deeper inside browsers, down to the extension level. Browser makers could also adopt an Apple-like closed “store” by default, where they vet extensions for security risks prior to publishing. And finally, training organizations could start incorporating warnings about malicious extensions into their existing awareness programs so users are more careful about the extensions they install.
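
One way to apply the extension-level inspection and vetting ideas above, as an added example that is not from the original post or from Balazs's work: a Node.js check that flags extension manifests whose declared permissions line up with the capabilities the article lists. The permission-to-capability table and the sample manifests are constructed assumptions, not the PoC's actual manifest.

```javascript
'use strict';

// Chrome extension permission -> capability it can enable (assumed mapping).
const RISKY = new Map([
  ['cookies', 'read cookies for permitted sites'],
  ['webRequest', 'observe browser traffic'],
  ['webRequestBlocking', 'modify or block browser traffic'],
  ['downloads', 'download files'],
  ['tabs', 'enumerate open tabs and URLs'],
  ['management', 'disable or uninstall other extensions'],
  ['nativeMessaging', 'talk to a local native program'],
]);

// Match patterns that grant access to every site.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Return a list of findings for one parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 lists hosts separately
  ];
  for (const p of perms) {
    if (RISKY.has(p)) findings.push(`${p}: ${RISKY.get(p)}`);
    if (BROAD.has(p)) findings.push(`${p}: host access to all sites`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD.has(m))) {
      findings.push('content_scripts: runs JavaScript on every page');
    }
  }
  return findings;
}

// Audit many manifests, keeping only those with at least one finding.
function auditAll(manifests) {
  return Object.entries(manifests)
    .map(([id, m]) => ({ id, findings: auditManifest(m) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const SAMPLES = {
  'quick-notes': { manifest_version: 2, name: 'Quick Notes', permissions: ['storage'] },
  'video-helper': {
    manifest_version: 2, name: 'Video Helper',
    permissions: ['cookies', 'webRequest', 'downloads', '<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  },
};

for (const r of auditAll(SAMPLES)) {
  console.log(`${r.id}:\n  ${r.findings.join('\n  ')}`);
}
```

A finding is a prompt for review, not proof of malice: many legitimate extensions request these permissions, so the useful signal is a combination that exceeds what the extension's stated purpose needs.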

via The Register

A security researcher has developed a proof-of-concept browser botnet extension to illustrate the perils of what he describes as a “looming menace”.

Zoltan Balazs of Deloitte Hungary developed the code to illustrate the risk from malicious browser add-ons, which he argues anti-virus vendors are ill-equipped to defend against.

The proof-of-concept Chrome, Safari and Firefox extension offers a command-and-control control panel, rootkit capabilities, the ability to steal cookies and passwords, execute JavaScript, upload and download files, and more.

Balazs is due to demonstrate how the technology works on both PCs and Android phones at the Hacker Halted conference in Miami, Florida later this week.

Balazs is also expected to demonstrate how the proof-of-concept code might be used to bypass Google’s two-step verification process.

Continued here.

#####

Is the Apple-like closed ecosystem the best way to address the potential of malicious extensions? Today’s post pic is from BullGuard.com. See ya!

2 comments for “PoC Extension to Turn Browsers into Evil Botnets”

  1. October 24, 2012 at 2:59 pm

    BLOGGED: PoC Extension to Turn Browsers into Evil Botnets http://t.co/DF1N7TIH

  2. November 12, 2012 at 8:40 pm

    PoC Extension to Turn Browsers into Evil Botnets http://t.co/8jGCZPom
