Researcher to demonstrate feature-rich malware that works as a browser extension

The code for the proof-of-concept rogue browser extension will be released on GitHub

Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension and is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more.

Balazs, who works as an IT security consultant for professional services firm Deloitte in Hungary, created the proof-of-concept malware in order to raise awareness about the security risks associated with browser extensions and as a call to the antivirus industry to take this type of threat more seriously.

The researcher plans to release the malware's source code on GitHub during a presentation at the Hacker Halted security conference in Miami next Tuesday, after having shared the code in advance with antivirus vendors.

There are known cases of cybercriminals using malicious browser extensions. For example, in May, the Wikimedia Foundation issued an alert about a Google Chrome extension that was inserting rogue ads into Wikipedia pages.

So far, cybercriminals have primarily used malicious browser extensions to perform click fraud by inserting rogue advertisements into websites or hijacking search queries. However, Balazs' project demonstrates that this type of malware could be used to launch far more serious attacks.

The researcher created versions of his proof-of-concept extension for Firefox, Chrome and Safari. A version for Internet Explorer might also be developed in the future, Balazs said on Wednesday.

The extension can be used to steal session cookies and even circumvent two-factor authentication systems like the one implemented by Google, the researcher said. This would allow attackers to hijack accounts on different websites.

The Firefox version can also: steal passwords from the browser's built-in password manager; download and execute files (only on Windows); modify the content of Web pages in the same way that banking Trojans modify online banking websites to hide rogue transaction records; capture webcam snapshots by accessing a Flash application hosted on a Web page; act as an HTTP proxy that allows an attacker to communicate with a server on the victim's internal network; and more.

The extension also works in Firefox for Android, where it loses some functionality because of the operating system's restrictions but gains some other capabilities like the ability to determine a device's geographical coordinates, Balazs said.

The Chrome version of the extension cannot be used to download, upload or execute files at the moment. "There are ways to do this, but I didn't have time to implement them yet," Balazs said.

However, Chrome's support for Native Client (NaCl), a sandboxing technology that allows Web applications to run C or C++ code inside the browser, can be leveraged by the Chrome extension to efficiently crack password hashes.

"One of my colleagues wrote a distributed password hash cracker module for Chrome's Native Client, so this means that we can send the hashes to the victim's browser and we can use the computer's CPUs to crack them," Balazs said.

The Safari version was easy to create because Chrome extensions can be easily converted to Safari extensions, Balazs said.

A browser infected with the extension can be controlled in the same way as a botnet client, because the extension can receive instructions from a website and can send information back to the attackers. Because this looks like normal HTTP traffic initiated by the browser, it's hard for local or network-level firewalls to block it.
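Because the command-and-control exchange rides on ordinary browser HTTP, port- or protocol-based firewall rules give defenders little to work with; what does tend to stand out is timing, since a bot polls its controller at a steady interval while a person browsing produces bursty, irregular requests. The following script is an added illustration of that detection idea and is not Balazs' code or anything from the article: it reads proxy log lines in a constructed format, groups requests by client and host, and flags pairs whose inter-request gaps are nearly constant. The log format, hostnames and thresholds are all assumptions made for the example.

```python
"""Periodic-beacon detection over web proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<timestamp> <client_ip> <host> <path> <user_agent>".
# One host is polled every 30 seconds (bot-like); the other is browsed by hand.
SAMPLE_LOG = """\
2012-10-24T09:00:00 10.0.0.5 c2.example.invalid /poll Mozilla/5.0
2012-10-24T09:00:30 10.0.0.5 c2.example.invalid /poll Mozilla/5.0
2012-10-24T09:01:00 10.0.0.5 c2.example.invalid /poll Mozilla/5.0
2012-10-24T09:01:30 10.0.0.5 c2.example.invalid /poll Mozilla/5.0
2012-10-24T09:02:00 10.0.0.5 c2.example.invalid /poll Mozilla/5.0
2012-10-24T09:02:30 10.0.0.5 c2.example.invalid /poll Mozilla/5.0
2012-10-24T09:00:07 10.0.0.5 news.example.invalid / Mozilla/5.0
2012-10-24T09:00:09 10.0.0.5 news.example.invalid /style.css Mozilla/5.0
2012-10-24T09:00:45 10.0.0.5 news.example.invalid /article/1 Mozilla/5.0
2012-10-24T09:03:12 10.0.0.5 news.example.invalid /article/7 Mozilla/5.0
2012-10-24T09:03:13 10.0.0.5 news.example.invalid /img.png Mozilla/5.0
2012-10-24T09:05:40 10.0.0.5 news.example.invalid /article/9 Mozilla/5.0
"""


def parse_log(text):
    """Yield (timestamp, client, host) from the constructed log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path, _ua = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Return {(client, host): (mean_gap_seconds, cv)} for periodic request patterns.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. Near-constant gaps give a cv close to 0; human
    browsing gives a large cv. Thresholds are assumptions for the example.
    """
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests share one timestamp; not a polling pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (avg, cv)
    return hits


if __name__ == "__main__":
    for (client, host), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: request every {avg:.0f}s (cv={cv:.2f})")
```

On the sample data only the 30-second poller is reported. In practice the same regularity is produced by legitimate pollers such as webmail or chat clients, so a hit is a lead to correlate with the extension inventory of the client, not a verdict on its own.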

The difficulty of distributing malicious browser extensions differs from browser to browser.

In Firefox, the easiest method is social engineering -- tricking users into installing the extensions, Balazs said. This is possible because Firefox allows the installation of extensions from third-party websites and many users are used to installing extensions in this way.

However, unlike Firefox, Chrome only allows users to install extensions from the official Chrome Web Store, Balazs said. So, unless the attacker manages to upload the malicious extension on the Chrome Web Store, social engineering is not an option.

The offline installation of extensions from unverified sources by copying the extension files in the right places and making the necessary modifications to the browser files is possible in both browsers if the attacker already has code execution access on the system, Balazs said.

Firefox normally notifies users during the browser start-up sequence about extensions that have been installed offline and asks for confirmation before enabling them. However, Balazs claims that he can bypass this feature in order to perform completely silent installations.

The researcher didn't manage to achieve silent extension installs in Chrome yet. However, he is aware of other malware samples that are able to do this, so he believes that it is possible.

Browser vendors like Mozilla and Apple should restrict the online installation of extensions only to their official repositories, like Google does in Chrome, Balazs said. That will really help in the long run, he said.

In addition, antivirus vendors should pay more attention to malicious browser extensions and improve their detection for this type of malware, the researcher said.

VirusTotal scans for publicly available samples of known malicious browser extensions showed that antivirus detection for them is almost non-existent, Balazs said Wednesday.

The researcher claims that even after some antivirus vendors added detection signatures for his proof-of-concept extension, he was able to evade detection again by making simple modifications to the code.

Stories by Lucian Constantin