Tuesday, September 25, 2012

How to install silently malicious extensions for Firefox

Recently, I had the pleasure of presenting on malicious browser extensions at SOURCE Seattle. I showed, amongst other things, how a malicious browser extension can be added silently to any Firefox profile. I've reworked the demonstration, and want to make it available to a wider audience.

3rd-party installation

You have probably already encountered applications, like the Flash Player or some repackaged free software, that want you to install a toolbar or some spyware/adware for your browser. This is a 3rd-party installation of an extension. For Firefox, this installation consists of copying the browser extension into your Firefox profile (or into a special folder that contains extensions shared by all profiles).

Software installer contains a toolbar/adware/spyware extension

Firefox protects against this type of external extension installation by prompting the user the next time the browser is started - the user has the option to disable (default action) or enable the new extension.

Firefox warning for an extension installed outside of the browser

Silent installation

It is actually very easy to bypass the warning from Firefox. Firefox stores information about all extensions in an SQLite3 database named extensions.sqlite, located in each Firefox profile. It contains:
  • name, version, description, etc.
  • enabled or disabled
  • active or not
  • installed from official Mozilla extension site or not

When Firefox starts, it checks the list of extensions under /extensions/ against the content of extensions.sqlite. If an extension exists on disk but is not listed in the database, a warning is shown. The trick to installing an extension silently is to add a record for the extension to the database and tell Firefox that the extension has already been approved by the user (active and enabled).
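The same disk-versus-database comparison can be run from outside the browser, which is where the defender's opportunity lies: Firefox only questions extensions that are missing from the database, so a record that has been injected as "approved" needs an external check against a list of extension IDs you actually expect. The script below is an added example, not the tool from this post; it treats the addon table and its id, active, userDisabled and foreignInstall columns as an assumption about the extensions.sqlite schema of this period (it only reads the columns that actually exist), and the sample profile it builds is constructed data.

```python
r"""Audit a Firefox profile: compare the extensions present on disk with the
records in extensions.sqlite. Added example; not the tool from the post.
Column names (addon table: id, active, userDisabled, foreignInstall) are an
assumption about the extensions.sqlite schema of the time; adjust as needed."""
import os
import sqlite3
import sys
import tempfile


def extensions_on_disk(profile_dir):
    """IDs of extensions under <profile>/extensions/ (unpacked extensions are
    directories named after the extension id, packed ones are <id>.xpi)."""
    ext_dir = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_dir):
        return set()
    return {e[:-4] if e.endswith(".xpi") else e for e in os.listdir(ext_dir)}


def extensions_in_db(profile_dir):
    """Map extension id -> record from the addon table, using only the
    columns that actually exist in this database."""
    db_path = os.path.join(profile_dir, "extensions.sqlite")
    records = {}
    if not os.path.isfile(db_path):
        return records
    con = sqlite3.connect(db_path)
    try:
        present = {row[1] for row in con.execute("PRAGMA table_info(addon)")}
        cols = [c for c in ("id", "active", "userDisabled", "foreignInstall")
                if c in present]
        for row in con.execute("SELECT %s FROM addon" % ", ".join(cols)):
            rec = dict(zip(cols, row))
            records[rec["id"]] = rec
    finally:
        con.close()
    return records


def audit_profile(profile_dir, allowed_ids):
    """Return (finding, extension id) pairs. 'unregistered' is what Firefox
    itself would prompt about; the other findings concern records Firefox
    already treats as approved, which only an external check can question."""
    on_disk = extensions_on_disk(profile_dir)
    in_db = extensions_in_db(profile_dir)
    findings = [("unregistered", i) for i in sorted(on_disk - set(in_db))]
    for ext_id, rec in sorted(in_db.items()):
        if ext_id not in on_disk:
            findings.append(("missing-on-disk", ext_id))
            continue
        enabled = rec.get("active") == 1 and not rec.get("userDisabled")
        if enabled and ext_id not in allowed_ids:
            findings.append(("enabled-not-allowlisted", ext_id))
        if enabled and rec.get("foreignInstall") == 1:
            findings.append(("enabled-external-install", ext_id))
    return findings


def build_sample_profile():
    """Constructed test profile (not real data): three extensions on disk,
    three records in the database, deliberately inconsistent."""
    profile = tempfile.mkdtemp(prefix="ff-audit-")
    ext_dir = os.path.join(profile, "extensions")
    os.mkdir(ext_dir)
    os.mkdir(os.path.join(ext_dir, "evil@example.com"))          # unpacked
    for name in ("good@example.com.xpi", "orphan@example.com.xpi"):
        open(os.path.join(ext_dir, name), "wb").close()           # packed
    con = sqlite3.connect(os.path.join(profile, "extensions.sqlite"))
    con.execute("CREATE TABLE addon (id TEXT, location TEXT, active INTEGER, "
                "userDisabled INTEGER, foreignInstall INTEGER)")
    con.executemany("INSERT INTO addon VALUES (?, 'app-profile', ?, ?, ?)", [
        ("good@example.com", 1, 0, 0),   # installed through the browser
        ("evil@example.com", 1, 0, 1),   # record injected, marked approved
        ("gone@example.com", 1, 0, 0),   # record without files on disk
    ])
    con.commit()
    con.close()
    return profile


if __name__ == "__main__":
    # Pass a real profile directory as the first argument, or run against
    # the constructed sample profile.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for finding, ext_id in audit_profile(target, {"good@example.com"}):
        print("%-24s %s" % (finding, ext_id))
```

The allowlist is the important input: an injected record can claim anything about itself, including that it was not installed externally, so an enabled extension that nobody on the desktop team recognizes is the finding to chase, whatever its flags say. Run this on a copy of the profile, or with the browser closed, so the database is not locked mid-write.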


I've written a small program that installs an extension silently into any Firefox profile. You can download the program and the extension here, and the source code there.

The program was written in C# and can be compiled with the free Visual Studio Express for .Net from Microsoft.

Tool shows the steps to install the extension silently

The "malicious" extension does not actually do anything. All the malicious code has been commented out, although it includes some of the things an attacker could do, such as:
  • steal the list of logins and passwords saved
  • send out all the URLs visited by the user
  • disable security features
Do not worry about testing the "malicious" functionality: the extension will not do anything, and no information will be sent out.

I suggest that you create a custom profile to test the extension. To create a new profile named "demo", run the following command:

firefox -CreateProfile demo --no-remote

Then start Firefox with your new profile:

firefox -P demo --no-remote

I've included a video that shows the silent installation in case you're fearful of trying it for yourself:

Why it matters

Many free software packages push toolbars, adware and spyware into Firefox and other browsers as part of their installation, to earn some money for the extension creator (see previous PPI campaigns). Firefox gives users a chance to explicitly and clearly decide whether or not they want to enable these add-ons. Without this protection, many users can be tricked into running extensions they are not aware of.

The second important point is that malicious browser extensions are much harder to detect once installed. Because extensions are part of the browser, their activity cannot be differentiated from the activity of the browser. Accessing the internet and accessing the file system are legitimate actions for the browser. The extension does not need to add itself to the startup scripts, or register as a Windows service, to be running after a computer reboot. The extension does not need to hook into Windows to intercept logins and passwords, etc. Finally, AV vendors struggle with detecting malicious JavaScript, and none of the malicious Firefox extensions I've checked with VirusTotal were flagged.

Going further

The silent installation could be made even sneakier. Instead of adding a new extension, it could replace an existing extension, or append itself to an existing extension.

Monday, September 17, 2012

Internet Explorer Protected Mode in Windows 8

Microsoft introduced Protected Mode in Internet Explorer with Windows Vista in 2006. With Windows 8, Microsoft added Enhanced Protected Mode. Protected Mode aims to keep users safe by restricting what BHOs (Browser Helper Objects, aka browser extensions) and plugins can do inside Internet Explorer.

Protected Mode enabled by default in IE 9

Protected Mode

Before I talk about the changes made in Windows 8, let me explain what Protected Mode does in Internet Explorer versions 7 through 9, especially when it comes to browser extensions. Internet Explorer, along with any extensions and plugins, runs at low integrity. This means that they have limited access to the system: restricted read/write access to the file system and the registry, and a limited ability to run executables.


Internet Explorer extensions have write access to /AppData/LocalLow and a few folders used by Internet Explorer to store cookies and favorites. Any untrusted application can write to LocalLow without triggering any User Account Control (UAC) violations, including applications deployed with ClickOnce. Zscaler Safe Shopping for Internet Explorer, for example, creates a sub-directory in LocalLow to store the list of fake stores.

Extensions can only run executables at low integrity. Windows applications run at medium integrity, which means that Internet Explorer cannot run any such application without explicit permission from the user (UAC popup). An extension can therefore only launch an application at low integrity, which means that the application will have limited system access.

Write access to the registry is also limited. An extension can write to the registry only under HKEY_CURRENT_USER\Software\AppDataLow\Software.

Read access

Protected Mode does, however, give read access to the entire file system. A malicious extension could therefore upload all your important files under My Documents to a malicious server, for example.

Integrity elevation

It is possible to run an executable at a higher integrity by setting up an Integrity Elevation Policy. Basically, an entry is added to the registry to specify which executable a low-integrity process may run at a higher integrity, without raising a UAC popup. This entry has to be added as an Administrator; it cannot be added from within Internet Explorer.

Windows 8

Windows 8 introduces Enhanced Protected Mode to fill some of the security gaps of the current Protected Mode. The most important change is a limit on read access: read access to the file system and the Registry is more restricted. Unfortunately, this new Protected Mode breaks many existing plugins. Microsoft has therefore decided to turn off Enhanced Protected Mode for Internet Explorer by default. So, by default, Windows 8 and Internet Explorer 10 do not offer any additional protection against data leakage by malicious browser extensions.

The most important takeaway from this is that Protected Mode still lets all extensions read the entire file system, and arbitrary applications can be launched silently.
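Both of the mechanisms described above (the Integrity Elevation Policy entries that let a low-integrity process launch something at medium integrity without a prompt, and the Enhanced Protected Mode that Windows 8 ships turned off) are plain registry state, so an administrator can audit them. The script below is an added example, not part of the post or of any Microsoft tool. It assumes, from Microsoft's Protected Mode documentation rather than from the post, that elevation policies live as GUID subkeys under HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy with AppName, AppPath and Policy values (Policy 3 meaning "launch silently at medium integrity"), and that Enhanced Protected Mode shows up as the Isolation value "PMEM" under HKCU\Software\Microsoft\Internet Explorer\Main; verify both on your own builds. The SAMPLE_ENTRIES and their GUIDs are constructed so the classification runs on any platform.

```python
r"""Audit Internet Explorer Protected Mode settings. Added example, not from
the post. Registry locations are an assumption taken from Microsoft's
Protected Mode documentation, not from the post:
  HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\<GUID>
      values AppName (file name), AppPath (directory), Policy (DWORD)
  HKCU\Software\Microsoft\Internet Explorer\Main   value Isolation = "PMEM"
      when Enhanced Protected Mode is turned on."""
import sys

ELEVATION_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"

# Policy values as documented for ElevationPolicy entries (assumption):
# 0 block, 1 prompt the user, 2 launch silently at low, 3 launch silently at medium.
POLICY_BLOCK, POLICY_PROMPT, POLICY_SILENT_LOW, POLICY_SILENT_MEDIUM = 0, 1, 2, 3


def low_integrity_writable(path):
    """True if the path lies under AppData/LocalLow, which the post names as
    writable from low integrity. A binary that is both silently elevated and
    replaceable from low integrity is the worst combination."""
    return "\\appdata\\locallow\\" in path.lower().replace("/", "\\")


def classify_policies(entries):
    """entries: dicts with keys guid, AppName, AppPath, Policy.
    Returns (finding, guid, full path) for entries that avoid the UAC prompt."""
    findings = []
    for e in entries:
        full = (e.get("AppPath") or "").rstrip("\\") + "\\" + (e.get("AppName") or "")
        if e.get("Policy") == POLICY_SILENT_MEDIUM:
            kind = ("silent-medium-from-low-writable" if low_integrity_writable(full)
                    else "silent-medium")
            findings.append((kind, e["guid"], full))
        elif e.get("Policy") == POLICY_SILENT_LOW:
            findings.append(("silent-low", e["guid"], full))
    return findings


def enhanced_protected_mode_enabled(isolation_value):
    """Anything other than "PMEM" (including no value at all) means the
    Windows 8 Enhanced Protected Mode is off, which is the default."""
    return isolation_value == "PMEM"


def read_elevation_policies():
    """Enumerate the live registry. Windows only (needs the winreg module)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ELEVATION_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            guid = winreg.EnumKey(key, i)
            entry = {"guid": guid}
            with winreg.OpenKey(key, guid) as sub:
                for name in ("AppName", "AppPath", "Policy"):
                    try:
                        entry[name] = winreg.QueryValueEx(sub, name)[0]
                    except FileNotFoundError:
                        entry[name] = None
            entries.append(entry)
    return entries


def read_isolation_value():
    """Windows only. Returns the Isolation value or None when it is absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MAIN_KEY) as key:
            return winreg.QueryValueEx(key, "Isolation")[0]
    except FileNotFoundError:
        return None


# Constructed sample entries (placeholder GUIDs, not from any real system),
# used when the script is not run on Windows.
SAMPLE_ENTRIES = [
    {"guid": "{PLACEHOLDER-A}", "AppName": "updater.exe",
     "AppPath": r"C:\Program Files\Vendor", "Policy": POLICY_SILENT_MEDIUM},
    {"guid": "{PLACEHOLDER-B}", "AppName": "helper.exe",
     "AppPath": r"C:\Users\alice\AppData\LocalLow\Vendor", "Policy": POLICY_SILENT_MEDIUM},
    {"guid": "{PLACEHOLDER-C}", "AppName": "viewer.exe",
     "AppPath": r"C:\Program Files\Vendor", "Policy": POLICY_PROMPT},
]

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    entries = read_elevation_policies() if on_windows else SAMPLE_ENTRIES
    isolation = read_isolation_value() if on_windows else None
    print("Enhanced Protected Mode on:", enhanced_protected_mode_enabled(isolation))
    for finding in classify_policies(entries):
        print("%-32s %s  %s" % finding)
```

The check worth adding to a build baseline is the combination: a silent-medium policy is what vendors legitimately use for their updaters, but one whose AppPath sits in a folder that low-integrity code can write to turns the policy into a prompt-free way out of Protected Mode.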

Thursday, September 13, 2012

Beware of iPhone 5 Scams

Following Apple's announcement of the iPhone 5 yesterday, we have certainly seen a large number of web transactions to domains/URLs related to this subject. While you may covet the latest and greatest gadget, this is just a friendly reminder to please keep in mind that scammers and fraudsters know this desire and are using it in their social engineering lures.

A quick peek at some of the sites this morning shows that most appear to be "pay-per-click" / CPA style schemes in which the scammer monetizes clicks as well as gathering information about potential victims via surveys. The lures include things like winning an iPhone 5 in a "contest" or getting one free for doing testing:

Beware of iPhone 5 scams. We will update this post as any "new" / unique scams or malware delivery campaigns are uncovered using this iPhone 5 social engineering lure.

Friday, September 7, 2012

Abusing ClickOnce

Many web-based attacks try to fool users into installing a malicious executable by faking a native application: fake AV, fake Flash updates, etc. These pages are well designed, but you can always tell that it is not a native application running.

In a previous post, I described ClickOnce deployment for Internet Explorer. ClickOnce is a way to easily deploy applications on Windows computers. When a user clicks on a link that points to a ClickOnce deployment, a new popup is opened. This popup is very different from any popup or window opened by Internet Explorer. If the user clicks on Install, the executable is downloaded and executed in a single step, without a way to cancel the installation at any point.

If the user minimizes the browser, the popup remains visible on the screen. The ClickOnce popup is a native application and it is therefore independent from the browser.

ClickOnce popup

ClickOnce would provide a great opportunity to trick Internet Explorer users into installing software. There are three fields displayed in the popup and they can all be abused to make it look like the user is going to install legitimate software from a legitimate vendor:
  • Name: Supposed to be the name of the software being installed. In my example, I set it to 'Windows Update'.
  • From: Domain where the software will be downloaded from. The space is limited. Although the most important part of a domain is on the right side (TLD and top-domain), the right side is actually truncated. Use a very long domain, as I did in the example shown, and it looks like the software is hosted on a sub-domain of microsoft.com (click on the image above to get a bigger version, and check the From domain).
  • Publisher: Who created the software. The Publisher is taken from the code signing certificate that was used to sign the ClickOnce deployment. An attacker can use a legitimate certificate with a name that sounds legitimate, or use a stolen code signing certificate (like Flamer). A self-signed certificate can be used to get the Publisher name shown as Microsoft, for example, but a red warning would be shown on the popup. Unfortunately, the red shield warning may not adequately scare users away...

It is pretty easy to create a ClickOnce deployment for any executable. The web server simply needs to send a specific MIME type, which is also easy to configure. I have not seen any broad attacks using this method. It is, however, something to keep an eye on, as it would be a rather effective tool for social engineering attacks against end users.
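Because a ClickOnce deployment is identified by its content type and by the .application manifest, and because the "From" trick depends on a long hostname that carries a trusted brand on its left-hand side, both can be spotted in web proxy logs. The script below is an added example and not part of this post: the log format and every line of SAMPLE_LOG are constructed, the approved-host set is an assumption the operator would maintain, and the content type application/x-ms-application is the ClickOnce manifest type from Microsoft's ClickOnce documentation rather than something the post states. The registrable-domain rule is a deliberate simplification (last two labels) that a production version should replace with the public suffix list.

```python
"""Flag ClickOnce deployments in proxy logs that are served from outside an
approved set of hosts, and hostnames that carry a trusted brand in a
position that is not the registrable domain. Added example, constructed
log format and data; not from the post."""

# ClickOnce manifest content type (from Microsoft's ClickOnce documentation,
# not from the post).
CLICKONCE_MIME = "application/x-ms-application"
# Registrable domains users are likely to trust at a glance (assumption).
BRANDS = ("microsoft.com", "adobe.com")


def registrable_domain(host):
    """Naive 'last two labels' rule; real code should consult the public
    suffix list (co.uk etc.). Good enough for the constructed sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_spoof(host):
    """Return the brand that appears inside the host name as a label sequence
    without actually being its registrable domain, e.g.
    update.microsoft.com.something.example.net; None otherwise."""
    dotted = "." + host.lower().rstrip(".") + "."
    for brand in BRANDS:
        if "." + brand + "." in dotted and registrable_domain(host) != brand:
            return brand
    return None


def parse_line(line):
    """Constructed space-separated format:
    time client method host path content-type status"""
    ts, client, method, host, path, ctype, status = line.split()
    return {"time": ts, "client": client, "method": method, "host": host,
            "path": path, "ctype": ctype, "status": int(status)}


def is_clickonce(rec):
    """Either the manifest content type or a .application path counts."""
    return (rec["ctype"].lower() == CLICKONCE_MIME
            or rec["path"].lower().endswith(".application"))


def scan(lines, approved_hosts):
    """Return (client, host, reasons) for every log line worth a look."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if is_clickonce(rec) and rec["host"].lower() not in approved_hosts:
            reasons.append("clickonce-from-unapproved-host")
        brand = brand_spoof(rec["host"])
        if brand:
            reasons.append("brand-in-hostname:" + brand)
        if reasons:
            alerts.append((rec["client"], rec["host"], reasons))
    return alerts


# Constructed sample log lines (no real traffic).
SAMPLE_LOG = """\
2012-09-07T10:01:02Z 10.0.0.5 GET deploy.corp.example.com /apps/Inventory.application application/x-ms-application 200
2012-09-07T10:02:15Z 10.0.0.7 GET update.microsoft.com.windows-update-service.example.net /setup/WindowsUpdate.application application/x-ms-application 200
2012-09-07T10:03:00Z 10.0.0.9 GET www.example.org /index.html text/html 200
2012-09-07T10:04:30Z 10.0.0.5 GET download.microsoft.com /files/tool.exe application/octet-stream 200
2012-09-07T10:05:10Z 10.0.0.7 GET cdn.example.net /promo/Free-Player.application text/plain 200
""".splitlines()

# Hosts the organization deploys its own ClickOnce applications from (assumption).
APPROVED = {"deploy.corp.example.com"}

if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG, APPROVED):
        print(client, host, ", ".join(reasons))
```

The second sample line is the shape the post describes: the left-hand labels read as microsoft.com while the registrable domain is example.net. Note the last line is caught by the path rule even though the server mislabels the manifest as text/plain, which is why both signals are checked.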