Firefox Malware

Mon, 08 Dec 2008 19:48:37 GMT
by pdp

You may have already heard of this, but there is a malware which goes around disguised as a Firefox extension. I have no details regarding the malicious code but to be honest, I am not surprised at all. In fact, I wonder why it took so long for the bad guys to figure that Firefox is an excellent malware delivery platform. Usually they are quicker.

A couple of months back, just before my BlackHat talk, I was planning to launch yet another of my experiments. It was supposed to be part of the my talk under the "4th generation malware" topic. My plan was to smuggle malicious code as a Firefox addon on addons.mozilla.org as a proof that even benign-looking extensions can contain quite catastrophic backdoors. For obvious reasons I did not go with my plan but the task still seams very much possible.

The reason for this is because JavaScript, XML and anything else Firefox is made of, are quite twisted to follow. We are talking about asynchronous calls, events, language peculiarities and what not. Hiding stuff is dead easy especially when most extensions look like an intermingled blob of crap, i.e. jar files, encodings, URL protocols, other types of encapsulations, etc. There are hundreds of ways to obfuscate malicious code and some times you may even look at it and don't even realize that it is there unless you spend a huge amount of time figuring your way around functions which at first glance may look like not having much of a purpose but at the same time are the key of unlocking the ugly secret. Add some XPCOM into the mix and you have the recipe for a nightmare. I wonder how the Firefox guys are dealing with the addons flooding their doors on a daily basis. I personally don't trust them.

Even if Mozilla implements more granular security model for Firefox extension, in a similar fashion to what the Chrome developers are implementing now, it still wont be enough. The ugly truth is that most users will allow the extension to do whatever as long as it gets what it is asked.

The bottom line is that client-side, more specifically web technologies are immensely complicated. They are ridiculously expressive and at the same time nightmare for debugging and as such they make a perfect medium for smuggling some malicious code into. No FUD, just the ugly reality!

Archived Comments

mindcorrosivemindcorrosive
How about developing an addon in such a way that a "plausible deniability" to a gaping security hole is possible? What I mean is - someone can create a not-so-obvious gaping security hole, and still claim innocence, if it can easily be attributed to a coding error, not deliberate action. The thing is, you probably might not be able to pull this more than one or two times.. Then again, some products seem to be literally leaking with remotely exploited security holes - VLC first comes to mind..
pdppdp
yup, I don't see why it shouldn't work. :)
DaveDave
As far as I understand, Firefox was not the delivery platform but rather the target of the malware once it had infected the computer by other means. I don't remember where I read about it. The malware installed a plugin and named it GreaseMonkey. The malicious plugin looked for and logged details for over 100 finance websites such as banks, Paypal, Amazon and eBay. The rest of your post is, of course, still completely accurate. The other interesting point this raises is that Firefox has enough marketshare to be worth targeting specifically. It was inevitable, but it has actually happened now.
Morgan StoreyMorgan Storey
Maybe Mozilla needs to get all extensions in their source code format and compile/package it themselves, run a quick search using standard looking obfuscation type code and if any is obfuscated deny the code from being compiled/packaged and therefore not listed on the extensions site.
Mark MathsonMark Mathson
Nice post pdp. This brings to light something I have thought for a while. What implied trust do you give to a Firefox add-on when you decide to install it? Quite a bit really. One thought is a community review process an add-on goes through before publishing live. Code reviewed, product beta tested and then given a stamp of approval. I know they have the experimental add-ons, maybe tie this idea in. I don't know. Plus it wouldn't do any good if the 'community' was "in on it" together. ;-)
marchinermarchiner
AVGs that use pro-active defense like "kaspersky" can deal with new malware?
Krazy_KaosKrazy_Kaos
Nice post. Personally if I was to do that, I would first make an extension, a clean one. Release it. Wait 1 week. Release an update (still clean) and on the second update... malware (I think they will not check the source so well the 3rd time).
MikeMike
So all we know is that there is some add-on, somewhere, that does...something, and that add-on contains malware? Yikes. This is like when I watch my local news and they say something like, "Is an everyday product you use in your house SLOWLY KILLING YOU?...FIND OUT AT 11!" I need more details!!
noonenoone
i knew it was only a matter of time.
adamjakabadamjakab
...three years later... Just to let you know that there is quite a long thread going on started off by me asking a silly question about add-ons 'stealing' data from one another. The sad thing is that no one really worried about stuff like full user privileged file system access and friends. You might be interested but really i don't really see much change since pdp's post in the far 2008. I think as long as FF will consider 3rd party add-ons as "integral part of itself" we will always have to watch our backs!