Tuesday, December 9, 2008

Firefox Malware

You may have already heard of this, but there is a malware which goes around disguised as a Firefox extension. I have no details regarding the malicious code but to be honest, I am not surprised at all. In fact, I wonder why it took so long for the bad guys to figure that Firefox is an excellent malware delivery platform. Usually they are quicker.
Firefox Wallpaper

A couple of months back, just before my BlackHat talk, I was planning to launch yet another of my experiments. It was supposed to be part of the my talk under the "4th generation malware" topic. My plan was to smuggle malicious code as a Firefox addon on addons.mozilla.org as a proof that even benign-looking extensions can contain quite catastrophic backdoors. For obvious reasons I did not go with my plan but the task still seams very much possible.

The reason for this is because JavaScript, XML and anything else Firefox is made of, are quite twisted to follow. We are talking about asynchronous calls, events, language peculiarities and what not. Hiding stuff are dead easy especially when most extensions look like an intermingled blob of crap, i.e. jar files, encodings, URL protocols, other types of encapsulations, etc. There are hundreds of ways to obfuscate malicious code and some times you may even look at it and don’t even realize that it is there unless you spend a huge amount of time figuring your away around functions which at first glance may look like not having much of a purpose but at the same time are the key of unlocking the ugly secret. Add some XPCOM into the mix and you have the recipe for a nightmare. I wonder how the Firefox guys are dealing with the addons flooding their doors on a daily basis. I personally don’t trust them.

Even if Mozilla implements more granular security model for Firefox extension, in a similar fashion to what the Chrome developers are implementing now, it still wont be enough. The ugly truth is that most users will allow the extension to do whatever as long as it gets what it is asked for done.

The bottom line is that client-side, more specifically web technologies are immensely complicated. They are ridiculously expressive and at the same time nightmare for debugging and as such they make a perfect medium for smuggling some malicious code into. No FUD, just the ugly reality!


No comments: