SlideShare a Scribd company logo

Browser Malware Taxonomy

Aditya K Sood
Aditya K Sood
Technology
1 of 6
VIRUS BULLETIN www.virusbtn.com FEATURE 2 but reserving IP ranges and then mapping them out would. A BROWSER MALWARE Even today, we have reserved IP address space that nobody is supposed to use (224.0.0.0 upwards is reserved for multicast, TAXONOMY 10.0.0.0/8 is part of RFC 1918’s internal address space, and Aditya K. Sood, Richard J. Enbody so forth). The work that needs to be done is the following: Michigan State University, USA • A committee of people must figure out how many IP addresses should be reserved for sending mail – such In this paper, we propose a taxonomy of browser malware. that we are not likely to run out of space in a couple of We classify browser add-ons, emphasizing their privileges. decades – and then reserve an appropriate range for it. Since privileges impact the capability of malware, we use • IANA must then reserve that space and come up with the resulting classification as a basis for our taxonomy. We rules for how to hand that out to the RIRs. The RIRs hope that this taxonomy will provide better insight into the must then come up with rules for how to allocate it to techniques and tactics used by browser malware, and assist the LIRs, who then have to figure out how to allocate in the development of defences. it to their customers. They then have to manage the infrastructure necessary to maintain the mappings of who owns what. BROWSER MALWARE – SUBVERTING DESIGN PRINCIPLES • Next, RFCs need to be written on how to send and receive mail over IPv6. Browsers are becoming a prominent medium for spreading malware infections because they are the interface to the • Then, software vendors need to write code to perform web. Browser malware thrives by exploiting flaws in IPv6 email transactions that are able to implement these browser design principles. The design shortcomings most rules. extensively exploited are: • Finally, IP blocklist maintainers need to start • Insufficient isolation of components in existing browser populating their lists in IPv6 notation pursuant to the designs. Browser malware exploits the principle of restrictions that are built into the RFCs. isolation to run arbitrary code in the context of a It’s a ton of work – years of it – but if we want to start running browser to modify other components and receiving mail over IPv6 then that’s what needs to be done. corrupt the normal functioning of running components. This restriction of IP space for mail solves one problem • Unrestricted communication among browser but it doesn’t solve others. On the one hand, it makes components. Browser malware manipulates the management of IPs scalable for machines that are bots. principle of integrity by eavesdropping on the Today, most spam is sent from botnets. However, botnets do inter-component communication interfaces and not always send out all of their spam directly – many bots performing malicious hooks on the HTTP interfaces to compromise legitimate mail hosts or email accounts and control the traffic flow. send out spam that way, or create a throwaway account at a • Flaws in same origin policy implementation. Browser free email service and send out small amounts of spam from malware exploits the principle of same origin policy it before discarding it. This technique is used today but on because persistent browser state is not effectively a smaller scale than spamming directly. If we successfully partitioned. This weakness allows the malware to solve the problem of direct-to-spam botnets, spammers will conduct attacks by exploiting flaws in the same origin simply shift the bulk of their spamming to compromised or policy. throwaway accounts. • Insufficient browser customization restrictions. I guess that means those of us in the e-security industry will Browser design permits extensive customization to always have a job. There’s a silver lining to everything! enhance flexibility in the browser, but does so with insufficient restrictions. Browser malware exploits the principle of flexibility by executing malicious code as a REFERENCES part of extensible code. [1] Levine, J. A Politically Incorrect Guide to IPv6, part • Vulnerable privacy models. Existing browser designs III. http://jl.ly/Internet/v6incor3.html?seemore=y. have adopted a privacy model which is not robust. [2] Leiba, B. IP Blocklists, Email, and IPv6. Website cookies, user history, browser storage and http://www.circleid.com/posts/ip_blocklists_email_ so on are the foundation of users’ privacy. Browser and_ipv6/. malware overcomes the privacy model by exploiting the 8 JUNE 2011
VIRUS BULLETIN www.virusbtn.com internal browser state to manipulate the interfaces that ‘sandbox’). Adobe Flash is an example of a plug-in. We control the privacy components. have borrowed Firefox terminology, but the definitions Our focus is on the Mozilla Firefox and Microsoft Internet fit other browsers. One can think of extensions as being Explorer browsers. part of the browser whereas plug-ins are separate, but intimately connected to the browser. It is the difference in privileges that differentiates add-ons with respect to BROWSER MALWARE TAXONOMY (BMT) malware. In developing our taxonomy we define browser malware as Let’s briefly take a look at Microsoft’s browser a malicious piece of code that results in the circumvention terminology. Browser Helper Objects (BHO) are treated of browser functionality or which uses a browser as a as a part of the Microsoft Internet Explorer extension platform to infect operating system (OS) layers thereby. model [1]. In our taxonomy we are treating BHOs as Our taxonomy, BMT, is based on the following critical extensions and ActiveX Objects as supporting programs elements of security that are exploited by the browser for proprietary plug-ins. An Active X Object has a malware: wide variety of functionality in the way it is used. For example, when installing a BHO from a remote location • Browser malware exploits security vulnerabilities in the an ActiveX Object can be used to download that BHO. components, plug-ins and OS layers. If an ActiveX Object is allowed to run from a browser, it • Browser malware contains malicious extensions can perform malicious functions by directly calling OS that reside in the browser itself and exploit the objects. Custom designed or proprietary plug-ins require characteristics of the default browser architecture. an Active X Object to run dynamically if the plug-in is not permanently enabled in the browser. • Browser malware uses the OS as a base to hook and hijack critical browser functions in order to take control A BHO is a DLL (Dynamic Link Library) that runs of the browser communication channel. automatically when Internet Explorer is loaded. Extensions in Internet Explorer use the COM interface to design inline components that run in exactly the same manner as other proprietary components. BHOs extend the browser functionality to a great extent, but can also be used for nefarious purposes. Most of the time Active X Objects and BHOs are installed as DLLs in the operating system because Microsoft makes extensive use of DLLs for all types of operations. Our proposed BMT uses this extension and plug-in distinction along with their different privileges to differentiate between the types of malware. CLASS A BROWSER MALWARE Class A browser malware exploits the default monolithic Figure 1: Generic browser extensibility model. architecture of browsers. It installs itself as a browser component and utilizes the browser model to conduct In order to discuss browsers we need to define some terms. attacks. This type of malware is quite dangerous because To complicate this task, different browsers use different it functions as an inline component. Malicious extensions terminology. Browsers depend on a variety of ‘add-ons’ and browser rootkits fall into this category. Also, class A for extensibility, flexibility, and customization. With browser malware can exploit inherent vulnerabilities in respect to browser malware we find it useful to divide the browser native components to download binaries into add-ons into two categories: extensions and plug-ins (see the operating system. Figure 2 shows the class A browser Figure 1). Extensions run in the browser’s context so they malware model. have the same rights as the browser itself. An example of an extension would be NoScript (for Firefox). In contrast, As a browser component, class A browser malware has plug-ins run as separate processes and interact with the the full access rights of the browser and runs in the same browser through an API that is more restricted than that memory context (address space) as other extensions, so it used by an extension (some refer to this restriction as a can perform the following operations: JUNE 2011 9
VIRUS BULLETIN www.virusbtn.com events to generate listener functions for communication with third-party servers. It can use encrypted protocols for data transfer in a secure manner. Examples of class A browsers include Firefox FormSpy [7], FFSniff [8], Sothink Web Video Downloader 4.0 spreading Win32.LdPinch.gen [9], Master Filer spreading Win32.Bifrose.32.Bifrose Trojan [9], Download.ject [10, 11] and MyWay Searchbar [12, 13]. Note that browser exploit packs such as the Phoenix [14] and BlackHole [15, 16] do not install any extensions, but do exploit browser vulnerabilities to download malicious executables in the system. Therefore, they display some of the typical behaviour of Class A browser malware. CLASS B BROWSER MALWARE Class B browser malware exploits vulnerabilities in the plug-in interface in order to cause an infection. Since Figure 2: Class A browser malware. most plug-ins originate from third-party vendors, inherent vulnerabilities in plug-ins play a critical role in determining • It is capable of reading and writing to disks, controlling the success of class B browser malware. Generally, plug-ins network sockets, tampering with the browser’s user run as separate processes and are usually placed in a interface, stealing stored data, altering the registry and sandbox so the interface with the browser is restricted. modifying other extensions. Plug-ins are platform-independent code so vulnerabilities • It can exploit other installed extensions by using in third-party code such as Adobe Flash can broadly impact JavaScript wrapper functions to change their browser security. The impact is significant because the functionality. It can interact with installed plug-ins such risk of exploitation in third-party software is transferred as PDF or Flash in order to launch malicious code. In to the browser. This interdependency results in hybrid this way it can act as a carrier for trojans. vulnerabilities that exist when the plug-in code is run • Like a rootkit it can hide itself in the browser. For simultaneously with the browser. A malicious plug-in can example, Firefox extensions can be hidden by use JavaScript in a web page (loaded in a sub window) to manipulating parameters in the install.rdf file and using CSS [2] to install malicious extensions with transparent style metrics. Basically, the aim is to remove entries in the extension manager so that malicious extensions cannot be enumerated. In Internet Explorer, it is possible to hide extensions by hooking objects in Security Manager [3] and creating new objects such as invisible tags. • Class A browser malware can also exploit the security vulnerabilities present in the different browser components such as the rendering engine, JS interpreter, browser engine, XML parser, networking modules and user interface. Exploitation of these vulnerabilities can result in successful execution of drive-by download attacks [4]. JavaScript heap corruption [5, 6] plays a critical role in the successful execution of these types of attacks. • Class A browser malware can make explicit use of asynchronous HTTP requests via AJAX with associated Figure 3: Class B browser malware. 10 JUNE 2011
VIRUS BULLETIN www.virusbtn.com perform various functions. A web page’s JavaScript runs OS layer vulnerabilities by using the access rights of the under restricted privileges (sandboxed) so it cannot interact user of the operating system. In general, class C browser much with the internal browser components. Of course, malware uses system-level APIs to attack the browser vulnerabilities in the sandboxing can allow modification or plug-in processes in order to control the browser of the internal browser components. In any case, plug-ins communication interface. This malware also contains operate outside of browsers and can act as a parasite to use system-level rootkits specifically aimed at exploiting the browser resources to spread infections. browser interface with the OS. Class C browser malware Figure 3 shows the high-level view of class B browser establishes itself in either the user-land or kernel-land layers malware. of the OS, or some hybrid of the two. As noted earlier, both class A and class B browser malware play a crucial Class B browser malware shows the following role in dropping class C browser malware in the OS by characteristics: exploiting certain vulnerabilities in browsers and plug-ins. • Custom designed plug-ins can run malicious scripts This observation indicates that dependencies exist between in the browser and exploit DOM to carry out all classes of browser malware that are presented in this XSS for stealing sensitive information, phishing, taxonomy. Figure 4 shows a high-level view of class C malvertisements and social engineering attacks. In browser malware. Firefox, malicious plug-ins make use of the Netscape Plug-in Application Programming Interface (NPAPI), which is used to design platform-independent code. NPAPI plug-ins are specifically used by class B browser malware for malicious Internet functionality which is a potential playground for spreading infections. In Internet Explorer, custom designed plug-ins use Active X Objects to execute arbitrary code that can manipulate browser resources. • Malicious plug-ins can carry exploit code in order to drop binaries in the OS by exploiting vulnerabilities in the plug-in interface – so-called drive-by download attacks. Examples include the exploitation of vulnerabilities in the Adobe Reader, Flash and Silverlight plug-ins. • Apart from JavaScript heap corruption, class B browser malware also uses evasive techniques such as RC4 encryption, splitter modules including variables and Figure 4: Class C browser malware. arrays, multiple level compressions and encoding as well as cross referencing of objects in order to evade Class C browser malware shows the following detection. However, it supports both JavaScript and non characteristics: JavaScript-based exploits. • This class of malware typically behaves like a rootkit Real-world examples of class B browser malware include and hides itself in the OS so that the possibility Trojan.Pidief [17], Exploit.PDF-JS.Gen [18], SWF of detection is reduced. Class C browser malware AdJack Gnida [19], Trojan:SWF/Redirector.I [20] and basically aims to control the browser’s communication TrojanDownloader:SWF/Nerner.A [21]. interface with the Internet to manipulate the traffic Note that browser exploit packs such as BlackHole and flow. Class C browser malware implements hooking Phoenix show characteristics of class B malware because [22] in order to take control of the execution flow. In these packs exploit vulnerabilities in third-party support user-land space, this class of malware uses Import plug-ins such as Adobe Flash and Java. Address Table (IAT) hooking, inline hooking and DLL hijacking using APIs. In kernel-land space, this class of malware primarily performs hooking CLASS C BROWSER MALWARE through the System Service Descriptor Table (SSDT) Class C browser malware typically resides in the operating in order to control the browser-related functions in system and exploits the browser interface. It also exploits the kernel. JUNE 2011 11
VIRUS BULLETIN www.virusbtn.com • Class C browser malware is capable of hooking [5] Sotirov, A. Heap Feng Shui in JavaScript. Black the browser communication channel, traffic Hat Europe 2007. http://www.blackhat.com/ monitoring, injecting malicious traffic into the presentations/bh-europe-07/Sotirov/Presentation/ browser, circumventing OS firewalls, generating fake bh-eu-07-sotirov-apr19.pdf. website pages and keylogging POST requests and all system-related activities. This ability is critical because [6] Chennete, S.; Joseph, M. Detecting Web Browser class C browser malware has complete control of the Heap Corruption Attacks. Black Hat USA 2007. standard HTTP functions in OS libraries which are https://www.blackhat.com/presentations/bh-usa- used heavily by browsers for all types of work. 07/Chenette_and_Joseph/Presentation/bh-usa-07- chenette_and_joseph.pdf. Real-world examples include the Zeus bot [23], SpyEye bot [24], IRC bots [25] and PRRF [26]. [7] Oswald, E. Trojan Hides Itself as Firefox Extension. BetaNews. http://www.betanews.com/ Note that browser exploit packs such as BlackHole and article/Trojan-Hides-Itself-as-Firefox- Phoenix actually exploit issues in browsers and plug-ins to Extension/1153934797. drop class C browser malware into the system. [8] Costoya, J. Malicious Firefox Extensions. Trend Micro blog. http://blog.trendmicro.com/malicious- CONCLUSION firefox-extensions/. In this browser malware taxonomy we have presented [9] Claburn, T. Mozilla Removes Two Malicious three different classes of browser malware classified on Firefox Add-Ons. Information Week. the basis of a browser architectural model. In particular, http://www.informationweek.com/news/security/ differences in privileges are critical in the classification. vulnerabilities/222700171. Class A browser malware resides in the browser process and acts as an inline component of the browser. Class A [10] Schneier, B. Schneier Micros. Schneier on Security. browser malware exploits vulnerabilities in the browser http://www.schneier.com/blog/archives/2004/10/ process. Class B browser malware takes the form of schneier_micros.html. malicious plug-ins and also exploits vulnerabilities in third-party vendor software. Class C browser malware [11] Wikipedia. Download.ject. http://en.wikipedia.org/ resides in the operating system and controls the browser w/index.php?title=Download.ject&oldid= communication channel from outside. 423105396. We hope that this taxonomy will provide better insight into [12] Leyden, J. Dell rejects spyware. The Register. the techniques and tactics used by browser malware, and http://www.theregister.co.uk/2005/07/15/dell_my_ assist in the development of defences. way_controversy/. [13] Wikipedia. MyWay Searchbar. REFERENCES http://en.wikipedia.org/w/index.php?title=MyWay_ Searchbar&oldid=427757462, 2005. [1] Microsoft. Verified Security for Browser Extensions. http://research.microsoft.com/ [14] SecNiche Security. Phoenix Exploit Kit (2.4) pubs/141971/tr.pdf, 2010. – Infection Analysis. Malware At Stake Blog. http://secniche.blogspot.com/2010/10/ [2] Devaux, C.; Lenoir, J. Browser Rootkits. phoenix-exploit-kit-24-analysis.html. Hack.lu, 2008. http://archive.hack.lu/2008/lenoir_ presentation.pdf. [15] Websense Blog. Black Hole Exploit Pack. http://community.websense.com/blogs/securitylabs/ [3] Wueest, C.; Florio, E. Firefox and Malware: When pages/black-hole-exploit-kit.aspx. your browser bytes you. Virus Bulletin International Conference 2009. http://www.virusbtn.com/pdf/ [16] SecNiche Security. Java OBE + Blackhole Dead conference_slides/2009/Wueest-Florio-VB2009.pdf. Man Rising. Malware At Stake Blog. http://secniche.blogspot.com/2011/02/java-obe- [4] Barwinski, M.; Irvine, C.; Levin, T. Empirical tookit-exploits-blackhole-dead.html. Study of Drive-by-Download Spyware. http://www.cisr.us/downloads/papers/06paper_ [17] Symantec Security Report. The Rise of PDF spyware.pdf. Malware. http://www.symantec.com/content/en/us/ 12 JUNE 2011
VIRUS BULLETIN www.virusbtn.com FEATURE 3 enterprise/media/security_response/whitepapers/ NEW TARGETED ATTACK VIA the_rise_of_pdf_malware.pdf. GOOGLE IMAGES [18] BitDefender. Exploit.PDF-JS.Gen. Robert X Wang http://www.bitdefender.com/VIRUS-1000487-en-- iSIGHT Partners, USA Exploit.PDF-JS.Gen.html. [19] Lindner, F. Defending the Poor – Countering Flash Fake AV is a term used to describe threats which Exploits. http://www.recurity-labs.com/content/ masquerade as real security products, fooling victims into pub/DefendingThePoor_26C3.pdf. believing that they have discovered infections on their [20] Microsoft. Trojan:SWF/Redirector.I. machines. The ‘products’ then insist on payment for an http://www.microsoft.com/security/portal/Threat/ activation/registration code in order to clean the supposed Encyclopedia/Entry.aspx?Name=Trojan%3aSWF% threats from the system. 2fRedirector.I. As with many other threats, social engineering techniques are often used to spread fake AV. The malicious file may [21] Microsoft. TrojanDownloader:SWF/Nerner.A. have a tempting name and arrive as an email attachment, a http://www.microsoft.com/security/portal/Threat/ download link, or a shared folder. However, such methods Encyclopedia/Entry.aspx?Name=TrojanDownloade require a considerable amount of user interaction – if the r%3ASWF%2FNerner.A. user doesn’t download and execute the file, the fake AV [22] Wikipedia. Hooking. http://en.wikipedia.org/w/ will not be able to fool the user into believing their system index.php?title=Hooking&oldid=428889341. is infected and subsequently generate revenue for the attacker. [23] Leyden, J. Zeus bot latches onto Windows shortcut security hole. The Register, 2010. A new method of targeted attack has recently been http://www.theregister.co.uk/2010/07/27/zeus_ discovered in which the auto preview feature of Google exploit_shortcut_hole/. Images is utilized to lure the user into downloading and purchasing the fake AV application. This method has proved [24] Coogan, P. SpyEye Bot versus Zeus Bot. Symantec to be very effective. Blog. http://www.symantec.com/connect/blogs/ spyeye-bot-versus-zeus-bot. Google Image Search [25] Honeynet. Tracking Bots and Botnets. http://www.honeynet.org/book/export/html/50. [26] Tereshkin, A. Rootkits: Attacking Personal Firewalls. Black Hat USA 2006. Search and collect Computer user images automatically http://blackhat.com/presentations/bh-usa-06/BH- US-06-Tereshkin.pdf. [27] Bugzilla. Bug ID- 483086 non-http[s] SearchForm Auto preview URIs should be ignored. https://bugzilla.mozilla.org/ show_bug.cgi?id=483086. [28] BitDefender. Trojan.PWS.ChromeInject.B. http://www.bitdefender.com/VIRUS-1000451-en-- Trojan.PWS.ChromeInject.B.html. Redirector server Display faked scanning result [29] Nightangle, J. Firefox Malware. to scare people into downloading Fake AV http://blog.johnath.com/2008/12/08/firefox- malware/. Update Fake AV server address [30] Louw, M.; Lim, J.; Venkatakrishnan, V.N. ExtensibleWeb Browser Security. http://www.cs.uic.edu/~venkat/research/papers/ extensible-browser-dimva07.pdf. Fake AV server JUNE 2011 13

Recommended

XSS Remediation
XSS RemediationXSS Remediation
XSS RemediationDenim Group
 
Simplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project ZeroSimplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project ZeroShawn Zhu
 
Software newsletter
Software newsletterSoftware newsletter
Software newsletterKelly-Ann Cornibert
 
Wifi direct p2p app
Wifi direct p2p appWifi direct p2p app
Wifi direct p2p appgeniushkg
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose josemgg
 

Recommended

XSS Remediation
XSS RemediationXSS Remediation
XSS RemediationDenim Group
 
Simplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project ZeroSimplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project ZeroShawn Zhu
 
Software newsletter
Software newsletterSoftware newsletter
Software newsletterKelly-Ann Cornibert
 
Wifi direct p2p app
Wifi direct p2p appWifi direct p2p app
Wifi direct p2p appgeniushkg
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAjin Abraham
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Trabajo de jose
Trabajo de jose Trabajo de jose
Trabajo de jose josemgg
 
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptxAjaySahre
 
Internet browsers by Andres Haydar
Internet browsers by Andres HaydarInternet browsers by Andres Haydar
Internet browsers by Andres HaydarAndresHaydar
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 
Joy
JoyJoy
Joyjyothsnajoy
 
Joy
JoyJoy
Joyjyothsnajoy
 
Os in-a-browser
Os in-a-browserOs in-a-browser
Os in-a-browserFarrukh Naeem
 
Open source software
Open source softwareOpen source software
Open source softwareAmruhtha Viswanathan
 
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018UX Antwerp Meetup
 
Browsers
BrowsersBrowsers
BrowsersSebastian Lora
 
Browsers
BrowsersBrowsers
BrowsersSebastian Lora
 
Browsers
BrowsersBrowsers
BrowsersSebastian Lora
 
Best software development tools in 2021
Best software development tools in 2021Best software development tools in 2021
Best software development tools in 2021Samaritan InfoTech
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Shelly Megan
 
Web Development SEO Expate BD LTD 1 01.02.2023 .pdf
Web Development SEO Expate BD LTD 1 01.02.2023 .pdfWeb Development SEO Expate BD LTD 1 01.02.2023 .pdf
Web Development SEO Expate BD LTD 1 01.02.2023 .pdfSeo Expate BD LTD
 
Browsers .
Browsers .Browsers .
Browsers .seripa3
 
SoC Keynote:The State of the Art in Integration Technology
SoC Keynote:The State of the Art in Integration TechnologySoC Keynote:The State of the Art in Integration Technology
SoC Keynote:The State of the Art in Integration TechnologySrinath Perera
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
Firefox vs. chrome
Firefox vs. chromeFirefox vs. chrome
Firefox vs. chromePrabhath Suminda
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 

More Related Content

Similar to Browser Malware Taxonomy

AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Onsachettih
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptxAjaySahre
 
Internet browsers by Andres Haydar
Internet browsers by Andres HaydarInternet browsers by Andres Haydar
Internet browsers by Andres HaydarAndresHaydar
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018UX Antwerp Meetup
 
Best software development tools in 2021
Best software development tools in 2021Best software development tools in 2021
Best software development tools in 2021Samaritan InfoTech
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Shelly Megan
 
Web Development SEO Expate BD LTD 1 01.02.2023 .pdf
Web Development SEO Expate BD LTD 1 01.02.2023 .pdfWeb Development SEO Expate BD LTD 1 01.02.2023 .pdf
Web Development SEO Expate BD LTD 1 01.02.2023 .pdfSeo Expate BD LTD
 
Browsers .
Browsers .Browsers .
Browsers .seripa3
 
SoC Keynote:The State of the Art in Integration Technology
SoC Keynote:The State of the Art in Integration TechnologySoC Keynote:The State of the Art in Integration Technology
SoC Keynote:The State of the Art in Integration TechnologySrinath Perera
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 

Similar to Browser Malware Taxonomy (20)

AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-OnsAbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
AbusingExploitingAndPWN-ingWithFirefoxAdd-Ons
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptx
 
Internet browsers by Andres Haydar
Internet browsers by Andres HaydarInternet browsers by Andres Haydar
Internet browsers by Andres Haydar
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 
Joy
JoyJoy
Joy
 
Joy
JoyJoy
Joy
 
Os in-a-browser
Os in-a-browserOs in-a-browser
Os in-a-browser
 
Open source software
Open source softwareOpen source software
Open source software
 
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
Kristiaan De Roeck at UX Antwerp Meetup - 30 January 2018
 
Browsers
BrowsersBrowsers
Browsers
 
Browsers
BrowsersBrowsers
Browsers
 
Browsers
BrowsersBrowsers
Browsers
 
Best software development tools in 2021
Best software development tools in 2021Best software development tools in 2021
Best software development tools in 2021
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!
 
Web Development SEO Expate BD LTD 1 01.02.2023 .pdf
Web Development SEO Expate BD LTD 1 01.02.2023 .pdfWeb Development SEO Expate BD LTD 1 01.02.2023 .pdf
Web Development SEO Expate BD LTD 1 01.02.2023 .pdf
 
Browsers .
Browsers .Browsers .
Browsers .
 
SoC Keynote:The State of the Art in Integration Technology
SoC Keynote:The State of the Art in Integration TechnologySoC Keynote:The State of the Art in Integration Technology
SoC Keynote:The State of the Art in Integration Technology
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
Firefox vs. chrome
Firefox vs. chromeFirefox vs. chrome
Firefox vs. chrome
 

More from Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 

More from Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 

Recently uploaded

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Browser Malware Taxonomy

  • 1. VIRUS BULLETIN www.virusbtn.com FEATURE 2 but reserving IP ranges and then mapping them out would. A BROWSER MALWARE Even today, we have reserved IP address space that nobody is supposed to use (224.0.0.0 upwards is reserved for multicast, TAXONOMY 10.0.0.0/8 is part of RFC 1918’s internal address space, and Aditya K. Sood, Richard J. Enbody so forth). The work that needs to be done is the following: Michigan State University, USA • A committee of people must figure out how many IP addresses should be reserved for sending mail – such In this paper, we propose a taxonomy of browser malware. that we are not likely to run out of space in a couple of We classify browser add-ons, emphasizing their privileges. decades – and then reserve an appropriate range for it. Since privileges impact the capability of malware, we use • IANA must then reserve that space and come up with the resulting classification as a basis for our taxonomy. We rules for how to hand that out to the RIRs. The RIRs hope that this taxonomy will provide better insight into the must then come up with rules for how to allocate it to techniques and tactics used by browser malware, and assist the LIRs, who then have to figure out how to allocate in the development of defences. it to their customers. They then have to manage the infrastructure necessary to maintain the mappings of who owns what. BROWSER MALWARE – SUBVERTING DESIGN PRINCIPLES • Next, RFCs need to be written on how to send and receive mail over IPv6. Browsers are becoming a prominent medium for spreading malware infections because they are the interface to the • Then, software vendors need to write code to perform web. Browser malware thrives by exploiting flaws in IPv6 email transactions that are able to implement these browser design principles. The design shortcomings most rules. extensively exploited are: • Finally, IP blocklist maintainers need to start • Insufficient isolation of components in existing browser populating their lists in IPv6 notation pursuant to the designs. Browser malware exploits the principle of restrictions that are built into the RFCs. isolation to run arbitrary code in the context of a It’s a ton of work – years of it – but if we want to start running browser to modify other components and receiving mail over IPv6 then that’s what needs to be done. corrupt the normal functioning of running components. This restriction of IP space for mail solves one problem • Unrestricted communication among browser but it doesn’t solve others. On the one hand, it makes components. Browser malware manipulates the management of IPs scalable for machines that are bots. principle of integrity by eavesdropping on the Today, most spam is sent from botnets. However, botnets do inter-component communication interfaces and not always send out all of their spam directly – many bots performing malicious hooks on the HTTP interfaces to compromise legitimate mail hosts or email accounts and control the traffic flow. send out spam that way, or create a throwaway account at a • Flaws in same origin policy implementation. Browser free email service and send out small amounts of spam from malware exploits the principle of same origin policy it before discarding it. This technique is used today but on because persistent browser state is not effectively a smaller scale than spamming directly. If we successfully partitioned. This weakness allows the malware to solve the problem of direct-to-spam botnets, spammers will conduct attacks by exploiting flaws in the same origin simply shift the bulk of their spamming to compromised or policy. throwaway accounts. • Insufficient browser customization restrictions. I guess that means those of us in the e-security industry will Browser design permits extensive customization to always have a job. There’s a silver lining to everything! enhance flexibility in the browser, but does so with insufficient restrictions. Browser malware exploits the principle of flexibility by executing malicious code as a REFERENCES part of extensible code. [1] Levine, J. A Politically Incorrect Guide to IPv6, part • Vulnerable privacy models. Existing browser designs III. http://jl.ly/Internet/v6incor3.html?seemore=y. have adopted a privacy model which is not robust. [2] Leiba, B. IP Blocklists, Email, and IPv6. Website cookies, user history, browser storage and http://www.circleid.com/posts/ip_blocklists_email_ so on are the foundation of users’ privacy. Browser and_ipv6/. malware overcomes the privacy model by exploiting the 8 JUNE 2011
  • 2. VIRUS BULLETIN www.virusbtn.com internal browser state to manipulate the interfaces that ‘sandbox’). Adobe Flash is an example of a plug-in. We control the privacy components. have borrowed Firefox terminology, but the definitions Our focus is on the Mozilla Firefox and Microsoft Internet fit other browsers. One can think of extensions as being Explorer browsers. part of the browser whereas plug-ins are separate, but intimately connected to the browser. It is the difference in privileges that differentiates add-ons with respect to BROWSER MALWARE TAXONOMY (BMT) malware. In developing our taxonomy we define browser malware as Let’s briefly take a look at Microsoft’s browser a malicious piece of code that results in the circumvention terminology. Browser Helper Objects (BHO) are treated of browser functionality or which uses a browser as a as a part of the Microsoft Internet Explorer extension platform to infect operating system (OS) layers thereby. model [1]. In our taxonomy we are treating BHOs as Our taxonomy, BMT, is based on the following critical extensions and ActiveX Objects as supporting programs elements of security that are exploited by the browser for proprietary plug-ins. An Active X Object has a malware: wide variety of functionality in the way it is used. For example, when installing a BHO from a remote location • Browser malware exploits security vulnerabilities in the an ActiveX Object can be used to download that BHO. components, plug-ins and OS layers. If an ActiveX Object is allowed to run from a browser, it • Browser malware contains malicious extensions can perform malicious functions by directly calling OS that reside in the browser itself and exploit the objects. Custom designed or proprietary plug-ins require characteristics of the default browser architecture. an Active X Object to run dynamically if the plug-in is not permanently enabled in the browser. • Browser malware uses the OS as a base to hook and hijack critical browser functions in order to take control A BHO is a DLL (Dynamic Link Library) that runs of the browser communication channel. automatically when Internet Explorer is loaded. Extensions in Internet Explorer use the COM interface to design inline components that run in exactly the same manner as other proprietary components. BHOs extend the browser functionality to a great extent, but can also be used for nefarious purposes. Most of the time Active X Objects and BHOs are installed as DLLs in the operating system because Microsoft makes extensive use of DLLs for all types of operations. Our proposed BMT uses this extension and plug-in distinction along with their different privileges to differentiate between the types of malware. CLASS A BROWSER MALWARE Class A browser malware exploits the default monolithic Figure 1: Generic browser extensibility model. architecture of browsers. It installs itself as a browser component and utilizes the browser model to conduct In order to discuss browsers we need to define some terms. attacks. This type of malware is quite dangerous because To complicate this task, different browsers use different it functions as an inline component. Malicious extensions terminology. Browsers depend on a variety of ‘add-ons’ and browser rootkits fall into this category. Also, class A for extensibility, flexibility, and customization. With browser malware can exploit inherent vulnerabilities in respect to browser malware we find it useful to divide the browser native components to download binaries into add-ons into two categories: extensions and plug-ins (see the operating system. Figure 2 shows the class A browser Figure 1). Extensions run in the browser’s context so they malware model. have the same rights as the browser itself. An example of an extension would be NoScript (for Firefox). In contrast, As a browser component, class A browser malware has plug-ins run as separate processes and interact with the the full access rights of the browser and runs in the same browser through an API that is more restricted than that memory context (address space) as other extensions, so it used by an extension (some refer to this restriction as a can perform the following operations: JUNE 2011 9
  • 3. VIRUS BULLETIN www.virusbtn.com events to generate listener functions for communication with third-party servers. It can use encrypted protocols for data transfer in a secure manner. Examples of class A browsers include Firefox FormSpy [7], FFSniff [8], Sothink Web Video Downloader 4.0 spreading Win32.LdPinch.gen [9], Master Filer spreading Win32.Bifrose.32.Bifrose Trojan [9], Download.ject [10, 11] and MyWay Searchbar [12, 13]. Note that browser exploit packs such as the Phoenix [14] and BlackHole [15, 16] do not install any extensions, but do exploit browser vulnerabilities to download malicious executables in the system. Therefore, they display some of the typical behaviour of Class A browser malware. CLASS B BROWSER MALWARE Class B browser malware exploits vulnerabilities in the plug-in interface in order to cause an infection. Since Figure 2: Class A browser malware. most plug-ins originate from third-party vendors, inherent vulnerabilities in plug-ins play a critical role in determining • It is capable of reading and writing to disks, controlling the success of class B browser malware. Generally, plug-ins network sockets, tampering with the browser’s user run as separate processes and are usually placed in a interface, stealing stored data, altering the registry and sandbox so the interface with the browser is restricted. modifying other extensions. Plug-ins are platform-independent code so vulnerabilities • It can exploit other installed extensions by using in third-party code such as Adobe Flash can broadly impact JavaScript wrapper functions to change their browser security. The impact is significant because the functionality. It can interact with installed plug-ins such risk of exploitation in third-party software is transferred as PDF or Flash in order to launch malicious code. In to the browser. This interdependency results in hybrid this way it can act as a carrier for trojans. vulnerabilities that exist when the plug-in code is run • Like a rootkit it can hide itself in the browser. For simultaneously with the browser. A malicious plug-in can example, Firefox extensions can be hidden by use JavaScript in a web page (loaded in a sub window) to manipulating parameters in the install.rdf file and using CSS [2] to install malicious extensions with transparent style metrics. Basically, the aim is to remove entries in the extension manager so that malicious extensions cannot be enumerated. In Internet Explorer, it is possible to hide extensions by hooking objects in Security Manager [3] and creating new objects such as invisible tags. • Class A browser malware can also exploit the security vulnerabilities present in the different browser components such as the rendering engine, JS interpreter, browser engine, XML parser, networking modules and user interface. Exploitation of these vulnerabilities can result in successful execution of drive-by download attacks [4]. JavaScript heap corruption [5, 6] plays a critical role in the successful execution of these types of attacks. • Class A browser malware can make explicit use of asynchronous HTTP requests via AJAX with associated Figure 3: Class B browser malware. 10 JUNE 2011
  • 4. VIRUS BULLETIN www.virusbtn.com perform various functions. A web page’s JavaScript runs OS layer vulnerabilities by using the access rights of the under restricted privileges (sandboxed) so it cannot interact user of the operating system. In general, class C browser much with the internal browser components. Of course, malware uses system-level APIs to attack the browser vulnerabilities in the sandboxing can allow modification or plug-in processes in order to control the browser of the internal browser components. In any case, plug-ins communication interface. This malware also contains operate outside of browsers and can act as a parasite to use system-level rootkits specifically aimed at exploiting the browser resources to spread infections. browser interface with the OS. Class C browser malware Figure 3 shows the high-level view of class B browser establishes itself in either the user-land or kernel-land layers malware. of the OS, or some hybrid of the two. As noted earlier, both class A and class B browser malware play a crucial Class B browser malware shows the following role in dropping class C browser malware in the OS by characteristics: exploiting certain vulnerabilities in browsers and plug-ins. • Custom designed plug-ins can run malicious scripts This observation indicates that dependencies exist between in the browser and exploit DOM to carry out all classes of browser malware that are presented in this XSS for stealing sensitive information, phishing, taxonomy. Figure 4 shows a high-level view of class C malvertisements and social engineering attacks. In browser malware. Firefox, malicious plug-ins make use of the Netscape Plug-in Application Programming Interface (NPAPI), which is used to design platform-independent code. NPAPI plug-ins are specifically used by class B browser malware for malicious Internet functionality which is a potential playground for spreading infections. In Internet Explorer, custom designed plug-ins use Active X Objects to execute arbitrary code that can manipulate browser resources. • Malicious plug-ins can carry exploit code in order to drop binaries in the OS by exploiting vulnerabilities in the plug-in interface – so-called drive-by download attacks. Examples include the exploitation of vulnerabilities in the Adobe Reader, Flash and Silverlight plug-ins. • Apart from JavaScript heap corruption, class B browser malware also uses evasive techniques such as RC4 encryption, splitter modules including variables and Figure 4: Class C browser malware. arrays, multiple level compressions and encoding as well as cross referencing of objects in order to evade Class C browser malware shows the following detection. However, it supports both JavaScript and non characteristics: JavaScript-based exploits. • This class of malware typically behaves like a rootkit Real-world examples of class B browser malware include and hides itself in the OS so that the possibility Trojan.Pidief [17], Exploit.PDF-JS.Gen [18], SWF of detection is reduced. Class C browser malware AdJack Gnida [19], Trojan:SWF/Redirector.I [20] and basically aims to control the browser’s communication TrojanDownloader:SWF/Nerner.A [21]. interface with the Internet to manipulate the traffic Note that browser exploit packs such as BlackHole and flow. Class C browser malware implements hooking Phoenix show characteristics of class B malware because [22] in order to take control of the execution flow. In these packs exploit vulnerabilities in third-party support user-land space, this class of malware uses Import plug-ins such as Adobe Flash and Java. Address Table (IAT) hooking, inline hooking and DLL hijacking using APIs. In kernel-land space, this class of malware primarily performs hooking CLASS C BROWSER MALWARE through the System Service Descriptor Table (SSDT) Class C browser malware typically resides in the operating in order to control the browser-related functions in system and exploits the browser interface. It also exploits the kernel. JUNE 2011 11
  • 5. VIRUS BULLETIN www.virusbtn.com • Class C browser malware is capable of hooking [5] Sotirov, A. Heap Feng Shui in JavaScript. Black the browser communication channel, traffic Hat Europe 2007. http://www.blackhat.com/ monitoring, injecting malicious traffic into the presentations/bh-europe-07/Sotirov/Presentation/ browser, circumventing OS firewalls, generating fake bh-eu-07-sotirov-apr19.pdf. website pages and keylogging POST requests and all system-related activities. This ability is critical because [6] Chennete, S.; Joseph, M. Detecting Web Browser class C browser malware has complete control of the Heap Corruption Attacks. Black Hat USA 2007. standard HTTP functions in OS libraries which are https://www.blackhat.com/presentations/bh-usa- used heavily by browsers for all types of work. 07/Chenette_and_Joseph/Presentation/bh-usa-07- chenette_and_joseph.pdf. Real-world examples include the Zeus bot [23], SpyEye bot [24], IRC bots [25] and PRRF [26]. [7] Oswald, E. Trojan Hides Itself as Firefox Extension. BetaNews. http://www.betanews.com/ Note that browser exploit packs such as BlackHole and article/Trojan-Hides-Itself-as-Firefox- Phoenix actually exploit issues in browsers and plug-ins to Extension/1153934797. drop class C browser malware into the system. [8] Costoya, J. Malicious Firefox Extensions. Trend Micro blog. http://blog.trendmicro.com/malicious- CONCLUSION firefox-extensions/. In this browser malware taxonomy we have presented [9] Claburn, T. Mozilla Removes Two Malicious three different classes of browser malware classified on Firefox Add-Ons. Information Week. the basis of a browser architectural model. In particular, http://www.informationweek.com/news/security/ differences in privileges are critical in the classification. vulnerabilities/222700171. Class A browser malware resides in the browser process and acts as an inline component of the browser. Class A [10] Schneier, B. Schneier Micros. Schneier on Security. browser malware exploits vulnerabilities in the browser http://www.schneier.com/blog/archives/2004/10/ process. Class B browser malware takes the form of schneier_micros.html. malicious plug-ins and also exploits vulnerabilities in third-party vendor software. Class C browser malware [11] Wikipedia. Download.ject. http://en.wikipedia.org/ resides in the operating system and controls the browser w/index.php?title=Download.ject&oldid= communication channel from outside. 423105396. We hope that this taxonomy will provide better insight into [12] Leyden, J. Dell rejects spyware. The Register. the techniques and tactics used by browser malware, and http://www.theregister.co.uk/2005/07/15/dell_my_ assist in the development of defences. way_controversy/. [13] Wikipedia. MyWay Searchbar. REFERENCES http://en.wikipedia.org/w/index.php?title=MyWay_ Searchbar&oldid=427757462, 2005. [1] Microsoft. Verified Security for Browser Extensions. http://research.microsoft.com/ [14] SecNiche Security. Phoenix Exploit Kit (2.4) pubs/141971/tr.pdf, 2010. – Infection Analysis. Malware At Stake Blog. http://secniche.blogspot.com/2010/10/ [2] Devaux, C.; Lenoir, J. Browser Rootkits. phoenix-exploit-kit-24-analysis.html. Hack.lu, 2008. http://archive.hack.lu/2008/lenoir_ presentation.pdf. [15] Websense Blog. Black Hole Exploit Pack. http://community.websense.com/blogs/securitylabs/ [3] Wueest, C.; Florio, E. Firefox and Malware: When pages/black-hole-exploit-kit.aspx. your browser bytes you. Virus Bulletin International Conference 2009. http://www.virusbtn.com/pdf/ [16] SecNiche Security. Java OBE + Blackhole Dead conference_slides/2009/Wueest-Florio-VB2009.pdf. Man Rising. Malware At Stake Blog. http://secniche.blogspot.com/2011/02/java-obe- [4] Barwinski, M.; Irvine, C.; Levin, T. Empirical tookit-exploits-blackhole-dead.html. Study of Drive-by-Download Spyware. http://www.cisr.us/downloads/papers/06paper_ [17] Symantec Security Report. The Rise of PDF spyware.pdf. Malware. http://www.symantec.com/content/en/us/ 12 JUNE 2011
  • 6. VIRUS BULLETIN www.virusbtn.com FEATURE 3 enterprise/media/security_response/whitepapers/ NEW TARGETED ATTACK VIA the_rise_of_pdf_malware.pdf. GOOGLE IMAGES [18] BitDefender. Exploit.PDF-JS.Gen. Robert X Wang http://www.bitdefender.com/VIRUS-1000487-en-- iSIGHT Partners, USA Exploit.PDF-JS.Gen.html. [19] Lindner, F. Defending the Poor – Countering Flash Fake AV is a term used to describe threats which Exploits. http://www.recurity-labs.com/content/ masquerade as real security products, fooling victims into pub/DefendingThePoor_26C3.pdf. believing that they have discovered infections on their [20] Microsoft. Trojan:SWF/Redirector.I. machines. The ‘products’ then insist on payment for an http://www.microsoft.com/security/portal/Threat/ activation/registration code in order to clean the supposed Encyclopedia/Entry.aspx?Name=Trojan%3aSWF% threats from the system. 2fRedirector.I. As with many other threats, social engineering techniques are often used to spread fake AV. The malicious file may [21] Microsoft. TrojanDownloader:SWF/Nerner.A. have a tempting name and arrive as an email attachment, a http://www.microsoft.com/security/portal/Threat/ download link, or a shared folder. However, such methods Encyclopedia/Entry.aspx?Name=TrojanDownloade require a considerable amount of user interaction – if the r%3ASWF%2FNerner.A. user doesn’t download and execute the file, the fake AV [22] Wikipedia. Hooking. http://en.wikipedia.org/w/ will not be able to fool the user into believing their system index.php?title=Hooking&oldid=428889341. is infected and subsequently generate revenue for the attacker. [23] Leyden, J. Zeus bot latches onto Windows shortcut security hole. The Register, 2010. A new method of targeted attack has recently been http://www.theregister.co.uk/2010/07/27/zeus_ discovered in which the auto preview feature of Google exploit_shortcut_hole/. Images is utilized to lure the user into downloading and purchasing the fake AV application. This method has proved [24] Coogan, P. SpyEye Bot versus Zeus Bot. Symantec to be very effective. Blog. http://www.symantec.com/connect/blogs/ spyeye-bot-versus-zeus-bot. Google Image Search [25] Honeynet. Tracking Bots and Botnets. http://www.honeynet.org/book/export/html/50. [26] Tereshkin, A. Rootkits: Attacking Personal Firewalls. Black Hat USA 2006. Search and collect Computer user images automatically http://blackhat.com/presentations/bh-usa-06/BH- US-06-Tereshkin.pdf. [27] Bugzilla. Bug ID- 483086 non-http[s] SearchForm Auto preview URIs should be ignored. https://bugzilla.mozilla.org/ show_bug.cgi?id=483086. [28] BitDefender. Trojan.PWS.ChromeInject.B. http://www.bitdefender.com/VIRUS-1000451-en-- Trojan.PWS.ChromeInject.B.html. Redirector server Display faked scanning result [29] Nightangle, J. Firefox Malware. to scare people into downloading Fake AV http://blog.johnath.com/2008/12/08/firefox- malware/. Update Fake AV server address [30] Louw, M.; Lim, J.; Venkatakrishnan, V.N. ExtensibleWeb Browser Security. http://www.cs.uic.edu/~venkat/research/papers/ extensible-browser-dimva07.pdf. Fake AV server JUNE 2011 13