SlideShare una empresa de Scribd logo

Jinx - Malware 2.0

Itzik Kotler
Itzik Kotler

Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life. Malware that is OS and architecture independent, as covert as a cutting edge rootkit but at the same time implemented through a series of API\'s and a generous variety of high-level OOP languages simplifying the task

1 de 40
Descargar para leer sin conexión
Jinx – Malware 2.0 We know it’s big, we measured it! Itzik Kotler Yoni Rom
This is how your browser looks like before Jinx has loaded …
This is how your browser looks like after Jinx has loaded …
Did you see the difference? • The pixel on the 31337th row has changed from white to black… just kidding ;-) • Javascript by nature is GUI-less thus it will not alter the browser interface (unless you explicitly ask it to).
10 seconds on Javascript • High level scripting language commonly used for client-side web development. • “Natively” supported by Browsers, no need for additional components (e.g. ActiveX’s). • Javascripts do not need any special security privileges prior to execution. • Capable of using some of the hottest Web 2.0 features such as AJAX.
Exit Assembly, Enter Javascript • Cross platform – Malware is oblivious to the underlaying OS. • Architecture independent – Malware is oblivious of the CPU. • Unified – Malware uses constant standard API. • Comprehensive – Malware doesn’t need any external modules.
Sharpen Your Pencil and Take out a Clean Sheet of Paper. No, this isn't a quiz, It's your first Javascript malware programming class!
Entry Point (Mozilla Design Flaw) • hiddenWindow.html – The hidden window is similar to a regular window, but unlike any other window, it is available the whole time the application is running, but isn't visible to the user. • Paths – %ProgramFiles%Mozilla FirefoxreshiddenWindow.html – /opt/firefox/res/hiddenWindow.html – /usr/share/iceweasel/res/hiddenWindow.html
Typical hiddenWindow.html • Includes something like this: – <html><head><title></title></head><body></ body></html> • Document base URI is set to: – resource://gre/res/hiddenWindow.html • Loaded only once (not per instance). • Globally used (not per profile).
Welcome to ChromeWindow • The Window object and initial scope of hiddenWindow.html • A very restricted object, both in methods (read only properties) and in access to files. • Not a very interesting place to be stuck in for a long time …
Escaping from resource:// • What changes a document restriction is the URL from which it was invoked. • hiddenWindow.html can be invoked through different base URI … file:/// • So if hiddenWindow.html is invoked through file:/// URL it is basically free of resource:// and is no longer considered to be a resident of Chrome.
Jailbreak Javascript Style … <script> if (location.search) { alert(“Hello World!n”); } else { location.href = “file://<path>/hiddenWindow.html?homefree”; } </script> …
Javascript and Files • After the jail break, we’re running from file:/// and as such we are capable of accessing files and reading their data. • Files on the target computer and mapped share’s are accessible through file:/// URI • Let’s start reading some files then …
Hello C:BOOT.INI & IFRAME • IFRAME allows us to open BOOT.INI through: file:///C:/boot.ini • Since our document also originates from file:/// we are completely bypassing the same origin policy enforcement. • Works almost perfectly and is completely scalable.
Reading Files through IFRAME … <iframe id=“foobar” src=“file:///C:/boot.ini “></iframe> <script> alert(document.getElementById(‘foobar’).co ntentDocument.body.innerHTML); </script> …
Problems with IFRAME • Accessing the IFRAME content needs to be synchronous, as rendering takes time. • When trying to access a FILE which has a registered URI (e.g. Word Document) instead of returning the .innerHTML, an application will be launched (e.g. Word). • IFRAME is so 90’s ;-)
Exit IFRAME, Enter AJAX • AJAX is not emotionally or mentally attached with URI’s, thus it won’t launch any associated applications. • AJAX can be synchronous thus eliminating the waiting period. • AJAX is a Web 2.0 pioneer.
DIR-a-like through AJAX … <script> var http = new XMLHttpRequest(); http.open("GET", "." ,false); http.send(null); </script> …
Implementing pwd() through AJAX … <script> .. // Initialization of AJAX socket (as before) http.responseText.substring(http.responseT ext.indexOf(' '), http.responseText.indexOf('n')); </script> …
= getHiddenWindowPath • AJAX allow us to automatically locate hiddenWindow.html and thus we no longer require any “static” paths. • Did we already mention that we’re cross platform? ;-)
AJAX’s addiction to text • AJAX always assumes the data is TEXT, this is due to the default charset which doesn’t support binary/high ASCII values. • Lucky this issue can be easily bypassed through overriding the default charset with something that supports high ASCII values.
Overriding AJAX’s default charset … <script> // assume AJAX socket is declared as ‘file’ file.overrideMimeType('text/plain; charset=x- user-defined'); file.send(null); </script> …
Let’s put the O in OUTPUT • Data is coming in through IFRAME and/or AJAX but how does it go out? • We can’t submit it through FORM as it would require us to leave the file:/// document in favor of the http:// document and a http:// document can’t go back to file:/// ... • AJAX won’t allow us to do POST since we’re violating the same origin domain policy …
We’re simply going to GET it! • GET supports up to 2k of data passed through URL (depend on the server). • IFRAME partially ignores the same origin domain policy as it will perform the request but won’t let us peek in to the result. • Simple PHP on the server side will quickly reassemble the data back into a single file.
When one (byte) becomes four • GET doesn’t support binary characters, so how are we going to push it out? • Encoding methods (ratio byte to byte): – BASE64 1:0.5..3 (e.g., YQ==) – ESCAPE 1:1||1:3 (e.g., A, %20) – HEX 1:2 (e.g. 41)
Keep it quiet (CPU Usage) • Javascript was never really designed to work with so much buffers and allocated memory and it shows. • A solution to this problem is to redesign the malware to be preemptive and instead of being linearly executed (blocking), it should be event driven, by pre-scheduled events (non-blocking).
setInterval() & document.hash • Javascript supports an alarm()-like function that’s called setInterval(). • Anchors (aka. hashes) can be set and changed without reloading the document, this could be a good place to store the states the malware is going through (State Machine 101)…
= Scheduler ... <script> If (self.jinx_id) { clearInterval(self.jinx_id); } try { jinx_dispatch(); } catch (e) { … } self.jinx_id = setInterval(‘jinx_schd()’, 1500); </script> …
= Dispatch … <script> If (!location.hash) { location.hash = ‘#idle’; } If (location.hash == ‘#idle’) { … } If (location.hash == ‘#start_task’) { … } </script> …
Build me a framework … • Every X seconds we’re invoking the scheduler function, which in turn calls the dispatch function. • The calling of the dispatch function is wrapped by a try and catch clause to prevent errors from breaking the run cycle. • Tasks can be queued and the queue can be changed on the fly.
From Malware to Bot • Jinx will accept commands from a master (e.g. files to retrieve, result of queries) and obey. • If we would like to load a document (through an IFRAME) we still couldn’t access it’s content due to the same domain policy …
<script> ? • Funny as it may sound, there is no problem at all to use the src attribute in order to fetch a remote Javascript. • I know, I know … but believe me, it works and we can directly load functions and variables from a remote site without violating any policies or triggering any alarms. • But … this is BlackHat right?
*0DAY* (Design Flaw) • CSS links are also protected by same origin policy, thus we can’t access elements in CSS directly (An exception will be raised). • Legacy properties in DOM elements bypass this thus opening up 15 bytes that can be loaded from a remote CSS.
CSS-bypassing-same-origin-policy … <script> document.fgColor; // 3 bytes document.bgColor // 3 bytes document.alinkColor; // 3 bytes document.linkColor; // 3 bytes document.vlinkColor; // 3 bytes </script> …
What can be done with 15 bytes? • 15 bytes are equal to 120 bits • We can reserve 5 bits for an opcode, that leaves us with ~14 bytes for payload and 32 possible opcodes • Since those bytes are represented by RGB there is no wrong or right (even NULL bytes are allowed to party!)
So? • We have demonstrated that it is possible to create a fully functional bot using only Javascript. • Please see the proof of concept and the supplied source code of our dearly beloved Jinx, a fully working Javascript malware.
The Future • Using Google AJAX API to make malware that can search for it’s master website (eliminate the single point of failure) • Exploiting different URI handlers to launch applications. • Con people in to solving CAPTCHA through fake popup windows.
Links/References • Working with windows in chrome code – http://developer.mozilla.org/en/docs/Working_ with_windows_in_chrome_code
Q&A … <script> alert(“Hello World!n”); </script> …
Thank you!

Recomendados

Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain BarrierAlex Sexton
 
Modern iframe programming
Modern iframe programmingModern iframe programming
Modern iframe programmingbenvinegar
 
Modernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsModernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsAlex Sexton
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communicationChenKuo Chen
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 

Recomendados

Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain BarrierAlex Sexton
 
Modern iframe programming
Modern iframe programmingModern iframe programming
Modern iframe programmingbenvinegar
 
Modernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsModernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsAlex Sexton
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
Javascript cross domain communication
Javascript cross domain communicationJavascript cross domain communication
Javascript cross domain communicationChenKuo Chen
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!Soroush Dalili
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
Brubeck: The Lightning Talk
Brubeck: The Lightning TalkBrubeck: The Lightning Talk
Brubeck: The Lightning TalkJames Dennis
 
Web development basics (Part-7)
Web development basics (Part-7)Web development basics (Part-7)
Web development basics (Part-7)Rajat Pratap Singh
 
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attackDistributed computing in browsers as client side attack
Distributed computing in browsers as client side attackIvan Novikov
 
Javascript debugging
Javascript debuggingJavascript debugging
Javascript debuggingaudiodog
 
Web development basics (Part-4)
Web development basics (Part-4)Web development basics (Part-4)
Web development basics (Part-4)Rajat Pratap Singh
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATIONkrutitrivedi
 
Php
PhpPhp
Phpkhushbulakhani1
 
Web development basics (Part-6)
Web development basics (Part-6)Web development basics (Part-6)
Web development basics (Part-6)Rajat Pratap Singh
 
Web Application Development using PHP Chapter 1
Web Application Development using PHP Chapter 1Web Application Development using PHP Chapter 1
Web Application Development using PHP Chapter 1Mohd Harris Ahmad Jaal
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
Web programming
Web programmingWeb programming
Web programmingLeo Mark Villar
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Web Development with Python and Django
Web Development with Python and DjangoWeb Development with Python and Django
Web Development with Python and DjangoMichael Pirnat
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= TOWASP EEE
 
NoSQL for great good [hanoi.rb talk]
NoSQL for great good [hanoi.rb talk]NoSQL for great good [hanoi.rb talk]
NoSQL for great good [hanoi.rb talk]Huy Do
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicysubbul
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 

Más contenido relacionado

La actualidad más candente

Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEFMichele Orru
 
Brubeck: The Lightning Talk
Brubeck: The Lightning TalkBrubeck: The Lightning Talk
Brubeck: The Lightning TalkJames Dennis
 
Web development basics (Part-7)
Web development basics (Part-7)Web development basics (Part-7)
Web development basics (Part-7)Rajat Pratap Singh
 
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attackDistributed computing in browsers as client side attack
Distributed computing in browsers as client side attackIvan Novikov
 
Javascript debugging
Javascript debuggingJavascript debugging
Javascript debuggingaudiodog
 
Web development basics (Part-4)
Web development basics (Part-4)Web development basics (Part-4)
Web development basics (Part-4)Rajat Pratap Singh
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATIONkrutitrivedi
 
Web development basics (Part-6)
Web development basics (Part-6)Web development basics (Part-6)
Web development basics (Part-6)Rajat Pratap Singh
 
Web Application Development using PHP Chapter 1
Web Application Development using PHP Chapter 1Web Application Development using PHP Chapter 1
Web Application Development using PHP Chapter 1Mohd Harris Ahmad Jaal
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Krzysztof Kotowicz
 
Web Development with Python and Django
Web Development with Python and DjangoWeb Development with Python and Django
Web Development with Python and DjangoMichael Pirnat
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= TOWASP EEE
 
NoSQL for great good [hanoi.rb talk]
NoSQL for great good [hanoi.rb talk]NoSQL for great good [hanoi.rb talk]
NoSQL for great good [hanoi.rb talk]Huy Do
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicysubbul
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 

La actualidad más candente (20)

Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Buried by time, dust and BeEF
Buried by time, dust and BeEFBuried by time, dust and BeEF
Buried by time, dust and BeEF
 
Brubeck: The Lightning Talk
Brubeck: The Lightning TalkBrubeck: The Lightning Talk
Brubeck: The Lightning Talk
 
Web development basics (Part-7)
Web development basics (Part-7)Web development basics (Part-7)
Web development basics (Part-7)
 
Distributed computing in browsers as client side attack
Distributed computing in browsers as client side attackDistributed computing in browsers as client side attack
Distributed computing in browsers as client side attack
 
Javascript debugging
Javascript debuggingJavascript debugging
Javascript debugging
 
Web development basics (Part-4)
Web development basics (Part-4)Web development basics (Part-4)
Web development basics (Part-4)
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATION
 
Php
PhpPhp
Php
 
Web development basics (Part-6)
Web development basics (Part-6)Web development basics (Part-6)
Web development basics (Part-6)
 
Web Application Development using PHP Chapter 1
Web Application Development using PHP Chapter 1Web Application Development using PHP Chapter 1
Web Application Development using PHP Chapter 1
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORS
 
Web programming
Web programmingWeb programming
Web programming
 
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
Biting into the forbidden fruit. Lessons from trusting Javascript crypto.
 
Web Development with Python and Django
Web Development with Python and DjangoWeb Development with Python and Django
Web Development with Python and Django
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
 
NoSQL for great good [hanoi.rb talk]
NoSQL for great good [hanoi.rb talk]NoSQL for great good [hanoi.rb talk]
NoSQL for great good [hanoi.rb talk]
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 

Similar a Jinx - Malware 2.0

External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Volkan Özçelik
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
 
Optimization of modern web applications
Optimization of modern web applicationsOptimization of modern web applications
Optimization of modern web applicationsEugene Lazutkin
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 
Usersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJSUsersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJSUsersnap
 
RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.Rainer Gerhards
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror StoriesEC-Council
 
Pune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPrashant Rane
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Ratpack Web Framework
Ratpack Web FrameworkRatpack Web Framework
Ratpack Web FrameworkDaniel Woods
 
AD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeedAD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeededm00se
 
Sahi Principles and Architecture
Sahi Principles and ArchitectureSahi Principles and Architecture
Sahi Principles and ArchitectureTyto Software
 
Streams API (Web Engines Hackfest 2015)
Streams API (Web Engines Hackfest 2015)Streams API (Web Engines Hackfest 2015)
Streams API (Web Engines Hackfest 2015)Igalia
 

Similar a Jinx - Malware 2.0 (20)

External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesExternal JavaScript Widget Development Best Practices
External JavaScript Widget Development Best Practices
 
Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012Java scriptwidgetdevelopmentjstanbul2012
Java scriptwidgetdevelopmentjstanbul2012
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Going on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web PerformanceGoing on an HTTP Diet: Front-End Web Performance
Going on an HTTP Diet: Front-End Web Performance
 
Optimization of modern web applications
Optimization of modern web applicationsOptimization of modern web applications
Optimization of modern web applications
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Usersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJSUsersnap and the javascript magic behind the scenes - ViennaJS
Usersnap and the javascript magic behind the scenes - ViennaJS
 
RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.RSYSLOG v8 improvements and how to write plugins in any language.
RSYSLOG v8 improvements and how to write plugins in any language.
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
01 java intro
01 java intro01 java intro
01 java intro
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 
Pune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCD
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Ratpack Web Framework
Ratpack Web FrameworkRatpack Web Framework
Ratpack Web Framework
 
AD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeedAD113 Speed Up Your Applications w/ Nginx and PageSpeed
AD113 Speed Up Your Applications w/ Nginx and PageSpeed
 
Sahi Principles and Architecture
Sahi Principles and ArchitectureSahi Principles and Architecture
Sahi Principles and Architecture
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event Loop
 
Streams API (Web Engines Hackfest 2015)
Streams API (Web Engines Hackfest 2015)Streams API (Web Engines Hackfest 2015)
Streams API (Web Engines Hackfest 2015)
 

Más de Itzik Kotler

In Plain Sight: The Perfect Exfiltration
In Plain Sight: The Perfect ExfiltrationIn Plain Sight: The Perfect Exfiltration
In Plain Sight: The Perfect ExfiltrationItzik Kotler
 
Goodbye Data, Hello Exfiltration
Goodbye Data, Hello ExfiltrationGoodbye Data, Hello Exfiltration
Goodbye Data, Hello ExfiltrationItzik Kotler
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Itzik Kotler
 
Sounds Like Botnet
Sounds Like BotnetSounds Like Botnet
Sounds Like BotnetItzik Kotler
 
Turbot - A Next Generation Botnet
Turbot - A Next Generation BotnetTurbot - A Next Generation Botnet
Turbot - A Next Generation BotnetItzik Kotler
 
The Day of the Updates
The Day of the UpdatesThe Day of the Updates
The Day of the UpdatesItzik Kotler
 

Más de Itzik Kotler (6)

In Plain Sight: The Perfect Exfiltration
In Plain Sight: The Perfect ExfiltrationIn Plain Sight: The Perfect Exfiltration
In Plain Sight: The Perfect Exfiltration
 
Goodbye Data, Hello Exfiltration
Goodbye Data, Hello ExfiltrationGoodbye Data, Hello Exfiltration
Goodbye Data, Hello Exfiltration
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)
 
Sounds Like Botnet
Sounds Like BotnetSounds Like Botnet
Sounds Like Botnet
 
Turbot - A Next Generation Botnet
Turbot - A Next Generation BotnetTurbot - A Next Generation Botnet
Turbot - A Next Generation Botnet
 
The Day of the Updates
The Day of the UpdatesThe Day of the Updates
The Day of the Updates
 

Jinx - Malware 2.0

  • 1. Jinx – Malware 2.0 We know it’s big, we measured it! Itzik Kotler Yoni Rom
  • 2. This is how your browser looks like before Jinx has loaded …
  • 3. This is how your browser looks like after Jinx has loaded …
  • 4. Did you see the difference? • The pixel on the 31337th row has changed from white to black… just kidding ;-) • Javascript by nature is GUI-less thus it will not alter the browser interface (unless you explicitly ask it to).
  • 5. 10 seconds on Javascript • High level scripting language commonly used for client-side web development. • “Natively” supported by Browsers, no need for additional components (e.g. ActiveX’s). • Javascripts do not need any special security privileges prior to execution. • Capable of using some of the hottest Web 2.0 features such as AJAX.
  • 6. Exit Assembly, Enter Javascript • Cross platform – Malware is oblivious to the underlaying OS. • Architecture independent – Malware is oblivious of the CPU. • Unified – Malware uses constant standard API. • Comprehensive – Malware doesn’t need any external modules.
  • 7. Sharpen Your Pencil and Take out a Clean Sheet of Paper. No, this isn't a quiz, It's your first Javascript malware programming class!
  • 8. Entry Point (Mozilla Design Flaw) • hiddenWindow.html – The hidden window is similar to a regular window, but unlike any other window, it is available the whole time the application is running, but isn't visible to the user. • Paths – %ProgramFiles%Mozilla FirefoxreshiddenWindow.html – /opt/firefox/res/hiddenWindow.html – /usr/share/iceweasel/res/hiddenWindow.html
  • 9. Typical hiddenWindow.html • Includes something like this: – <html><head><title></title></head><body></ body></html> • Document base URI is set to: – resource://gre/res/hiddenWindow.html • Loaded only once (not per instance). • Globally used (not per profile).
  • 10. Welcome to ChromeWindow • The Window object and initial scope of hiddenWindow.html • A very restricted object, both in methods (read only properties) and in access to files. • Not a very interesting place to be stuck in for a long time …
  • 11. Escaping from resource:// • What changes a document restriction is the URL from which it was invoked. • hiddenWindow.html can be invoked through different base URI … file:/// • So if hiddenWindow.html is invoked through file:/// URL it is basically free of resource:// and is no longer considered to be a resident of Chrome.
  • 12. Jailbreak Javascript Style … <script> if (location.search) { alert(“Hello World!n”); } else { location.href = “file://<path>/hiddenWindow.html?homefree”; } </script> …
  • 13. Javascript and Files • After the jail break, we’re running from file:/// and as such we are capable of accessing files and reading their data. • Files on the target computer and mapped share’s are accessible through file:/// URI • Let’s start reading some files then …
  • 14. Hello C:BOOT.INI & IFRAME • IFRAME allows us to open BOOT.INI through: file:///C:/boot.ini • Since our document also originates from file:/// we are completely bypassing the same origin policy enforcement. • Works almost perfectly and is completely scalable.
  • 15. Reading Files through IFRAME … <iframe id=“foobar” src=“file:///C:/boot.ini “></iframe> <script> alert(document.getElementById(‘foobar’).co ntentDocument.body.innerHTML); </script> …
  • 16. Problems with IFRAME • Accessing the IFRAME content needs to be synchronous, as rendering takes time. • When trying to access a FILE which has a registered URI (e.g. Word Document) instead of returning the .innerHTML, an application will be launched (e.g. Word). • IFRAME is so 90’s ;-)
  • 17. Exit IFRAME, Enter AJAX • AJAX is not emotionally or mentally attached with URI’s, thus it won’t launch any associated applications. • AJAX can be synchronous thus eliminating the waiting period. • AJAX is a Web 2.0 pioneer.
  • 18. DIR-a-like through AJAX … <script> var http = new XMLHttpRequest(); http.open("GET", "." ,false); http.send(null); </script> …
  • 19. Implementing pwd() through AJAX … <script> .. // Initialization of AJAX socket (as before) http.responseText.substring(http.responseT ext.indexOf(' '), http.responseText.indexOf('n')); </script> …
  • 20. = getHiddenWindowPath • AJAX allow us to automatically locate hiddenWindow.html and thus we no longer require any “static” paths. • Did we already mention that we’re cross platform? ;-)
  • 21. AJAX’s addiction to text • AJAX always assumes the data is TEXT, this is due to the default charset which doesn’t support binary/high ASCII values. • Lucky this issue can be easily bypassed through overriding the default charset with something that supports high ASCII values.
  • 22. Overriding AJAX’s default charset … <script> // assume AJAX socket is declared as ‘file’ file.overrideMimeType('text/plain; charset=x- user-defined'); file.send(null); </script> …
  • 23. Let’s put the O in OUTPUT • Data is coming in through IFRAME and/or AJAX but how does it go out? • We can’t submit it through FORM as it would require us to leave the file:/// document in favor of the http:// document and a http:// document can’t go back to file:/// ... • AJAX won’t allow us to do POST since we’re violating the same origin domain policy …
  • 24. We’re simply going to GET it! • GET supports up to 2k of data passed through URL (depend on the server). • IFRAME partially ignores the same origin domain policy as it will perform the request but won’t let us peek in to the result. • Simple PHP on the server side will quickly reassemble the data back into a single file.
  • 25. When one (byte) becomes four • GET doesn’t support binary characters, so how are we going to push it out? • Encoding methods (ratio byte to byte): – BASE64 1:0.5..3 (e.g., YQ==) – ESCAPE 1:1||1:3 (e.g., A, %20) – HEX 1:2 (e.g. 41)
  • 26. Keep it quiet (CPU Usage) • Javascript was never really designed to work with so much buffers and allocated memory and it shows. • A solution to this problem is to redesign the malware to be preemptive and instead of being linearly executed (blocking), it should be event driven, by pre-scheduled events (non-blocking).
  • 27. setInterval() & document.hash • Javascript supports an alarm()-like function that’s called setInterval(). • Anchors (aka. hashes) can be set and changed without reloading the document, this could be a good place to store the states the malware is going through (State Machine 101)…
  • 28. = Scheduler ... <script> If (self.jinx_id) { clearInterval(self.jinx_id); } try { jinx_dispatch(); } catch (e) { … } self.jinx_id = setInterval(‘jinx_schd()’, 1500); </script> …
  • 29. = Dispatch … <script> If (!location.hash) { location.hash = ‘#idle’; } If (location.hash == ‘#idle’) { … } If (location.hash == ‘#start_task’) { … } </script> …
  • 30. Build me a framework … • Every X seconds we’re invoking the scheduler function, which in turn calls the dispatch function. • The calling of the dispatch function is wrapped by a try and catch clause to prevent errors from breaking the run cycle. • Tasks can be queued and the queue can be changed on the fly.
  • 31. From Malware to Bot • Jinx will accept commands from a master (e.g. files to retrieve, result of queries) and obey. • If we would like to load a document (through an IFRAME) we still couldn’t access it’s content due to the same domain policy …
  • 32. <script> ? • Funny as it may sound, there is no problem at all to use the src attribute in order to fetch a remote Javascript. • I know, I know … but believe me, it works and we can directly load functions and variables from a remote site without violating any policies or triggering any alarms. • But … this is BlackHat right?
  • 33. *0DAY* (Design Flaw) • CSS links are also protected by same origin policy, thus we can’t access elements in CSS directly (An exception will be raised). • Legacy properties in DOM elements bypass this thus opening up 15 bytes that can be loaded from a remote CSS.
  • 34. CSS-bypassing-same-origin-policy … <script> document.fgColor; // 3 bytes document.bgColor // 3 bytes document.alinkColor; // 3 bytes document.linkColor; // 3 bytes document.vlinkColor; // 3 bytes </script> …
  • 35. What can be done with 15 bytes? • 15 bytes are equal to 120 bits • We can reserve 5 bits for an opcode, that leaves us with ~14 bytes for payload and 32 possible opcodes • Since those bytes are represented by RGB there is no wrong or right (even NULL bytes are allowed to party!)
  • 36. So? • We have demonstrated that it is possible to create a fully functional bot using only Javascript. • Please see the proof of concept and the supplied source code of our dearly beloved Jinx, a fully working Javascript malware.
  • 37. The Future • Using Google AJAX API to make malware that can search for it’s master website (eliminate the single point of failure) • Exploiting different URI handlers to launch applications. • Con people in to solving CAPTCHA through fake popup windows.
  • 38. Links/References • Working with windows in chrome code – http://developer.mozilla.org/en/docs/Working_ with_windows_in_chrome_code
  • 39. Q&A … <script> alert(“Hello World!n”); </script> …