The Listening: Email Client Backdoor

Esteban Guillardoy
esteban@immunityinc.com
Introduction

●   This presentation focuses on a backdoor implementation
    built on Thunderbird 3.x

●   A different approach: take advantage of the
    addon/extension features

●   How to make it persistent and hide the C&C channel
    with steganography
Demo

       How cool is this presentation?
       It is starting with a demo :)
How all this started

 ●   Never leave the office without locking
     your session - FAIL!

 ●   Malicious brainstorming...
Adapting the idea

●   Web browsers are commonly targeted

●   But email clients are not

●   Why not use one as a real backdoor?
The challenge
●   Targets go on and off
●   Covertness without losing reliability
●   Routing the data
●   Stealthiness
●   Resistance to traffic analysis
●   No suspicious open ports
●   Avoid antiviruses & scanners
●   Thinking of future trojans
Why an email client
 Don't you use one? Is it Thunderbird?
Email Client Extensions

  ●   Only Thunderbird 3.x for now
      ●   multiplatform backdoor out of the box

  ●   Trusted code

  ●   Full access to all client functions

  ●   Program execution

  ●   Easy development

  ●   Solves part of the challenge for us
Backdoor controlled by simply sending emails
Features

 ●   Doesn't require user interaction

 ●   Hidden C&C using steganography on images

 ●   Encryption using public & private keys

 ●   Processes every email that arrives at the client

 ●   Predefined actions

 ●   Command execution with output retrieval
Mozilla Addons/Extensions

 Basic structure:
       /components/*
       /content or /chrome/content
       /defaults/preferences/*.js
       /chrome.manifest
       /install.rdf
Development
●   “Must have” tools
      ●   Firebug + ChromeBug
      ●   Chrome List
      ●   Console2
      ●   DOM Inspector
      ●   Event Spy
      ●   Extension Developer
      ●   Extension Manager Extended
      ●   Inspector Widget
      ●   MozRepl
      ●   XPCOMViewer
How it works
Email Check

●   Listener on the folder notification service (nsIMsgFolderNotificationService)
    var notificationService =
        Components.classes["@mozilla.org/messenger/msgnotificationservice;1"]
                  .getService(Components.interfaces.nsIMsgFolderNotificationService);
    // msgsClassified fires once new messages have been junk-classified, i.e. on arrival
    notificationService.addListener(this, notificationService.msgsClassified);

●   Our msgsClassified(aMsgs, aJunkProcessed, aTraitProcessed) method gets
    called with each batch of new emails

●   Filter messages by checking attachments:
    attachment.contentType.match(/image\/png/) != null
Encryption

●   Public/private key algorithm (PGP)

●   Used to protect both commands and output

●   Implementation in JavaScript on the client side

●   Wrapper around gnupg in Python on the operator side
Hiding Information

●   Steganography on images to hide the info
●   Who applies steganalysis to every image attached to an email?
●   The common mitigation is to block remote images from loading,
    which does not apply to an attached image

    [Figure: original vs. modified image carrying the message “INFILTRATE 2011”]
Hiding Information
 ●   Least Significant Bit (LSB) algorithm

     [Diagram: the byte 0 1 1 0 0 0 0 1 = “a” written one bit per colour
      channel; the first pixel carries 0 1 1 in the LSBs of its R, G and B values]

     ●   We need 3 pixels per byte to hide (3 RGB channels per pixel
         give 9 LSBs for the 8 bits)
     ●   If the image is greyscale we could use more than
         1 bit per pixel
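The LSB scheme of the last two slides, written out as an added example; this is not code from the deck or from Immunity. It works over the flat RGBA byte array that canvas getImageData() returns (so it also stands in for the JavaScript side of the next slide), and runs under Node.js on a constructed cover image. The 2-byte length prefix is my framing, not something the slides describe; the 8x8 cover image and the message are constructed inline.

```javascript
// Added example, not code from the slides: LSB steganography over the RGBA
// byte array that canvas getImageData() returns. Bit layout follows the deck:
// one payload bit in the LSB of each R, G and B channel, alpha left alone,
// so each payload byte occupies 3 pixels (9 channel LSBs, the ninth unused).
'use strict';

const HEADER_BYTES = 2;      // big-endian payload length prefix (my framing, not the deck's)
const PIXELS_PER_BYTE = 3;

// Payload capacity in bytes, header included.
function capacityBytes(width, height) {
  return Math.floor((width * height) / PIXELS_PER_BYTE);
}

// Index into the RGBA array of colour channel c of the p-th pixel carrying byte i.
function channelIndex(i, p, c) {
  return (i * PIXELS_PER_BYTE + p) * 4 + c;
}

// Embed `payload` (Uint8Array) into a copy of `data` (RGBA, as from getImageData).
function embed(data, width, height, payload) {
  const framed = new Uint8Array(HEADER_BYTES + payload.length);
  framed[0] = (payload.length >> 8) & 0xff;
  framed[1] = payload.length & 0xff;
  framed.set(payload, HEADER_BYTES);
  if (framed.length > capacityBytes(width, height)) {
    throw new Error(`payload needs ${framed.length * PIXELS_PER_BYTE} pixels, image has ${width * height}`);
  }
  const out = new Uint8ClampedArray(data);
  for (let i = 0; i < framed.length; i++) {
    let bit = 7;                                   // MSB first
    for (let p = 0; p < PIXELS_PER_BYTE && bit >= 0; p++) {
      for (let c = 0; c < 3 && bit >= 0; c++, bit--) {
        const k = channelIndex(i, p, c);
        out[k] = (out[k] & 0xfe) | ((framed[i] >> bit) & 1);
      }
    }
  }
  return out;
}

// Read back byte i from the channel LSBs.
function readByte(data, i) {
  let value = 0;
  let bit = 7;
  for (let p = 0; p < PIXELS_PER_BYTE && bit >= 0; p++) {
    for (let c = 0; c < 3 && bit >= 0; c++, bit--) {
      value |= (data[channelIndex(i, p, c)] & 1) << bit;
    }
  }
  return value;
}

// Extract the payload, or null when the length prefix cannot be valid for this image.
function extract(data, width, height) {
  const cap = capacityBytes(width, height);
  if (cap < HEADER_BYTES) return null;
  const len = (readByte(data, 0) << 8) | readByte(data, 1);
  if (len === 0 || HEADER_BYTES + len > cap) return null;
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) out[i] = readByte(data, HEADER_BYTES + i);
  return out;
}

// Constructed cover image: width x height opaque RGBA pixels from a small LCG,
// standing in for pixels read off a real PNG.
function sampleImage(width, height) {
  const data = new Uint8ClampedArray(width * height * 4);
  let seed = 0x1234;
  for (let k = 0; k < data.length; k++) {
    seed = (Math.imul(seed, 1103515245) + 12345) & 0x7fffffff;
    data[k] = (k % 4 === 3) ? 255 : (seed >>> 16) & 0xff;
  }
  return data;
}

// Largest per-channel change between cover and stego image (LSB-only means at most 1).
function maxChannelDelta(a, b) {
  let max = 0;
  for (let k = 0; k < a.length; k++) max = Math.max(max, Math.abs(a[k] - b[k]));
  return max;
}

// Round-trip the deck's demo message through an 8x8 cover (64 pixels, 21 bytes of capacity).
function demo() {
  const width = 8, height = 8;
  const cover = sampleImage(width, height);
  const stego = embed(cover, width, height, new TextEncoder().encode('INFILTRATE 2011'));
  return {
    capacity: capacityBytes(width, height),
    recovered: new TextDecoder().decode(extract(stego, width, height)),
    maxDelta: maxChannelDelta(cover, stego),
  };
}

console.log(demo());
```

The length prefix only rejects payloads that cannot fit; on a large cover image the LSBs of an innocent attachment can still decode to a plausible length, which is why the deck layers PGP on top: a decrypt failure is the real "no command here" signal. Keep alpha untouched, since canvases premultiply alpha and a non-255 value would corrupt the colour LSBs on read-back.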
Hiding Information

●   Python implementation
    ●   Using the Python Imaging Library (PIL)
    ●   Some bitwise operations and we are ready

●   JavaScript implementation
    ●   Hidden iframe to create an HTML5 canvas element
    ●   Retrieve pixel info with:
        var context = canvas.getContext('2d');
        var data = context.getImageData(0, 0, canvas.width, canvas.height);
Execution

●   Using the XPCOM interfaces nsIProcess or nsIProcess2

●   nsIProcess gives no handle on stdout, so the arguments are
    adjusted to redirect the output to a temp file

●   Read the temp file and then delete it
Getting Output
1) XMLHttpRequest

2) Sending an email
  ●   New email:
      Components.classes["@mozilla.org/messengercompose;1"]           (nsIMsgComposeService)
      Components.classes["@mozilla.org/messenger/account-manager;1"]  (nsIMsgAccountManager)
  ●   Send it:
      Components.classes["@mozilla.org/messengercompose/compose;1"]   (nsIMsgCompose)
  ●   Delete it from the Sent folder
Deployment
●   Discover profiles by reading profiles.ini:
    ●   Windows, usually in %AppData%\Thunderbird\
    ●   Linux, usually in ~/.thunderbird/ or ~/.mozilla-thunderbird/
    ●   Mac OS X, usually in ~/Library/Thunderbird/
Deployment - Injecting an Existing Addon
1) Installed addons are listed in %profile-dir%/extensions.ini
2) Copy the backdoor into %selected-addon%/content/
3) Edit chrome.manifest:
       overlay chrome://messenger/content/messenger.xul chrome://selected-addon/content/backdoorOverlay.xul

●   Hard to detect
●   The user trusts installed addons
●   Addon updates are a problem (an update replaces the modified files)
Deployment - New Addon

1) Copy the backdoor into the TB extensions folder
2) Create a file with a random name (a UUID)
3) Write the path to the backdoor folder into it

●   May be easily detected by looking at the
    Extensions Manager

●   But we can use a trick to hide it
Deployment alternatives
●   Install Manifest (install.rdf)
       <em:updateURL>
       <em:updateKey>

●   Mozilla Addon Updates
    1) Update manifest retrieved in a secure fashion
        Through SSL
        Signed Update Manifests
    2) Update package retrieved matches
        Through SSL
        File Hashes

●   Publishing on the Mozilla Addon Site (AMO)
       Policies & Review Process
       Sandbox then public
       Blocklist
Deployment alternatives
●   MITM to deliver fake updates

●   (P)Owning widely used addon sites (?)

●   Become a reviewer for a long time (?)

●   Using a Mozilla cert to sign updates #comodogate :P

●   Zamboni project (new AMO site)
    Source code available
      ●   https://github.com/jbalogh/zamboni
      ●   https://github.com/mozilla/zamboni

    Audit the code and test, you said?
          Master visible on https://preview.addons.mozilla.org
          Next branch visible on https://next.addons.mozilla.org
Avoiding detection
●   <em:hidden> deprecated since Gecko 1.9.2

●   Hooking the Extensions Manager
    ●   Overlay for
        chrome://mozapps/content/extensions/extensions.xul
    ●   Some JavaScript code to filter our extension out of
        chrome://mozapps/content/extensions/extensions.js
Avoiding detection

●   Skip updates by editing the install.rdf file:
       <em:updateURL>FAKE URL HERE</em:updateURL>
    This URL could also be used to update our backdoor

●   Disabling extension updates globally:
       ●   extensions.update.enabled
       ●   extensions.update.interval
       ●   extensions.update.url
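The deployment slides (profiles.ini, extensions.ini, the chrome.manifest overlay) and the two "Avoiding detection" slides (the Extensions Manager overlay, the extensions.update.* prefs) together describe the on-disk traces a hijacked or hidden addon leaves. The following is an added example, not code from the deck or from Immunity, that turns those traces into a profile audit a defender can run; it runs under Node.js on constructed sample files standing in for the real ones, and every path, addon ID and update URL in it is made up.

```javascript
// Added example, not code from the slides: a defender-side audit of the profile
// artifacts slides 22, 23, 28 and 29 rely on. All inputs are constructed strings
// standing in for files read from a Thunderbird profile; the paths, add-on IDs
// and update URL below are made up.
'use strict';

// Minimal INI parser, enough for profiles.ini and extensions.ini: { section: { key: value } }.
function parseIni(text) {
  const out = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const head = line.match(/^\[(.+)\]$/);
    if (head) { section = head[1]; out[section] = out[section] || {}; continue; }
    const eq = line.indexOf('=');
    if (eq > 0 && section) out[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Profile directories from profiles.ini; IsRelative=1 paths hang off the app data dir.
function profileDirs(profilesIni, appDataDir) {
  return Object.entries(parseIni(profilesIni))
    .filter(([name]) => /^Profile\d+$/.test(name))
    .map(([, p]) => (p.IsRelative === '1' ? `${appDataDir}/${p.Path}` : p.Path));
}

// Installed extension directories from extensions.ini ([ExtensionDirs] Extension0=...).
function extensionDirs(extensionsIni) {
  const dirs = parseIni(extensionsIni).ExtensionDirs || {};
  return Object.entries(dirs).filter(([k]) => /^Extension\d+$/.test(k)).map(([, v]) => v);
}

// Overlay targets worth a second look: the main mail window (slide 23) and the
// Extensions Manager window (slide 28).
const WATCHED_OVERLAY_TARGETS = [
  'chrome://messenger/content/messenger.xul',
  'chrome://mozapps/content/extensions/extensions.xul',
];
function watchedOverlays(chromeManifest) {
  const hits = [];
  for (const raw of chromeManifest.split(/\r?\n/)) {
    const parts = raw.trim().split(/\s+/);
    if (parts[0] === 'overlay' && WATCHED_OVERLAY_TARGETS.includes(parts[1])) {
      hits.push({ target: parts[1], overlay: parts[2] });
    }
  }
  return hits;
}

// prefs.js / user.js entries that switch add-on updates off or redirect them (slide 29).
function updatePrefFindings(prefsJs) {
  const findings = [];
  const re = /user_pref\("(extensions\.update\.(?:enabled|interval|url))",\s*(.+?)\);/g;
  for (let m; (m = re.exec(prefsJs)) !== null;) {
    const [, key, value] = m;
    if (key === 'extensions.update.enabled' && value === 'false') findings.push(`${key} = false`);
    if (key === 'extensions.update.url' && !value.includes('addons.mozilla.org')) findings.push(`${key} = ${value}`);
    if (key === 'extensions.update.interval' && Number(value) > 86400) findings.push(`${key} = ${value}`);
  }
  return findings;
}

// Constructed sample files (not taken from any real profile).
const SAMPLE = {
  profilesIni: `[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=abcd1234.default
Default=1
`,
  extensionsIni: `[ExtensionDirs]
Extension0=/home/user/.thunderbird/abcd1234.default/extensions/addon-a@example.invalid
Extension1=/home/user/.thunderbird/abcd1234.default/extensions/addon-b@example.invalid
`,
  chromeManifest: `content addon-b chrome/content/
overlay chrome://messenger/content/messenger.xul chrome://addon-b/content/addonOverlay.xul
overlay chrome://messenger/content/messenger.xul chrome://addon-b/content/backdoorOverlay.xul
overlay chrome://mozapps/content/extensions/extensions.xul chrome://addon-b/content/hideMe.xul
`,
  prefsJs: `user_pref("extensions.update.enabled", false);
user_pref("extensions.update.url", "https://updates.example.invalid/check");
`,
};

function audit(files, appDataDir) {
  return {
    profiles: profileDirs(files.profilesIni, appDataDir),
    extensions: extensionDirs(files.extensionsIni),
    overlays: watchedOverlays(files.chromeManifest),
    prefs: updatePrefFindings(files.prefsJs),
  };
}

console.log(JSON.stringify(audit(SAMPLE, '/home/user/.thunderbird'), null, 2));
```

Legitimate addons overlay messenger.xul all the time, so a hit there is a review item, not a verdict: compare every overlay file the manifest names against the addon's shipped package (the XPI from AMO) and flag files that exist only on disk. An overlay of extensions.xul from a third-party addon is far rarer and deserves a direct look. On Windows the app data directory to pass in is %AppData%\Thunderbird; the sample uses the Linux location.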
Capabilities Demo
Getting PGP Information

 ●   Enigmail addon commonly used

 ●   Hook “enigMessageDecrypt”

 ●   Prompt for the passphrase twice

 ●   EnigGetSecretKeys & enigmailSvc.extractKey FTW

 ●   Match the passphrase with the key ID
Improvements

 ●   Better steganography algorithms

 ●   Unicode steganography

 ●   Inject all addons

 ●   More methods to get output
Alternative uses

●   Building a spam-controlled botnet

●   Others?
Conclusion

  ●   A complete SDK to develop with

  ●   Global scope is useful for us

  ●   Multiplatform backdoor

  ●   Hijacked extensions are hard to detect

  ●   Execution as the ordinary user, but..

  ●   Further research on other email clients
Reference & Similar work

 ●   Mozilla Developer Network
 ●   mozillaZine KB & Forum
 ●   StackOverflow questions

 ●   Immunity PINK Framework
 ●   Abusing Firefox Addons at Defcon17
 ●   digininja Twitter botnet (unicode steg)
 ●   IronGeek steg botnet
The End

 Thank you for your time

                   Questions?

 Esteban Guillardoy
 esteban@immunityinc.com
 @sagar38

Más contenido relacionado

La actualidad más candente

Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?
OpenFest team
 
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
egypt
 
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIAndroid Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
Opersys inc.
 

La actualidad más candente (20)

One Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launchesOne Year of Porting - Post-mortem of two Linux/SteamOS launches
One Year of Porting - Post-mortem of two Linux/SteamOS launches
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
 
Android Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and ResourcesAndroid Variants, Hacks, Tricks and Resources
Android Variants, Hacks, Tricks and Resources
 
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
 
Linux as a gaming platform, ideology aside
Linux as a gaming platform, ideology asideLinux as a gaming platform, ideology aside
Linux as a gaming platform, ideology aside
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Advanced Linux Game Programming
Advanced Linux Game ProgrammingAdvanced Linux Game Programming
Advanced Linux Game Programming
 
Why kernelspace sucks?
Why kernelspace sucks?Why kernelspace sucks?
Why kernelspace sucks?
 
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...
 
Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012
 
Embedded Android Workshop at ELC Europe
Embedded Android Workshop at ELC EuropeEmbedded Android Workshop at ELC Europe
Embedded Android Workshop at ELC Europe
 
Linux as a gaming platform - Errata
Linux as a gaming platform - ErrataLinux as a gaming platform - Errata
Linux as a gaming platform - Errata
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
 
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIAndroid Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
Pentester++
Pentester++Pentester++
Pentester++
 

Destacado

E diasporas atlasnovember2010
E diasporas atlasnovember2010E diasporas atlasnovember2010
E diasporas atlasnovember2010
TIC-Migrations
 
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
annehelmond
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android Smartphones
Michael Scovetta
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking For
Michael Scovetta
 

Destacado (20)

Scalable Cyber Deception (Ragsdale)
Scalable Cyber Deception (Ragsdale)Scalable Cyber Deception (Ragsdale)
Scalable Cyber Deception (Ragsdale)
 
DMI Summer 2010 - Final Presentations
DMI Summer 2010 - Final PresentationsDMI Summer 2010 - Final Presentations
DMI Summer 2010 - Final Presentations
 
E diasporas atlasnovember2010
E diasporas atlasnovember2010E diasporas atlasnovember2010
E diasporas atlasnovember2010
 
TIC-Migrations
TIC-MigrationsTIC-Migrations
TIC-Migrations
 
Migration stories in a digital era.
Migration stories in a digital era.Migration stories in a digital era.
Migration stories in a digital era.
 
E-diasporas Atlas
E-diasporas AtlasE-diasporas Atlas
E-diasporas Atlas
 
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
A Protest’s Web: The Cross-Syndication Practices of G20 Toronto Summit Online...
 
Secure Computer Systems (Shrobe)
Secure Computer Systems (Shrobe)Secure Computer Systems (Shrobe)
Secure Computer Systems (Shrobe)
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android Smartphones
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)
 
Attacking the WebKit Heap
Attacking the WebKit HeapAttacking the WebKit Heap
Attacking the WebKit Heap
 
Smooth CoffeeScript
Smooth CoffeeScriptSmooth CoffeeScript
Smooth CoffeeScript
 
Anomaly Detection at Multiple Scales (Waltzman)
Anomaly Detection at Multiple Scales (Waltzman)Anomaly Detection at Multiple Scales (Waltzman)
Anomaly Detection at Multiple Scales (Waltzman)
 
The Ceylon Type System
The Ceylon Type SystemThe Ceylon Type System
The Ceylon Type System
 
Introducing the Ceylon Project
Introducing the Ceylon ProjectIntroducing the Ceylon Project
Introducing the Ceylon Project
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking For
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)
 
Strategic Surprise
Strategic SurpriseStrategic Surprise
Strategic Surprise
 
Stackjacking
StackjackingStackjacking
Stackjacking
 
HTML5 Web Security
HTML5 Web SecurityHTML5 Web Security
HTML5 Web Security
 

Similar a The Listening: Email Client Backdoor

Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
Bakry3
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Opersys inc.
 
CSCAMP2013 - Introduction to pwnCore
CSCAMP2013 - Introduction to pwnCoreCSCAMP2013 - Introduction to pwnCore
CSCAMP2013 - Introduction to pwnCore
Anwar Mohamed
 

Similar a The Listening: Email Client Backdoor (20)

Headless Android
Headless AndroidHeadless Android
Headless Android
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
Headless Android at AnDevCon3
Headless Android at AnDevCon3Headless Android at AnDevCon3
Headless Android at AnDevCon3
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
 
Leveraging Android's Linux Heritage
Leveraging Android's Linux HeritageLeveraging Android's Linux Heritage
Leveraging Android's Linux Heritage
 
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
The BlackBox Project: Safely store secrets in Git/Mercurial (originally for P...
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
 
Go at Skroutz
Go at SkroutzGo at Skroutz
Go at Skroutz
 
Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3Leveraging Android's Linux Heritage at AnDevCon3
Leveraging Android's Linux Heritage at AnDevCon3
 
Headless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKrakenHeadless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKraken
 
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
GitLab Commit DevOps: How GitLab Can Save your Kubernetes environment from Be...
 
Modest Maemo Summit 09
Modest Maemo Summit 09Modest Maemo Summit 09
Modest Maemo Summit 09
 
Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011Leveraging Android's Linux Heritage at ELC-E 2011
Leveraging Android's Linux Heritage at ELC-E 2011
 
Integrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperationsIntegrating Puppet and Gitolite for sysadmins cooperations
Integrating Puppet and Gitolite for sysadmins cooperations
 
HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key HKG15-407: EME implementation in Chromium: Linaro Clear Key
HKG15-407: EME implementation in Chromium: Linaro Clear Key
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Truemotion Adventures in Containerization
Truemotion Adventures in ContainerizationTruemotion Adventures in Containerization
Truemotion Adventures in Containerization
 
CSCAMP2013 - Introduction to pwnCore
CSCAMP2013 - Introduction to pwnCoreCSCAMP2013 - Introduction to pwnCore
CSCAMP2013 - Introduction to pwnCore
 

Más de Michael Scovetta

Más de Michael Scovetta (9)

Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst Practices
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programs
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal Verification
 
Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)Beyond Passwords (Guidorizzi)
Beyond Passwords (Guidorizzi)
 
DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)DARPA: Cyber Analytical Framework (Kaufman)
DARPA: Cyber Analytical Framework (Kaufman)
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

The Listening: Email Client Backdoor

  • 1. The Listening Email Client Backdoor Esteban Guillardoy esteban@immunityinc.com 1
  • 2. Introduction ● This presentation will focus on a backdoor implementation based on Thunderbird 3.x ● Different approach taking advantage of the addon/extension features ● How to make it persistant and hide the C&C by using steganography 2
  • 3. Demo How cool is this presentation? It is starting with a demo :) 3
  • 4. How all this started ● Never leave the office without locking your session - FAIL! ● Malicious Brainstorming... 4
  • 5. Adapting the idea ● Web Browsers are commonly targeted ● But Email Clients are not ● Why not using this as a real backdoor? 5
  • 6. The challenge ● Targets go on and off ● Covertness without losing reliability ● Routing the data ● Stealthiness ● Resistance to traffic analysis ● No suspicious open ports ● Avoid antiviruses & scanners ● Thinking of future trojans 6
  • 7. Why an email client Don't you use one? Is it Thunderbird? 7
  • 8. Email Client Extensions ● Only Thunderbird 3.x for now ● multiplatform backdoor out of the box ● Trusted code ● Full access to all client functions ● Program execution ● Easy development ● Solve us part of the challenge 8
  • 9. Backdoor controlled by simply sending emails 9
  • 10. Features ● Doesn't require user interaction ● Hidden C&C using steganography on images ● Encryption using public & private key ● Processes every email that arrives to the client ● Predefined Actions ● Command execution with output retrieval 10
  • 11. 11
  • 12. Mozilla Addons/Extensions Basic structure: /components/* /content or /chrome/content /defaults/preferences/*.js /chrome.manifest /install.rdf 12
  • 13. Development ● “Must have” tools ● Firebug + ChromeBug ● Extension Developer ● Chrome List ● Extension Manager Extended ● Console2 ● Inspector Widget ● DOM Inspector ● MozRepl ● Event Spy ● XPCOMViewer 13
  • 15. Email Check ● Listener on notification service Components.classes["@mozilla.org/messenger/msgnotificationservice;1"]; notificationService.addListener(this, notificationService.msgsClassified); ● Our method gets called with each new email ● Filter messages by checking attachments “attachment.contentType.match(/image/png/) != null” 15
• 16. Encryption
● Private & Public key algorithm (PGP)
● Used to send commands & output
● Implementation in Javascript
● Wrapper around gnupg in Python
• 17. Hiding Information
● Steganography on images to hide the info
● Who applies steganalysis on every image attached to an email?
● The common countermeasure is to block external images from loading, which does not cover attachments
Message: “INFILTRATE 2011”
[figure: original image beside the modified image carrying the message]
• 18. Hiding Information
● Least Significant Bit (LSB) algorithm
  [figure: bit layout across pixels] 0 1 1 0 1 1 0 0 0 0 1 = “a”
● We need 3 pixels to hide each byte
● If the image is greyscale we could use more than 1 bit per pixel
• 19. Hiding Information
● Python Implementation
  ● Using Python Imaging Library (PIL)
  ● Some bitwise operations and we are ready
● Javascript Implementation
  ● Hidden iframe to create a HTML5 canvas element
  ● Retrieve pixel info with:
    var context = canvas.getContext('2d');
    var data = context.getImageData(0,0,canvas.width,canvas.height);
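Added example, not the slides' own Python/PIL code: the 3-pixels-per-byte LSB layout from slides 18 and 19 in pure Python, together with the pairs-of-values chi-square check from the steganalysis literature (Westfeld and Pfitzmann) that a mail gateway could run on image attachments, which is exactly the check slide 17 notes nobody applies. The "image" is a constructed list of (r, g, b) tuples so it runs without PIL; the biased cover image, the random payload, the grouping of 8 bits into the first 8 of every 9 channels and the stat/dof < 1 decision rule are assumptions of this example, not something the talk specifies.

```python
"""Added example, not from the INFILTRATE 2011 slides: the LSB scheme the
slides describe (8 message bits across the 9 channels of 3 RGB pixels) and a
pairs-of-values chi-square check for random-looking LSB payloads.
Pure Python; the "image" is a constructed list of (r, g, b) tuples."""
import random


def embed_lsb(pixels, message):
    """Write message bits into the LSB of the first 8 of every 9 channels,
    i.e. 3 pixels per hidden byte as on slide 18. Returns a new pixel list."""
    if len(message) > len(pixels) // 3:
        raise ValueError("message does not fit in cover image")
    flat = [c for p in pixels for c in p]
    for i, byte in enumerate(message):
        base = i * 9
        for k in range(8):
            bit = (byte >> (7 - k)) & 1
            flat[base + k] = (flat[base + k] & ~1) | bit
    return [tuple(flat[j:j + 3]) for j in range(0, len(flat), 3)]


def extract_lsb(pixels, nbytes):
    """Inverse of embed_lsb: rebuild nbytes from the LSBs in the same layout."""
    flat = [c for p in pixels for c in p]
    out = bytearray()
    for i in range(nbytes):
        base = i * 9
        value = 0
        for k in range(8):
            value = (value << 1) | (flat[base + k] & 1)
        out.append(value)
    return bytes(out)


def chi_square_pov(pixels):
    """Pairs-of-values statistic over the channel histogram. A random-looking
    LSB payload (e.g. PGP ciphertext) makes the counts of 2k and 2k+1 converge,
    so the statistic drops toward 0.5 * dof; untouched images usually keep
    uneven pairs and score far higher. Returns (stat, dof)."""
    hist = [0] * 256
    for p in pixels:
        for c in p:
            hist[c] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        stat += (even - expected) ** 2 / expected
        dof += 1
    return stat, dof


def looks_lsb_embedded(pixels, ratio_threshold=1.0):
    """Coarse decision rule (an assumption of this example, not a calibrated
    detector): flag the image when stat/dof falls below the threshold."""
    stat, dof = chi_square_pov(pixels)
    return dof > 0 and stat / dof < ratio_threshold


def make_cover(width, height, seed=1):
    """Constructed cover: channel values biased toward even numbers, standing
    in for the uneven value pairs of a real photograph."""
    rng = random.Random(seed)
    return [tuple(2 * rng.randrange(128) + (1 if rng.random() < 0.2 else 0)
                  for _ in range(3))
            for _ in range(width * height)]


def demo():
    """Embed a full-capacity random payload (like an encrypted command blob)
    and compare the statistic before and after."""
    cover = make_cover(60, 60)
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(len(cover) // 3))
    stego = embed_lsb(cover, payload)
    cover_stat, dof = chi_square_pov(cover)
    stego_stat, _ = chi_square_pov(stego)
    return {
        "roundtrip_ok": extract_lsb(stego, len(payload)) == payload,
        "cover_ratio": cover_stat / dof,
        "stego_ratio": stego_stat / dof,
        "cover_flagged": looks_lsb_embedded(cover),
        "stego_flagged": looks_lsb_embedded(stego),
    }


if __name__ == "__main__":
    print(demo())
```

On a real attachment, decode the PNG to a flat pixel sequence (PIL's Image.getdata() yields exactly these (r, g, b) tuples) and pass it in. The statistic only responds over the region that actually carries payload, so a short message in a large image barely moves it; treat a low ratio as a triage signal for further inspection rather than proof.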
• 20. Execution
● Using XPCOM interfaces nsIProcess or nsIProcess2
● Adjust the arguments to redirect output to a temp file
● Read the temp file and then delete it
• 21. Getting Output
1) XMLHttpRequest
2) Sending an email
● New email:
  Components.classes["@mozilla.org/messengercompose;1"]
  Components.classes["@mozilla.org/messenger/account-manager;1"]
● Send it:
  Components.classes["@mozilla.org/messengercompose/compose;1"]
● Delete it from Sent folder
• 22. Deployment
● Discover profiles by reading profiles.ini:
  ● Windows, usually in %AppData%\Thunderbird
  ● Linux, usually in ~/.thunderbird/ or ~/.mozilla-thunderbird/
  ● Mac OS X, usually in ~/Library/Thunderbird/
• 23. Deployment - Injecting Existing Addon
1) Installed addons are listed in %profile-dir%/extensions.ini
2) Copy backdoor into %selected-addon%/content/
3) Edit chrome.manifest:
   overlay chrome://messenger/content/messenger.xul chrome://selected-addon/content/backdoorOverlay.xul
● Hard to detect
● User trusts installed addons
● Addon updates are a problem
• 24. Deployment - New Addon
1) Copy backdoor into TB extensions folder
2) Create a file with a random name (a uuid)
3) Write the path to the backdoor folder into it
● May be easily detected by looking at the Extensions Manager
● But we can use a trick to hide it
• 26. Deployment alternatives
● Install Manifest (install.rdf)
  <em:updateURL>
  <em:updateKey>
● Mozilla Addons Updates
  1) Update manifest retrieved in a secure fashion
     Through SSL
     Signed Update Manifests
  2) Update package retrieved matches
     Through SSL
     File Hashes
● Publishing on Mozilla Addon Site (AMO)
  Policies & Review Process
  Sandbox then public
  Blocklist
• 27. Deployment alternatives
● MITM to deliver fake updates
● (P)Owning widely used addon sites (?)
● Become a reviewer for a long time (?)
● Using Mozilla cert to sign updates #comodogate :P
● Zamboni project (new AMO site)
  Source code available
  ● https://github.com/jbalogh/zamboni
  ● https://github.com/mozilla/zamboni
  Audit the code and test you said?
  Master visible on https://preview.addons.mozilla.org
  Next branch visible on https://next.addons.mozilla.org
• 28. Avoiding detection
● <em:hidden> deprecated since Gecko 1.9.2
● Hooking Extensions Manager
  ● Overlay for chrome://mozapps/content/extensions/extensions.xul
  ● Some javascript code to filter our extension
    chrome://mozapps/content/extensions/extensions.js
• 29. Avoiding detection
● Skip updates by editing the install.rdf file:
  <em:updateURL>FAKE URL HERE</em:updateURL>
  This URL could also be used to update our backdoor
● Disabling extension updates globally:
  ● extensions.update.enabled
  ● extensions.update.interval
  ● extensions.update.url
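Added example, not code from the talk: a small audit of a Thunderbird profile for the persistence and hiding tricks slides 23, 28 and 29 describe. It lists chrome.manifest overlays that hook the mail window or the Extensions Manager window, install.rdf updateURL values that do not point at mozilla.org, and prefs.js entries that switch extension updates off, stretch the check interval or redirect the update URL. The functions take file contents, so the sample inputs below are constructed text; the addonOverlay.xul and hideOverlay.xul names, the example.invalid hosts and the one-week interval threshold are assumptions of this example (backdoorOverlay.xul is the name used on slide 23).

```python
"""Added example, not from the INFILTRATE 2011 slides: audit Thunderbird
extension files for the tricks described on slides 23, 28 and 29.
Inputs are file contents; read chrome.manifest, install.rdf and prefs.js from
a real profile directory to run it for real."""
import re
from urllib.parse import urlsplit

# Overlay targets worth a second look: the main mail window (slide 23) and the
# Extensions Manager window (slide 28 overlays it to filter the addon list).
WATCHED_OVERLAY_TARGETS = {
    "chrome://messenger/content/messenger.xul",
    "chrome://mozapps/content/extensions/extensions.xul",
}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
UPDATE_URL_RE = re.compile(r"<em:updateURL>\s*([^<]*?)\s*</em:updateURL>")
WEEK_SECONDS = 7 * 86400  # assumption: longer intervals count as "updates effectively off"


def _is_mozilla_host(url):
    """True when the URL's host is mozilla.org or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "mozilla.org" or host.endswith(".mozilla.org")


def find_suspicious_overlays(manifest_text):
    """(target, overlay source) pairs for overlay lines hooking watched windows."""
    hits = []
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "overlay" and parts[1] in WATCHED_OVERLAY_TARGETS:
            hits.append((parts[1], parts[2]))
    return hits


def find_addon_update_urls(install_rdf_text):
    """updateURL values not under mozilla.org. Slide 29's 'FAKE URL HERE'
    has no host at all and is flagged as well."""
    return [u for u in UPDATE_URL_RE.findall(install_rdf_text) if not _is_mozilla_host(u)]


def find_update_tampering(prefs_text):
    """(pref, value, reason) for the three prefs listed on slide 29."""
    findings = []
    for name, raw in PREF_RE.findall(prefs_text):
        value = raw.strip().strip('"')
        if name == "extensions.update.enabled" and value == "false":
            findings.append((name, value, "extension update checks disabled"))
        elif name == "extensions.update.interval" and value.isdigit() and int(value) > WEEK_SECONDS:
            findings.append((name, value, "update interval longer than a week"))
        elif name == "extensions.update.url" and not _is_mozilla_host(value):
            findings.append((name, value, "update URL not under mozilla.org"))
    return findings


# Constructed sample inputs for this example. backdoorOverlay.xul is the name
# from slide 23; the other overlay names and the example.invalid hosts are made up.
SAMPLE_MANIFEST = """\
content selected-addon content/
overlay chrome://messenger/content/messenger.xul chrome://selected-addon/content/addonOverlay.xul
overlay chrome://messenger/content/messenger.xul chrome://selected-addon/content/backdoorOverlay.xul
overlay chrome://mozapps/content/extensions/extensions.xul chrome://selected-addon/content/hideOverlay.xul
"""
SAMPLE_INSTALL_RDF = "<em:updateURL>https://updates.example.invalid/selected-addon.rdf</em:updateURL>"
SAMPLE_PREFS = """\
user_pref("extensions.update.enabled", false);
user_pref("extensions.update.interval", 31536000);
user_pref("extensions.update.url", "https://updates.example.invalid/check");
user_pref("example.unrelated.pref", true);
"""


def audit(manifest_text, install_rdf_text, prefs_text):
    """Collect all findings in one dict; empty lists mean nothing was flagged."""
    return {
        "overlays": find_suspicious_overlays(manifest_text),
        "update_urls": find_addon_update_urls(install_rdf_text),
        "prefs": find_update_tampering(prefs_text),
    }


if __name__ == "__main__":
    for key, items in audit(SAMPLE_MANIFEST, SAMPLE_INSTALL_RDF, SAMPLE_PREFS).items():
        print(key)
        for item in items:
            print("  ", item)
```

Legitimate mail addons overlay messenger.xul too, so the overlay list is a review queue rather than a verdict: an addon that suddenly carries a second messenger.xul overlay, or any overlay on the Extensions Manager window, is what deserves a diff against the version published on AMO. Third-party addons may ship their own updateURL as well, which is why the update findings are reported separately from the overlay findings.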
• 31. Getting PGP Information
● Enigmail Addon commonly used
● Hook “enigMessageDecrypt”
● Prompt for passphrase twice
● EnigGetSecretKeys & enigmailSvc.extractKey FTW
● Match passphrase with ID
• 32. Improvements
● Better steganography algorithms
● Unicode steganography
● Inject all addons
● More methods to get output
• 33. Alternative uses
● Building a SPAM controlled botnet
● others?
• 34. Conclusion
● Complete SDK to develop
● Global scope useful for us
● Multiplatform backdoor
● Hijacked extensions are hard to detect
● Execution with common user but..
● Further research on other email clients
• 35. Reference & Similar work
● Mozilla Developer Network
● mozillaZine KB & Forum
● StackOverflow questions
● Immunity PINK Framework
● Abusing Firefox Addons at Defcon17
● Digninja twitter botnet (unicode steg)
● IronGeek steg botnet
• 36. The End
Thank you for your time
Questions?
Esteban Guillardoy
esteban@immunityinc.com
@sagar38