Archive

Posts Tagged ‘malware’

Malicious Firefox Add-on Sweatshop

November 22nd, 2009

So, a couple of months ago at the DC405 we were lucky enough to have Tim Skorick come and speak with the group about the dangers of browser extensions.  His talk sparked several ideas for things that a malicious individual might do to gain control of the browser and what she might do once she’s there.

Since Tim didn’t drop any sample code off (after working through this I can see why), I wondered just how difficult it might be to get from zero knowledge to a working malicious plugin.  As it turns out, it’s not difficult at all.

I set out to make an extension that had some semi-interesting/real functionality (something that would get people to install it, maybe even on multiple machines) and then have some triggered malicious action performed, like storing their passwords from various websites for a while and then one day tweeting them all out using captured Twitter credentials.

The first order of business was to get a plugin up and running. Following the documentation at https://developer.mozilla.org/en/Extensions gets you most of that. It’s probably not a bad idea to install all of the “helper” extensions they list, but I was able to get by with only “Chrome List”, “Console2” and “Extension Developer”.

Anti-malware, Code

From Bloodhound to Acrobat JS

April 24th, 2009

Walk with me. Let me rap unto you a little story about how an AV detection might go. So, your AV makes a good detection on a suspect file. Unbelievable already, right? Say it does, but it’s using a heuristics engine and not its typical signature definitions.

For Symantec these heuristics are Bloodhound and files that are flagged usually get some name such as ‘Bloodhound.exploit.somenumber’.

So, is this it? Leave it and move on to the next thing that will burn up the day? It doesn’t have to be. Let’s dig deeper.

Anti-malware