Browser Rootkits

One of the big stories that hit the security field in the last couple of months, was the debate whether virtualization-based malware can be detected or are they 100% invisible to the systems they infect. Joanna Rutkowska, the researcher behind the Blue Pill rootkit and the whole ghost in the system movement, has done some amazing work on this subject, which is greatly appreciated, although I would have taken the research into a completely different direction - browser rootkits.

The browser rootkit is a completely different type of malware which many underestimate. Why? Because researchers believe that rootkits in the browsers wont give the same level of control they can otherwise obtain by simply installing an application which hooks to important kernel interfaces. I find this assumption wrong and believe that we will see more browser based malware in the future as Web technologies continue to grow and mature.

Browser Rootkits advantages

IMHO, one of the strongest points which support my statement is the fact the browser rootkits are in general closer to the data. "The closer to the data the better!" - as I often say. The e-crime economy have been drastically changing since its early days. In the past attackers were after owning the box. Today they are after your data because after all, the data is the ultimate goal of most of the break-ins. The browser is a middleware - a platform between the user, the private and corporate assets. Therefore, it seams to be the best choice for a compromising backdoor.

On the other hand, browser rootkits cannot be easily detected by modern antivirus and antispyware agents. This is mainly due to the way browsers function. Lets take Firefox for example. Firefox is a complex, dynamic project which is subjected to regular updates. A big portion of the browser is written in scripted languages such as JavaScript and Python and supporting formats such as XML, RDF, XUL, XHTML and others. Given the fact that any of these components can be modified to serve the rootkit purpose, the antivirus agents need to be capable of understanding the technologies involved in Firefox in order to prevent or ensure the malware detection. Though, such features can easily get out of scope and therefore may not be implemented.

Some of you may argue that antvirus and antispyware agents could detect potential infections by relying on the same old signature matching techniques. This is also doomed to fail mainly because prototype based languages such as JavaScript can be easily mutated. XML, the key supporting format of Firefox, is also quite dynamic and has some strong polymorphic characteristics which can be easily taken advantage of with something as simple as XSLT (Extensible Stylesheet Language Transformations).

Let's not forget the fact that the browser is a key business software which is usually allowed to get out (surf the Web), directly or via a Web proxy. The browser is configured to communicate by default. This ensures that the rootkit software can always get out and also let the rootkit master in, circumventing any restriction that may exist in between. There is no other technology that matches the same level of interoperability and communication power.

Last but not least, browser rootkits are portable when the browser itself is available to more then one platform. Firefox, again, is one of the most vivid examples. Firefox extensions, which can be easily turned into rookits, are OS independent. A single rootkit can infect Windows, Linux and MacOS at the same time without the need for reorganization of the source code. This feature makes browser rookits the perfect malware.

Closer look at the Browser Rootkits

Those familiar with the way browsers work may already have ideas how browser rootkits are written and what they can do. I am sure that most of you think about Firefox extensions or Internet Explorer components, but there is a lot more then that.

The rootkit author can take on many different strategies. The following listing shows some of the things that are possible:

As you can see, browser rootkits are probably the future of malware. In the wrong hands, browser technologies are power tools that can be used to keep unaware puppets on a string. I am planning to follow up this post with a more detailed example of how browser rootkits are developed and show some interesting functionalities which can enable attackers to go so deep, no other has ever been.