One of the big stories that hit the security field in the last couple of months was the debate over whether virtualization-based malware can be detected or whether it is 100% invisible to the systems it infects. Joanna Rutkowska, the researcher behind the Blue Pill rootkit and the whole ghost-in-the-system movement, has done some amazing work on this subject, which is greatly appreciated, although I would have taken the research in a completely different direction - browser rootkits.
The browser rootkit is a completely different type of malware which many underestimate. Why? Because researchers believe that rootkits in the browser won't give the same level of control they could otherwise obtain by simply installing an application that hooks important kernel interfaces. I find this assumption wrong and believe that we will see more browser-based malware in the future as Web technologies continue to grow and mature.
Browser Rootkits advantages
IMHO, one of the strongest points in support of my statement is the fact that browser rootkits are, in general, closer to the data. "The closer to the data the better!" - as I often say. The e-crime economy has changed drastically since its early days. In the past attackers were after owning the box. Today they are after your data, because after all the data is the ultimate goal of most break-ins. The browser is middleware - a platform between the user and private and corporate assets. Therefore, it seems to be the best choice for a compromising backdoor.
Let's not forget the fact that the browser is a key piece of business software which is usually allowed out (to surf the Web), directly or via a Web proxy. The browser is configured to communicate by default. This ensures that the rootkit software can always get out and can also let the rootkit master in, circumventing any restriction that may exist in between. No other technology matches the same level of interoperability and communication power.
Last but not least, browser rootkits are portable whenever the browser itself is available on more than one platform. Firefox, again, is one of the most vivid examples. Firefox extensions, which can easily be turned into rootkits, are OS independent. A single rootkit can infect Windows, Linux and MacOS at the same time without any reorganization of the source code. This feature makes browser rootkits the perfect malware.
Closer look at the Browser Rootkits
Those familiar with the way browsers work may already have ideas about how browser rootkits are written and what they can do. I am sure that most of you are thinking of Firefox extensions or Internet Explorer components, but there is a lot more to it than that.
The rootkit author can take many different strategies. The following list shows some of the things that are possible:
- Obscure browser extensions - the most common place for a rootkit to live. The extension is visible to the system and the user, but at the same time remains effectively hidden by tricking the user into believing that it is an important browser component.
- Hidden browser extensions - rootkit masters can hide the presence of malicious extensions from the user. This is the default behavior of Internet Explorer components. Firefox extensions can also be hidden by supplying a special field with the value of true in the install manifest file.
- Extension-of-an-extension rootkits - these rootkits take the form of an extension for a browser extension (e.g. userscripts for Greasemonkey). They can be trivially installed and can hook into external XSS proxies from which they can be controlled.
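The hidden-extension case above is the one a defender can actually audit from disk: the install manifest of a Firefox extension of that era is an `install.rdf` file, and the flag in question is its `em:hidden` property. The script below is an added example, not code from the original post; it parses a manifest, reports whether the extension asks to be hidden, and walks a `<profile>/extensions/<id>/install.rdf` layout (assumed here) to list such extensions. The sample manifest is constructed.

```python
import os
import xml.etree.ElementTree as ET

# Namespaces used by the Firefox install.rdf manifest format.
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"

def _prop(desc, name):
    """Read an em: property written either as a child element or as an RDF attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(f"{{{EM}}}{name}")

def audit_manifest(xml_text):
    """Return the extension id, name and whether its manifest asks the browser to hide it."""
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{{{RDF}}}Description"):
        # 'about' may be written with or without the RDF prefix.
        about = desc.get("about") or desc.get(f"{{{RDF}}}about")
        if about == "urn:mozilla:install-manifest":
            hidden = (_prop(desc, "hidden") or "false").lower() == "true"
            return {"id": _prop(desc, "id"), "name": _prop(desc, "name"), "hidden": hidden}
    raise ValueError("no install-manifest Description in manifest")

def find_hidden_extensions(extensions_dir):
    """Assumed layout: <profile>/extensions/<id>/install.rdf; returns ids requesting hiding."""
    hidden = []
    for entry in sorted(os.listdir(extensions_dir)):
        path = os.path.join(extensions_dir, entry, "install.rdf")
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                info = audit_manifest(fh.read())
            if info["hidden"]:
                hidden.append(info["id"])
    return hidden

# Constructed sample: an innocuous-looking name combined with the hidden flag.
SAMPLE_HIDDEN = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>updater@example.invalid</em:id>
    <em:name>Browser Update Helper</em:name>
    <em:version>1.0</em:version>
    <em:hidden>true</em:hidden>
  </Description>
</RDF>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_HIDDEN))
```

An extension whose manifest sets this flag never appears in the add-ons list, so a manifest scan of the profile directory is the cheap place to look for it.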
As you can see, browser rootkits are probably the future of malware. In the wrong hands, browser technologies are power tools that can be used to keep unaware puppets on a string. I am planning to follow up this post with a more detailed example of how browser rootkits are developed, showing some interesting functionality which can enable attackers to go deeper than anyone has ever been.