Hackers target browsers as possible nests for attack to user systems. Having in mind average Internet users and surfers and their (our) lack of caution while surfing and visiting various Web sites, there are very good chances and possibility for various exploits.
Interesting article about Adobe Reader which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7 appeared at ZDNet blog. Petko D. Petkov wrote very interesting article browser rootkits at GNUCITIZEN. Joanna Rutkowska also wrote article about this problem on her blog. Joanna’s article has been inspired by Petkov’s.
I will quote here some of Petko D. Petkov’s ideas.
The rootkit author can take on many different strategies. The following listing shows some of the things that are possible:
- Obscure browser extensions – the most common place a rootkit may exploit. The extension will be visible to the system and the user but at the same time will remain hidden by tricking the user into believing that it is an important browser component.
- Hidden browser extensions – rootkits masters can hide the presence of malicious extensions from the user. This is the default behavior of Internet Explorer components. Firefox extensions can also be made hidden by suppling a special field with the value of true in the Install manifest file.
- Extension of an extension rootkits – these types of rootkits take a form of an extension for a browser extension (i.e. userscripts for Greasemonkey). They can be trivially installed and can hook on external XSS proxies from where they can be controlled.
Petko in his post gives several ideas of how browser-based malware could be created and I’m sure that we will see more and more such malware in the near future (I would actually be surprised if it didn’t exist already). His main argument for creating “Browser Rootkits” is that they would be “closer to the data”, which is, of course, undisputable.
The other argument is the complexity of a typical browser like e.g. Firefox or Internet Explorer. It seems like we have a very similar situation here to what we have with “classic” operating systems like e.g. Windows. Windows is so complex that nobody (including Microsoft) can really spot all the sensitive places in the kernel where a rootkit might “hook” – thus it’s not possible to effectively monitor all those places. We have a similar problem with Firefox and IE because of their extensible architecture (think about all those plugins, add-ons, etc) – although we could examine the whole memory of firefox.exe process, we still would not be able to decide whether something bad is there or not.
Nice reading for those interesting in Internet security and privacy. It is likely that much more is to come on this topic very soon.