Browser Rootkits presented at HackLu 2008

by Julien Lenoir, Christophe Devaux

Summary: For a few years now, people have learnt to configure firewalls. Very few ports are allowed to exit the network. One very commonly found open is the web (HTTP and HTTPS). Hence, all applications are now configured to run over HTTP(S). These changes in behaviour have made the web browser a central piece of information systems in a user's day-to-day work. Browsers are therefore present on most machines and are, by definition, allowed to access networks (the Internet, but also specific applications on the intranet). Hence, a typical browser sees a great deal of critical data, such as username/password credentials for applications, webmails, and even bank accounts.
In order to support all the needed new features (plug-ins/extensions, virtual machines/interpreters, ...), web browsers have become more and more complex, and thus less and less secure. They are often prone to serious flaws allowing arbitrary code execution on the host system, or serve as a necessary vector for human-based attacks like phishing.
As such, browsers are now a critical target for malicious attackers, and we therefore designed rootkits specific to them. A "browser rootkit" is malicious code that targets a web browser instead of the operating system. In this way, the post-exploitation steps following a flaw are made with very few assumptions, e.g. we will not need more privileges than the ones given by the browser itself.