Last year researcher Bosko Stankovic found a way to exploit an older and essentially outdated file extension called .scf. Ever heard of it? Me neither.
It’s like an early predecessor of the .lnk shortcut link. If you’re security savvy, you may recall the Stuxnet breach which attempted to destroy Iran’s nuclear program. This was done through powerful malware which got into the system via a malicious .lnk file. Yes, a malicious shortcut file. Crazy, isn’t it?
Stankovic found that because Chrome will download known safe file types without asking, it will download a .scf file. You may think that you still need to run malicious files, right? What’s even more exciting about this is that… well, you know when you visit a folder in Explorer and it creates cool little icons for each file?
A .scf file can specify the location of that icon, which means that without executing anything Explorer will go to that location to find it, and the location doesn’t have to be on your computer. It can be remote. If the remote computer pretends to be an SMB server, the Server Message Block (SMB) protocol will initiate the NTLM (NT LAN Manager) challenge/response authentication mechanism.
Stankovic proved that this allows a remote agent to capture the Windows credentials, which could be used for all sorts of nasty ends.
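The defensive check that follows from this is to look for .scf files whose icon lives somewhere other than the local machine. The script below is an added example, not code from the article or from Stankovic; it assumes only the .scf layout described above (an INI-style file whose [Shell] section carries an IconFile= entry that Explorer resolves when it renders the folder). The sample files and the host name in them are constructed placeholders.

```python
"""Scan a directory for .scf files whose icon points off the local machine.

Added example (not from the original article). It assumes the .scf format
described there: an INI-style file whose [Shell] section can carry an
IconFile= entry, which Explorer resolves merely by rendering the folder.
"""
import os
import re
import tempfile
from pathlib import Path

# Patterns that mean the icon would be fetched from another host:
# a UNC path (\\host\share\...), a forward-slash UNC, or a URL.
REMOTE_ICON = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def parse_scf(text: str) -> dict:
    """Return {section: {key: value}} for an INI-style .scf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_is_remote(text: str) -> bool:
    """True if the [Shell] IconFile entry would make Explorer reach out over the network."""
    shell = parse_scf(text).get("shell", {})
    return bool(REMOTE_ICON.match(shell.get("iconfile", "")))


def scan_dir(root: str) -> list:
    """Return paths of .scf files under root whose icon location is remote."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".scf":
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            if icon_is_remote(text):
                hits.append(str(path))
    return sorted(hits)


# Constructed samples: one benign (local icon), one that would trigger a
# network fetch. The host name is a placeholder, not a real address.
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\System32\\shell32.dll,3\r\n"
REMOTE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\PLACEHOLDER-HOST\\share\\icon.ico\r\n"


def demo() -> list:
    """Write both samples to a temp directory, scan it, and return flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "readme.scf").write_text(BENIGN_SCF)
        Path(tmp, "dl").mkdir()
        Path(tmp, "dl", "invoice.scf").write_text(REMOTE_SCF)
        return [os.path.basename(p) for p in scan_dir(tmp)]


if __name__ == "__main__":
    print(demo())  # ['invoice.scf']
```

Pointing this at a browser's download folder is the obvious use. The two controls that close the gap rather than merely detect it are Chrome's “Ask where to save each file before downloading” setting, which removes the silent download, and blocking outbound SMB (TCP 445) at the network edge, so that even a rendered remote icon path cannot start an NTLM exchange with an external host.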
Let’s consider for a moment browser extensions
Do you use any?
In Firefox, I used to have one called DownloadThemAll. In Chrome I have a few like Adobe Acrobat, Cisco Webex, and Evernote Clipper. You might have Chrome extensions and not even realise it. It’s worth a check. In Chrome, under the vertical (…) on the far right, navigate to “more tools” and “extensions.” Make sure you recognise everything there. Be sure when you add an extension that you are happy with the privileges you give it. It can even be worth removing and re-adding an extension to see what it asks for if you’ve had it for a while and can’t remember what you agreed to upon installing it.
For a recent example of what’s possible, in February 2018, a company called TextHelp had their BrowseAloud plugin (plugin = extension) hacked, so that anyone using it (more than 5,000 websites) ended up running some malware/crypto-jacking software known as Coinhive. Coinhive takes advantage of the processing power of your computer or device to mine the cryptocurrency Monero.
What was interesting about that effort to mine currency on behalf of the bad guys is that, technically, you don’t really have to hack anything to make it happen.
Also, consider that anyone can write an extension for Chrome or Firefox and make it available. It’s worth noting that, a bit like Apple, Chrome only downloads extensions from its own store, which could be considered much safer. However, just as some of the applications in the Google Play store for Android phones aren’t actually safe or well-intended, the same goes for browser extensions.
While writing a new malicious extension is possible, getting it into the store could cost the attacker some much-desired anonymity. What seems to be a more typical route for extension hackers is to use that old classic, phishing emails, to try to compromise the developer group working on the extension or plugin and gain access to their Chrome Web Store account. If they can get those credentials, they can simply swap out a known trusted (there’s that word again) extension for a similar but different version with malicious intent.
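The advice above about checking what privileges an extension asks for can be turned into a repeatable check against the extension's own manifest.json. The script below is an added example, not code from the article, from Google or from any extension vendor; it reads the manifest.json layout Chrome extensions use (Manifest V2 keeps host patterns inside "permissions", V3 moves them to "host_permissions"), and the high/medium grouping of API permissions is this example's own judgement rather than an official list. The two manifests are constructed, not real extensions.

```python
"""Audit a Chrome extension manifest for broad privileges.

Added example (not from the article or from Google). It reads the manifest.json
format Chrome extensions use (Manifest V2 or V3) and reports the permissions a
reviewer would want to look at before trusting the extension. The risk grouping
below is this example's own judgement, not an official list.
"""
import json

# Host patterns that let a content script or API reach every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look (grouping is this example's own call).
HIGH = {"debugger", "nativeMessaging", "proxy", "management", "webRequestBlocking"}
MEDIUM = {"webRequest", "cookies", "history", "tabs", "clipboardRead",
          "downloads", "bookmarks", "declarativeNetRequest"}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the manifest claims, MV2 or MV3."""
    pats = set()
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if p == "<all_urls>" or "://" in p:
            pats.add(p)
    # Content scripts declare the sites they are injected into under "matches".
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def audit(manifest: dict) -> dict:
    """Return findings: whether it reaches all sites, notable API permissions, hosts."""
    hosts = host_patterns(manifest)
    apis = {p for p in manifest.get("permissions", []) if p not in hosts}
    return {
        "name": manifest.get("name", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "reaches_all_sites": bool(hosts & ALL_SITES),
        "high": sorted(apis & HIGH),
        "medium": sorted(apis & MEDIUM),
        "hosts": sorted(hosts),
    }


def audit_json(text: str) -> dict:
    """Convenience wrapper: audit a manifest given as JSON text."""
    return audit(json.loads(text))


# Constructed manifests (not real extensions): a narrow one and a broad one.
NARROW = json.dumps({
    "manifest_version": 3, "name": "Example Clipper",
    "permissions": ["storage"],
    "host_permissions": ["https://example.test/*"],
})
BROAD = json.dumps({
    "manifest_version": 2, "name": "Example Helper",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for m in (NARROW, BROAD):
        print(json.dumps(audit_json(m), indent=2))
```

An extension that reaches every site and can observe or block web requests is exactly the shape a swapped-in malicious version would take, so a hit on "reaches_all_sites" together with anything in "high" is the case to look at first. Unpacked extensions are on disk under the browser profile directory, so the same audit can be run over every installed extension rather than one at a time.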
Plugin breaches could have done so much more – Cue Blockchain
Let us think about what you can do with the power of distributed computing, which is all the rage with blockchain technologies at the moment.
The next chink in the browser armour (if you imagine armour made of lettuce or origami birds) is advertising, or malvertising as it’s come to be known. Even simpler sites that aren’t web apps allow remote advertising servers to inject code that displays adverts on their page. On high-profile and reputable websites, this gives attackers an opportunity to bypass firewalls and blacklists and undermine even the most cautious user.
In 2015, malvertising was responsible for deploying the CryptoWall ransomware, which took $1 million in ransom money by infecting over 600,000 computers.
Malvertising can inject code to exploit the user locally (like crypto-miners) or something to abuse the trust of the host site and lure you to a too-good-to-be-true offer on a remote malicious site.
URLs for websites can carry a ton of extra tokens and cookies that make them hard to understand. Sometimes there are simple parameters on the URL that look a bit like ?language=French. That’s a good example because lots of sites are language specific.
I would hope we don’t have to worry about that, as most modern sites are designed to avoid this vulnerability by sanitising inputs OR just avoiding URLs like this completely. I guarantee some older sites, though, definitely are not, and it can be a fun afternoon surfing around to find some.
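What “sanitising inputs” looks like for a parameter such as ?language=French is shown below. This is an added example, not code from the article; it assumes the parameter is read server-side in Python and may be echoed into the page, and all function names and the example.test URLs are this example's own. The raw-echo function is there only to show the pattern to avoid, beside the version that validates the value against an allowlist and escapes anything that is displayed.

```python
"""Handle a URL query parameter safely before it influences a page.

Added example (not from the article). The article's ?language=French case is
used: the value is checked against an allowlist, and anything echoed back into
HTML is escaped, so a hostile value in the URL cannot change the page's markup.
Function names and URLs are this example's own.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Allowlist: the only values the parameter is permitted to select.
SUPPORTED = {"english": "en", "french": "fr", "german": "de"}
DEFAULT = "en"


def raw_language(url: str) -> str:
    """The parameter exactly as it arrived (empty string if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("language", [""])[0]


def language_from_url(url: str) -> str:
    """Return a supported language code; unknown or missing values fall back."""
    return SUPPORTED.get(raw_language(url).strip().lower(), DEFAULT)


def render_unsafe(url: str) -> str:
    """The pattern to avoid: the raw parameter dropped straight into HTML."""
    return f"<p>Language: {raw_language(url)}</p>"


def render_safe(url: str) -> str:
    """Validated value drives logic; if the raw value is shown at all, it is escaped."""
    code = language_from_url(url)
    shown = escape(raw_language(url), quote=True)
    return f'<p lang="{code}">Language: {shown}</p>'


# Constructed inputs: a normal request and one carrying markup in the parameter.
NORMAL = "https://example.test/page?language=French"
HOSTILE = "https://example.test/page?language=<b>French</b>"

if __name__ == "__main__":
    for url in (NORMAL, HOSTILE):
        print(language_from_url(url))
        print(render_unsafe(url))
        print(render_safe(url))
```

The allowlist is the part that makes “avoiding URLs like this completely” unnecessary: once the parameter can only ever resolve to one of a fixed set of codes, the raw text never needs to reach a template, a database query or a file path. Escaping is the second, independent layer for the cases where the original text is shown back to the user.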
Steve Giguere is a lead sales engineer at Synopsys
Image Credit: 377053 / Pixabay