Analysing a Firefox Malware browserassist.dll - FLARE-On 2018
ฝัง
- เผยแพร่เมื่อ 19 ธ.ค. 2024
- This is another challenge of the FLARE-On 2018 CTF. This challenge is about analysing the functionality of a Firefox malware, but I got really lucky :D
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#MalwareAnalysis #ReverseEngineering #CTF
Man, I don't know, but something in the way you explain things, the way you organize your thoughts, or maybe the way you confidently talk, makes your videos fun to watch.
Not to mention the actual great information that you learn from them.
Keep it up. You are really up for something great.
man, I was thinking exactly the same thing!!
Linux user being paranoid on Internet Explorer
stop WINEing
@Alfie Yes, though it's just a program, not an apt package (apt does package it though).
:eyes:
5:48 when a Mac/Linux user first encounters modern IE
LOL
I send a smile, not a frown.
@@Anti-i25 Microsoft does this in many products, including Office
Firefox had the smile feature for a long time...
windows users too, noone opens IE on purpose :D
The funniest thing about that IE smiley is the keyboard shortcut for sending a frowny face.
5:51
LiveOverflow: "Is this a virus?"
Lol
"I decided to approach it again with logic" 😂👍
Maybe it was an NPAPI plugin, those stopped being supported in FF 52.
All new addons have to use the WebExtensionsApi now, which is quite limiting in some ways, so they probably wrote the addon on the old api
For some reason, the malware prevents itself from running if firefox is newer than version 55. Probably, the developers wanted to make the challenge more difficult.
Well... This is neat. Not entirely sure why youtube decided this is my jam, but I do appreciate a good explanation and seeing someone put a lot of effort towards something.
It would be amazing if you started a 0 to hero series explaining the basics of reverse engineering malware, as someone who also enjoys malware I find your videos fascinating but I would always love to learn more from you.
Vouch
a bit late, but check out his binary exploitation videos. this should get you started.
I dont understand shit here but i feel a lot smarter now, thanks @LiveOverflow.
6:00
*open IE
*see the smile thing
*OK this actually exist!
wow, didn't know about flare vm! Might get into analysing malware soon as well! thanks for the great video, as always!
i have little to no idea what youre talking about but im loving every second of it
There is a function to get version of ur firefox in that .dll file. Btw, ur way to solve this challenge is awesomeeeee =]] i never imagine u can solve this challenge in ur way =]]]] amazing video
What was the mechanism by which the browserassist.dll got loaded into the Firefox process? Did I miss something?
I have no clue 🤷♀️
@@LiveOverflow SPOILER ALERT:
blog.attify.com/flare-on-5-writeup-part2/
"This method adds browserassist.dll to the AppInit_DLLs registry key. The AppInit_DLLs are a set of Dynamic Linked Libraries (DLL) that are loaded upon startup into the address space of every executable that links with user32.dll. Essentially, this means everytime a GUI application is run, browserassist.dll"
It's like LD_PRELOAD on Linux, just using the registry :)
@Richard Vaughn I was saying that it's the same principle. It both instructs the dynamic linker to load certain modules, no matter the scope
@Richard Vaughn There is a similar feature on Linux that works globally-- /etc/ld.so.preload -- I've seen Linux malware utilize this to hide themselves from process and file listings.
ur videos are amazingggg!!Thanks for bringing such quality content
I don't understand most of the things you say but I'm sitting here enjoying your videos hoping one day I do understand.
This is very complex but interesting, ty for your contents
Ty😠
LEECHERS!!!!!
This not that complicated look at his other stuff
I watch this video with no knowledge of hacking, but I really feel entertained and educated by your content ;'3
12:37
laughed my head off :D
Sadly, he's right. Adults ain't got time for solving problems and enjoying the challenge of it; we've got stuff to get done!
This video gave me the missing clue to solve my first CTF (a different one of course) on my own! Thanks a lot! :D
You can try shutdown -a when you boot the VM. Also Ctrl + Alt + Del when shutting down and opening task manager from there actually interrupts the shutdown... I found the last one myself testing the very combination on shutdown
firefox changed the way they deal with addons in quantum, including dropping support for (i believe) dll/native code based plugins (java, flash, etc.)
6:45 Hmm. First thing which came to my mind after I heared that the challenge surrounds around a Firefox maleware was: "Better use an older firefox version for the analysis. They might have patched something"
Microsoft does the smiley thing with ALL of their windows products (And some open source ones too) as far as I am aware.
Ye I think I saw it in Excel as well. It kind of tickled my virey-sense but apparently it belongs there.
Wow your analysis skill is so good bro
The installer drops the dll and sets a registry key. My educated guess is that newer Firefox versions does not take that registry key into consideration when loading dlls, whereas the older version does.
I solved the entire challenge statically, it was interesting to bypass a few checks and analyze all the dll requests.
If I recall correctly, the dll has some checks then it does 2-3 HTTP requests, retrieves some encrypted data and after a few decryption stages and data manipulation it is possible to extract the javascript inserted into the browser alongside the JSON you observed in the stack trace.
At this point, I manually injected the javascript code into my browser (after deobfuscation), ran the commands and got the flag. :)
The registry key is used by all windows software. (iirc user32.dll injects these dlls from the registry) the dll simply checks the firefox version
how can you people check a whole pe file statically? :/ I give up if it is longer than two screen-fulls. teach me, sensei!!
10:00 'su' doesnt mean switch user, it means super user (root). The Linux command which switches to the root user. That's why sudo runs a command as root (super user do).
Yes but su can switch to other user too. It doesn't need to be root
Also, su stands for substitute user
I think that if you find what is the vulnerability by analyzing the dll, you can search for something like "dll injection Firefox", etc. And you'll see approximately in what version it was fixed.
Right since every infection has a condition to meet.
I like puzzles. I want to obfuscate a whole bunch of code that, when deobfuscated, literally just congratulations you for solving the puzzle.
4:45 Oh wow, the old Office 2003 UI kit thing.
-5:57-- That was there since Windows 8, and I believe Internet Explorer is still in Windows 10 only for backward compatibility with older applications that use the Trident engine (which IE uses) in order to render Web content.- 6:15
I love this chall, because like in real case technique at banking malware, it will injection with external dll,
which means it hooking the PR_Write function and this only work at old firefox version, CMIIW
I'm sure you're busy.. but... You should totally still make your handwriting into a font ❤
your content is great, looking forward to see the next one!
i am addicted to watching your videos
I'm a simple man. I get notification of LiveOverFlow uploading a video. I watch.
PS ~ F
Same here.
I got such a nostalgic feeling when you opened PEid.
What are some other websites you guys recommend for challenges like flare-on.com?
overthewire.org, hackthebox.eu
root-me.org is also great
o
you deserve more subscribers. subscribed!
Flare-on 2018 was so hard. The hardest ever :-0. Took me a month to complete.
this is such a great content!
wow! what valuable material 👍👍👍👍
Me, a Firefox user: *I'm in danger*
Holy shit that was awesome. There is so much out there that i don't know!
what would we do if the web shell didn't have sl
Google for solutions?
A reminder that IE is not broken per se. It's designed like that.
As I remember the dll hooking some function to inject the javascript. In newer version of firefox those functions don't exist so it failed :)
5:48 me laughing my ass off knowing that I have been using Windows for years
So if you update your Firefox because of some vulnerability, the old injected code may work on the latest version?
It sounds like the upgrade should clear the cache every time you upgrade.
0:18
bruh so I'm vulnerable to attacks and malware just because I want to be private on the internet?
JAJJAAJAJAJAJ 11:21 "Awghh... F!" so funny. I'm just discovering your videos! All of these things you explain are amazing! Even to devs like with some years on the back! :D Super pedagogical, fun, talking pretty advanced shit (I come from the XSS video series you made, so rad) looks like a pretty deserved subscribe, that material must be assimilated by my mind.
Greetings from Argentina!
@LiveOverflow you might already know this, to solve complicated key comparisons/generation, we can use Z3
modelling this in z3 would have taken the at elast the sameamount or longer ;)
Also: th-cam.com/video/TpdDq56KH1I/w-d-xo.html
@@LiveOverflow ok, i was practicing z3 this week, totally forgot about that video, thanks again
Really enjoy your videos despite not really getting everything. Guess I need to start learning c#, .net etc. I follow along but I would really get stuck if it was me doing the task.
I don't recall the exact details of the code but the DLL does do version check of Firefox. If I recall correctly, it's any version before or equals to 40 that works. After the check, the DLL downloads the encrypted javascript from a pastebin and decrypts it.
1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111
idk w a single thing in this video but they are fun to watch
Umm is this normal on ie because i have some kind of smiley in ie and avast or malvare bytes does not reconize it?
A trainer wants to battle:
You were challenged by elder Internet Explorer
So is this exploit for Firefox universally, like on Linux or Mac. Cuz I'm worried now
Nvm probably not
no, it's a malware.
Well, I think it would be possible todo this on other platforms too, however, its not very likely to happen:
1. It was a Windows only Software
2. Its not that easy (for an application, ofcourse there are the PRELOAD variables on Mac and Linux) to inject some code into firefox
3. Looks like that has been patched in firefox or at least the injection doesn't work anymore.
Still, it is possible
There is nothing firefox can do to prevent this. The reason why it doesn’t work in a newer firefox versions are certainly just compatibility issues. The malware was not written to support these changes.
@@LiveOverflow exactly. Firefox still loads user32.dll which is the injection point
@LiveOverflow doesn't work in newer FF as web extensions don't allow JS injection (from FF Quantom on-wards). Was actually one of the big motivations of why we moved over.
Too bad FF Quantum messed up multiple tab handler, it is annoying. We're finally getting it backed in.
Can someone explain why the dll was loaded to Firefox's memory map? I mean surely firefox did not request that dll and that dll wasn't even in the firefox folder. How does it get loaded with firefox?
Can someone explain the part of code with XOR statement? I thought ^ is the symbol for AND / conjuction and don't really understand how it works.
In programming languges ^ is often XOR. It doesn’t follow the mathematical logic notation. An AND would be &&
It depends on the programming language - in JavaScript ^ is the XOR operator (as it's in many other languages). XOR is just another logical operator like AND/OR/NOT and is the "either/or"-function. Look up the truth table for it. ^^ It is a very intersting function, because its inverse is XOR too. So, if you XOR two bits and get a third one, you can XOR this third one with any of the other two to retrieve the third one. This concept is very useful and used for RAIDs to duplicate data.
I could imagine someone just had the old Firefox because he didn't use a virtual machine as advised.
That was awesome! I'd love to be able to de this some day, is there a place where I can start learning the basics?
This stuff looks really fun, but totally out of my skill level at the moment. Do you have / know of any places to find beginner reverse engineering challenges?
vulnhub.com hackthebox.eu are good places to start. Helps to know basic linux commands and a little kali knowledge.
Why does Firefox load a DLL that is stored in Internet Explorer's folder?
which also beg an important question, should browser update also invalidate the cache
1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111
5:16
>this entry point
It must be encrypted
Congrats ! You are one smart puppy :)
Dont really understand, but it was interesting :)
How that malware works?
Why is it stored in Internet Explorer DLL file? Does old Firefox versions use it?
Why it does not work in newer versions of Firefox and Chrome?
How does it work?
There's a library called user32.dll, a very basic windows library that is used in GUI programs. There's a registry key in charge of what libraries get loaded with user32.dll and the malware injects browserassist.dll into that registry to be called when a program uses user32.dll.
The reason why it affects older version of firefox because the malicious software is specifically checking every software that uses user32.dll and if that program is firefox.exe it'll check what version it is and if it's version 55 or below it'll run the rest of the code. Most likely it only affects those version because they programmed the exploit to only effect those because it was fixed after version 55 or firefox became too different for their code to work after 55 or 55 was the latest version when the malware was made.
At this point the malware was modified to have custom injection exclusively for flare-on.
So theoretically it could also attack new versions or other browsers?
Why do you have 0x80 in for loop? Why not just a regular number?
It is a regular number, or what do you mean? Also I have 0x80 in there, because 0x7F is the last valid ascii number
@@LiveOverflow I just dont understand the format of 0x80. What value does it represent and what is the benefit of using it rather than having plain number like 80?
Ah. It's a hex number. So 0x80 in hex is 128 in decimal. It's much nicer to represent byte values as hex numbers than decimal, but you have to get used to it first. The maximum byte number is 0xff, which is so much cleaner than 255.
I have a video about "hex numbers" in my binary exploitation playlist. th-cam.com/video/mT1V7IL2FHY/w-d-xo.html
Damn that’s such a complex challenge! Feeling dumb :( But at least learnt something. Gong to need a few more attempts to learn this well...
Does the requirement for the older version relate to Firefox x64 vs x86 ?
Off the top of my head, maybe using the latest Firefox version matching any datestamp found inside the binaries/strings?
Nice content! Kudos
Any good suggestions of a good /r/ for this community?
Do you have a Discord channel? You should definitely make one!
When the CTF was created the older version was the newest actually so they didn't tell about older versions.
Yeah but if you open browserassist.dll in a disassembler you will find it checks if Firefox version is higher than 55, if it is it just jumps to the end
Could you have just set the model root to 1 and bypassed the need for reversing the password, or did the dll inject the extra stuff after the password was right?
bit late, but laughed that it uses ConfuserEx to obfuscate the application. Easy to tell by the "ConfusedByAttribute" as well as the decrypting, decompressing method. Also, dnspy is a lot better for reversing .NET applications. It has a clean GUI, stable, gets updated a bit, a IL Viewer; which can be handy in removing anti-debugging calls, such as CheckRemoteDebuggerPresentEx, and more functionality.
Hey, ich studiere auch an der TU und wollte fragen ob du bei der IT-Sicherheits AG? Jeden Dienstag im TEL-Gebäude. Ich glaube die AG heißt Enoflag. Wäre richtig cool dich zu sehen :D
So if you want to still use this exploit on Firefox just write to the cache.
Good idea. I wonder it has any mechanism to prevent this. Because if you could just write your js into the cache, no exploit is needed.
I love your work!
The DLL loading behaviour if due to Firefox dropping support for native NPAPI (Netscape) style plugins. You cannot load them anymore since Firefox 52 I think. Browser extensions nowadays are written in JS.
but there is still Adobe Flash capability back then .. so how does that work?
but there is still Adobe Flash capability back then .. so how does that work?
Great Job man
so why did firefox load a dll located in the ie file location?
I think IE just likes to hook up to different browsers, or different browsers just use IE's stuff.. not 100% sure. but using windows you can see these things quite often.
15:06 When you have watched entire Taran Van Hemert's BIG TUTORIAL
He is missing the multiple layers of effects and transitions and his screen looks much cleaner.
I cant speak for the .exe as i skipped that during my run. However there was no easy way to figure out the version needed for the .dll other than realizing that it must have been patched. Personally I found twitter to be fairly useful and not really giving away anything.
Nice video....I love your videos...
15:01 German.
wieso ist firefox in deutsch?
Der Dude ist deutsch :D
This was really interesting!
Would you please make a video (or post) at least listing all the software you use? (and preferably what you find them most useful for)
0:30 damn. I started laughing hard. I’ll just say this is a joke and ethically/legally wrong. Do not exploit hardware which is not your own with our express WRITTEN consent, kids ☝🏼 your welcome
What is your current computer setup?
Can you include all the softwares and tools you used there in the vid description? Thanks a lot 😁
About using old version of firefox, just ask yourself a question - would they publish a malicous code that would be harmfull to current version of highly used browser? I think they are not that evil.
well the malware in this case seems pretty harmless- it doesnt steal your bank or anything..
The smiley face got me LOL
Definitely it's better the fridays, I can't watch this with hangover. At least I laugh at 6:26.
Y ahora me despido, adios! Tengo que arrastrarme al baño devuelta
Lol
Hallöle ^^
Ich interessiere mich schon seit einigen Jahren für das Thema...
Nun, da ich jetzt weiß, dass man "einfach" an solchen CTF's teilnehmen kann:
Könntest du mir "Beginner"-CTF's vorschlagen, um in das Thema noch besser rein zu kommen?
Mit freundlichen Grüßen,
R00T
Thanks for the video =)