>> Hi everyone! I am Tomer Cohen. I work at Wix.com, currently leading the R&D security team. Me and my team are responsible for all of Wix's production systems, operations and security, including infrastructure, applications, practically everything. And I am here to talk to you about how to create a botnet by abusing Chrome extensions, or browser extensions in general. So I'm going to start with my personal experience with bots. The first challenge that me and my team had with bots was in April 2016. It was a regular day in the office, when suddenly the sign-up graph... just a second, [pause] yeah, okay, I'm good. So suddenly the sign-up graph, which indicates how many new users sign up to Wix, had a dramatic increase. Now we're familiar with these kinds of attacks, so we checked and we saw that the requests did not originate in one address or one country but in a lot of sources, and this is what we call a bot attack. Now a word about bots. According to Imperva, bots make up the majority of the traffic on the internet today, and most of the bots are bad bots, and most of the bad bots are impersonators. Impersonators are bots that come to web applications and fake the activity of real humans. This causes a lot of headaches for internet companies, because it is very hard to distinguish between these bots and legitimate traffic. Yeah, we were there. Okay, so. After seeing the sign that we were under a bot attack, we started to investigate and we saw three things. The first thing that we saw was that most of the increase originated in Latin American countries, and all these clients came with the Chrome browser. Now this is weird, and we kept investigating.
The next thing we noticed is that for some reason the sign-up requests to our server came from a frame loading the Wix sign-up form from within Facebook. For some reason; we didn't know yet what the reason for that was, we will see in a second. The third thing that we noticed, and just a word about Wix first: Wix is a website creation platform, everyone can come and create their own website for free. So what we noticed is that these suspicious users signed up to Wix, to a new account, and then only 10 seconds after the sign-up event we saw that they published a new Wix website. Now this is obviously weird, because people don't tend to design their website in 10 seconds and publish it. So now we had a pattern, we knew what to look for, so we went to one of these accounts and saw the website that was published, and this was the website that was published in all these accounts. And here it is in English: this page says that if you want to see who viewed your profile on Facebook, the same old scam, you can click on Start and download the Chrome extension for doing that. Now if we click Start, we actually get to the real, original Google Web Store and see this extension called Viad30 something. So we started to understand that there is a connection between the bot attack that we were experiencing and this malicious extension, or this extension at the time. So we started investigating what's inside the extension. It was very hard because the code was highly sophisticated; we got help from other guys, including from [inaudible], a bot protection company that we work with. And this is what we found; this is what the extension does.
Firstly, it injects code into Facebook tabs. Now Chrome extensions with the proper permissions have the ability to inject JavaScript code into any tab opened by the user, and also to create new tabs and everything, and in this case the attackers used it to inject code into the Facebook tab. Why the Facebook tab? I guess because everyone is on it, and all the reasons that we will see in a second. The next thing the extension does is open a Wix iframe inside Facebook, using the code injected into Facebook. Inside Facebook it opens a frame and loads the Wix sign-up form in this frame, and from within the frame it sends the sign-up request to our server. Now my question here is: why would they need to open a frame? Why wouldn't they just inject the code and send the sign-up request to Wix? Chrome extensions are not bound by the same-origin policy; they can send a request from Facebook to Wix. Now the answer here is that here at Wix we do have bot protection mechanisms, and they have some features, so if [inaudible] you just send the sign-up form from just any tab, this would fail, because you don't have the right cookies, headers, tokens, whatever you need to fetch from the sign-up form before you send the actual sign-up request. However, if you somehow open a frame with the sign-up form, like in our case, inside Facebook, and you send the sign-up request from within this frame, it succeeds. So the attackers actually did that to bypass our bot protection mechanisms, because they knew that they wouldn't be able to send a request straight from other tabs, hence the open frame. Now mind you that this frame is transparent, and the victim user does not notice anything while he is signed up to Wix and publishes a new website. Okay, let's go back to the extension's course of action. We already saw that it injects code into the Facebook tab and then it signs up to Wix.
The next thing it does, like we saw, is that from the account created in Wix it publishes a new Wix website. Now all these websites lead to the same page, the attack page that we saw earlier. Now what it does is it takes the URL of the newly created Wix website and sends it, using Facebook messages, to all the victim's friends on Facebook. This is how the malware is distributed. Lastly, these guys were rude enough to grab the victim's Google authorization token and submit a 5-star review in the Google Chrome extension web store. [laughter] So they have a really good reputation for their malicious extension. [pause] Cool. Now my next question is: why would this attacker even need Wix on the way? I mean, why wouldn't he just inject the code into Facebook and then use Facebook Messenger to distribute the URL of his attack page? He already has an attack page, why would he need Wix on the way? So the answer here is that Wix was used to distribute a bot; Wix was actually here as a supplier of disposable URLs. I mean, every victim that is infected creates a new website, a new attack URL that leads to Wix. And then it was much harder for Facebook to detect this attack, because all the URLs were different; there wasn't a common, popular malicious URL that was sent in these requests. So the attacker basically used Wix's reputation in order to distribute his malware. And what we've discussed so far is only the infection phase of this attack. Obviously these bots have been used for a lot of fake things that all lead to the same result: money for the bot masters. So after they infect all these bots, using Wix or other platforms, they can use them later. They have a command and control for these bots, we'll see in a second.
They can send ads, they run these attacks, send spam and run other attacks; they can also put these bots up for rent and then gain money for the service, attacks as a service. [pause] We just saw a campaign of bot infection using Chrome extensions; let's see another one. So we at Wix stopped this attack, it took us some time, but we stopped it, and 2 months later there was news about a new attack, and this is how it looked. It says 'Facebook comment tagging malware spreading via Google Chrome. If you receive a Facebook notification regarding a friend tagging you, be very cautious about it.' Now this attack was named "Tag me if you can" by Kaspersky Lab's researcher Ido Naor, and when I read his report, which is a very detailed report, I knew that it was the same attackers that attacked Wix 2 months before. How did I know? Let's see how this attack worked. So first, a victim gets a notification on Facebook saying that some friend of his tagged him in a comment. When the victim clicks this notification, after a small warning on Facebook saying that you are going out of Facebook, a JSE file is immediately downloaded to the victim's browser. Now JSE files are executable on all Windows machines, so if the victim clicks on this JSE file, a malware is running, causing Google Chrome to crash. Then it copies the Google Chrome process file, the EXE file, and creates a new Chrome EXE file with a Chrome extension installed on it. This is a malicious extension, similar to what we saw before in Wix. After Chrome is reopened, the extension uploads a new instance of the JSE file to the victim's Google Drive. Then it takes the URL of the newly uploaded file and sends this URL using Facebook [inaudible], creating notifications tagging all the friends of the victim.
One of the victim's friends sees a notification, and the whole thing runs again, and we've got an exponential growth infection process. Now how did these guys manage to create a notification on Facebook that leads to a download of a JSE file? That's a good question, I'm sure you're all asking yourselves that. But it's too long for this lecture, so you can find more details in this talk's white paper or in Ido Naor's report about the "Tag me if you can" attack. Now, I knew that these were the same attackers because there is a very small pattern here in these bot attacks, and this is the pattern: it always starts with the user clicking on something on Facebook. The next thing that happens is that somehow an extension is installed on his browser; in the Wix attack it was from the Google Web Store [cough] [clears throat] sorry; in the Facebook attack it was using an executable JSE file. After the extension is installed, somehow a new instance of the malicious payload is created; it can be a Wix website leading to the attack page, or just a JSE file that was uploaded to Google Drive. Then the extension takes the URL of the newly created instance and sends it somehow, in messages or comment notifications, to all the Facebook friends; one of the friends clicks it and then we've got the whole thing running again. Now these two cyber attacks had more in common; for example, there were a lot of [inaudible] snippets that were similar, and also the attackers used the same domains, so it was clearly the same attacker.
Now I want to say that the companies that were abused in these two campaigns are not minor companies. These magical bots somehow come and defeat the bot protection services of Facebook, Google and Wix.com, and all the services that we were talking about, Facebook messaging, Google Drive uploads and everything, have bot protection mechanisms in place. So why do common bots fail to bypass these mechanisms, and our bot succeeds? So let's ask ourselves for a second: what makes a good bot? The goal for a good bot is actually to look like a human, right? The bot wants the website that it's visiting to think that it is a human sitting at a computer and surfing the internet using a web browser, right? So the first thing that this bot has to cope with is JavaScript challenges. Now this is a known practice in detecting bots: you give them the right JavaScript calculation and they cannot cope with it. In our case our bot is actually running inside Chrome, so you can challenge it with any JavaScript that you want and it will cope with it successfully. Great! Alright, the second thing here is what I call human context. Human context is to look like a human when you come to do some action; for example, you don't sign up to Wix or any other service before you pass through the sign-up form, right? I mean, a bot that sends the request straight to the server is not a good bot. Now here we have the ability in our bot to enter inside the context of the user, because Chrome extensions have the ability to inject JavaScript code into active user tabs. So if I'm surfing Facebook, the extension can inject JavaScript code into Facebook that will send the Facebook messages from within the Facebook window, and this way it has a lot of power in mimicking regular human behavior.
This makes browser extensions the perfect bot. It can run in the context of a user and in JavaScript. To understand the full capabilities of such an extension, let's have a look at the manifest file of the extension, the malicious extension we just saw attacking Wix. So this is the manifest file of this extension. You can see in the red frame the name of the extension, Viad30; it's the name of an extension that already existed in the web store, I guess the attackers understood that this way they can easily bypass the Google screening process for the Google Web Store. Now what we see here under the permissions section is the most important permission of this extension: it allows the extension to run a cross-origin request to any destination it wants, and it also gives the extension the ability to inject JavaScript code into all the tabs. What else? We can also snatch the victim's cookies; this, by the way, includes HttpOnly cookies. And what else we see here: there's a background script. Now that background script runs all the time in the background, it doesn't matter what you are working on. Let's have a look at the background script of this extension. This is actually the command and control system of this extension. Why? Let's see what it does. First, it adds a listener to any tab that is updated. Any tab that is updated runs this code: it goes to the attacker's server and downloads a file called data.js. This file includes the commands for the bot. Then it takes data.js and executes it using tabs.executeScript on the tab that was updated. Now this is very important, because it allows the attacker full flexibility with his bots. His bot is not static, it does not have static logic; I mean, it's not doing the same thing all the time. Every time the attacker wants to change the behavior of the bot, he's able to do it.
For example, in the Wix attack, after we noticed that there were websites published only 10 seconds after the sign-up event, we started unpublishing websites that had this behavior, and it stopped the attack for about half an hour. After half an hour the attacker changed the logic of the bot, and from this point the bots used a randomized timeout between the sign-up event and the site publish. Also, I can create a script which is tailored for each active tab: so if I'm on Facebook I can send commands that send Facebook messages, if I'm on Google Drive I can send commands that upload files to Google Drive. Great, so we now know that browser extensions are very powerful tools for bot masters. But the campaigns that you just saw are very complicated, and I want to ask you guys: how can we make it easier? Because smuggling an extension into the Google Web Store and convincing victims to install this extension, or running EXE or JSE files on victims' devices, is very hard and of course demands a lot of effort. I want to think for a second about how we can make it easier. So the thing here is that in order to get the abilities of an extension, we only have to have the ability to execute JavaScript in the context of the extension. And for this we can go to the same old [inaudible] that we all know and love: XSS. Now XSS in an extension is not a new thing, I mean guys have shown it at Black Hat in 2012, but what I want to share with you today is, first, to show you that there are still extensions that are vulnerable, and secondly, to share with you the idea of using these vulnerabilities in order to form a botnet. The first example is the Adobe Acrobat extension XSS. It allows users to convert any web page to a PDF file.
Now in 2016 it had 30 million installations, that's a crazy number. What they did is they automatically installed their extension on all devices that had Adobe Acrobat installed on them. And only 6 days after this, Google Project Zero researcher Tavis Ormandy found an XSS vulnerability in this extension. This is the bug, and inside this bug report you can see the PoC of the exploitation code. And what we see here is basically that there is a page called frame.html, and if we send it a payload in a [inaudible], it will execute it. And this is how it looks from the frame side; it's pretty straightforward, it actually says here's our payload, and it creates a message that goes to your status, and then from there it adds HTML to the title of the page. The problem here is that it's too easy; it's so easy that actually [inaudible] blocks it, because it's an inline script. Now a word about CSP. In 2013 Google enforced a default Content Security Policy on all extensions. This was a very important move, because it saved us from a horror scenario of XSS in extensions, and what it does is prevent common JavaScript injections like inline scripts and eval functions, and you can only load scripts from whitelisted sources, or at least HTTPS sources. So the problem here is that CSP is a generic policy, and developers tend to be very creative in the way they create XSS in their software. Let's see another example. I want to show you the AVG Web TuneUp extension. It aims to protect users when surfing the internet, when in fact it has an XSS and actually allows hacking these users. This extension is patched, and I'm going to talk about the vulnerable version of it. The same guy, Tavis Ormandy from Google Project Zero, found an XSS in it, and in this case CSP fails, and I want to show you why.
I'll show a demo in which there's an attack page. Now look, there is a victim that comes to this attack page and opens it, and this victim runs the AVG extension in his browser, and this is why you see the extension there, listening on the attack page. The extension injects JavaScript into any page, including our attack page, that adds a listener for window messages. Now our attack page, which we will see in a second, uses window.postMessage to send a message to the extension, in the same page. The extension in turn transfers our payload, sorry, yeah, this is the payload: the content script in the attack page forwards our payload using chrome.runtime.sendMessage to its background script. The background script of the extension has access to the Chrome API, and particularly to the chrome.tabs API, and using the update function we can update any tab with any URL that we choose in the original message that we sent from the attack page. In our case we will use BeEF in order to hook any tab of the user, for example the Facebook tab. Yes, with the hook. So, just a second. Let's show a little demo. [pause] One second. Okay, I will show it here. Okay, I'll try to do it this way. It will be hard, but I will try. [pause] Okay. What we see here is the attack page. I'm going to turn on, this is the BeEF command and control system. You can see that there's nothing here, there are no bots right now. I'm going to turn on the AVG extension; I do it with much caution, because it's vulnerable, it's the vulnerable version of this extension. And here's a Black Hat page; what we're going to see is the attack on the Black Hat page. I'm going to refresh it to show you that there is nothing here. Now, I'm going to run the attack page, my exploitation page.
And you can see that the Black Hat page has an alert, and you can see that we have a new hook on this tab. And you see here that the BeEF .js file is downloaded from the attacker's server. If I click OK, I can see here that the BeEF agent started to communicate with the C&C machine, and here we got the BeEF bot on blackhat.com. [applause] So to sum up, we saw how we can hack extensions and run in the context of these extensions. And as I said before, my final goal is to use these XSS vulnerabilities in order to create a botnet, and this is how we can do it. Once we have the first victim that installed our bot, using BeEF for example, we can use him: we can create an attack page, and send the URL of the attack page using Facebook messages or other social means to all the Facebook friends of the victim. If they have the vulnerable extension installed, we will hack them in the same way using our attack page and install BeEF on them. If the friends of the victim do not have the extension, we can always refer them to the Google Web Store to download this great, great antivirus tool, and then hack it in the same way using our attack page. XSS. Summing up, this is what we saw: browser extensions make great bots, we saw why. We also saw that, as we speak, there are attackers that use Chrome extensions in order to create and control their botnets. We also saw that extensions still have XSSs, and CSP is not enough in our case, because there are many ways to create XSS. And the same infection campaigns that we saw in the Wix and Facebook attacks can be achieved by exploiting Chrome extension XSS vulnerabilities. If you have any questions about this topic, just approach me, or you can catch me at this email. Thank you so much! [Applause]
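Added example, not from the talk or its speaker: a small triage script, in the spirit of the manifest walk-through above, that reads a Chrome extension manifest (MV2 style, as shown in the talk) and flags the capabilities the speaker points at: broad host access, tab enumeration, cookie access, a persistent background script and a CSP that admits remote script sources. The sample manifest and the host name cdn.example.invalid are constructed for illustration.

```javascript
// Patterns that grant an extension access to every origin.
const BROAD_HOSTS = ['<all_urls>', 'http://*/*', 'https://*/*', '*://*/*'];

// Split an MV2 content_security_policy string into {directive: [sources]}.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Return a list of human-readable findings for a parsed manifest object.
function reviewManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = perms.filter(p => p.includes('://') || p === '<all_urls>');

  if (hosts.some(h => BROAD_HOSTS.includes(h))) {
    findings.push('broad host permission: can fetch any origin and run executeScript in any tab');
  }
  if (perms.includes('tabs')) {
    findings.push('tabs permission: can enumerate open tabs with their URLs and titles');
  }
  if (perms.includes('cookies') && hosts.length) {
    findings.push('cookies permission: can read cookies, HttpOnly included, for the permitted hosts');
  }
  const bg = manifest.background;
  if (bg && (bg.scripts || bg.page) && bg.persistent !== false) {
    findings.push('persistent background script: code runs regardless of the active tab');
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(m => BROAD_HOSTS.includes(m))) {
      findings.push('content script matches all URLs: injected into every page the user visits');
    }
  }
  // Chrome's default extension CSP is "script-src 'self'; object-src 'self'".
  const csp = parseCsp(manifest.content_security_policy || "script-src 'self'; object-src 'self'");
  const scriptSrc = csp['script-src'] || [];
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("CSP allows 'unsafe-eval'");
  const remote = scriptSrc.filter(s => !s.startsWith("'"));
  if (remote.length) findings.push(`CSP whitelists remote script sources: ${remote.join(' ')}`);
  return findings;
}

// Constructed sample manifest shaped like the one described in the talk.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Extension (constructed)',
  version: '1.0',
  permissions: ['<all_urls>', 'tabs', 'cookies', 'storage'],
  background: { scripts: ['background.js'], persistent: true },
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
};

for (const finding of reviewManifest(SAMPLE_MANIFEST)) console.log('-', finding);
```

To triage a real extension, replace SAMPLE_MANIFEST with the parsed contents of its manifest.json; an empty findings list means none of the listed indicators is present, not that the extension is safe.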