Analysing a Firefox Malware browserassist.dll - FLARE-On 2018
Рет қаралды 253,097
5 жыл бұрынThis is another challenge of the FLARE-On 2018 CTF. This challenge is about analysing the functionality of a Firefox malware, but I got really lucky :D
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#MalwareAnalysis #ReverseEngineering #CTF
@liteoner 5 жыл бұрын
5:48 when a Mac/Linux user first encounters modern IE
@PwnFunction 5 жыл бұрын
LOL
@firefish111 5 жыл бұрын
I send a smile, not a frown.
@liteoner 5 жыл бұрын
@@Anti-i25 Microsoft does this in many products, including Office
@TimLF 5 жыл бұрын
Firefox had the smile feature for a long time...
@k1ngjulien_ 5 жыл бұрын
windows users too, noone opens IE on purpose :D
@Hans5958 5 жыл бұрын
Linux user being paranoid on Internet Explorer
@kirschitz64 3 жыл бұрын
stop WINEing
@a8552bc 3 жыл бұрын
@@kirschitz64 isn’t that the apt package that lets you execute windows programs?
@zombie_pigdragon 3 жыл бұрын
@@a8552bc Yes, though it's just a program, not an apt package (apt does package it though).
@gersomwastaken 2 жыл бұрын
:eyes:
@bumbixp 5 жыл бұрын
The funniest thing about that IE smiley is the keyboard shortcut for sending a frowny face.
@aumpalosa 5 жыл бұрын
Man, I don't know, but something in the way you explain things, the way you organize your thoughts, or maybe the way you confidently talk, makes your videos fun to watch. Not to mention the actual great information that you learn from them. Keep it up. You are really up for something great.
@CarlvanEijk 2 жыл бұрын
man, I was thinking exactly the same thing!!
@rootabeta9015 5 жыл бұрын
5:51 LiveOverflow: "Is this a virus?"
@sashimisub8536 Жыл бұрын
Lol
@cy8berpunk831 5 жыл бұрын
"I decided to approach it again with logic" 😂👍
@chylex 5 жыл бұрын
Maybe it was an NPAPI plugin, those stopped being supported in FF 52.
@oisins.6066 5 жыл бұрын
All new addons have to use the WebExtensionsApi now, which is quite limiting in some ways, so they probably wrote the addon on the old api
@samfoxman7046 5 жыл бұрын
For some reason, the malware prevents itself from running if firefox is newer than version 55. Probably, the developers wanted to make the challenge more difficult.
@alfoncejean8826 5 жыл бұрын
6:00 *open IE *see the smile thing *OK this actually exist!
@richardp7412 5 жыл бұрын
It would be amazing if you started a 0 to hero series explaining the basics of reverse engineering malware, as someone who also enjoys malware I find your videos fascinating but I would always love to learn more from you.
@TB-tv2zf 5 жыл бұрын
Vouch
@martysh1226 Жыл бұрын
a bit late, but check out his binary exploitation videos. this should get you started.
@anishagrawal7068 5 жыл бұрын
ur videos are amazingggg!!Thanks for bringing such quality content
@zecekobold2140 5 жыл бұрын
Well... This is neat. Not entirely sure why youtube decided this is my jam, but I do appreciate a good explanation and seeing someone put a lot of effort towards something.
@zanidd 5 жыл бұрын
wow, didn't know about flare vm! Might get into analysing malware soon as well! thanks for the great video, as always!
@adfadff6361 5 жыл бұрын
There is a function to get version of ur firefox in that .dll file. Btw, ur way to solve this challenge is awesomeeeee =]] i never imagine u can solve this challenge in ur way =]]]] amazing video
@lonelycount1 5 жыл бұрын
I dont understand shit here but i feel a lot smarter now, thanks @LiveOverflow.
@TymoteuszCzech 5 жыл бұрын
12:37 laughed my head off :D
@user-vn7ce5ig1z 5 жыл бұрын
Sadly, he's right. Adults ain't got time for solving problems and enjoying the challenge of it; we've got stuff to get done!
@MasterNoxob 5 жыл бұрын
your content is great, looking forward to see the next one!
@justfaysou738 5 жыл бұрын
This is very complex but interesting, ty for your contents
@RobinObinray 5 жыл бұрын
Ty😠 LEECHERS!!!!!
@asafcohen3562 5 жыл бұрын
This not that complicated look at his other stuff
@kiritsu9582 3 жыл бұрын
i have little to no idea what youre talking about but im loving every second of it
@abgehn7869 4 жыл бұрын
This video gave me the missing clue to solve my first CTF (a different one of course) on my own! Thanks a lot! :D
@mistsu1171 5 жыл бұрын
I watch this video with no knowledge of hacking, but I really feel entertained and educated by your content ;'3
@strategyoracle 5 жыл бұрын
What was the mechanism by which the browserassist.dll got loaded into the Firefox process? Did I miss something?
@LiveOverflow 5 жыл бұрын
I have no clue 🤷♀️
@strategyoracle 5 жыл бұрын
@@LiveOverflow SPOILER ALERT: blog.attify.com/flare-on-5-writeup-part2/ "This method adds browserassist.dll to the AppInit_DLLs registry key. The AppInit_DLLs are a set of Dynamic Linked Libraries (DLL) that are loaded upon startup into the address space of every executable that links with user32.dll. Essentially, this means everytime a GUI application is run, browserassist.dll"
@kathipaw 5 жыл бұрын
It's like LD_PRELOAD on Linux, just using the registry :)
@kathipaw 5 жыл бұрын
@@tripplefives1402 I was saying that it's the same principle. It both instructs the dynamic linker to load certain modules, no matter the scope
@yellowcrescent 5 жыл бұрын
@@tripplefives1402 There is a similar feature on Linux that works globally-- /etc/ld.so.preload -- I've seen Linux malware utilize this to hide themselves from process and file listings.
@Zooiest 5 жыл бұрын
You can try shutdown -a when you boot the VM. Also Ctrl + Alt + Del when shutting down and opening task manager from there actually interrupts the shutdown... I found the last one myself testing the very combination on shutdown
@vergil9397 5 жыл бұрын
Wow your analysis skill is so good bro
@IAMFeelings 5 жыл бұрын
I don't understand most of the things you say but I'm sitting here enjoying your videos hoping one day I do understand.
@mal-nr3ym 5 жыл бұрын
firefox changed the way they deal with addons in quantum, including dropping support for (i believe) dll/native code based plugins (java, flash, etc.)
@danielkrajnik3817 3 жыл бұрын
this is such a great content!
@KidJV 4 жыл бұрын
you deserve more subscribers. subscribed!
@amrojjeh 5 жыл бұрын
Microsoft does the smiley thing with ALL of their windows products (And some open source ones too) as far as I am aware.
@citroenboter 4 жыл бұрын
Ye I think I saw it in Excel as well. It kind of tickled my virey-sense but apparently it belongs there.
@kisame_5331 5 жыл бұрын
I love your work!
@itscarve 5 жыл бұрын
I'm sure you're busy.. but... You should totally still make your handwriting into a font ❤
@_crimson1624 4 жыл бұрын
wow! what valuable material 👍👍👍👍
@Mindflayer86 4 жыл бұрын
6:45 Hmm. First thing which came to my mind after I heared that the challenge surrounds around a Firefox maleware was: "Better use an older firefox version for the analysis. They might have patched something"
@longcat666 5 жыл бұрын
I love this chall, because like in real case technique at banking malware, it will injection with external dll, which means it hooking the PR_Write function and this only work at old firefox version, CMIIW
@stephanodennielpineda6414 5 жыл бұрын
Nice content! Kudos
@cocosloan3748 5 жыл бұрын
Congrats ! You are one smart puppy :)
@TheoParis 5 жыл бұрын
This was really interesting!
@HugeDisgrace 5 жыл бұрын
Holy shit that was awesome. There is so much out there that i don't know!
@mimizdani8194 4 жыл бұрын
i am addicted to watching your videos
@RicardoUngureanu 5 жыл бұрын
The installer drops the dll and sets a registry key. My educated guess is that newer Firefox versions does not take that registry key into consideration when loading dlls, whereas the older version does. I solved the entire challenge statically, it was interesting to bypass a few checks and analyze all the dll requests. If I recall correctly, the dll has some checks then it does 2-3 HTTP requests, retrieves some encrypted data and after a few decryption stages and data manipulation it is possible to extract the javascript inserted into the browser alongside the JSON you observed in the stack trace. At this point, I manually injected the javascript code into my browser (after deobfuscation), ran the commands and got the flag. :)
@ukaszMarianszki 5 жыл бұрын
The registry key is used by all windows software. (iirc user32.dll injects these dlls from the registry) the dll simply checks the firefox version
@shans2408 5 жыл бұрын
how can you people check a whole pe file statically? :/ I give up if it is longer than two screen-fulls. teach me, sensei!!
@Retrovergo 5 жыл бұрын
Great Job man
@Broughman9 5 жыл бұрын
Really enjoy your videos despite not really getting everything. Guess I need to start learning c#, .net etc. I follow along but I would really get stuck if it was me doing the task.
@kbhasi 5 жыл бұрын
4:45 Oh wow, the old Office 2003 UI kit thing. -5:57-- That was there since Windows 8, and I believe Internet Explorer is still in Windows 10 only for backward compatibility with older applications that use the Trident engine (which IE uses) in order to render Web content.- 6:15
@AmaroqStarwind 5 жыл бұрын
I like puzzles. I want to obfuscate a whole bunch of code that, when deobfuscated, literally just congratulations you for solving the puzzle.
@m42d 5 жыл бұрын
I got such a nostalgic feeling when you opened PEid.
@OthmanAlikhan 5 жыл бұрын
Thanks for the video =)
@pavelmisik4303 5 жыл бұрын
Nice video....I love your videos...
@JonJon2040 5 жыл бұрын
I think that if you find what is the vulnerability by analyzing the dll, you can search for something like "dll injection Firefox", etc. And you'll see approximately in what version it was fixed.
@jamesmadlangtuta3156 4 жыл бұрын
Right since every infection has a condition to meet.
@Mochi-kane 5 жыл бұрын
Very Thanks !!
@RogerBarraud 4 жыл бұрын
Impressive :-) Thanks!
@FamilienSoelberg 5 жыл бұрын
Flare-on 2018 was so hard. The hardest ever :-0. Took me a month to complete.
@overratedpancake9034 5 жыл бұрын
That was awesome! I'd love to be able to de this some day, is there a place where I can start learning the basics?
@jazminakarainy 5 жыл бұрын
idk w a single thing in this video but they are fun to watch
@syedumararfeen8146 5 жыл бұрын
I'm a simple man. I get notification of LiveOverFlow uploading a video. I watch.
@syedumararfeen8146 5 жыл бұрын
PS ~ F
@martinpaul3383 5 жыл бұрын
Same here.
@MoBeigi 4 жыл бұрын
Off the top of my head, maybe using the latest Firefox version matching any datestamp found inside the binaries/strings?
@therealb888 5 жыл бұрын
Damn that’s such a complex challenge! Feeling dumb :( But at least learnt something. Gong to need a few more attempts to learn this well...
@blueelvis2698 5 жыл бұрын
As I remember the dll hooking some function to inject the javascript. In newer version of firefox those functions don't exist so it failed :)
@xseman Жыл бұрын
So if you update your Firefox because of some vulnerability, the old injected code may work on the latest version? It sounds like the upgrade should clear the cache every time you upgrade.
@mugundhanbalaji 5 жыл бұрын
@LiveOverflow you might already know this, to solve complicated key comparisons/generation, we can use Z3
@LiveOverflow 5 жыл бұрын
modelling this in z3 would have taken the at elast the sameamount or longer ;) Also: kzbin.info/www/bejne/iqHHdaRra7B7Z6s
@mugundhanbalaji 5 жыл бұрын
@@LiveOverflow ok, i was practicing z3 this week, totally forgot about that video, thanks again
@ducphanduy534 5 жыл бұрын
I don't recall the exact details of the code but the DLL does do version check of Firefox. If I recall correctly, it's any version before or equals to 40 that works. After the check, the DLL downloads the encrypted javascript from a pastebin and decrypts it.
@cone16v 5 жыл бұрын
1001000 1101111 1110100 1100101 1101100 111111 100000 1010100 1110010 1101001 1110110 1100001 1100111 1101111
@jamesmadlangtuta3156 4 жыл бұрын
Can you include all the softwares and tools you used there in the vid description? Thanks a lot 😁
@Masterrunescapeer 5 жыл бұрын
@LiveOverflow doesn't work in newer FF as web extensions don't allow JS injection (from FF Quantom on-wards). Was actually one of the big motivations of why we moved over. Too bad FF Quantum messed up multiple tab handler, it is annoying. We're finally getting it backed in.
@Kong_plays 5 жыл бұрын
Dont really understand, but it was interesting :)
@Calumg89 5 жыл бұрын
Could you have just set the model root to 1 and bypassed the need for reversing the password, or did the dll inject the extra stuff after the password was right?
@shersanginov1792 5 жыл бұрын
What are some other websites you guys recommend for challenges like flare-on.com?
@gcanary562 5 жыл бұрын
overthewire.org, hackthebox.eu
@user-hv5kk8tb7u 5 жыл бұрын
root-me.org is also great
@shersanginov1792 2 жыл бұрын
o
@elihillman8758 3 жыл бұрын
Me, a Firefox user: *I'm in danger*
@spruhspruhknallbummmann9724 5 жыл бұрын
Hey, ich studiere auch an der TU und wollte fragen ob du bei der IT-Sicherheits AG? Jeden Dienstag im TEL-Gebäude. Ich glaube die AG heißt Enoflag. Wäre richtig cool dich zu sehen :D
@videosambo01 4 жыл бұрын
Umm is this normal on ie because i have some kind of smiley in ie and avast or malvare bytes does not reconize it?
@redd_cat 5 жыл бұрын
A reminder that IE is not broken per se. It's designed like that.
@Android480 5 жыл бұрын
This stuff looks really fun, but totally out of my skill level at the moment. Do you have / know of any places to find beginner reverse engineering challenges?
@Kenny-xz4gw 5 жыл бұрын
vulnhub.com hackthebox.eu are good places to start. Helps to know basic linux commands and a little kali knowledge.
@derrickberg2825 5 жыл бұрын
Do you have a Discord channel? You should definitely make one!
@eventhorizon8014 3 жыл бұрын
10:00 'su' doesnt mean switch user, it means super user (root). The Linux command which switches to the root user. That's why sudo runs a command as root (super user do).
@qwertyqwerty-jp8pr 3 жыл бұрын
Yes but su can switch to other user too. It doesn't need to be root
@qwertyqwerty-jp8pr 3 жыл бұрын
Also, su stands for substitute user
@270jonp 5 жыл бұрын
I cant speak for the .exe as i skipped that during my run. However there was no easy way to figure out the version needed for the .dll other than realizing that it must have been patched. Personally I found twitter to be fairly useful and not really giving away anything.
@UrbanaticLemonade 5 жыл бұрын
nothing understood, but super cool video
@asailijhijr 3 жыл бұрын
Does the requirement for the older version relate to Firefox x64 vs x86 ?
@ErikUden 4 жыл бұрын
I could imagine someone just had the old Firefox because he didn't use a virtual machine as advised.
@Menaceirl 5 жыл бұрын
Would you please make a video (or post) at least listing all the software you use? (and preferably what you find them most useful for)
@Mxmnt 5 жыл бұрын
bit late, but laughed that it uses ConfuserEx to obfuscate the application. Easy to tell by the "ConfusedByAttribute" as well as the decrypting, decompressing method. Also, dnspy is a lot better for reversing .NET applications. It has a clean GUI, stable, gets updated a bit, a IL Viewer; which can be handy in removing anti-debugging calls, such as CheckRemoteDebuggerPresentEx, and more functionality.
@somedudeonyoutubefrfr 5 жыл бұрын
Hallöle ^^ Ich interessiere mich schon seit einigen Jahren für das Thema... Nun, da ich jetzt weiß, dass man "einfach" an solchen CTF's teilnehmen kann: Könntest du mir "Beginner"-CTF's vorschlagen, um in das Thema noch besser rein zu kommen? Mit freundlichen Grüßen, R00T
@djrick1999 5 жыл бұрын
Heard on some other video that an older version of firefox had an java injection leak
@melihcelik9797 2 жыл бұрын
Can someone explain why the dll was loaded to Firefox's memory map? I mean surely firefox did not request that dll and that dll wasn't even in the firefox folder. How does it get loaded with firefox?
@neontiger2007 3 жыл бұрын
JAJJAAJAJAJAJ 11:21 "Awghh... F!" so funny. I'm just discovering your videos! All of these things you explain are amazing! Even to devs like with some years on the back! :D Super pedagogical, fun, talking pretty advanced shit (I come from the XSS video series you made, so rad) looks like a pretty deserved subscribe, that material must be assimilated by my mind. Greetings from Argentina!
@h3xad3cimaldev61 4 жыл бұрын
5:48 me laughing my ass off knowing that I have been using Windows for years
@BarryMcCock 5 жыл бұрын
What is your current computer setup?
@centdemeern1 5 жыл бұрын
A trainer wants to battle: You were challenged by elder Internet Explorer
@kamilgowacki568 5 жыл бұрын
5:16 >this entry point It must be encrypted
@Sollace Жыл бұрын
My guess is they knew you needed to use an older version of Firefox because the malware is installed as an extension and in one of their updates Mozilla removed support for most of the old extension apis.
@mircoheitmann 5 жыл бұрын
what would we do if the web shell didn't have sl
@RobinObinray 5 жыл бұрын
Google for solutions?
@user-qe3fh9lw5y 4 жыл бұрын
Any good suggestions of a good /r/ for this community?
@Sollace Жыл бұрын
Weird. I've never seen someone exploring the start menu links with the file explorer before. People normally just use the start menu to look at start menu entries.
@mirteb.1788 5 жыл бұрын
So is this exploit for Firefox universally, like on Linux or Mac. Cuz I'm worried now
@mirteb.1788 5 жыл бұрын
Nvm probably not
@LiveOverflow 5 жыл бұрын
no, it's a malware.
@Janrupf 5 жыл бұрын
Well, I think it would be possible todo this on other platforms too, however, its not very likely to happen: 1. It was a Windows only Software 2. Its not that easy (for an application, ofcourse there are the PRELOAD variables on Mac and Linux) to inject some code into firefox 3. Looks like that has been patched in firefox or at least the injection doesn't work anymore. Still, it is possible
@LiveOverflow 5 жыл бұрын
There is nothing firefox can do to prevent this. The reason why it doesn’t work in a newer firefox versions are certainly just compatibility issues. The malware was not written to support these changes.
@grave0x 5 жыл бұрын
@@LiveOverflow exactly. Firefox still loads user32.dll which is the injection point
@DMWatchesYoutube 5 жыл бұрын
Doesn't that mean you could use older versions of Firefox to mess with the newer versions?
@gamechannel1271 5 жыл бұрын
*Sees ".dll" in the title* - oh, you mean Firefox for Windows. Gotcha. *Continues to only use Linux.*
@spooles 4 жыл бұрын
The DLL loading behaviour if due to Firefox dropping support for native NPAPI (Netscape) style plugins. You cannot load them anymore since Firefox 52 I think. Browser extensions nowadays are written in JS.
@LiEnby 3 жыл бұрын
but there is still Adobe Flash capability back then .. so how does that work?
@LiEnby 3 жыл бұрын
but there is still Adobe Flash capability back then .. so how does that work?
@chrisw1462 4 жыл бұрын
You say Character correctly, so why the blank do you use a soft 'ch' for functions NAMED AFTER THAT WORD????
@xTunio 5 жыл бұрын
15:06 When you have watched entire Taran Van Hemert's BIG TUTORIAL
@DarkGT 5 жыл бұрын
He is missing the multiple layers of effects and transitions and his screen looks much cleaner.
@TheActualTed 5 жыл бұрын
Can someone explain the part of code with XOR statement? I thought ^ is the symbol for AND / conjuction and don't really understand how it works.
@LiveOverflow 5 жыл бұрын
In programming languges ^ is often XOR. It doesn’t follow the mathematical logic notation. An AND would be &&
@no-trick-pony 5 жыл бұрын
It depends on the programming language - in JavaScript ^ is the XOR operator (as it's in many other languages). XOR is just another logical operator like AND/OR/NOT and is the "either/or"-function. Look up the truth table for it. ^^ It is a very intersting function, because its inverse is XOR too. So, if you XOR two bits and get a third one, you can XOR this third one with any of the other two to retrieve the third one. This concept is very useful and used for RAIDs to duplicate data.
@LKD70 5 жыл бұрын
The smiley face got me LOL
@dracenmarx 2 жыл бұрын
Why does Firefox load a DLL that is stored in Internet Explorer's folder?
@seanscon 5 жыл бұрын
bruteforce all the versions ?
@filipstamcar6553 5 жыл бұрын
How that malware works? Why is it stored in Internet Explorer DLL file? Does old Firefox versions use it? Why it does not work in newer versions of Firefox and Chrome?
@RichterVonFuchs 5 жыл бұрын
How does it work? There's a library called user32.dll, a very basic windows library that is used in GUI programs. There's a registry key in charge of what libraries get loaded with user32.dll and the malware injects browserassist.dll into that registry to be called when a program uses user32.dll. The reason why it affects older version of firefox because the malicious software is specifically checking every software that uses user32.dll and if that program is firefox.exe it'll check what version it is and if it's version 55 or below it'll run the rest of the code. Most likely it only affects those version because they programmed the exploit to only effect those because it was fixed after version 55 or firefox became too different for their code to work after 55 or 55 was the latest version when the malware was made. At this point the malware was modified to have custom injection exclusively for flare-on.
@filipstamcar6553 5 жыл бұрын
So theoretically it could also attack new versions or other browsers?