High Performance Network Security, Enterprise and Data-Center Firewall

An Anti-Virus Analyst's Day (or Hour) into Firefox OS

by Axelle Apvrille  |  July 30, 2012  |  Category: Security Research

[Screenshot: the CrackMe's main screen running on Firefox OS]

I had always wanted to look into Firefox OS. It's done: I created my first application. What kind of application does a reverse engineer write as a first app? A CrackMe, of course. You can try it: the sources are available here. But honestly, it is really a very (very) simple CrackMe, as my real goal was to get acquainted with Firefox OS and to understand the possible risks in terms of malware.

We, anti-virus analysts, won't need disassemblers or decompilers for Firefox OS malware

That's cool, isn't it (although part of the mystique of our job is disassembling and reading hexadecimal as a mother tongue)? We won't need disassemblers because Firefox OS applications do not use or introduce any executable format. Apart from resources (images, icons...), applications are made only of human-readable elements: HTML5 web pages, JavaScript and a manifest. They can be distributed as "packaged applications", where all those elements are zipped into a single archive, or as "hosted applications", where the components of the application are served from a website.

Malware authors are going to re-use their HTML and JavaScript malware

Typically we're going to face IFrames and JavaScript redirectors. IFrames are inline frames, i.e. an HTML document embedded in another HTML document. Malware authors have been using them for a long time to inject and hide malicious code in a genuine web page (e.g. JS/Iframe.HH!tr), usually as a zero-sized or invisible frame pointing at a site they control, while a redirector is a script that sends the visitor there directly.

Hello phishing!

Web-based applications also mean a good opportunity for malware authors to use phishing: a minor modification in a web address redirects the victim to a malicious website instead of the real one. For example, imagine domain squatting of Facebook. If Facebook hosts its application at hxxp://facebook.firefox.os.application.com, then chances are malware authors will host their malware at hxxp://facebook.firefox.os.applications.com (have you spotted the difference? one extra 's'), and so on.

Beware infested icons

Finally, another option malware authors might contemplate is the use of malicious resources. As an anti-virus analyst, I'll make sure at least to run a 'file' command on the application's images, just in case 'icon.png' actually holds an executable. That hidden executable could then be launched from the malware's JavaScript (e.g. oShell.ShellExecute(commandToRun, commandParms, ...) where a shell object is exposed to scripts, as with Windows Script Host; a Firefox OS web application has no such API, so on the phone the payload would still need some other way to get executed).

Oh? My neighbour has installed Accuweather...

As I said previously, everything is web-based. So, unless the communication is secured by HTTPS, all your actions end up in clear text in HTTP requests. For instance, anybody with access to a network sniffer will know which applications I install. In the screenshot below, I installed Accuweather; the log shows the application's manifest being retrieved. I am surprised that Firefox OS does not require a secure protocol for installations. Android authenticates its communications with Google Play. Why not at least do the same? Why not take advantage of HTTPS? I was expecting more privacy from an OS which emanates from Mozilla :(

[Screenshot: sniffer log of the Accuweather installation, showing the application's manifest being fetched]

To conclude, I'm disappointed by Firefox OS. This "web for all" strategy does not suit me (I don't like to 'depend' on the Internet). From a security and privacy point of view, we already had a hard time securing the web, and JavaScript is certainly not renowned for its security... Why then base all Firefox OS applications on the Web + JavaScript? It looks to me like we're going down the wrong path.

-- the Crypto Girl
