Recently, there have been a series of high profile attacks using browser extensions. Having dealt with this threat vector in the past, we here at FortiGuard Labs decided to conduct a large-scale study of browser extensions.
Before diving into the results, we want to make a distinction between two seemingly similar browser technologies: browser plugins and browser extensions. Both are mechanisms that allow an end user to customize their browser to suit their needs, however there are some fine distinctions between them.
A Deep Dive into The Data Set
Figure 1 shows the content of a typical Chrome extension, while Figure 2 displays a Firefox extension.
Figure 1 Content of a typical Chrome extension
Figure 2 Content of a typical Firefox extension
Note that while Firefox extensions are regular Zip files, Chrome extension’s Zip files also have a special header, as shown below. This special header contains hashes and signatures for the associated ZIP file to ensure its integrity and validate its origin.
Figure 3 Chrome extension header started with magic string Cr24
Intuitively speaking, Chrome extensions are more secure than Firefox extensions thanks to the use of a permissions system (similar to Android’s) as well as a more thorough vetting process. Conversely, Firefox extensions allow for richer browser customizations (e.g. flashing a popup when a store has cashback, a password manager etc.)
To assess the risk posed by browser extensions, we gathered 6447 Google Chrome extensions and 2721 Mozilla Firefox extensions. We collected this data set during July/August of 2017 from VirusTotal (VT). In total, the size of this data set was 52,881 MB.
Once they were collected, we analyzed and ranked them according to the number of hits on VT. For reference, a hit on VT indicates that an antivirus (AV) vendor has scanned a particular extension and given it a malicious verdict. While a single verdict from an individual AV vendor may be a false positive or a false negative, VirusTotal aggregates results from a number of antivirus products, which means that according to the laws of statistics any documented VT hits are asymptotic of ground truth. Specifically, a high level of recorded VT hits is a strong indicator of maliciousness, and vice versa. Chart 1 shows the VT hits for Chrome extensions, while chart 2 is for Firefox.
Conclusions that can be drawn from these charts:
- The majority of the samples we analyzed were benign. As can be seen in the charts above, approximately 80% of the samples for either browser had less than or equal to 3 hits on VT.
- Malicious samples account for a relatively low percentage of total samples. In fact, when we count the number of samples that have greater than or equal to 15 hits on VT, the result is surprisingly low. For Google Chrome the result is 82 and the number is 292 for Firefox.
- Of those malicious samples, most are PUP/adware, with many being variants of the following adware family: Mplug, Bettersurf, RelevantKnowledge, and Diplugem
One interesting family of adware is Bettersurf. We investigated this adware deeper and observed that the code pattern is the same across all the samples. It appears that the adware authors use some kind of generator in order to keep spamming the extension store. Even more interesting, we found that even though the domain (jscripts.org) has expired, new samples still continue to use the old domain. Obviously, the domain is down so the adware is not working anymore. But if it were to come back online, these now dormant adware extensions would once again become active.
Figure 4 Bettersurf
Figure 5 Expired Domain
Overall, our findings strongly suggest that during the same period of time there were more PUP attacks targeting Mozilla Firefox than Google Chrome. This conclusion further confirms our initial assumption above that Chrome extensions are more vetted, and therefore more secure than Firefox extensions. And with the introduction of extra protections we expect that in the future there will be even fewer malicious extensions found in the Chrome store than in the Firefox store, even though Firefox has also recently some countermeasures.
FortiGuard's suite of security services are ready to handle this “new” threat vector:
- FortiGuard Antivirus service detects malicious browser extensions. (e.g. BetterSurf is detected as Adware/BetterSurf)
- Fortinet's FortiGuard Web Filtering service blocks and tags all download URLs as malicious.
- FortiSandbox’s customers can create customized VMs to scan unknown samples.
Our study shows that recently discovered malicious extensions seem to be isolated incidents and not a new threat trend. However, the bad guys always try to avoid the well-trodden paths and find creative ways to circumvent protection mechanisms. Which means that browser extensions still remain a potential vector for motivated cyber criminals. The FortiGuard Lion Team will continue monitoring this threat vector and keep everyone updated if details change.
-= FortiGuard Lion Team =-
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.