by RSS Minh Tran  |  Sep 14, 2017  |  Filed in: Security Research

Introduction

Recently, there have been a series of high profile attacks using browser extensions. Having dealt with this threat vector in the past, we here at FortiGuard Labs decided to conduct a large-scale study of browser extensions.

Before diving into the results, we want to make a distinction between two seemingly similar browser technologies: browser plugins and browser extensions. Both are mechanisms that allow an end user to customize their browser to suit their needs, however there are some fine distinctions between them.

The former primarily deals with high performance content, like Flash, while the latter is mainly used for browser and page customization. As a result, browser plugins are typically written in languages like C++ and then compiled down to native code (for speed), while browser extensions are mostly implemented in JavaScript. Further, browser plugins interact with the browser using native APIs like NPAPI, while browser extensions invoke the browser’s services using a series of provided runtime objects (e.g.  XUL  and Components.classes). A thorough discussion of this subject matter is out of the scope of this work. But suffice is to say that since browser add-ons and extensions can access low-level APIs, and are not constrained by the same origin policy (SOP), they are highly privileged and can be exploited and/or abused by bad guys, as evidenced by the string of recent attacks. In our research we focused on browser extensions, specifically extensions from two of the most popular browsers: Google Chrome and Mozilla Firefox.

A Deep Dive into The Data Set

Extensions from Google Chrome and Mozilla Firefox share many similarities. Each browser has their own 'store' (the Chrome Web Store and "Add-ons for Firefox"), where users can select extensions. Both write extensions in JavaScript, and both include a manifest file to describe their content.

Figure 1 shows the content of a typical Chrome extension, while Figure 2 displays a Firefox extension.

Figure 1 Content of a typical Chrome extension

Figure 2 Content of a typical Firefox extension

Note that while Firefox extensions are regular Zip files, Chrome extension’s Zip files also have a special header, as shown below. This special header contains hashes and signatures for the associated ZIP file to ensure its integrity and validate its origin.

Figure 3 Chrome extension header started with magic string Cr24

Intuitively speaking, Chrome extensions are more secure than Firefox extensions thanks to the use of a permissions system (similar to Android’s) as well as a more thorough vetting process. Conversely, Firefox extensions allow for richer browser customizations (e.g. flashing a popup when a store has cashback, a password manager etc.)

To assess the risk posed by browser extensions, we gathered 6447 Google Chrome extensions and 2721 Mozilla Firefox extensions. We collected this data set during July/August of 2017 from VirusTotal (VT). In total, the size of this data set was 52,881 MB.

Once they were collected, we analyzed and ranked them according to the number of hits on VT. For reference, a hit on VT indicates that an antivirus (AV) vendor has scanned a particular extension and given it a malicious verdict. While a single verdict from an individual AV vendor may be a false positive or a false negative, VirusTotal aggregates results from a number of antivirus products, which means that according to the laws of statistics any documented VT hits are asymptotic of ground truth. Specifically, a high level of recorded VT hits is a strong indicator of maliciousness, and vice versa. Chart 1 shows the VT hits for Chrome extensions, while chart 2 is for Firefox.

Conclusions that can be drawn from these charts:

  • The majority of the samples we analyzed were benign. As can be seen in the charts above, approximately 80% of the samples for either browser had less than or equal to 3 hits on VT.
  • Malicious samples account for a relatively low percentage of total samples. In fact, when we count the number of samples that have greater than or equal to 15 hits on VT, the result is surprisingly low. For Google Chrome the result is 82 and the number is 292 for Firefox.
  • Of those malicious samples, most are PUP/adware, with many being variants of the following adware family: Mplug, Bettersurf, RelevantKnowledge, and Diplugem

One interesting family of adware is Bettersurf. We investigated this adware deeper and observed that the code pattern is the same across all the samples. It appears that the adware authors use some kind of generator in order to keep spamming the extension store. Even more interesting, we found that even though the domain (jscripts.org) has expired, new samples still continue to use the old domain. Obviously, the domain is down so the adware is not working anymore. But if it were to come back online, these now dormant adware extensions would once again become active.

Figure 4 Bettersurf

Figure 5 Expired Domain

Overall, our findings strongly suggest that during the same period of time there were more PUP attacks targeting Mozilla Firefox than Google Chrome. This conclusion further confirms our initial assumption above that Chrome extensions are more vetted, and therefore more secure than Firefox extensions. And with the introduction of extra protections  we expect that in the future there will be even fewer malicious extensions found in the Chrome store than in the Firefox store, even though Firefox has also recently some countermeasures.

Solution

FortiGuard's suite of security services are ready to handle this “new” threat vector:

  1. FortiGuard Antivirus service detects malicious browser extensions. (e.g. BetterSurf is detected as Adware/BetterSurf)
  2. Fortinet's FortiGuard Web Filtering service blocks and tags all download URLs as malicious.
  3. FortiSandbox’s customers can create customized VMs to scan unknown samples.

Conclusion

Our study shows that recently discovered malicious extensions seem to be isolated incidents and not a new threat trend. However, the bad guys always try to avoid the well-trodden paths and find creative ways to circumvent protection mechanisms. Which means that browser extensions still remain a potential vector for motivated cyber criminals. The FortiGuard Lion Team will continue monitoring this threat vector and keep everyone updated if details change.

-= FortiGuard Lion Team =-

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.

by RSS Minh Tran  |  Sep 14, 2017  |  Filed in: Security Research