The Listening

This document summarizes a presentation about creating a backdoor in the Thunderbird email client using extensions. It describes how the backdoor would check for encrypted commands in images attached to emails, execute commands on the system by hiding output in email messages, and avoid detection through techniques like modifying existing extensions and bypassing extension updates. The goal is to achieve persistence and covert communication by taking advantage of users' trust in their email client and installed extensions.

Uploaded by omar2022

The Listening

Email Client Backdoor

Esteban Guillardoy
[email protected]

Introduction

This presentation will focus on a backdoor implementation based on Thunderbird 3.x
A different approach, taking advantage of the addon/extension features
How to make it persistent and hide the C&C by using steganography

Demo

How cool is this presentation? It is starting with a demo :)

How all this started

Never leave the office without locking your session - FAIL!

Malicious Brainstorming...

Adapting the idea

Web Browsers are commonly targeted
But Email Clients are not
Why not use this as a real backdoor?

The challenge

Targets go on and off
Covertness without losing reliability
Routing the data
Stealthiness
Resistance to traffic analysis
No suspicious open ports
Avoid antiviruses & scanners
Thinking of future trojans

Why an email client

Don't you use one? Is it Thunderbird?

Email Client Extensions

Only Thunderbird 3.x for now: a multiplatform backdoor out of the box
Trusted code
Full access to all client functions
Program execution
Easy development
Solves part of the challenge for us

Backdoor controlled by simply sending emails

Features

Doesn't require user interaction
Hidden C&C using steganography on images
Encryption using public & private key
Processes every email that arrives at the client
Predefined Actions
Command execution with output retrieval

Mozilla Addons/Extensions

Basic structure:
/components/*
/content or /chrome/content
/defaults/preferences/*.js
/chrome.manifest
/install.rdf

Development

Must have tools:
Firebug + ChromeBug
Extension Developer
Chrome List
Extension Manager Extended
Console2
Inspector Widget
DOM Inspector
MozRepl
Event Spy
XPCOMViewer

How it works

Email Check

Listener on notification service:

    var notificationService = Components.classes["@mozilla.org/messenger/msgnotificationservice;1"]
        .getService(Components.interfaces.nsIMsgFolderNotificationService);
    // register this object as an nsIMsgFolderListener for the msgsClassified event
    notificationService.addListener(this, notificationService.msgsClassified);

Our method gets called with each new email

Filter messages by checking attachments:

    attachment.contentType.match(/image\/png/) != null

Encryption

Private & Public key algorithm (PGP)

Used to send commands & output

Implementation in Javascript

Wrapper around gnupg in Python

Hiding Information

Steganography on images to hide the info
Who applies steganalysis on every image attached to an email?
The common approach is to block external images from loading

[Figure: original image and the modified image carrying the message "INFILTRATE 2011"]

Hiding Information

Least Significant Bit (LSB) algorithm

[Figure: the byte for "a" = 0 1 1 0 0 0 0 1 written into the least significant bits of consecutive pixel channels, the first pixel carrying 0 1 1]

We need 3 pixels per byte to hide (one bit in each of the R, G and B channels gives 3 bits per pixel)
If the image is greyscale we could use more than 1 bit per pixel

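As an added example (not the presentation's code), the LSB scheme above written the way an analyst would use it on a suspect PNG attachment: compute the capacity, read back the LSB plane and test whether it decodes to text. Pixels are plain (r, g, b) tuples rather than PIL objects so it runs stand-alone; the cover image, payload and function names are constructed for this example.

```python
# Added example, not the presentation's code: work with the LSB plane of an RGB
# image as an analyst checking a suspect attachment would. Pixels are plain
# (r, g, b) tuples so this runs without PIL; all inputs are constructed.

def lsb_capacity_bytes(width, height, channels=3, bits_per_channel=1):
    """One LSB per channel is 3 bits per RGB pixel, i.e. 3 pixels (9 bits)
    per hidden byte, matching the slide's '3 pixels per byte'."""
    return width * height * channels * bits_per_channel // 8

def lsb_embed(pixels, payload):
    """Write payload bits, MSB first, into the LSB of successive channels.
    Used here only to build the sample stego image for the analysis below."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    flat = [c for px in pixels for c in px]
    if len(bits) > len(flat):
        raise ValueError("payload exceeds LSB capacity")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def lsb_extract(pixels, nbytes):
    """Read nbytes back from the LSB plane, channel by channel."""
    flat = [c & 1 for px in pixels for c in px]
    out = bytearray()
    for i in range(nbytes):
        chunk = flat[i * 8:(i + 1) * 8]
        if len(chunk) < 8:
            break
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def looks_like_text(data):
    """Analyst heuristic: the LSB plane of a photo is close to noise, so
    a run of printable ASCII in it deserves a closer look."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)

# Constructed 8x8 cover image with a smooth gradient; real images vary.
COVER = [((10 * i) % 256, (7 * i) % 256, (3 * i) % 256) for i in range(64)]

def demo():
    """Embed the slide's message, recover it, and show the cover stays within
    one level of the original in every channel (why LSB is visually invisible)."""
    stego = lsb_embed(COVER, b"INFILTRATE 2011")
    recovered = lsb_extract(stego, 15)
    max_delta = max(abs(a - b) for p, q in zip(COVER, stego) for a, b in zip(p, q))
    return recovered, max_delta, looks_like_text(recovered)
```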
Hiding Information

Python Implementation
Using Python Imaging Library (PIL)
Some bitwise operations and we are ready

Javascript Implementation
Hidden iframe to create a HTML5 canvas element
Retrieve pixel info with:

    var context = canvas.getContext('2d');
    var data = context.getImageData(0, 0, canvas.width, canvas.height);
    // data.data is a flat RGBA array, 4 bytes per pixel

Execution

Using XPCOM interfaces nsIProcess or nsIProcess2
Fix arguments to redirect output to a temp file
Read the temp file and then delete it

Getting Output

1) XMLHttpRequest

2) Sending an email
New email:
    Components.classes["@mozilla.org/messengercompose;1"]
    Components.classes["@mozilla.org/messenger/account-manager;1"]
Send it:
    Components.classes["@mozilla.org/messengercompose/compose;1"]
Delete it from the Sent folder

Deployment

Discover profiles by reading profiles.ini:
Windows, usually in %AppData%\Thunderbird\
Linux, usually in ~/.thunderbird/ or ~/.mozilla-thunderbird/
Mac OS X, usually in ~/Library/Thunderbird/

Deployment - Injecting Existing Addon

1) Installed addons are listed in %profile-dir%/extensions.ini
2) Copy backdoor into %selected-addon%/content/
3) Edit chrome.manifest:
    overlay chrome://messenger/content/messenger.xul chrome://selected-addon/content/backdoorOverlay.xul

Hard to detect
User trusts installed addons
Addon updates are a problem

Deployment - New Addon

1) Copy backdoor into the TB extensions folder
2) Create a file with a random name (a uuid)
3) Write the path to the backdoor folder into it

May be easily detected by looking at the Extensions Manager
But we can use a trick to hide it

Deployment alternatives

Install Manifest (install.rdf)
<em:updateURL>
<em:updateKey>

Mozilla Addons Updates
1) Update manifest retrieved in a secure fashion
   Through SSL
   Signed Update Manifests
2) Update package retrieved matches
   Through SSL
   File Hashes

Publishing on Mozilla Addon Site (AMO)
Policies & Review Process
Sandbox then public
Blocklist

Deployment alternatives

MITM to deliver fake updates
(P)Owning widely used addon sites (?)
Become a reviewer for a long time (?)
Using Mozilla cert to sign updates #comodogate :P

Zamboni project (new AMO site)
Source code available
https://github.com/jbalogh/zamboni
https://github.com/mozilla/zamboni

Audit the code and test you said?
Master visible on https://preview.addons.mozilla.org
Next branch visible on https://next.addons.mozilla.org

Avoiding detection

<em:hidden> deprecated since Gecko 1.9.2

Hooking Extensions Manager
Overlay for chrome://mozapps/content/extensions/extensions.xul
Some javascript code to filter our extension out of the list built by chrome://mozapps/content/extensions/extensions.js

Avoiding detection

Skip updates by editing the install.rdf file:
    <em:updateURL>FAKE URL HERE</em:updateURL>
This url could also be used to update our backdoor

Disabling extension updates globally:
    extensions.update.enabled
    extensions.update.interval
    extensions.update.url

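The "Injecting Existing Addon" and "Avoiding detection" slides leave three artefacts in the profile: an extra overlay line in an addon's chrome.manifest, a placeholder em:updateURL in install.rdf, and update prefs forced off in prefs.js. As an added example (not the presentation's code), the checks a defender can run over those files; the manifest, prefs.js and install.rdf fragments and the "myaddon" package name are constructed for this example.

```python
# Added example, not the presentation's code: defender-side checks for the
# artefacts the injection and anti-update slides rely on. Sample manifest,
# prefs.js and install.rdf fragments are constructed; on a real system the
# profile and addon paths come from profiles.ini / extensions.ini.
import re

MESSENGER_XUL = "chrome://messenger/content/messenger.xul"
UPDATE_PREFS = ("extensions.update.enabled",
                "extensions.update.interval",
                "extensions.update.url")
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
UPDATE_URL_RE = re.compile(r"<em:updateURL>\s*(.*?)\s*</em:updateURL>", re.S)

def overlay_entries(manifest_text):
    """All (target, source) pairs from 'overlay <target> <source>' lines."""
    out = set()
    for line in manifest_text.splitlines():
        parts = line.strip().split()
        if len(parts) == 3 and parts[0] == "overlay":
            out.add((parts[1], parts[2]))
    return out

def added_messenger_overlays(baseline_manifest, current_manifest):
    """Overlays of the main messenger window present in the installed
    chrome.manifest but absent from the addon's pristine package (its
    original .xpi): exactly the line the injection slide adds."""
    added = overlay_entries(current_manifest) - overlay_entries(baseline_manifest)
    return sorted(src for tgt, src in added if tgt == MESSENGER_XUL)

def update_prefs_overridden(prefs_text):
    """Update-related prefs forced in prefs.js; 'enabled' set to false or a
    rewritten 'url' stops the addon updates that would replace the hooked files."""
    return {name: value.strip() for name, value in PREF_RE.findall(prefs_text)
            if name in UPDATE_PREFS}

def suspicious_update_url(install_rdf_text):
    """True when install.rdf carries an em:updateURL that is not an https URL,
    e.g. the 'FAKE URL HERE' placeholder used to skip updates. No updateURL at
    all is normal for AMO-hosted addons, so that case is not flagged."""
    m = UPDATE_URL_RE.search(install_rdf_text)
    return m is not None and not m.group(1).startswith("https://")

# Constructed samples; 'myaddon' is a hypothetical addon chrome package name.
BASELINE_MANIFEST = ("content myaddon content/\n"
                     "overlay chrome://messenger/content/messenger.xul "
                     "chrome://myaddon/content/myOverlay.xul\n")
INJECTED_MANIFEST = BASELINE_MANIFEST + ("overlay chrome://messenger/content/messenger.xul "
                                         "chrome://myaddon/content/backdoorOverlay.xul\n")
PREFS_JS = ('user_pref("extensions.update.enabled", false);\n'
            'user_pref("example.other.pref", 1);\n')
INSTALL_RDF = "<em:updateURL>FAKE URL HERE</em:updateURL>"
```

A baseline manifest comes from the addon's original .xpi (or a clean install), so the comparison flags only what was added after installation.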
Capabilities Demo

Getting PGP Information

Enigmail Addon commonly used

Hook enigMessageDecrypt

Prompt for passphrase twice

EnigGetSecretKeys & enigmailSvc.extractKey FTW

Match passphrase with ID

Improvements

Better steganography algorithms

Unicode steganography

Inject all addons

More methods to get output

Alternative uses

Building a SPAM controlled botnet

others?

Conclusion

Complete SDK to develop

Global scope useful for us

Multiplatform backdoor

Hijacked extensions are hard to detect

Execution with common user but..

Further research on other email clients

Reference & Similar work

Mozilla Developer Network
mozillaZine KB & Forum
StackOverflow questions

Immunity PINK Framework
Abusing Firefox Addons at Defcon17
Digininja twitter botnet (unicode steg)
IronGeek steg botnet

The End

Thank you for your time

Questions?

Esteban Guillardoy
[email protected]
@sagar38
