A malicious Mozilla Firefox extension may be enlisting thousands of PCs into a botnet that scours the Web for vulnerable pages, which can then be targeted by automated SQL injection attacks. The extension masquerades as a legitimate add-on and is planted on machines that are already compromised rather than through a flaw in Firefox itself. Although discovered only recently, the botnet may have been active since May 2013.
Automated SQL injection remains one of the top risks to application security, and the Firefox botnet is an innovative twist on old tactics. In an SQL injection attack, input that a Web application pastes into a database query is crafted so that the database parses part of it as SQL, letting the attacker run queries the application never intended. After that, the attackers can steal sensitive information from the compromised databases, or turn the site’s pages into hosts for drive-by malware attacks that propagate the infection.
Although many developers are becoming more aware of how to prevent and contain SQL injection attacks, the recent discovery is a reminder that security professionals must encourage Web browsing best practices. Users should always update Web browsers, run anti-malware software and scrutinize every extension they install. Additionally, programmers must keep user input out of SQL text by using parameterized queries, and must give the application’s database account only the privileges it needs, since a database reached through an injectable query will otherwise hand over anything that account is allowed to read.
Similar recent incidents underscore the importance of staying on top of browser security. Last summer, an exploit that took advantage of outdated Firefox versions exposed users of the anonymous Tor network. Alongside the botnet, this exploit demonstrates that desktop Web browsing is still a weak point in many security perimeters and deserves more attention even as businesses shift their focus to mobile computing.
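To make the mechanism and the fix concrete, here is an added example, not code from the original article or from the Advanced Power operators, that builds a throwaway SQLite database from constructed rows and runs the same lookup two ways: with the caller’s value pasted into the SQL text, and with a parameterized query. The table, rows and payload strings are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the article.
ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately injectable: the caller's value becomes part of the SQL text."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the driver binds the value separately, so it is only ever
    compared as a string and never parsed as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Two classic payloads (assumed for illustration). The first turns the WHERE
# clause into a tautology and dumps every row; the second appends a UNION that
# reads the schema catalogue, the kind of "fetch anything on the server" access
# the text warns about. The trailing -- comments out the application's own quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, sql FROM sqlite_master--"


def demo():
    """Run both lookups against a normal value and both payloads."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION_DUMP),
        "parameterized_normal": lookup_parameterized(conn, "bob"),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "parameterized_union": lookup_parameterized(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized lookup returns nothing for either payload because the whole string is compared against the name column; the injectable one returns all three rows for the tautology and the table definition for the UNION. Binding parameters removes the injection; restricting the database account to the tables and operations the application actually needs limits what a bug that slips through can reach.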
Malicious browser extensions require more attention from security vendors
Browser extensions have taken off over the past few years, with Google Chrome, Apple Safari and Mozilla Firefox leading the way. However, many security products still lack adequate defenses against malicious code hiding in these extensions, and the Firefox botnet is but one example of an emerging trend.
For example, financial fraud prevention programs, sandboxing software and some security suites neither seek out nor block malicious extensions. Although some of them provide good security overall, their detection signatures can be circumvented with minimal modifications to the malicious software.
Some vendors have been slow to catch on to the dangers of extensions, especially in Firefox, which has not implemented a sandbox similar to the one in Chrome. Social engineering attacks can prod users to install malicious Firefox extensions that change the system’s Internet proxy settings and then install fake root certificates in Windows, which together let the attacker intercept the user’s HTTPS traffic. In this context, the recent botnet reveals the work that remains to be done in securing Firefox from rogue extensions.
Advanced Power botnet has enlisted thousands of PCs via Firefox extension
The Firefox extension in question feeds a botnet called Advanced Power. Once installed, it catalogs the sites the user visits and relays them to the botnet, which probes them for SQL injection vulnerabilities.
“[T]he purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites,” explained security researcher Brian Krebs. “According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.”
Krebs also noted that the extension is installed on systems running Mozilla Firefox that have already been infected by Advanced Power. The mechanics of this initial infection are unclear, although it’s possible that social engineering and/or phishing tactics are involved. The malicious extension is called “Microsoft .NET Framework Assistant,” mimicking the name of a legitimate Firefox add-on. Mozilla has since added the malicious extension to its add-on blocklist.
Advanced Power includes a component for stealing credentials and sensitive data from infected machines, but it has not been activated. The bots also test only the sites their victims actually visit rather than crawling the Internet at large; the 1,800 vulnerable Web pages are what that scanning has turned up so far.
Advanced Power takes SQL injection attacks to a different level
For cybercriminals, the basic problem with conducting SQL injection attacks is finding actual vulnerabilities. Attackers often have little visibility into a site’s functions, and they need well-formed requests to its real endpoints before they can learn much. Manually probing websites for weaknesses is therefore a time-consuming process, but Advanced Power provides a way to test request parameters automatically and at much greater scale: every page a victim loads is a valid request, with real parameter names and values, that the bot can mutate.
“[T]he hackers are using valid requests within many sites that end-users themselves are feeding them,” explained Alex Holden, chief information security officer at Hold Security. “This is a much bigger sample than you would normally get. By no means is it a full regression test, but it is a deep and innovative approach.”
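The flip side of that approach shows up in a site’s own access logs: the probes arrive as mutations of requests real visitors made moments earlier, and a distributed scanner spreads them across many source addresses with only a few probes each. The following is an added example, not code from the article, Hold Security or the botnet, that scans constructed Common Log Format lines for parameter values that look like SQL injection probes, records whether each probe extends a benign value already seen for that parameter, and counts how many distinct sources probed each parameter. The log lines, signature patterns and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2013:10:01:02 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Dec/2013:10:01:05 +0000] "GET /product.php?id=42' HTTP/1.1" 500 312
198.51.100.7 - - [10/Dec/2013:10:03:11 +0000] "GET /product.php?id=42%20AND%201%3D1 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Dec/2013:10:03:12 +0000] "GET /product.php?id=42%20AND%201%3D2 HTTP/1.1" 200 870
192.0.2.9 - - [10/Dec/2013:10:07:40 +0000] "GET /product.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001
192.0.2.9 - - [10/Dec/2013:10:07:41 +0000] "GET /search.php?q=running+shoes HTTP/1.1" 200 2210
203.0.113.77 - - [10/Dec/2013:10:09:03 +0000] "GET /search.php?q=running+shoes HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic signatures of common injection probes (assumed; tune per application).
# A lone quote is noisy on free-text fields but a strong signal on numeric IDs.
PROBE_PATTERNS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "boolean": re.compile(r"\b(?:or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time": re.compile(r"\b(?:sleep|benchmark|waitfor)\b", re.I),
}


def parse_line(line):
    """Return (ip, path, params, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)  # also URL-decodes values
    return m.group("ip"), parts.path, params, int(m.group("status"))


def classify(value):
    """Names of the probe patterns a parameter value matches (empty if benign)."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(value)]


def find_probes(log_text):
    """Two passes: learn benign values per (path, param), then flag probes and
    note whether each one extends a value a real visitor already sent."""
    parsed = [p for p in map(parse_line, log_text.splitlines()) if p]
    benign = defaultdict(set)
    for _ip, path, params, _status in parsed:
        for key, value in params:
            if not classify(value):
                benign[(path, key)].add(value)
    probes = []
    for ip, path, params, status in parsed:
        for key, value in params:
            kinds = classify(value)
            if kinds:
                probes.append({
                    "ip": ip, "path": path, "param": key, "value": value,
                    "status": status, "kinds": kinds,
                    "derived_from_valid": any(value.startswith(b) for b in benign[(path, key)]),
                })
    return probes


def distributed_targets(probes, min_sources=2):
    """(path, param) pairs probed from at least min_sources distinct addresses,
    mapped to that count. Many sources with few probes each is the signature of
    a botnet doing the scanning rather than a single attacker."""
    sources = defaultdict(set)
    for p in probes:
        sources[(p["path"], p["param"])].add(p["ip"])
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for p in found:
        print(p["ip"], p["path"], p["param"], repr(p["value"]), p["status"], p["kinds"],
              "mutated-valid" if p["derived_from_valid"] else "novel")
    print("distributed:", distributed_targets(found))
```

On the constructed log every flagged value extends the benign `id=42` a visitor sent first, three different addresses each send only one or two probes against the same parameter, and one probe produced a 500 response, which is the error-based signal a scanner looks for. Per-IP rate limiting will not catch this pattern; correlating on the probed (path, parameter) pair across sources will.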
In a way, Advanced Power is a malicious variant of the Firefox extensions that passively test pages for SQL injection vulnerabilities. Site administrators may use such tools to gauge their exposure to SQL injection, which is a persistent threat to retail websites in particular. Some of these sites are under constant attack, and developers have taken notice.
Writing for InformationWeek, Jeff Williams stated that the Open Web Application Security Project (OWASP) regards injection as the number one risk to Web application security. However, the group of 1,000 developers who participated in the recent Secure Coder Analytics study were much better versed in preventing these attacks than others.
Advanced Power adds a new wrinkle to SQL injection attack strategy, but Web developers and security teams can build on a solid base of knowledge to keep up with it. The professionalization of cybercrime, as demonstrated by highly coordinated campaigns such as this Firefox botnet, raises the stakes for due diligence toward database and Web application security. Since operating system patches alone do nothing against a malicious extension running inside the browser, teams must encourage vigilance on the Web and select security solutions that scan for and block a wide range of threats, including malicious extensions.