Saturday, February 19, 2011

BrowserCheck - Malware Driven Retrospective

Recently, we came across the new browser security tool released by Qualys, called BrowserCheck. In general, this tool scrutinizes and verifies the state of plug-ins in the Mozilla browser. As the InformationWeek article states, "Less-than-current browser and plug-in versions can leave your browsing unnecessarily vulnerable to web-based attacks... and make latest-and-greatest-based web sites harder or impossible to use, but Qualys' free BrowserCheck can help."

Well, in general the tool is designed as a simple version-based signature tool. It uses a PHP-based version verifier script that runs on the server side, and an XMLHttpRequest is used to send the browser information to it, a technique we term User Agent Based Fingerprinting (UABF).

The same technique is used in the wild by all classes of malware to detect the state of the browser (version, add-ons, plug-ins, etc.), and the malware that is served is chosen according to the versions found. A similar plug-in detection script can be written using the navigator object.
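As an added example, not the post's own script and not Qualys' code, the following shows how such a navigator-based inventory can be written: it walks navigator.plugins, pulls a version string out of each plug-in's description, and assembles the record a server-side version verifier would receive. The record's field names and the sample navigator object are assumptions constructed so the code runs offline; in a browser you would pass window.navigator instead.

```javascript
// Added example (not code from the BrowserCheck post or from Qualys): a
// navigator-based plug-in inventory of the kind the post describes, written
// so the collection logic can be exercised offline against a constructed
// navigator-like object. In a browser, pass window.navigator.

// Pull a dotted version number out of a plug-in description or filename.
// Many plug-ins only expose their version inside the free-text description
// (e.g. "Shockwave Flash 10.2 r152"), so a regular expression is the
// practical route; a trailing "rNNN" release tag is folded into the version.
function extractVersion(text) {
  if (!text) return '';
  const m = text.match(/(\d+(?:[._]\d+)+(?:\s*r\d+)?)/);
  return m ? m[1].replace(/\s*r(\d+)$/, '.$1') : '';
}

// Walk navigator.plugins (an array-like PluginArray) and normalise each entry.
function collectPlugins(nav) {
  const out = [];
  const plugins = nav.plugins || [];
  for (let i = 0; i < plugins.length; i++) {
    const p = plugins[i];
    out.push({
      name: p.name,
      filename: p.filename || '',
      version: extractVersion(p.description) || extractVersion(p.filename),
    });
  }
  return out;
}

// Assemble the client-side record a version verifier would receive over
// XMLHttpRequest. The field names loosely mirror the captured output in the
// post; the exact wire format of BrowserCheck is an assumption here.
function buildFingerprint(nav) {
  return {
    Browser: nav.userAgent,
    Platform: nav.platform,
    Plugins: collectPlugins(nav),
  };
}

// Constructed navigator stand-in for offline testing. The values are made up
// and modelled on a 2011-era Firefox install; nothing here was captured.
const sampleNavigator = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.0; WOW64; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13',
  platform: 'Win32',
  plugins: [
    { name: 'Shockwave Flash', description: 'Shockwave Flash 10.2 r152', filename: 'NPSWF32.dll' },
    { name: 'Java(TM) Platform SE 6 U22', description: 'Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers', filename: 'npjp2.dll' },
    { name: 'Silverlight Plug-In', description: '4.0.60129.0', filename: 'npctrl.dll' },
    { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In For Firefox and Netscape "10.0"', filename: 'nppdf32.dll' },
  ],
};

// When run directly with Node, print the record that would be sent.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(buildFingerprint(sampleNavigator), null, 2));
}
```

Everything in the record is self-reported by the plug-ins themselves, which is the point the post builds towards: a verifier that only compares these strings against a signature list cannot tell a genuinely current plug-in from one that merely claims to be.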

We also observed that the tool uses JavaScript together with XMLHttpRequest to collect the information from the client machine. During testing, we ran a small check to see whether a Java applet is loaded on the system, in order to verify how the tool works. In general, the Java plug-in version can be checked with a simple Java applet as follows

import java.applet.*;
import java.awt.*;

public class JavaVersionDisplayApplet extends Applet {
    private Label m_labVersionVendor;

    public JavaVersionDisplayApplet() { // constructor
        // java.version holds the runtime version string, java.vendor the vendor name
        m_labVersionVendor = new Label(" Java Version: " + System.getProperty("java.version")
                + " from " + System.getProperty("java.vendor"));
        add(m_labVersionVendor); // attach the label so the applet displays it
    }
}

The Java client-side environment was not triggered on the test machine, which clearly indicates that the fingerprinting is done using simple tactics. While running the tool on one of our test-bed machines, we found that the data is transferred as

{"Platform":"Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 2","Browser":"Mozilla Firefox 3.6.13","AgentVer":"","SADllVer":"","InstanceId":"72904d0d-a58e-409d-afa3-922d1c8a71cd","ScanId":"5"},

"ScanResults":[{"Status":"Up To Date","ItemType":"Browser","ItemName":"Mozilla Firefox","FoundVer":"3.6.13","ProductVer":"3.6.13","RequiredVer":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Adobe Flash Player","FoundVer":"","InstalledFile":"c:\\windows\\syswow64\\macromed\\flash\\npswf32.dll","ProductVer":"","RequiredVer":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Adobe Reader","FoundVer":"","InstalledFile":"c:\\program files (x86)\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll","ProductVer":"","RequiredVer":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Java Runtime","FoundVer":"1.6.0_22","ProductVer":"1.6.0_22","RequiredVer":"1.6.0_24","RecommendedVer":"Latest Version of Java","AddonType":"Plugin","FixInfo":""},

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Microsoft Silverlight","FoundVer":"4.0.60129.0","InstalledFile":"c:\\program files (x86)\\microsoft silverlight\\4.0.60129.0\\npctrl.dll","ProductVer":"4.0.60129.0","RequiredVer":"4.0.60129.0",

{"Status":"NA","ItemType":"Browser Extra","ItemName":"Microsoft Windows Presentation Foundation","FoundVer":"3.5.30729.1","InstalledFile":"",

{"Status":"Up To Date","ItemType":"Browser Extra","ItemName":"Microsoft Windows Media Player","FoundVer":"11.0.6002.18311","InstalledFile":"C:\\Windows\\system32\\wmp.dll","ProductVer":"11.0.6002.18311",

This scan output fully shows how the tool works. The technique is not new, but it shows that signature-based tools are still widely used.
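The captured records above invite a second look at the version fields. As an added example, not part of the original post or of Qualys' tool, the following re-checks scan records of that shape with a proper version comparator instead of trusting the Status string, treats a missing RequiredVer as unverifiable rather than as a pass, and reports where the derived status disagrees with the reported one. The records are constructed from the version strings captured above, trimmed to the fields the check needs; the field names are the ones the captured output uses.

```javascript
// Added example, not part of the original post or of Qualys' tool: a
// defender-side re-check of ScanResults records like the ones captured above.

// Split "1.6.0_22" or "4.0.60129.0" into numeric components. "_" and "-" are
// treated as separators so Java's update suffix compares numerically.
function parseVersion(v) {
  return String(v).trim().split(/[._-]/).map(part => {
    const n = parseInt(part, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Comparator returning -1, 0 or 1. Missing trailing components count as 0,
// so "3.6.13" equals "3.6.13.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Re-derive a status for one record from FoundVer and RequiredVer alone.
function evaluateRecord(rec) {
  if (!rec.FoundVer) return 'Unknown (no version reported)';
  if (!rec.RequiredVer) return 'Unverifiable (no baseline)';
  return compareVersions(rec.FoundVer, rec.RequiredVer) < 0 ? 'Outdated' : 'Up To Date';
}

// Apply the check to every record and flag disagreements with the tool's
// own Status field, which is what an analyst reviewing the output wants.
function auditScan(records) {
  return records.map(rec => {
    const derived = evaluateRecord(rec);
    return { item: rec.ItemName, reported: rec.Status, derived, agrees: derived === rec.Status };
  });
}

// Constructed records: version strings are taken from the output captured
// in the post above, reduced to the fields this check uses.
const sampleRecords = [
  { Status: 'Up To Date', ItemName: 'Mozilla Firefox', FoundVer: '3.6.13', RequiredVer: '' },
  { Status: 'Up To Date', ItemName: 'Adobe Flash Player', FoundVer: '', RequiredVer: '' },
  { Status: 'Up To Date', ItemName: 'Java Runtime', FoundVer: '1.6.0_22', RequiredVer: '1.6.0_24' },
  { Status: 'Up To Date', ItemName: 'Microsoft Silverlight', FoundVer: '4.0.60129.0', RequiredVer: '4.0.60129.0' },
];

// When run directly with Node, print the audit table.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.table(auditScan(sampleRecords));
}
```

Run against the constructed records, the Java Runtime entry (found 1.6.0_22, required 1.6.0_24) comes back Outdated even though the captured Status says Up To Date, and the entries with no RequiredVer or no FoundVer are surfaced rather than passed. The comparator still operates only on values the plug-ins report about themselves, which is exactly the limitation a plug-in carrying forged version information would exploit.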

The next question is how the tool reacts when a malicious plug-in (carrying updated version information) is installed in the browser.