
Proceedings of the 7th Australian Information Security Management Conference

Table 1 - Basic dynamically loaded library (DLL) files installed by Trojan browser extensions (F-Secure Corporation,

DLL File             Function
CertGrabber.dll      Collects certificates from the system certificate storage.
ExeLoader.dll        Executes files.
FFGrabber.dll        Mozilla Firefox HTTP request sniffer implemented as an XML User Interface Language (XUL) extension module.
IECookieKiller.dll   Removes cookies from the Internet Explorer cache.
IEFaker.dll          Rewrites URLs. The fake addresses are controlled remotely by the attacker.
IEGrabber.dll        IE HTTP request sniffer.
IEMod.dll            Installs as a BHO and allows other modules to hook on Internet connections.
IEScrGrabber.dll     Captures IE screenshots.
IETanGrabber.dll     Redirects internet connections.
NetLocker.dll        Gets/sets the list of system Layered Service Providers (LSP).
ProxyMod.dll         Starts HTTP and SOCKS proxies on a random port.
PSGrabber.dll        Collects miscellaneous credentials from the system, such as email accounts.

These add-ons are installed in the %System%\ directory and start automatically the next time the user opens the browser. They bypass digital signing because they are installed by the user running a Windows executable program file (.exe), not through the browser's own default extension installer package (.xpi) (Krebs, 2006).

Table 2 - Files inserted by Trojan Nuklus.a (ScanSpyware, 2008)

Dynamically loaded library (DLL) files:
%systemdir%\mt_32.dll
IEMod.dll
IEFaker.dll
%systemdir%\taskmang.exe
ProxyMod.dll
FFGrabber.dll
IEGrabber.dll
PSGrabber.dll
%systemdir%\ExeLoader.dll
%systemdir%\CertGrabber.dll
IEScrGrabber.dll
%systemdir%\IETanGrabber.dll
browsearch.dll
%systemdir%\netd.dll
mshtmllib.dll
%systemdir%\mscert.dll
%systemdir%\fdeploy.ocx
%systemdir%\ptco.dll
%systemdir%\clfsw.dll
browserui.dll
protect.dll
\out.exe

Registry keys:
{3BF77FF3-E054-4728-ADD0-B21EF95EECE1}
{24A1E1CC-4393-941E-B765-2264A695D4E3}
Taskmng
LEGACY Taskmng
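As an added triage example (not code from the paper or from any of the cited vendors), the script below parses a Windows .reg export and flags Internet Explorer Browser Helper Object registrations whose CLSID or in-process DLL name matches the Table 2 indicators, the mechanism IEMod.dll uses according to Table 1. The .reg content is constructed for the example; the BHO registration key and the CLSID\InprocServer32 key are standard Windows locations assumed here, since the paper lists the CLSIDs and file names but not where Nuklus.a registers them.

```python
# Indicators copied from Table 2 (Trojan Nuklus.a); every other value here is constructed.
NUKLUS_CLSIDS = {"{3BF77FF3-E054-4728-ADD0-B21EF95EECE1}",
                 "{24A1E1CC-4393-941E-B765-2264A695D4E3}"}
NUKLUS_DLLS = {n.lower() for n in (
    "mt_32.dll", "IEMod.dll", "IEFaker.dll", "ProxyMod.dll", "FFGrabber.dll",
    "IEGrabber.dll", "PSGrabber.dll", "ExeLoader.dll", "CertGrabber.dll",
    "IEScrGrabber.dll", "IETanGrabber.dll", "browsearch.dll", "netd.dll", "mshtmllib.dll",
    "mscert.dll", "fdeploy.ocx", "ptco.dll", "clfsw.dll", "browserui.dll", "protect.dll")}
# Standard Windows locations (assumed): where IE BHOs are registered, and the CLSID's in-process server.
BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION"
           "\\EXPLORER\\BROWSER HELPER OBJECTS\\")
CLSID_KEY = "HKEY_CLASSES_ROOT\\CLSID\\"

# Constructed .reg export: one Nuklus-style BHO registration beside a benign one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3BF77FF3-E054-4728-ADD0-B21EF95EECE1}]
[HKEY_CLASSES_ROOT\CLSID\{3BF77FF3-E054-4728-ADD0-B21EF95EECE1}\InprocServer32]
@="C:\\WINDOWS\\system32\\IEMod.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit_helper.dll"
"""

def parse_reg(text):
    """Parse a .reg export into {KEY PATH (upper-cased): {value name: data string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()          # registry key paths are case-insensitive
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_bho_indicators(reg_text):
    """Return [(clsid, dll_path, reasons)] for each registered BHO matching a Table 2 indicator."""
    keys, hits = parse_reg(reg_text), []
    for key in keys:
        if key.startswith(BHO_KEY):
            clsid = key[len(BHO_KEY):]
            dll = keys.get(CLSID_KEY + clsid + "\\INPROCSERVER32", {}).get("(default)", "")
            reasons = ["clsid"] if clsid in NUKLUS_CLSIDS else []
            reasons += ["dll"] if dll.split("\\")[-1].lower() in NUKLUS_DLLS else []
            if reasons:
                hits.append((clsid, dll, reasons))
    return hits
```

Feed it the output of `reg export` for the two hives and each hit names the CLSID, the DLL it loads and which indicator matched.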


Firefox Trojan add-on example

Firefox extensions, written in JavaScript, display on clients' web pages and cannot directly address the browser's memory (Louw & Lim, 2008). A malware author can hook the malicious extension code into a user input form or into the moment a web page completes loading. It can record keystrokes, or it can intercept all form data that is being submitted. Furthermore, extensions can also alter the contents of a page by accessing its DOM representation (Raffetseder et al., 2007). "DOM starts with the browser itself, then the windows and tabs. When you load a page, the browser builds a hierarchy of all the things on the page, such as forms, titles, and headings" (Croll & Power, 2009, p. 299). The DOM also exposes the browser version and the window size, and it allows JavaScript to modify the entire web page, including stored details such as the cookies associated with a site (Croll & Power, 2009). One Trojan that infected Firefox through an extension, Trojan.PWS.ChromeInject.A, was identified by BitDefender in 2008. It registers itself as an impersonator of the Greasemonkey toolbar and installs into Firefox's add-on directory to search the user's hard drive for passwords, login details, account information, and library card numbers (Hruska, 2008). Users can be attacked by opening attachments, accepting ActiveX or JavaScript, or downloading malware-ridden code attached to a movie file (Hruska, 2008). In the directories below are examples of the file npbasic.dll in the Firefox plug-in folder and the file browser.js

114 | Page
