Final report

December 7, 2011

Our project report is available here.


Google login stealer

November 21, 2011

Our first malicious userscript targets the Google login page and tries to capture the usernames and passwords submitted to Google.



Cross-domain requests made simple

November 21, 2011

Once we get our malicious userscript running on every page the victim loads in the browser, we will want to collect some data and send it to our server. However, to do this we will need to perform a cross-domain request to our server, which is normally prohibited by the same-origin policy. Although we could use GreaseMonkey's GM_xmlhttpRequest to perform cross-domain communication from the global context, this API is only available to the GreaseMonkey extension and is not compatible with Chrome or Opera.

So we have to use some tricks.


The Puppet Master

November 20, 2011

So far we have talked about issues on the client side of a “puppet”. We also need a “puppeteer” in the form of a server to which we send the data we collect (user credentials, cookies, etc.). Since the userscripts are written in JavaScript, we’ve decided to have the server run JavaScript as well.

Introducing Akshell...



Installing Userscripts

November 19, 2011

So assume one can get an arbitrary executable to run on the user’s machine with full privileges using an exploit such as the one presented in the last post. What would you have to do to automatically install a userscript for the user’s current browser?



Choose Your Browser Exploit

November 14, 2011

While reading about house moving scams I accessed the inconspicuous website www.aaamove.com (WARNING: do not go there!). Right after loading the homepage with my up-to-date Firefox browser, I noticed suspicious activities going on. The JVM had started running, and a weirdly named exe was running in the background. I had been infected with a virus! Luckily, although I had no anti-virus installed, I had been running Sandboxie and was able to capture and reverse engineer the culprit. The adventure begins...



Roadmap

November 14, 2011

This project investigates the possibilities of attack using bots running as long-lived processes in the user’s browser. We attempt to achieve this using a GreaseMonkey userscript which runs on every page opened in the supported browsers (Google Chrome – native, Opera – native, Mozilla Firefox – with the GreaseMonkey extension). There are two phases:

  1. Figure out a way to place a userscript in the required directory without the knowledge of the user
  2. Use the script to implement various attacks (keylogger, cookie stealer, mouse tracker, etc.)