Protect your browser: Browser rootkits, Virtual appliances and Network Admission Control

There has been a lot of discussion this year about virtual rootkits and Blue Pill. pdp from Gnucitizens takes another approach: browser rootkits.
Criminals used to go after your system, but nowadays they go after your data. Browsers are just middleware. The closer to the data, the better, pdp states. This is why browser rootkits make sense.

Let's take Firefox for example. Firefox is a complex, dynamic project which is subjected to regular updates. A big portion of the browser is written in scripted languages such as JavaScript and Python and supporting formats such as XML, RDF, XUL, XHTML and others. Given the fact that any of these components can be modified to serve the rootkit purpose, antivirus agents need to be capable of understanding the technologies involved in Firefox in order to prevent or ensure malware detection.

Let’s not forget the fact that the browser is a key business software which is usually allowed to get out (surf the Web), directly or via a Web proxy. The browser is configured to communicate by default. This ensures that the rootkit software can always get out and also let the rootkit master in, circumventing any restriction that may exist in between. There is no other technology that matches the same level of interoperability and communication power.

Last but not least, browser rootkits are portable when the browser itself is available on more than one platform. Firefox, again, is one of the most vivid examples. Firefox extensions, which can easily be turned into rootkits, are OS independent. A single rootkit can infect Windows, Linux and MacOS at the same time without the need for reorganization of the source code. This feature makes browser rootkits the perfect malware.

Shortly after this article, Joanna Rutkowska, the researcher behind Blue Pill, reacted with her own view on browser rootkits.

She doesn't expect browser rootkits to replace OS rootkits, but they will definitely become a more and more important problem.

There are some ways to avoid, or minimize, the impact of browser-based rootkits. Just use two different browsers – one for sensitive and the other one for non-sensitive operations. There are more ways to achieve this. Use Firefox simultaneously with different profiles, run separate browsers, or even use virtual appliances. Other researchers have also indicated they prefer to run browsers in a virtual 'appliance' in select cases.
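The "different profiles" option above, worked out as an added example (this is not code from the original post or from Mozilla): a small launcher that keeps a separate Firefox profile per trust level, so an extension picked up while browsing casually never loads in the profile used for banking. It assumes `firefox` is on PATH, the Linux profiles.ini location, and the placeholder profile names "banking" and "general".

```shell
#!/bin/sh
# Added example: one Firefox profile per trust level.
# Assumptions: firefox on PATH; profile names below are placeholders.

profile_for_role() {
    # Map a trust level to its own profile name; unknown roles fail.
    case "$1" in
        sensitive) echo "banking" ;;
        general)   echo "general" ;;
        *)         return 1 ;;
    esac
}

launch_cmd() {
    # -P selects the profile. -no-remote matters: without it, Firefox hands
    # the request to an already-running instance, which may be the less
    # trusted profile, silently defeating the separation.
    name=$(profile_for_role "$1") || return 1
    echo "firefox -no-remote -P $name"
}

profile_exists() {
    # $1 = profile name, $2 = path to profiles.ini
    grep -qx "Name=$1" "$2" 2>/dev/null
}

ensure_profile() {
    # Create the profile once; -CreateProfile exits without opening a window.
    profile_exists "$1" "$2" || firefox -CreateProfile "$1" >/dev/null 2>&1
}

main() {
    ini="${HOME}/.mozilla/firefox/profiles.ini"   # Linux default (assumed)
    name=$(profile_for_role "$1") || { echo "usage: $0 sensitive|general" >&2; return 2; }
    ensure_profile "$name" "$ini"
    $(launch_cmd "$1") &
}

# Only launch when a role is given on the command line.
[ $# -gt 0 ] && main "$1"
```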

After the banking Trojans in Belgium, I expect to see browser virtualization become an option in the future. Another approach might be a NAC (Network Admission Control) type of access, where banks scan your PC for Trojans and other security criteria before they allow you access. Just today, Panda launched their Panda Security for Internet Transactions.

Panda Security for Internet Transactions is an antifraud service for online transactions to protect clients of e-banking, pay-platforms and e-commerce against active malware. Banks and businesses will be able to scan PCs to ensure that users launching transactions on their websites are not affected by any malicious code. This eliminates the risk of passwords being stolen or other fraudulent operations.
