Comment by josefdlange

9 years ago

Stranger is that they feel like they need to open a "hidden" browser instance to connect to the internet. A browser isn't really a necessary part of establishing a connection -- unless there's some missing context here. Is my grandmother running the CIA data ops division?

Edit: it's been made clear to me that of course this is one of few viable vectors when approaching outbound network with a really restrictive firewall (like Little Snitch). If a browser is already approved on making a given connection, then using a headless instance to do network talking is a smart way to do it. If you roll your own net code, a tool like LS will notify the user and/or block. Dumb me!

Exactly. Firewalls like Little Snitch primarily filter traffic based on the binary initiating the connection, and only secondarily based on the target port or address. When Little Snitch pops up the 10th time in 30 seconds, you will just approve all traffic from your browser, so using the browser to send all traffic is a great way to avoid being caught.

As for what "injecting into Little Snitch" means, it could either mean injecting code into Little Snitch, because Little Snitch probably doesn't filter itself, OR injecting a rule into Little Snitch.

  • Little Snitch does filter itself, but the Allow rules are there by default. I remember on a previous version, one of the steps to pirate LS was adding a rule to block it from connecting to its servers.

  • Casually browsing the archive, I saw something related to injecting payloads into OSX applications. The application that did this required the latest version of XCode to compile, according to the installation and build docs.

I mean they could just write some net code that sends packets to whatever port, but launching IE and doing everything over HTTPS or whatever is much more stealthy when it comes to network monitoring and system logs.

  • But why not spend ten minutes and make their net code use SSL and then avoid it altogether?

    I guess one could argue that the footprint of adding SSL client behavior to a sneaky hidden tracker might be shitty to do and make it more identifiable. But also SSL libraries are typically linkable on the host system anyway, no compilation past the headers needed.

    It's just a weird "workaround" on their part if that's the intention.

    • Consider perhaps Windows firewall. I believe it can be configured to block connections by the opening program.

    • Perhaps bots are more easily discernible from a human user who's using a real browser. If the goal is to be stealthy, then they'd want to appear as human-like as possible.

    • Windows has very sophisticated firewalling and network access can be filtered on a per-process, per-network basis.

      Restrictive companies will only allow pre-approved applications, for specific ports, like I.E. doing HTTP/S over ports 80 and 443, and only on approved/trusted networks.

Intent is to evade firewalls that allow per-application rules, such as Little Snitch (I think?) and Windows firewall.

  • > such as Little Snitch (I think?)

    Correct. It is likely users allow their primary browser full access to all hosts on ports 80 and 443, if not all ports.

    Additionally, launching the browser gives you easy access to all the tasty session cookies and access to their keychain (I assume a lot of people give their default browser on OSX keychain access).

  • Oh, duh. Wow, dumb me. One of those "can't see the forest for the trees" mistakes on my part. Thanks for the reality check!

I would guess that the hidden browser could have access to data (login cookies, browser history, combined with another vulnerability maybe even anything the user enters in other browser windows) that a separate program would not have access to.

What if they use it to establish an unsavory browsing history on a target's computer without their knowledge?

  • Could you imagine.

    deletes browsing history

    If there is a page stating the CIA can create an unsavory browsing history, let me know, just for future reference.

    • Lol good point. I meant to imply the history that the ISP would see, not the local one. Although a hidden browser wouldn't be necessary for that anyway. Never mind :)

Little Snitch will warn you (ask permission) if a new process wants to connect to the internet. If the beacon can pass information through a browser process though, I expect most people have Little Snitch rules to allow their browser to send any traffic without warnings.
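The defender's counterpart to the point made in this comment, as an added example that is not part of the thread: once a per-application firewall has a standing "allow my browser" rule, the firewall alone can no longer tell the user's browser from a browser some other program started without a window, so the useful signal moves to process-creation telemetry (how and by whom the browser was launched). The records below are constructed stand-ins for what an EDR, Sysmon process-creation events or a macOS Endpoint Security feed would supply; the field names, the browser list and the allow-list of "interactive" parent processes are assumptions for this example, not any product's schema. The `--headless`, `--remote-debugging-port`, `-headless` and `-marionette` switches are real Chromium/Firefox switches, but the list is illustrative, not exhaustive.

```python
"""Flag browser launches that look automated or window-less rather than user-driven.

Constructed example. Process events, browser names and the parent allow-list are
assumptions chosen for illustration; tune them to the fleet you actually monitor.
"""
from dataclasses import dataclass

# Browser executables we care about (basename, lowercased). Assumption: extend per fleet.
BROWSERS = {
    "chrome.exe", "chrome", "google chrome",
    "firefox.exe", "firefox",
    "msedge.exe", "safari", "iexplore.exe",
}

# Switches that start a browser without a visible window or under remote control.
# Real Chromium/Firefox switches; illustrative, not exhaustive.
HEADLESS_FLAGS = {
    "--headless", "--remote-debugging-port", "--remote-debugging-pipe",
    "-headless", "-marionette",
}

# Parents that normally launch a browser on behalf of an interactive user.
# Assumption for the example; a real baseline comes from your own telemetry.
INTERACTIVE_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe",
    "launchd", "dock", "finder", "bash", "zsh",
}


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process image
    cmdline: str        # full command line as logged
    parent_image: str   # full path of the parent process image


def basename(path: str) -> str:
    """Last path component, lowercased, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def headless_switches(cmdline: str) -> list[str]:
    """Return the command-line tokens whose switch name is in HEADLESS_FLAGS.

    Tokens are compared on the part before '=' so '--headless=new' and
    '--remote-debugging-port=9222' both match.
    """
    found = []
    for tok in cmdline.split():
        if tok.split("=", 1)[0].lower() in HEADLESS_FLAGS:
            found.append(tok)
    return found


def classify(ev: ProcEvent) -> list[str]:
    """Reasons this browser launch deserves a look; empty list means nothing unusual.

    Non-browser processes are out of scope and always return an empty list.
    """
    if basename(ev.image) not in BROWSERS:
        return []
    reasons = []
    switches = headless_switches(ev.cmdline)
    if switches:
        reasons.append("headless/automation switch: " + " ".join(switches))
    parent = basename(ev.parent_image)
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"launched by non-interactive parent {parent}")
    return reasons


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that classify() flags."""
    return {ev.pid: r for ev in events if (r := classify(ev))}


# Constructed sample feed: one ordinary launch, two suspicious ones, one non-browser.
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com',
              r"C:\Windows\explorer.exe"),
    ProcEvent(102, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
              r"--remote-debugging-port=9222 about:blank",
              r"C:\Windows\explorer.exe"),
    ProcEvent(103, "/Applications/Firefox.app/Contents/MacOS/firefox",
              "firefox -headless -marionette",
              "/Users/alice/Library/Caches/helper"),   # constructed non-interactive parent
    ProcEvent(104, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The two checks are deliberately independent: a headless switch from an interactive parent (pid 102) is still worth a look, because a script run by the user is indistinguishable from a script run as the user, and an unflagged command line from an odd parent (the second reason on pid 103) catches launchers that hide the window by other means. The firewall rule for the browser stays as it is; this just restores the per-process visibility that the blanket allow rule gave up.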

Fun Microsoft fact: Windows Firewall is preconfigured with a built-in outbound traffic backdoor. You can't filter localhost; DNSCache listens on localhost and will happily relay everything. You have to manually disable the dnscache service and give up caching to plug this hole. You want to be able to ping? Can't do that; ICMP traffic originates in the System process, so you either let everything send ICMP packets, or filter it all out, there is no middle ground.