Zoltan Balazs

CTO at MRG Effitas


Zoltan is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.
Before MRG Effitas, he worked as an IT security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool, which contains POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and of the Sandbox tester tool for testing malware analysis sandboxes. He has been invited to give presentations worldwide at information security conferences including DEF CON, SyScan360, DeepSec, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking.
Zoltan passed the OSCE recently, and he is very proud of it :)

How to hide your browser 0-day

Zero-day exploits targeting browsers are usually very short-lived. These zero-days are actively gathered and analyzed by security researchers. Whenever a new 0-day becomes known to the security industry, protections against the exploit are shared, AV/IDS signatures are made, patches are deployed, and the precious 0-day loses its value. One example is when Ahmed Mansoor was targeted by an iOS 0-day exploit (August 2016). Citizen Lab analyzed the 0-day exploit, and Apple patched the vulnerability within days (http://bit.ly/2bm8ueo). Whoever targeted Mansoor lost a precious 0-day exploit worth hundreds of thousands of dollars.
In my research, I propose a solution for law enforcement, 0-day brokers, and advanced attackers to protect their browser exploits. The key step is to establish a key agreement between the exploit server and the victim browser. After a shared key is set up, attackers can encrypt the real exploit with AES. It is recommended to encrypt both the code that triggers the exploit and the shellcode. This idea was first published by me (http://bit.ly/2mnvfYE) and quickly adopted by exploit kit developers in the wild.
During my presentation, I will propose solutions for defenders to analyze these attacks, countermeasures for attackers to further complicate this kind of analysis, and I will release POC Ruby code which can be integrated into Metasploit. So far, no encrypted browser exploit delivery code has been publicly available to test or implement these attacks.
In addition to protecting the 0-day exploits from analysis, my proposed solution is also able to stay under the radar of IDS systems or Next Generation IDS systems (a.k.a. breach detection systems, APT detection systems). This is aligned with the trend that perimeter security is becoming less effective due to mobile devices and the increasing number of encrypted channels.