Vegan eats BeEf, gets hooked

Bad taste still lingers

Botnet slaughterer Brian Wallace has created a module to detect when attackers are using the popular browser-busting BeEF hacking framework.

The Chrome extension codenamed Vegan allows victims to detect when attackers have hooked their web browser instances using the enormously powerful Browser Exploitation Framework.

Vegan could detect and block BeEF but not entirely stop it, Wallace (@botnet_hunter) says.

"In order for BeEF to gain control over a browser, the browser must be tricked to execute malicious JavaScript code [which] can happen on any website that the attacker can control, or even in malicious advertisements, and tends to occur transparently to the affected user," Wallace says.

"I decided to build my protection (Vegan) into Chrome browser so I could easily deploy it to devices regardless of the OS, handle HTTPS seamlessly with HTTP and approach the problem from the chokepoint.

"While a detection method is important, it really only tells the user they are now at the will of the attacker, and there is not much the victim can do."

Victim machines that run the malicious JavaScript will connect to BeEF's control panel, allowing hackers to execute highly capable attacks and gather further user information.

Vegan in action.

Wallace says the alternative to Vegan is messy, complicated, and unreliable. Targets could configure their Snort intrusion detection systems to look for the BEEFHOOK cookie, which may signal a BeEF attack, but that method could be subverted if attackers modify those values or simply employ HTTPS.
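The cookie check described above, and the two ways the article says it fails, can be seen in a short sketch. This is an added example, not code from Vegan, Snort or BeEF; the sample requests, hostnames, paths and cookie values are constructed for illustration.

```python
DEFAULT_COOKIE = "BEEFHOOK"  # cookie name cited in the article

def parse_headers(raw: bytes) -> dict:
    """Return lower-cased headers from a plaintext HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            prior = headers.get(key)
            headers[key] = f"{prior}; {value.strip()}" if prior else value.strip()
    return headers

def cookie_names(cookie_header: str) -> set:
    """Extract cookie names only, so a value containing the string is not a hit."""
    return {p.partition("=")[0].strip() for p in cookie_header.split(";") if p.strip()}

def is_hooked(raw: bytes, cookie_name: str = DEFAULT_COOKIE) -> bool:
    """True if the request carries a cookie with exactly the watched name."""
    return cookie_name in cookie_names(parse_headers(raw).get("cookie", ""))

# Constructed sample traffic as a network sensor would see it (all values hypothetical).
SAMPLES = {
    # Default configuration over plain HTTP: the cookie name is visible.
    "default_http": b"GET /poll HTTP/1.1\r\nHost: c2.example.test\r\n"
                    b"Cookie: lang=en; BEEFHOOK=CONSTRUCTEDVALUE\r\n\r\n",
    # Benign request whose cookie *value* mentions the string: must not alert.
    "benign_value": b"GET /search HTTP/1.1\r\nHost: shop.example.test\r\n"
                    b"Cookie: q=BEEFHOOK; session=abc\r\n\r\n",
    # Operator changed the cookie name: the signature no longer matches.
    "renamed_cookie": b"GET /poll HTTP/1.1\r\nHost: c2.example.test\r\n"
                      b"Cookie: sid=CONSTRUCTEDVALUE\r\n\r\n",
    # HTTPS: the sensor sees only a TLS record, no headers at all.
    "tls_record": bytes.fromhex("1603010200010001fc0303") + b"\x00" * 8,
}

def scan(samples=SAMPLES) -> dict:
    """Map each sample label to whether the cookie signature fired."""
    return {label: is_hooked(raw) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, hit in scan().items():
        print(f"{label:15} {'ALERT' if hit else 'no match'}")
```

Only the default-configuration request over plain HTTP raises an alert; the renamed cookie and the TLS record pass unnoticed, which is the gap Wallace describes in network-side detection.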

Wade Alcorn, BeEF creator and director of Brisbane-based Alcorn Group, welcomes the extension, saying it is valuable for raising awareness.

"It is an awesome name," Alcorn says.

"Almost a decade ago, I started the BeEF project to provide a method to raise awareness of client-side attack vectors and to create a tool to evaluate an organisation's security posture.

"I am hopeful the Vegan extension will provide another opportunity to increase education among those responsible for their organisation's security."

Alcorn says the security community has a way to go before such threats are sufficiently mitigated.

"It is a positive sign to see the awareness of client-side risks is increasing." ®


Biting the hand that feeds IT © 1998–2022