"APT" NodeJS package repository phishing: large-scale compromise of developer machines and bulk infiltration of major companies' intranets

Source: Internet
Author: User


Objective

A fortress is always breached from within. However powerful a system is, it is still operated by people, and if the intrusion starts with the people, even the strongest defenses become mere decoration.

Here is an example of using an application repository to infiltrate a developer's system.

Application Repositories

Application repositories are nothing new to developers. apt-get, brew, yum, npm... they are command-line app stores that make installing tools and library dependencies convenient.

They all work on roughly the same principle. Today we look at the security of the NodeJS package repository, NPM.

NPM Platform

If NodeJS could only run on a single machine, it would be little more than WScript. Fortunately, the arrival of the NPM platform lets the whole community share code.

Developers install the libraries they need via NPM, and users can install complete projects with it too. In just a few years, tens of thousands of NodeJS projects have been published on NPM, with tens of millions of downloads per day. Does such a large user base carry a security risk?

Repository Tampering

The first thing that comes to mind is a stolen NPM account. Once the password is compromised, the attacker can publish a new version of the project; as soon as ordinary users update, the malicious script is installed.

However, getting hold of a platform account is not that easy, and tampering with a highly active project is discovered quickly.

Repository Phishing

Altering other people's packages is unreliable; the attacker can only use his own. But a brand-new project of one's own has no users, so some have to be lured in.

An attacker can pick a name that resembles an active project. For example, uglify-js is popular, so a knock-off could be called uglifyjs. As soon as a user mistypes the name, the fake package is installed.

To avoid detection, the original project can be cloned outright, so the fake behaves exactly like the genuine version and is hard to tell apart. Then some tampering is done in an obscure module, and once the user runs the script, the demon is released!

Compared to traditional malicious programs, NodeJS is a small and highly flexible language, and far fewer defensive programs watch it.

Intrusion during installation

If the user notices that the wrong package was installed and removes it before running it, is an intrusion then impossible?

In fact, NPM offers an extremely powerful feature: it can even execute additional commands at installation time.

In the scripts field of package.json, a command can be defined for each lifecycle stage.

For example, postinstall runs after the package has finished installing.

So the system may be compromised the moment the user types npm install xxx.
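As an added defender-side example (not code from the original post or from any tool it mentions): a pre-install check that flags a requested package name lying within one edit of a known popular name, the uglify-js/uglifyjs case above, and lists the install-time lifecycle hooks in its package.json that npm would otherwise run silently. The list of known names and the sample manifest are constructed for the example.

```javascript
// Added example (not from the original post): pre-install check for lookalike
// names and install-time lifecycle hooks. npm runs these scripts during install:
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Levenshtein edit distance between two package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Known names the requested name resembles without matching exactly.
function lookalikes(name, knownNames, maxDistance = 1) {
  return knownNames.filter((k) => k !== name && editDistance(name, k) <= maxDistance);
}

// Install-time hooks declared in a parsed package.json object.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Combine both checks into one verdict; an unparseable manifest is unsafe.
function preInstallCheck(name, manifestText, knownNames) {
  const similar = lookalikes(name, knownNames);
  let hooks;
  try {
    hooks = installHooks(JSON.parse(manifestText));
  } catch (e) {
    return { name, lookalikes: similar, installHooks: [], safe: false, error: 'unparseable package.json' };
  }
  return { name, lookalikes: similar, installHooks: hooks, safe: similar.length === 0 && hooks.length === 0 };
}

// Constructed sample data: a few popular names and a typosquat manifest with a postinstall hook.
const KNOWN_NAMES = ['uglify-js', 'express', 'lodash'];
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'uglifyjs',
  scripts: { postinstall: 'node lib/setup.js', test: 'node test/run.js' },
});

console.log(JSON.stringify(preInstallCheck('uglifyjs', SAMPLE_MANIFEST, KNOWN_NAMES), null, 2));
```

Running the check on the sample reports uglify-js as a lookalike and the postinstall hook, so the verdict is unsafe; the genuine name with no install hooks passes.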

This may sound far-fetched. But in testing, a knock-off of an active project gets dozens to hundreds of installs per day (installs made by mistake). Although that is a small number, a tiny fraction of the original's, these are potentially high-value users.

Most of them are developers; once their systems are controlled, the attacker can pivot into the enterprise intranet.

Persistent intrusion

Once a developer's system is controlled, the consequences are far more severe than one might expect. Beyond the leakage of all kinds of information, there are worse things.

Take uglify-js as an example: what happens if a developer installs the phishing version?

Since it is a compiler-like minifier that turns finished source code into an unreadable black box, it is most likely the last step before going live. If this link is controlled by an attacker, then even code that passed a source audit cannot escape.

Perhaps the phishing tool inserts a hidden XSS into the minified script, which a careless developer will not notice. Once the script is published, thousands of online users are affected.

Without sending a single soldier, the attacker has struck the fortress directly at its source.

Of course, not only the web can be infected; other clients are even more exposed. Some little-watched open source libraries, or header-file code, can be hiding places for malicious code.

Phishing Promotion

After all, relying on typing mistakes limits the reach. To increase infections, attackers may well actively promote their phishing projects.

Of course, the promotion will not be too obvious, and others may not sense the intent at all.

Attackers can repost recent popular articles and replace the demo address with their own phishing package. Onlookers who come to try it out unprepared are quietly compromised.

Or, more directly, promote the project in a forum or social circle with some glossy text and cool pictures, so that curious people walk straight into the attacker's trap.

Summary

Besides NPM, other application repositories that require no review carry the same risk of phishing projects.

So be extra careful when installing. If you have forgotten a package's exact name, verify it before installing.

Likewise, be careful when trying out unknown projects. After all, installing a project is effectively the same as running an application directly!

Transferred from: http://www.cnblogs.com/index-html/p/npm_package_phishing.html

Some discussions:

#1 2015-03-12 17:49 Agile.zhou (Kklldog)

It's really dangerous to say so.

#2 2015-03-12 19:02 garbled.

Mark

#3 2015-03-12 22:28 Shing Zhu Zhu

So I feel NPM should add a security mechanism that requires the user to confirm before running custom installation commands.

#4 [OP] 2015-03-13 09:25 Etherdream

@Shing Zhu Zhu

Some of the commands are node xxx.js, and you don't know what that JS will do.

#5 2015-03-13 12:09 Shengtenpo

It's not alarmist, risk is everywhere.

#6 2015-03-14 22:03 UEQT

I wrote an npmsafe.

https://github.com/ueqt/npmsafe

After installing it with npm i npmsafe -g

you can use the npmsafe command as a complete replacement for the npm command.

npmsafe checks a whitelist; if the library is not in the whitelist, it prompts with the library's installation count for the last month as a reference for whether it is safe, and asks whether to continue or abandon the installation. If you continue, you can choose to write it to a custom whitelist.

This article, "APT" NodeJS package repository phishing, large-scale compromise of developer machines, bulk infiltration of major companies' intranets, is from: Nuclear'ATK Network Security Research Center, article address: http://lcx.cc/?i=4517. Please credit the author and source when reprinting!
