Vegan and BeEF clash shows how cyber arms race never stops

Cyber attackers and defenders are caught in a permanent to-and-fro dance, coming up with new solutions that break the last one created by their adversaries.

An example of this never-ending arms race has been demonstrated perfectly by researcher and developer Brian Wallace and the developers of Browser Exploit Framework (BeEF), an open-source attack and penetration testing tool.

“In order for BeEF to gain control over a browser, the browser must be tricked to execute malicious JavaScript code,” Wallace explained in a blog post published on Thursday. “This can happen on any website that the attacker can control, or even in malicious advertisements, and tends to occur transparently to the affected user. This JavaScript code connects back to the BeEF control panel, which is essentially a highly interactive command and control panel. The attacker then has the option to run a myriad of attacks or information gathering tools.”

Wallace, not satisfied with the fact that the only existing – and very limited – method for detecting BeEF attacks is a Snort rule that can be easily bypassed by tech-savvy attackers that know how to modify the toolkit’s configuration file, decide to create a Google Chrome extension to defeat BeEF (and he called it “Vegan”).

“I decided to build my protection into Chrome browser so I could easily deploy it to devices regardless of the OS, handle HTTPS seamlessly with HTTP and approach the problem from the chokepoint,” he noted.

In the hopes of inspiring other defenders, he described the process he went through in detail in his blog post. In short: he noted BeEF’s specific cookie setting and unsetting behavior, and made the extension block any domain attempts to perform such an action, effectively preventing the browser from being able to communicate with the BeEF panel.

But he added that BeEF developers can easily, if they wished, change the code to avoid detection by the Vegan extension. And so they did, a mere half a day later:

“As a security researcher, I wish to maintain the balance between offensive and defensive research, so even smaller defensive projects like this provide a benefit,” Wallace explained his ultimate goal. “If more security researchers worked on open source defensive projects/research, we could, as an industry, tip the scales back into balance.”