International Journal of Ambient Computing and Intelligence, 4(1), 29-39, January-March 2012. Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Man in the Browser Attacks

Timothy Dougan, University of Ulster, UK
Kevin Curran, University of Ulster, UK

ABSTRACT

Man-in-the-Browser attacks are a sophisticated new hacking technique associated with Internet crime, especially that which targets customers of Internet banking. The security community has been aware of them as such for some time, but they have grown in ability and success during that time. These attacks are a specialised version of the Man-in-the-Middle attack, and operate by stealing authentication data and altering legitimate user transactions to benefit the attackers. This paper examines what Man-in-the-Browser attacks are capable of and how specific versions of the attack are executed, with reference to their control structure, data interaction techniques, and methods for circumventing security. Finally the authors discuss the effectiveness of counter-Man-in-the-Middle strategies, and speculate upon what these attacks tell us about the Internet environment.

DOI: 10.4018/jaci.2012010103

Keywords: Hacking, Internet Banking, Man-in-the-Browser, Man-in-the-Middle, Security

1. INTRODUCTION

In network security terminology, "the Middle" is defined very broadly. In this sense it refers to the domain of action of Man in the Middle (MitM) attacks, in which an unauthorized party inserts themselves surreptitiously at some point along the flow of communication between two or more parties. This is so as to gain the ability to monitor the information that is exchanged, and perhaps also to modify that information, generally without being discovered doing so (Tanenbaum & Wetherall, 2011). In theory, the attack can be performed at almost any point along the communication channel between the victims. The Man in the Middle may attack through a server they control at any point along the data channel, or anywhere along the wire where it is possible to arrange a physical tap. In practice it is impractical to choose a server or wire somewhere in the immediate vicinity of a targeted party, and it would be ineffective to attack from somewhere at random in the web, where traffic is subject to fluctuating routing tables. Therefore, this approach would usually be commenced with a phishing attack to trick the user into bridging the gap, which will be discussed. If either terminating machine is using a wireless connection, the Man could also interpose himself between that machine and its associated wireless router, by picking up their outgoing signal and then posing as the user's machine to the router. This would also work if they have control over a LAN device on the same bus as the user.

The "Middle" described already encompasses all points from the moment a signal leaves a machine at one end of a transaction right through until just before it reaches its destination. However, the Man could also breach the integrity of the signal before it even leaves the user's PC, if he subjects the user to a Man in the Browser (MitB) attack. This is a more recent form of attack in which the user's browser is corrupted in order to act as the tap in the information stream, an attack which "occurs at the system level, between the user and the browser, [rather than via] the protocol layer" (Litan & Allan, 2006). This, structurally speaking, is "a man-in-the-middle attack between the user and the security mechanisms of the browser" (Gühring, 2006).

Therefore, in network security terms, "the Middle" is every point along the course of an information transaction between the initial input and final output device (i.e., anything that is not a keyboard or a monitor etc). In this sense, the MitB attack is a special case of the MitM attack in which the intrusion occurs at the very nearest end of the middle to the user.

2. MitB IN TERMS OF MitM

Let us begin by exploring the places in which MitB differs from MitM. Firstly, MitM intercepts data using an inserted or compromised piece of hardware that is external to the targeted system. MitB on the other hand gains access through the software configuration on that system, generally by way of a Trojan that targets the web browsers on that computer.

Secondly, MitM either has to deal with messages that have already been protected by whatever security is associated with the connection (and read/alter them mid-flight in both directions of communication), or has to present a plausible reason for the user to create their connection with the attacker's own server. MitB does not need to bother with the extra work this entails. In the outward-bound direction, it is the author of all compromised messages sent.
In the inward-bound direction, it does still have to deal with a fully formed message, but it does not need to be concerned with modifying the message itself so as to conceal its actions. This is because MitB directly controls the browser, and therefore needs only to modify the browser display to be as the user expects. Together this means that it works outside of any client-side and server-side encryption and validation, and therefore does not have to be concerned with increased latency arising from hashing overheads or to provide dummy keys for public key encryption.

This implies another advantage of MitB over MitM, in that MitM is only guaranteed to be able to handle public key encryption (and this only up to a point, as discussed in the section "Trust"), whereas MitB is "immune" to all forms of encryption, including symmetric key, by being external to it. Finally, MitM is only truly effective as a directed or location-based attack, whereas MitB can be spammed to as many computers as its Trojan is able to infect. If the access point of MitM were somewhere at random in the Internet, it is unlikely to be able to extract valuable data or make modifications undetectably. This is because packets can be routed independently, so any data gleaned will probably be fragmentary, and replies to any fraudulently modified messages would not be guaranteed to pass through the same compromised point as the outgoing message, making concealment of modifications almost impossible. To maintain constant contact, the MitM attacker must either be physically close enough to the victim to capture their outgoing data before it has the opportunity to bifurcate, or trick the victim into navigating to the attacker's own server, which will act as a stable mid-point. This compels the attacker to either directly target or in some other way reach out to individuals or groups, and means that this attack does not scale very well.
On the other hand, the only such limitations on MitB are around the level of security that is installed on the systems it attacks or is practised by the people who use them, and it scales very well. Where MitM is limited to a chosen few targets at a time (most effectively spread by mass spam emails with links to compromised sites), individual MitB Trojans are known to have compromised between hundreds and hundreds of thousands of users' security concurrently (Finjan, 2009; Stone-Gross et al., 2009; RSA FraudAction Research Labs, 2008; Murchu, 2009).

Although their underlying technical structures are very different, this is not to say that MitB has little in common with MitM. Besides being based on the same principle of the addition of concealed third parties into the flow of transactions, both also have the same capabilities once inside the security provisions of a transaction, and both are carried out for similar ends. However, it is fair to say that MitB exceeds MitM in many ways.

3. MitB CAPABILITIES

Leaving MitM behind for now, and leaving how MitB technically accomplishes what it does until later, let us now consider MitB's general capabilities (some of which may or may not be included in a given version of the attack, and which between versions will vary in method of implementation). These can be broadly classified under five categories. MitB can:

3.1. Steal Data

MitB's control over the browser gives it the ability to collect information both passively by keylogging, and actively by phishing. Any data entered into the compromised browser is potentially available to the attacker, with the ability for them to select preferred data to steal as described below. In addition, and to get around the way in which many security conscious websites limit the amount of sensitive data they request from the user, MitB can prompt for extra data by using its ability to modify the structure of pages displayed in the browser.

3.2. Modify Html

This is referred to as html injection and it allows the attacker to alter the html of a page before it is sent to the browser for interpretation. Typically, this would be used in two ways – firstly, to add extra data entry fields that prompt the user to enter private information in excess of what is normally requested by a page, and secondly to modify server responses.
Data field addition allows for much more powerful data collection, especially if there are data entry fields that are usually obfuscated by a secure site with the intention of defeating keyloggers. Rather than try to defeat a virtual keyboard or a jumbled and/or partial character-by-character password entry system (i.e., "enter the 3rd, 1st and 5th letter of your password"), this instead allows MitB to alter the login procedure so that the password is entered in the clear, from whence it can be lifted directly as per the previous ability discussed. Modifying server responses allows MitB to cover its tracks by making the server response appear to agree with the user's original intentions, which MitB may need to do, as it will sometimes modify data sent by the client to the server.

3.3. Modify Outgoing Data

Just as MitB can modify the html that is shown to the user, its level of access also allows it to tamper with outgoing form data the user is submitting to a server. This allows for various fraudulent actions (usually in the context of internet banking) with the added advantage of the request originating with, and being largely composed by, the legitimate user of a web service. This makes the fraud very much harder to detect and therefore very much more likely not only to initially succeed, but also to remain undiscovered for long enough for the attacker to take advantage of it.

3.4. Choose Targets

All of the foregoing is useful only if the MitB Trojan is able to identify what data it should tamper with or steal. Each version of MitB makes a list of items of interest available to its browser monitoring services. The members of this list will typically be used to select two different types of data – either individual fields of interest by their proximity to certain keywords, or entire pages of interest by their residing in a chosen domain. The domain-targeted attacks are chosen for their value, and this targeting allows the fraud to be tailored to the specifications of each chosen domain. For instance, it is clearly not of use to perform html injection attacks as discussed above without knowing what to inject and where to do so. Attackers cannot expect inserting a "Please enter password/email/D.O.B." field at random into every page to be very successful. Therefore the Trojan must keep a catalogue of particular domains to pay extra attention to, which must include instructions as to where and how within those domains it should carry out its more sophisticated thefts and manipulations.

This level of specificity, combined with instructions to limit non-explicit data theft to data fields that are labelled "Password", "User Name", "Email" etc, acts to limit the amount of non-valuable data that is stolen. Such a provision is useful because, as implied above, individual implementations of MitB attacks can be actively stealing data from many thousands of users concurrently. This becomes an issue when you consider that all stolen data must be communicated back to the owner of the attack over a finite amount of available bandwidth.

3.5. Communicate with HQ

There is no point in stealing data without having some way to retrieve it, so a basic requirement of a data-stealing MitB attack is that there be a means whereby to extract stolen data. With this requirement of the ability to communicate externally a given, there are many other uses such a connection can be put to.
Designating a command server and giving that server control over individual infected machines is a particularly valuable secondary use of this ability, as it allows for remote modification of the Trojan's parameters and for the software version of the infection to be updated. This in turn enables MitB domain and field targeting to be improved, and provides a procedure by which new features and techniques can be added as they are devised. Furthermore, it may be useful to provide access to a server that carries modified security scripts to replace those that protect data in a secure site, tailored corporate image files if a phishing page is being built from scratch, or precise instructions as to how the subsequent steps of the attack are to be carried out. This could be in order to facilitate more elaborate phishing attacks for Trojan implementations that do not have sufficient control over the browser to suppress "mixed content" warnings (that alert the user to the presence in a page of files coming from somewhere not covered by the certificate of the business site they are visiting), or simply to reduce overheads. It is more efficient to do this than to provide a Trojan with a library of instructions, scripts and images suitable to every eventuality.

4. HOW MitB IS PERFORMED

We move now into the specifics of how these attacks are carried out. It is important to note at this point that a MitB attack is only one component in the arsenal of modern Trojans. These Trojans combine different techniques to gain access to and control over systems, maintain themselves and remain undetected. To discuss how a MitB attack is carried out, we will examine the MitB component of some well-known and widespread Trojans, with reference to the five categories described above. The Trojans we will use as examples are all botnets, which suits the remote-control style allowed by MitB. They are:

1. URLzone (a.k.a. Bebloh) – a sophisticated Trojan from the Ukraine focused on German banking (Finjan, 2009)
2. Torpig (a.k.a. Sinowal) – a flexible botnet that steals data mainly in the USA and Europe (Stone-Gross et al., 2009)
3. Zeus (a.k.a. Zbot, Kneber) – a very widespread Botnet that has also been very well covered by the media (Falliere & Chien, 2009)

I will discuss each one with regard to the five aspects explained, and then briefly highlight notable features at the end.
4.1. URLzone

Stealing Data

URLzone is focused more on directly stealing money from victims, rather than stealing their data to sell or to use to commit fraud later on. Such data is still collected however, and I suppose why not? It will "log credentials and activities of bank accounts, [...] take screenshots of webpages, [and] log and report on other web accounts (e.g., Facebook, PayPal, Gmail) and banks from other countries" (Finjan, 2009). It monitors the system, and when a new instance of an application it knows how to attack begins, it uses API hooking to inject a DLL into the process and intercept system messages. Its primary targets were German banks, but given its level of access there was no reason for it not to steal available data while it was installed. "It limits itself to collect data that is sent by the user using POST method with less than 2,000 bytes" (Chechik, 2009) so as to evade notice by security applications, and only becomes active when the data returned to it are from specified domains.

Modifying html

URLzone makes most of its money through live modification of outgoing data, but this causes a problem for it. The fraudulent transactions it makes need to remain in place for long enough for the money to be transferred to a safe location, but if the customer notices that a modification has been made they will report it to the bank as fraud, which will in turn revoke the transaction.
Therefore, the modification must be disguised from the victim, so that the server response will appear as they expect it to. More powerful versions of the data-selection scripts are used here not only to recognize the critical fields in transaction logs, but also to substitute over these fields ex tempore in the raw html, injecting a copy of the original user-submitted value of the field in place of the new and fraud-revealing value returned by the server. This requires that the Trojan have an excellent working knowledge of the format of the banking pages it targets, since there will be many fields per transaction, or transactions altogether, from which it must select one.

Modifying Outgoing Data

When the Trojan reports captured data from a targeted domain to its controller, the controller has the option to specify that an attack should be carried out. This decision is handled by automation at the server side, and is the only way in which URLzone will perform an active attack – the Trojan itself has no capacity to carry out this kind of attack on its own. This is beneficial in two ways – firstly it avoids the need for the Trojan to use local CPU cycles to compose attacks, and secondly it allows all attacks to be made with the latest specifications. That is to say, specifications can be altered at the server in immediate response to changes made in the target sites, and will be used immediately without requiring the Trojan to update its configuration files.

The specific modifications made are chosen very carefully so as to maximize the probability that the attack will succeed. Two data it will steal are the account balance and the maximum transaction allowed.
From these it determines an amount that is close to (but slightly less than) the lesser of these two data, including a factor of randomization to deceive anti-fraud systems designed to notice suspicious patterns in transactions. This determined amount is then returned from the server to the Trojan along with a holding account controlled by the attacker to which this amount should be sent. These two fields overwrite those in the original form the victim intended to post, and the form is then sent on to the bank, which is none the wiser as to the alteration.

Choosing Targets

The targeting is in two parts – selecting which field values to steal, as determined by a local configuration file, and which site transactions to actively attack, as determined remotely by the C&C server. Once again, this remote operation allows the time taken to perform complex calculations to be independent of local hardware constraints, and any reduction in client-side processing will help the Trojan remain undetected by client-side security software. Locally determined target fields are selected by comparing the originating domain of the stolen POST data to a list of domain name masks – if it matches, then the data is chosen and stolen.

Communicating with HQ

"The communication between the Trojan and the C&C server is conducted over HTTP, having the data XOR-encrypted" (Finjan, 2009). After initial configuration, all communication from the Trojan is triggered by the domain matching described. Unlike Torpig and Zeus, there is no regular contact with the server, and also unlike Torpig & Zeus, that server is hard coded (MCRC, 2009) – a less flexible approach, as we shall see.

4.2. Torpig

Stealing Data

Torpig "can inspect all the data handled by [programs on compromised machines, including web browsers] and identify and store interesting pieces of information, such as credentials for online accounts and stored passwords" (Stone-Gross et al., 2009) by using DLLs, again injected through hooking. This is passive data theft in the same manner as used by URLzone, although not restricted to POST data, and including data extracted from browsers' password manager services and miscellaneous system data including Windows user account login passwords. Active data theft is also carried out by way of phishing attacks, externally controlled as described below. These attacks take the form of novel pages injected to replace pages on the target domain, which request user data in excess of that which would be requested by a legitimate security conscious site.
This goes beyond site-specific passwords, and may include personal details and multi-factor security components. These will be sent to C&C without any encryption or input obfuscation; another advantage of creating a new page rather than lifting data from fields in current legitimate pages.

Modifying html & Modifying Outgoing Data

Since Torpig is solely concerned with data theft, it does not modify outgoing data. Since it does not modify outgoing data, it does not need to hide its tracks, and the only html modification it makes is to create phishing pages. This can be achieved trivially, since the injection server returns to the Trojan a URL to a fully formed version of the novel page, which can then be directly substituted for the content of the legitimate page it is replacing.

Choosing Targets

Targets are chosen in the same way as Torpig picks what POST data to steal – domains of interest are listed in the configuration file obtained from the C&C server, and all data the user enters there is stolen.

Communicating with HQ

The bot sends the accumulated data it has stolen at fixed intervals, and all communication between Torpig C&C and its bots is carried out over HTTP POST messages encrypted with Torpig's own base64 + XOR encryption algorithm, using a symmetric key sent in the clear (Stone-Gross et al., 2009). Torpig is particularly notable, and follows a current trend, in that it does not report to a static server in the same way that URLzone did. Based on an algorithm that uses different pieces of date information, it generates a list of addresses of potential C&C servers. It then starts from the top of the list sending requests to these putative domains until it receives a valid C&C response, at which point the responding server becomes the control server for that bot until the next scheduled switchover. The attackers have the means to generate the same list, and can register some or all of the domains listed in advance, which is very clever because it removes the single point of failure that was exposed by URLzone. The addresses can be linked to a physical server of the attacker's choosing, and if one address is taken down, Torpig will automatically run through the rest of the list until it reaches the next domain attached to a C&C server. Likewise, if a C&C server is taken down, the currently registered addresses can be assigned to a new server and the botnet can continue about its business in the same way.

4.3. Zeus

Stealing Data

Zeus steals data according to both hard-coded general practices and configurable selection. It will lift passwords stored in insecure local repositories such as Windows Protected Storage, and any login data that is handled in an insecure manner, i.e., sent without encryption. The configuration will additionally allow the attacker to nominate domains from which Zeus should intercept all user input prior to encryption, which can then be forwarded to C&C. In this way, it is like a middle ground between URLzone and Torpig. It has some extra capabilities as well, in that it can be configured to capture screenshots upon mouse click events on pages in target domains, and has "a specialized routine that allows you to configure match patterns to search for transaction numbers in data posted to online banks. The match patterns include values such as the variable name and length of the TAN." (Falliere & Chien, 2009) This latter is especially powerful, as TANs (Transaction Authentication Numbers) are often used to provide the second part of two-factor authentication, which has been successful in preventing fraud from credential theft, since each TAN expires after a single use.
Attacks that steal this data must have some way of dealing with its expiration, and so will usually replace the user's TAN with a randomly chosen incorrect alternative – I cannot find a source to confirm that this is true also for Zeus, but it seems likely that is how it operates. What makes this "TANGrabber" routine particularly useful is that Zeus does not need explicit data about where it should expect to find the TAN in user input, but rather can identify TANs by certain shared attributes and harvest as many as it comes across.

Modifying html

Zeus performs html injection in the same way that URLzone does, and for the same reason that Torpig does. Based on a configured basic understanding of pages on targeted sites, Zeus inserts single or multiple fields into otherwise legitimate pages. The way it does so is fully customizable, and has the benefit of brevity in that only a small change is required, rather than having to request an entire page of html from an injection server – the overhead is low enough that it can be carried out client-side. The field will usually be set up to request extra authentication data such as sought by Torpig, which will be input in the clear and can be siphoned off directly to C&C. It can also "modify or hijack JavaScript that is used for client side security purposes" (Falliere & Chien, 2009) in the same way, in order to bypass a site's security.

Modifying Outgoing Data

Zeus, like Torpig, is only concerned with data theft, and so does not perform any real-time attacks. The only minor outgoing data modification it makes is substitution of chosen URLs in DNS requests in order to carry out traditional phishing attacks.

Choosing Targets

All targeting is handled through two libraries of filters, which it compares against the URLs visited by the browser in a similar manner as in Torpig's target selection. These are either general masked domain names from which all user data is lifted ("WebFilters"), or URL masks associated to pieces of text that must be present in a user submission for Zeus to select it for appropriation.
Communicating with HQ

Zeus communicates with C&C via POSTed messages similarly to Torpig, but does so whenever it has data to send as well as at timed intervals – it does not allow data to accumulate at the client side. Server responses from Torpig offer some control over its bots, but Zeus has a great deal more. It can order various functions from C&C varying from stealing extra files, through to rebooting the infected machine, and even deleting Windows' system32. This control comes more from Zeus' aspect as a full botnet suite rather than anything pertaining to MitB, but says a lot about how evolved and powerful Zeus is. Combined with the wideness of its infection, this is probably why Zeus has received so much more media attention than other botnets.

4.4. General Characteristics & Techniques

It should be clear from the limited sample explored that a great many different techniques are available to support, carry out and take advantage of MitB attacks. One question raised by this array of tools and techniques again regards definitions. At what points does MitB begin and end? Many of the functions carried out in furtherance of the attack do not take place "in the Browser", and the ways in which the browser can be compromised (though touched on only lightly here) are many and varied. They include API hooking and custom scripting as discussed, Document Object Model exploitation via Browser Helper Objects and Extensions, and even full virtualization (although this is only speculated by Gühring and seems not to have occurred in practice yet). Because of this, it is probably fairer to see MitB as a Trojan tool rather than a Trojan type.

Most of what these MitB implementations have in common are intentions, and general abstract concepts under which to perform their attacks (substitution, misdirection, intelligent selection etc).
Where they differ is in terms of technical execution, as in the preceding paragraph, and in where and whom they target. Banking customers in Europe and North America are definitely the primary targets, but the long tail of less profitable data theft extends across a broad range of other private data, which can either be abused directly or sold.

5. HOW MITB CAN BE STOPPED

Despite being perhaps the most important section in this paper, it will also be the shortest, as there is currently only one long-term guaranteed way to defend against MitB, and even that will cease to be so in time. Different companies endorse different (proprietary) methods of detection and prevention. Entrust (2010) advise the use of behaviour monitoring tools that can detect suspicious user actions, but this can be defeated by intelligent MitB programming that includes pseudorandom and conservative decision trees. More sophisticated monitoring would lead to more sophisticated decision trees, an arms race in which many would not be protected whenever attackers temporarily gained the upper hand. TriCipher (Litan & Allan, 2006) offers multifactor authentication, which has already been defeated in one form or another by all three Trojans of the case studies. Arcot (2010) offers digital signing embedded in Adobe Systems clients (which will inevitably transfer the problem from Man-in-the-Browser to Man-in-the-Adobe) and Virtual Private Sessions that rely on returning confirmation in a human-readable but obfuscated state in an image file. This latter may or may not work for now, but will also inevitably be overcome as machine reading improves and cracks are found in their proprietary security.

The only thing guaranteed to work, admirable also for its simplicity, is out of band confirmation.
The Arcot whitepaper trashes OOB authentication via passcode, but does not allow for OOB reporting (via either automated phone call or text message) that provides the user with a précis of all transactions their accounts attempt, and preferably the option to confirm or reject. There are two problems with this (setting aside the possibility that attackers could steal phone details and then hack personal phones, but if that has happened to you then you have bigger problems than banking fraud), which are:

1. It costs money, and unlike other paid-for solutions, this cost scales with the level of use.
2. It takes Internet banking (and whatever other forms of Internet transaction you wish to protect) at least partially off the Internet, which rather defeats the point of having them on the Internet in the first place.

It is probably reasonable to hope for an intelligent and satisfying solution at some time in the future, but one does not appear to be available at this time. Of course, if web users did not get malware infections then there would not be an issue, but this is unlikely to ever come about.

6. CONCLUSIONS & CONSEQUENCES

There is some confusion of terminology around MitB. Some sources (Entrust, 2010; Mushaq, 2010) define MitB as any attack that uses browser infection. This occurs even though MitB may only account for one facet of a multi-part attack, one technique in the arsenal of a Trojan. Others (Falliere & Chien, 2009; Stone-Gross et al., 2009) tend to brush over the MitB aspect of a piece of malware, or use it as another word for phishing. It is in any case a subtle and powerful technique, which gives criminals access to a great deal of opportunity for profit.

Furthermore, the sophistication of MitB attacks has grown over time, and can be expected to continue to grow as time passes (Imperva, 2010). Security solutions will need to improve similarly, and meanwhile, many people are going to be swindled.
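The out of band confirmation argued for in Section 5, contrasted with the plain OOB passcode that the Arcot whitepaper criticises, as an added simulation in Python; it is not code from the original paper or from any of the vendors named. It also carries the observation made in Section 6 that certification protects the data stream only after it leaves the browser: the server here receives exactly what the browser sent. Every payee, account number and amount is constructed for the example, and the in-browser substitution is modelled as a single field rewrite, just enough to show why a code that says nothing about the transaction approves it anyway while a précis read back on the phone does not.

```python
"""Out-of-band confirmation: plain passcode versus transaction precis.

Constructed simulation (added example, not from the paper). Names, account
numbers and amounts are made up. The browser side is modelled only as
'what leaves the browser', because the encrypted channel faithfully carries
whatever the browser sends, altered or not.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    payee: str
    account: str
    amount_cents: int

    def precis(self) -> str:
        """Short human-readable summary; this is what the OOB message carries."""
        return f"{self.amount_cents / 100:.2f} to {self.payee} ({self.account})"


def browser_submit(typed: Transfer, substituted_account: Optional[str]) -> Transfer:
    """What the server receives. TLS protects the request after it leaves the
    browser; if the page was rewritten before that point, the channel simply
    delivers the rewritten transfer. (Toy model of the substitution, not malware.)"""
    if substituted_account is None:
        return typed
    return Transfer(typed.payee, substituted_account, typed.amount_cents)


class Bank:
    """Server side. It only ever sees the transfer as received."""

    def __init__(self) -> None:
        self._pending: Dict[str, Transfer] = {}
        self._codes: Dict[str, str] = {}
        self.executed: List[Transfer] = []

    # Scheme A: OOB passcode. The phone receives a code that says nothing
    # about the transfer, and the customer types it into the browser.
    def start_passcode(self, received: Transfer) -> Tuple[str, str]:
        sid = secrets.token_hex(8)
        self._pending[sid] = received
        self._codes[sid] = secrets.token_hex(3)
        return sid, self._codes[sid]

    def finish_passcode(self, sid: str, code_from_browser: str) -> bool:
        ok = secrets.compare_digest(code_from_browser, self._codes.pop(sid))
        tx = self._pending.pop(sid)
        if ok:
            self.executed.append(tx)
        return ok

    # Scheme B: OOB precis. The phone receives the details the bank actually
    # holds, and the answer comes back over the same out-of-band channel.
    def start_precis(self, received: Transfer) -> Tuple[str, str]:
        sid = secrets.token_hex(8)
        self._pending[sid] = received
        msg = f"Transfer request: {received.precis()}. Reply YES to confirm or NO to reject."
        return sid, msg

    def finish_precis(self, sid: str, reply_from_phone: str) -> bool:
        tx = self._pending.pop(sid)
        if reply_from_phone.strip().upper() == "YES":
            self.executed.append(tx)
            return True
        return False


def customer_reply(intended: Transfer, oob_message: str) -> str:
    """The customer compares the summary on the phone with what they typed."""
    return "YES" if intended.precis() in oob_message else "NO"


def run(scheme: str, substituted_account: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Runs one scenario. Returns (executed?, account the money went to)."""
    intended = Transfer("Acme Utilities", "GB00 0000 1111", 12_050)  # constructed
    bank = Bank()
    received = browser_submit(intended, substituted_account)
    if scheme == "passcode":
        sid, code = bank.start_passcode(received)
        # The customer copies the code faithfully; a rewritten page relays it
        # unchanged, so the bank approves whatever it already holds.
        executed = bank.finish_passcode(sid, code)
    elif scheme == "precis":
        sid, msg = bank.start_precis(received)
        executed = bank.finish_precis(sid, customer_reply(intended, msg))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return executed, (bank.executed[0].account if executed else None)


if __name__ == "__main__":
    for scheme in ("passcode", "precis"):
        for sub in (None, "GB99 0000 9999"):  # constructed substitute account
            print(scheme, "substituted" if sub else "clean", run(scheme, sub))
```

Running the four scenarios shows the asymmetry the paper relies on: under the passcode scheme the substituted transfer is executed, because the code binds nothing about the transfer and the compromised browser relays it; under the précis scheme the customer sees the account the bank actually holds and rejects it. The two costs the paper lists remain: every transfer needs a message on a second channel, and the approval leaves the Internet session.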
The best way to improve security until the industry catches up is to practice good computer hygiene and if possible to keep valuable transactions at least partially off the Internet.

In short, an improved level of user education regarding the dangers of the Internet would be effective at preventing most types of client-side attack, but such caution as would be taken in response to education is lacking among many. On the one hand, you could see the increasing general aptitude among many who access the Internet at providing basic data sanitation for their devices as a sign that improved understanding over time will solve this problem. On the other hand, you could accept that no amount of education will provide protection to the percentage of people who are not willing or able to keep up with changing trends and practices in computing. It follows that these people are exactly the ideal targets for this type of fraud – in effect, distribution of aptitude focuses the attacks upon those least able to protect themselves against them. General understanding must and will improve, and will help, but will not be a solution.

One of the consequences of MitB can be seen by contrast to the effectiveness of one technique successful in defeating MitM – certification. This works by allowing communication between client and server to be encrypted using public key cryptography, based on keys from certificates provided by the server, which are themselves issued by Certification Authorities. These authorities are themselves certified by other bodies, which are in turn also certified, creating a chain of trust that leads back to a small number of internationally recognised (and browser hard-coded) authorities that can usually be relied upon (Hallam-Baker, 2011) to vouch only for trustworthy servers. However, certification of this type only protects a data stream after it leaves the user's browser, and does not have any control over how that browser displays any server response.
MitB bypasses this security entirely, since it has access to data before encryption, and has control over what the browser displays after a server response has been decrypted.

MitB undermines the reliability of security in this way with regards to all of the other forms of security ineffective against it. It is clear that the possibility of MitB weakens the trust that a user can have in the integrity of their system, but it also weakens the trust that the server can have in the authenticity of messages received from clients. This two way weakening is an obstacle that will need to be overcome in the future, since the establishment of mutual trust is one of the main impediments to growth in the utility of the Internet.

"Cybercriminals" are getting better at cybercrime, especially as Computer Science education spreads in 2nd and 3rd world countries with less than stringent Internet law enforcement. The examples taken above all seem to have originated in Soviet Bloc countries, but similar attacks have been identified from all over the world, including even the well known "Nigerian Prince" scam. A consequence of the Information Economy, insofar as information is very easy to move from place to place, is that traditional borders to the scalability of some types of crime will be eroded in the same way as has happened for the borders to some types of legitimate business.

Therefore, we can expect to see a superior successor in some form to MitB as MitB was to MitM, and thence onward – also we can expect these attacks to become increasingly successful and costly.

REFERENCES

Arcot. (2010). Protecting Online Customers from Man-in-the-Browser and Man-in-the-Middle Attacks. Retrieved from Arcot Resources - Briefs and White Papers for Online Identity Fraud Protection website: Protection_from_MITM_&_MITB_Attacks_White_Paper.pdf

Chechik, D. (2009, September 30). Malware Analysis – Trojan Banker URLZone/Bebloh. Retrieved April 5, 2011, from M86 Security Labs website: 2009/09/malware-analysis-trojan-banker-urlzonebebloh/

Entrust. (2010). Defeating Man-in-the-Browser. Retrieved April 3, 2011, from Internet Security and Encryption White Papers website:

Falliere, N., & Chien, E. (2009). Zeus: King of … enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

Finjan. (2009, July). Cybercrime Intelligence Report, Issue no. 3. Retrieved March 20, 2011, from M86 Security website:

Gühring, P. (2006, September 12). Concepts against Man-in-the-Browser Attacks. Retrieved March 3, 2011, from website:

Hallam-Baker, P. (2011, March 23). The Recent RA Compromise. Retrieved March 25, 2011, from Comodo Blogs website:

Imperva. (2010, November 16). Top ten security trends for 2011. Retrieved from Continuity Central website:

Litan, A., & Allan, A. (2006, September 12). Threats: Man in the Browser. Retrieved April 10, 2011, from Tricipher website:

(2009, July 22). How a cybergang operates a network of 1.9 million infected computers. Retrieved April 2011, from SecureTweets Blog website: How-a-cybergang-operates-a-network-of-19-million-infected-computers.aspx

Murchu, L. O. (2008, January 8). Trojan.Silentbanker Technical Details. Retrieved April 3, 2011, from Symantec Security Response website: writeup.jsp?docid=2007-121718-1009-99&tabid=2

Mushaq, A. (2010, February 19). Man in the Browser: Inside the Zeus Trojan. Retrieved April 9, 2011, from threatpost: Kaspersky Lab Security News Service website:

FraudAction Research Labs. (2008, October 31). One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts. Retrieved March 15, 2011, from Speaking of Security – The RSA Blog and Podcast website: -one-gang-hundreds-of-thousands-of-compromised-accounts/
Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., et al. (2009). Your Botnet is My Botnet: Analysis of a Botnet Takeover. Retrieved April 2, 2011, from Taking over the Torpig botnet website:

(2009). Zeus: King of the Bots. Retrieved April 5, 2011, from Security Response website: security_response/whitepapers/zeus_king_of_bots.pdf

Tanenbaum, A. S., & Wetherall, D. J. (2011). Computer Networks (5th ed.). Boston, MA: Pearson.

ENDNOTES

1. Note however that this is how Stone-Gross et al. were able to hijack the Torpig botnet. Note too that because the domain selection algorithm can be changed, they were only able to maintain control for 10 days.
2. Which will not make your computer run faster, despite what you may have heard.

Kevin Curran BSc (Hons), PhD, SMIEEE, FBCS CITP, SMACM, FHEA is a Reader in Computer Science at the University of Ulster and group leader for the Ambient Intelligence Research Group. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes. Dr. Curran has made significant contributions to advancing the knowledge and understanding of computer networking and systems, evidenced by over 650 published works. He is perhaps most well-known for his work on location positioning within indoor environments, pervasive computing and internet security. His expertise has been acknowledged by invitations to present his work at international conferences, overseas universities and research laboratories. He is a regular contributor to BBC radio & TV news in the UK and is currently the recipient of an Engineering and Technology Board Visiting Lectureship for Exceptional Engineers and is an IEEE Technical Expert for Internet/Security matters. He is listed in the Dictionary of International Biography, Marquis Who's Who in Science and Engineering and by Who's Who in the World. Dr. Curran was awarded the Certificate of Excellence for Research in 2004 by Science Publications and was named Irish Digital Media Newcomer of the Year Award in 2006. Dr. Curran has performed external panel duties for various Irish Higher Education Institutions. He is a fellow of the British Computer Society (FBCS), a senior member of the Association for Computing Machinery (SMACM), a senior member of the Institute of Electrical and Electronics Engineers (SMIEEE) and a fellow of the Higher Education Academy (FHEA). Dr. Curran's stature and authority in the international community is demonstrated by his influence, particularly in relation to the direction of research in computer science. He has chaired sessions and participated in the organising committees for many highly-respected international conferences and workshops. He is the Editor-in-Chief of the International Journal of Ambient Computing and Intelligence and is also a member of 15 Journal Editorial Committees and numerous international conference organising committees. He has served as an advisor to the British Computer Society in regard to the computer industry standards and is a member of BCS and IEEE Technology Specialist Groups and various other professional bodies.