Man In The Browser
Transcript

  • 1. Man-In-The-Browser
    Aras Tarhan, Manos Dimogerontakis, Mário Almeida, Umit Buyuksahin
  • 2. OUTLINE
    ● Man-in-the-Browser Attack
    ● Method of Attack
    ● Banking Trojans
    ● Zeus
    ● Zeus Installation
    ● Zeus Configuration Files
    ● DEMO
  • 3. Man-in-the-Browser Attack
    ● Online phishers steal money from online customers
    ● Online customers are targeted with increasingly advanced methods
    ● One of the latest and most dangerous is Man-in-the-Browser
    ● The malicious code modifies actions performed by the computer user
    ● It then steals confidential information
    ● These attacks cannot be detected by the user
  • 4. Method of Attack
    ● The trojan installs an extension into the browser configuration
    ● Whenever a page is loaded, the URL of the page is searched by the extension against a list of known sites targeted for attack.
    ● When the handler detects a page-load for a specific pattern in its targeted list.
    ● When the submit button is pressed, the extension extracts all data from all form fields.
  • 5. Method of Attack (2)
    ● The browser sends the form including the modified values to the server.
    ● The server receives the modified values in the form as normal request.
    ● The server performs the transaction and generates a receipt.
    ● The browser receives the receipt for the modified transaction and displays the modified receipt with the original details.
  • 6. Banking Trojans
    A number of Trojan families are used to conduct MITB attacks. Some MITB Trojans are so advanced that they have streamlined the process for committing fraud, programmed with functionality to fully automate the process from infection to cash out.
    Some known banking trojans:
    ● Zeus
    ● Sinowal (Torpig)
    ● SpyEye
    ● Carberp
    ● Feodo
    ● Tatanga
    ● ...
  • 7. ZEUS
    ● its aim is to steal the victim's credentials
    ● steals banking information by using keystroke logging and form grabbing methods
    ● first appeared in 2007, became widespread in 2009 (about 3.6 million in the US)
    ● targets only Microsoft Windows OS
    ● used version: 2.0.8.9
  • 8. Evolution of ZEUS
    ● Version 2.0.0.0, 01.04.2010
      ○ fully compatible with previous versions
      ○ the installation process in the system was re-written to send reports to the Control panel
      ○ valuable work with x32 applications in Windows x64
      ○ the name of the botnet is limited to 20 characters and can contain any international characters
      ○ complete (as with wininet.dll) to work with nspr4.dll, but without HTTP-fakes
      ○ the configuration file is read in UTF-8 encoding
  • 9. Evolution of ZEUS
    ● Version 2.0.1.0, 28.04.2010
      ○ modified to bind to the user/OS
      ○ minor improvements to HTTP-injects
    ● Version 2.0.2.0, 10.05.2010
      ○ forced change of Mozilla Firefox security settings for normal HTTP-injects
    ● Version 2.0.3.0, 19.05.2010
      ○ in the configuration file,
        ■ added the option "StaticConfig.disable_tcpserver"
        ■ added the option "StaticConfig.remove_certs"
      ○ in control panel, fixed a bug in the module "Botnet-> Bots"
  • 10. Evolution of ZEUS
    ● Version 2.0.5.0, 08.06.2010
      ○ fixed minor bugs in HTTP-grabber
    ● Version 2.0.6.0, 22.06.2010
      ○ fixed an error resulting in disabling HTTP-injects
    ● Version 2.0.8.0, 17.08.2010
      ○ new options "I" (compare URL insensitive) and "C" (comparison of context insensitive) were added to the HTTP-injects parameters
    ● Version 2.1.0.0, 20.03.2011
      ○ RDP + VNC BACKCONNECT added to connect remotely to the victim
  • 11. Zeus - Capabilities
    ● gets OS info
    ● does other things done by botnet scripts (like reboot, shutdown, log off and kill OS)
    ● takes screenshots
    ● sends a script to be executed
    ● searches files
    ● all orders and their states can be viewed on a control panel on the server
  • 12. Used Environments
    ● Virtual Machine
      ○ to add a significant layer of security and safety
      ○ both the Server and the Client to be hacked are installed on distinct Virtual Machines
      ○ used program: VirtualBox 4.1.6 for Windows hosts, Oracle
      ○ each of them has two network adaptors: Host-only to communicate between them and NAT for outside internet access
    ● Operating System
      ○ used program: Windows XP Service Pack 3, Microsoft
      ○ since the Zeus we obtained can be built on Windows
  • 13. Used Environments
    ● Server and Database
      ○ to manage bots inside victims
      ○ to receive the information from bots running on infected clients
      ○ to store the targeted data about the victim
      ○ used program: XAMPP 1.7.7 including
        ■ Apache 2.2.21
        ■ MySQL 5.5.16
        ■ PHP 5.3.8
        ■ phpMyAdmin 3.4.5
  • 14. Zeus Installation
  • 15. Demo
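
The "Method of Attack" slides (4 and 5) end with the server accepting modified form values as a normal request. The following is an added example, not part of the original slides, and it goes beyond them by showing one server-side check for that flow: a confirmation code computed outside the browser over the details the customer intended. The `Bank` class, the hardware-token model, the account names and the amounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def confirmation_code(key: bytes, payee: str, amount_cents: int, nonce: str) -> str:
    """Code bound to the exact transaction details (truncated HMAC-SHA256)."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]

class Bank:
    """Server side (hypothetical): it only sees the form values the browser submitted."""

    def __init__(self, token_key: bytes):
        self.token_key = token_key   # shared with the customer's hardware token
        self.pending = {}            # nonce -> (payee, amount_cents) as received

    def receive_form(self, payee: str, amount_cents: int) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (payee, amount_cents)
        return nonce

    def confirm(self, nonce: str, code: str) -> bool:
        details = self.pending.pop(nonce, None)   # single use: replays fail
        if details is None:
            return False
        expected = confirmation_code(self.token_key, *details, nonce)
        return hmac.compare_digest(expected, code)

def run_transfer(intended, submitted):
    """Simulate one transfer; `submitted` is what actually reached the server."""
    key = secrets.token_bytes(32)        # constructed per-customer token key
    bank = Bank(key)
    nonce = bank.receive_form(*submitted)
    # The customer keys the details they intended into the token, which is
    # outside the browser, and types the resulting code back into the page.
    code = confirmation_code(key, *intended, nonce)
    first = bank.confirm(nonce, code)
    replay = bank.confirm(nonce, code)   # same nonce again must be refused
    return first, replay

if __name__ == "__main__":
    wanted = ("ACCT-1001", 5_000)                      # constructed sample values
    print(run_transfer(wanted, wanted))                # (True, False)
    print(run_transfer(wanted, ("ACCT-9999", 5_000)))  # (False, False)
```

The check only holds if the customer reads and enters the transaction details on the separate device; a code derived from values shown in the browser would be bound to whatever the browser displays.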