Man In The Browser
Published in: Technology
Transcript

  • 1. Man-In-The-Browser
      Aras Tarhan, Manos Dimogerontakis, Mário Almeida, Umit Buyuksahin
  • 2. Outline
      ● Man-in-the-Browser Attack
      ● Method of Attack
      ● Banking Trojans
      ● Zeus
      ● Zeus Installation
      ● Zeus Configuration Files
      ● Demo
  • 3. Man-in-the-Browser Attack
      ● Online phishers steal money from online customers
      ● Online customers are targeted with increasingly advanced methods
      ● One of the latest and most dangerous is Man-in-the-Browser
      ● The malicious code modifies actions performed by the computer user
      ● It then steals confidential information
      ● These attacks cannot be detected by the user
  • 4. Method of Attack
      ● The trojan installs an extension into the browser configuration.
      ● Whenever a page is loaded, the URL of the page is searched by the extension against a list of known sites targeted for attack.
      ● When the handler detects a page-load for a specific pattern in its targeted list.
      ● When the submit button is pressed, the extension extracts all data from all form fields.
  • 5. Method of Attack (2)
      ● The browser sends the form including the modified values to the server.
      ● The server receives the modified values in the form as a normal request.
      ● The server performs the transaction and generates a receipt.
      ● The browser receives the receipt for the modified transaction and displays the modified receipt with the original details.
  • 6. Banking Trojans
      A number of Trojan families are used to conduct MITB attacks. Some MITB Trojans are so advanced that they have streamlined the process for committing fraud, programmed with functionality to fully automate the process from infection to cash out.
      Some known banking trojans:
      ● Zeus
      ● Sinowal (Torpig)
      ● SpyEye
      ● Carberp
      ● Feodo
      ● Tatanga
      ● ...
  • 7. ZEUS
      ● aims to steal the victim's credentials
      ● steals banking information using keystroke logging and form grabbing
      ● first appeared in 2007, became widespread in 2009 (about 3.6 million in the US)
      ● targets only the Microsoft Windows OS
      ● version used: 2.0.8.9
  • 8. Evolution of ZEUS
      ● Version 2.0.0.0, 01.04.2010
          ○ fully compatible with previous versions
          ○ the installation process in the system was rewritten to send reports to the control panel
          ○ valuable work with x32 applications in Windows x64
          ○ the name of the botnet is limited to 20 characters and can contain any international characters
          ○ complete (as with wininet.dll) to work with nspr4.dll, but without HTTP-fakes
          ○ the configuration file is read in UTF-8 encoding
  • 9. Evolution of ZEUS
      ● Version 2.0.1.0, 28.04.2010
          ○ modified to bind to the user/OS
          ○ minor improvements to HTTP-injects
      ● Version 2.0.2.0, 10.05.2010
          ○ forced change of Mozilla Firefox security settings for normal HTTP-injects
      ● Version 2.0.3.0, 19.05.2010
          ○ in the configuration file:
              ■ added the option "StaticConfig.disable_tcpserver"
              ■ added the option "StaticConfig.remove_certs"
          ○ in the control panel, fixed a bug in the module "Botnet -> Bots"
  • 10. Evolution of ZEUS
      ● Version 2.0.5.0, 08.06.2010
          ○ fixed minor bugs in HTTP-grabber
      ● Version 2.0.6.0, 22.06.2010
          ○ fixed an error resulting in disabling HTTP-injects
      ● Version 2.0.8.0, 17.08.2010
          ○ new options added to the HTTP-injects parameters: "I" (compare URL insensitive) and "C" (comparison of context insensitive)
      ● Version 2.1.0.0, 20.03.2011
          ○ RDP + VNC BACKCONNECT added to connect remotely to the victim
  • 11. Zeus - Capabilities
      ● gets OS info
      ● does other things done by botnet scripts (like reboot, shutdown, log off and kill OS)
      ● takes screenshots
      ● sends a script to be executed
      ● searches files
      ● all orders and their states can be viewed on a control panel on the server
  • 12. Used Environments
      ● Virtual Machine
          ○ to add a significant layer of security and safety
          ○ both the server and the client to be hacked are installed on distinct virtual machines
          ○ program used: VirtualBox 4.1.6 for Windows hosts, Oracle
          ○ each of them has two network adaptors: Host-only to communicate between them and NAT for outside internet access
      ● Operating System
          ○ program used: Windows XP Service Pack 3, Microsoft
          ○ because the Zeus we obtained can be built on Windows
  • 13. Used Environments
      ● Server and Database
          ○ to manage bots inside victims
          ○ to receive the information from bots running on infected clients
          ○ to store the targeted data about the victim
          ○ program used: XAMPP 1.7.7, including
              ■ Apache 2.2.21
              ■ MySQL 5.5.16
              ■ PHP 5.3.8
              ■ phpMyAdmin 3.4.5
  • 14. Zeus Installation
  • 15. Demo
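
Slides 4 and 5 describe the server receiving modified form values as a normal request while the user is shown the original details. The following is an added example, not part of the presentation, of one server-side countermeasure: a confirmation code bound to the transaction details and computed on a separate device. The key, nonce, field names and account values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): provisioned to the customer's separate
# device and to the server, never present in the browser.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(txn: dict) -> bytes:
    """Unambiguous serialization of the fields that must not change in transit."""
    fields = [txn["payee_account"], txn["amount"], txn["currency"]]
    return json.dumps(fields, separators=(",", ":")).encode()


def confirmation_code(key: bytes, txn: dict, nonce: str) -> str:
    """Code bound to the transaction details and a per-request nonce.

    Truncated to 8 hex characters so a person can type it; demo length only.
    """
    mac = hmac.new(key, nonce.encode() + b"|" + canonical(txn), hashlib.sha256)
    return mac.hexdigest()[:8]


def server_accepts(received: dict, nonce: str, code_from_user: str) -> bool:
    """Recompute the code over the values the server actually received."""
    expected = confirmation_code(DEVICE_KEY, received, nonce)
    return hmac.compare_digest(expected, code_from_user)


def demo() -> dict:
    nonce = "constructed-nonce-0001"
    intended = {"payee_account": "ACCT-1111", "amount": "100.00", "currency": "EUR"}
    # Constructed stand-in for form values altered before the request is sent.
    altered = dict(intended, payee_account="ACCT-9999", amount="5000.00")
    # The user checks the details on the device and enters the code it shows.
    user_code = confirmation_code(DEVICE_KEY, intended, nonce)
    return {
        "untampered": server_accepts(intended, nonce, user_code),
        "tampered": server_accepts(altered, nonce, user_code),
    }


if __name__ == "__main__":
    print(demo())
```

The check works only because the code is computed outside the browser; a code generated by page script would be computed over whatever values the browser holds.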
