
Man-In-The-Browser attacks


Report on Man-in-the-Browser attacks.

Published in: Technology, Economy & Finance

Man-in-the-Browser Attacks
Mário Almeida, Umit Buyuksahin, Emmanouil Dimogerontakis, Aras Tarhan
December 20, 2011
Contents
1 Background
2 Introduction
  2.1 The Risk in Man-in-the-Browser Attack
  2.2 Global Threat of Man-in-the-Browser
  2.3 Evaluation
  2.4 Point of Attacks
3 Background & Overview of the Method of Attack
  3.1 The Method of Attack
    3.1.1 Phase 1: Infection
    3.1.2 Phase 2: Transaction Takeover
  3.2 Banking Malware Example
4 Banking Trojans
  4.1 Banking trojans capabilities
  4.2 Anatomy of an e-fraud incident
  4.3 Zeus configuration files
  4.4 Domain Generation Algorithms
  4.5 P2P botnets
  4.6 Social Engineering
  4.7 Man-In-The-Mobile
  4.8 Tatanga
  4.9 Banking trojans statistics
5 Counter Measures
  5.1 Active
  5.2 Passive
  5.3 Combination of Active and Passive counter Measures
Chapter 1
Background

Initially, online fraudsters (phishers) used social engineering techniques to obtain personal information from customers by e-mail, in order to steal money from their Internet banking accounts. This information, such as passwords or bank account details, could then be reused for other criminal activities. For example, fraudsters may deliberately leave the victim's information behind after committing a crime, so that the visible evidence points to the victim as the suspect. Fraudsters keep developing newer and more advanced methods to target online customers. One of the latest and most dangerous is the use of Trojans to launch Man-in-the-Browser (MITB) attacks. In short, a Man-in-the-Browser attack occurs when malicious code infects an Internet browser. The code modifies actions performed by the user and, in some cases, is able to initiate actions independently of the customer. When a customer logs on to their bank account, using an infected browser is enough to trigger illicit transactions that result in online theft.
Chapter 2
Introduction

Online fraud was first carried out through social engineering: potential victims were persuaded to send their confidential information, such as usernames, passwords and bank account details, in a reply e-mail. A more general form of this attack creates fraudulent web pages that convince customers they are on the bank's legitimate website. When the customer submits information through the form on the fraudulent page, it is sent to the online fraudsters. Several spying techniques are used to monitor a customer's banking information, such as:
  • screenshot and video capture
  • code injection into fraudulent pages or form fields
  • website redirection
  • keystroke logging
Sometimes several of these techniques are combined to obtain the customer's information, for instance using screenshot and video capture to monitor the user's activity and keystroke logging to record passwords.

Subsequently, one of the latest and most dangerous online fraud techniques, the Trojan horse, was released. It operates by embedding itself in the user's Internet browser, later stealing confidential information and sending it back to the online fraudsters. A number of Trojan families are used to conduct Man-in-the-Browser attacks, including Zeus, Adrenaline, Sinowal and Silent Banker. Some MITB Trojans are so advanced that they have streamlined the process of committing fraud, with functionality that fully automates the process from infection to cash-out.

Man-in-the-Browser and Man-in-the-Middle attacks: although Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks share the same idea of controlling the Internet traffic between client and server, they carry out the attack in different ways. Unlike a Man-in-the-Middle attack, a Man-in-the-Browser attack is placed inside the customer's browser and manipulates outgoing and incoming traffic after the customer's authentication process has completed.

2.1 The Risk in Man-in-the-Browser Attack

The most obvious and most dangerous property of Man-in-the-Browser attacks is that they are hard to detect and, in many cases, succeed in causing damage completely surreptitiously. Some of the reasons why MITB attacks pose a high risk are:
  • Computers can be infected easily: while browsing or downloading media and other files, customers are often encouraged to install updated versions of software. Such requests are so common that many users accept them automatically and do not notice the subtle differences between a malware program and a legitimate one. Thus they may download malware and infect their computers unknowingly.
  • Detection is hard: since malware is produced with toolkits that support variations of the malicious code, it is hard to detect.
  • Traditional strong authentication is inadequate: strong authentication validates that the person logging on to an online resource is indeed who he or she claims to be. When the customer wants to make an online transaction, the infected browser carries out illicit transactions covertly; neither the customer nor the bank is aware that anything irregular is happening.
  • Traditional anti-fraud mechanisms are not effective: risk-based anti-fraud tools focus on user authentication and transaction validation; they do not detect whether a transaction was initiated by malware, so the risk remains high.

2.2 Global Threat of Man-in-the-Browser

MitB attacks are not confined to one region or geography; they are a global threat, affecting all regions of the world. However, they are especially prevalent in areas where two-factor authentication is densely deployed. Today, MitB attacks are increasing in deployment and scale:
  • In the United Kingdom, banks are suffering an increasing number of MITB attacks. One financial institution alone reported a loss of 600,000 pounds as a result of a single attack by the PSP2-BBB Trojan.
  • European countries such as Germany, the Netherlands, Spain, France and Poland have deployed two-factor authentication in the last few years, which has attracted a rise in the number of MITB attacks in these regions. Germany has been particularly hard hit, since MITB is one of the few successful paths to online banking fraud in the country. Banking innovations such as the Single Euro Payments Area (SEPA) and pressure to deliver faster payments have also increased exposure to transaction fraud: the increased ease and speed of moving money is advantageous for legitimate transactions, but reduces the room to investigate and prevent suspicious ones.
  • In the U.S., financial institutions are also attacked by MITB, but the threat has mainly been confined to commercial banking or high-net-worth customers. Because one-time password authentication is not very common among consumers in the U.S., MITB attacks against the general consumer public are less common than in Europe. However, as security defenses increase and the ability to infect more machines with MITB Trojans grows, the number of attacks on U.S. retail banking institutions is also expected to rise.
  • Financial institutions in Australia, Asia and Latin America are increasingly deploying two-factor authentication for their online banking users and, as a result, have experienced an increasing number of MITB attacks.

2.3 Evaluation

Man-in-the-Browser is also called a proxy Trojan or a password-pinching Trojan. It combines online fraud approaches with Trojan horse technology placed in the customer's browser to modify, capture and/or add information on web pages without the knowledge of either the customer or the host.
Man-in-the-Browser Trojans commonly perform what is known as session hijacking: they abuse a legitimate user's session with the site being accessed while the user is logged into their account. By hijacking a session in this way, all actions performed by the Trojan become part of the user's legitimate session, whether a malicious action (e.g. a fraudulent money transfer or a change of postal address) or the injection of JavaScript code that then performs it automatically. The basic flow of a MITB attack is as follows:
  1. A consumer gets infected with a Trojan capable of launching an MITB attack.
  2. Upon the initiation of a legitimate online transaction, the Trojan is triggered into action and launches its MITB functionality.
  3. The user passes all authentication stages, including any two-factor authentication when needed. The Trojan waits silently for a successful login and/or transaction authorization.
  4. The Trojan manipulates the transaction details: the payee, and sometimes the amount. In most cases the legitimate payee account is replaced with a mule account that the fraudsters can use.
  5. Through social engineering the user remains unaware that they are affected. The Trojan displays fake pages to the user, which may show the transaction details as originally entered. If additional authentication is necessary to complete the transaction, the Trojan interacts with the user and asks them to enter their authentication credentials in real time to approve the transaction.

2.4 Point of Attacks

Online fraudsters have successfully targeted Firefox, Internet Explorer and Opera on the Windows, Linux and Mac OS X platforms using Trojans. In Man-in-the-Browser attacks, the Trojans use the following browser facilities for this purpose:
  • Browser Helper Objects: dynamically loaded libraries (DLLs) loaded by Internet Explorer (IE) at start-up. They run inside IE and have full access to IE and to the DOM tree. Developing BHOs is very easy.
  • Extensions: the equivalent of Browser Helper Objects for other browsers such as Firefox (hereafter both will be referred to as extensions). Developing extensions is easy.
  • UserScripts: scripts that run in the browser (Firefox/Greasemonkey, Opera). Developing UserScripts is very easy.
  • API hooking: this technique is a Man-in-the-Middle attack between the application (.exe) and the DLLs it loads, both application-specific DLLs such as extensions and operating-system DLLs. For example, if the SSL engine of the browser is a separate DLL, API hooking can be used to modify all communication between the browser and the SSL engine. Developing API hooks is difficult.
Figure 2.1: A good example of this type of attack is the breach of Paul McCartney's fan page. In April 2009, the site was hacked for two days and all visitors were silently infected with a variant of a MITB Trojan.
Chapter 3
Background & Overview of the Method of Attack

The fraudulent transaction is made from the victim's computer, while the victim is working with the targeted site, and silently, without asking the victim for anything. Man-in-the-Browser, sometimes also called a proxy Trojan, operates from within the web browser by:
  • hooking key operating system and web browser APIs:
    – When Internet Explorer opens a connection to the Internet, it calls a function named InternetConnect, which resides in the wininet.dll module present in every Windows installation. MITB Trojans simply hook this first call between the Internet Explorer application and the Windows system, so that the Trojan gets full control over everything transmitted through it.
    – On Mac, if a web browser uses the system API to manage its Internet connections, the malware only needs to hook CFReadStreamOpen(), CFReadStreamRead() or CFReadStreamWrite() in the same way.
    – The hooking method works as follows: the hooked call jumps into the malware's own code base, so that the malicious code is executed. The hook must make sure the original code is still called; otherwise no Internet connection would be established.
  • inserting advanced HTML/JavaScript injections and utilising the common facilities provided to enhance browser capabilities:
    – Firefox extensions provide functionality to capture and edit HTTP/S form data as it is submitted to and received from the web server. An attacker can change the values of form elements without the user's knowledge. Even when HTTPS is used, an extension's code can change the secured fields of a form before encryption and after decryption of the data, which makes Man-in-the-Browser attacks possible through malicious Firefox extensions. When a user submits a form, an extension can intercept the submission and change its values; when a response arrives from the server, the extension can again intercept it and change it as required. It makes no difference whether a secured channel is used or whether the form request is POST or GET. Since the changes are made by the extension inside the browser, both on request and on response, they are not observable by the user and are difficult to detect. Some operations that can be done through HTML/JavaScript injection:
    – Persistent storage: persistent storage is used when the malware wants to save the current account balance for later use. Internet Explorer provides an interface for localStorage and globalStorage that can be used for exactly this purpose. If that is not possible (e.g. on Firefox), the malware simply creates a new content element (a <DIV> element called customStorage) in which it stores the information. Access to the persistent store is done through a JavaScript function where the caller specifies whether to read, write or delete the name and value of the stored item, together with an expiry.
    – Getting the actual cash balance of the current account.
    – Replacing the login button with a malicious login button.
    – Changing the account balance display, to hide the fraudulent transaction amount. The JavaScript reads the fraudulent amount from local storage into a variable, and the HTML of the fake amount (the current balance plus the fraudulent amount) is written into the page.
    – Remembering the last login date and replacing the "real" last login date with a fake one. When called, the code walks through the content elements, finds the paragraph that contains the last login, and converts the date and time into a JavaScript variable. The first time, it just stores this information in the persistent storage; the second time, it replaces the real date with the saved one.
    – Changing the recipient details on form submission. The original recipient details are saved and the wire transfer form is located; all these details are stored in local storage. The login number, the account number, the amount and the bank identification number are sent to the attacker's server, which replies with the money mule account details. The malware then searches for the wire transfer form, stores the received mule details in local storage for later use and makes sure the wire transfer is executed immediately: the recipient details are changed to the mule's, the form is submitted and the wire transfer is executed.
    – One-time-password token stealing: on an authentication page where the user has to provide an OTP, the malware hooks the onSubmit of the sign-on button. It saves all values (including the OTP) and then simulates the look and feel of a new page loading. This new page says that the token password has expired and asks the user to enter another one. The page load is stretched out to obtain a new OTP: all content elements are made invisible (via CSS) and a loading time is simulated; with a timeout function the content elements then appear one by one, exactly as a slowly loading page would. All input parameters are checked (including, for example, that the new OTP differs from the old one).

In short, Man-in-the-Browser malware, which is virtually undetectable by virus scanning software, allows the attacker:
  • not to worry about encryption, since SSL/TLS happens outside the browser;
  • to inspect any content sent or received by the browser;
  • to inject and manipulate any content before it is rendered within the web browser;
  • to dynamically create additional GET/POST/PUT/etc. requests to any destination.

3.1 The Method of Attack

3.1.1 Phase 1: Infection

The first phase of an MITB attack is the infection of a target computer (Figure 3.1). A number of techniques have proven effective, typically relying on social engineering to trick a user into doing something unwise, but sometimes exploiting other browser or network vulnerabilities.
  1. The user is manipulated, by means of phishing e-mails, a "necessary" video codec, a pirated software package, an interesting PDF document etc., into downloading malware-infected software or a "patch" that exploits a browser vulnerability.
  2. At some later time, the user restarts the browser.
  3. The Trojan installs an extension into the browser configuration.
  4. The browser loads the extension.
  5. The extension registers a handler for every page load.

Figure 3.1:

3.1.2 Phase 2: Transaction Takeover

Figure 3.2:
  1. The extension monitors all of the user's activities.
  2. Whenever a page is loaded, the extension checks the URL of the page against a list of known sites targeted for attack.
  3. When a targeted site is loaded, it registers a button event handler.
  4. It extracts all data through the DOM (Document Object Model, a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents) interface in the browser, modifies it, and then lets the submission continue.
  5. The browser sends the form, including the modified values, to the server.
  6. The server cannot differentiate between the original and the modified values or detect the changes; it receives the modified values in the form as a normal request.
  7. The server performs the transaction and generates a receipt. The browser receives the receipt for the modified transaction.
  8. The extension detects the targeted URL and replaces the modified data in the receipt with the original. The browser displays the modified receipt with the original details. Finally, the user believes that the original transaction was received intact by the server and authorized correctly.

Figure 3.3:
Figure 3.4:

3.2 Banking Malware Example

The user passes all authentication stages, including any two-factor authentication when needed. The Trojan waits silently for a successful login and/or transaction authorization. It then manipulates the transaction details: the payee, and sometimes the amount. In most cases the legitimate payee account is replaced with a mule account that the fraudster can use. Through social engineering the user remains unaware that they are affected: the Trojan displays fake pages, which may show the transaction details as originally entered by the user. If additional authentication is necessary to complete the transaction, the Trojan interacts with the user and asks them to enter their authentication credentials in real time to approve it.

What makes MITB attacks difficult to detect is that any activity performed appears to originate from the legitimate user's browser. Characteristics such as the HTTP headers and the IP address are the same as the user's real data. This makes it challenging to distinguish between genuine and malicious transactions.
Chapter 4
Banking Trojans

Banking trojans commonly perform what is known as session hijacking: they abuse a legitimate user's session with the site being accessed while the user is logged into their account. They steal data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored. Some MITB Trojans are so advanced that they have streamlined the process of committing fraud, with functionality that fully automates the process from infection to cash-out.

Banking trojans are generally composed of a command and control (C&C) web server and a botnet. They usually come with a configuration file in XML that specifies the attack methodology and the web injections, as well as a specific builder. A web-inject rule takes roughly the form
  ^^url_monitored1~~url_monitored2||code_to_change_in_original_page||injected_code
A number of Trojan families are used to conduct MITB attacks:
  • Zeus
  • Sinowal (Torpig)
  • SpyEye
  • Carberp
  • Feodo
  • Tatanga
  • ...
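The first thing an analyst does with a recovered web-inject configuration is pull out which banks it targets and which outside hosts the injected code talks to. The following is an added example, not code from the report or from any trojan; the rule syntax (a leading ^^, ~~ between monitored URLs, || between the three fields) is taken from the report's one-line sketch and treated as an assumption, and the sample configuration, its hosts and its snippets are constructed.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse


@dataclass
class InjectRule:
    monitored_urls: List[str]   # pages the bot watches for
    target_snippet: str         # code in the original page to be replaced
    injected_code: str          # HTML/JavaScript written into the page instead


def parse_rule(line: str) -> InjectRule:
    """Parse one rule of the form ^^url1~~url2||original_code||injected_code.
    The separators follow the report's sketch; they are an assumption here."""
    line = line.strip()
    if not line.startswith("^^"):
        raise ValueError("rule must start with '^^'")
    fields = line[2:].split("||")
    if len(fields) != 3:
        raise ValueError("rule must have exactly three '||'-separated fields")
    urls = [u.strip() for u in fields[0].split("~~") if u.strip()]
    if not urls:
        raise ValueError("rule lists no monitored URL")
    return InjectRule(urls, fields[1], fields[2])


def parse_config(text: str) -> List[InjectRule]:
    """Parse every non-empty, non-comment line of a recovered configuration."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def _host(url: str) -> str:
    # urlparse only splits off a hostname when a scheme is present
    return urlparse(url if "://" in url else "https://" + url).hostname or ""


def targeted_hosts(rules: List[InjectRule]) -> List[str]:
    """Bank hostnames the configuration targets, de-duplicated and sorted."""
    return sorted({_host(u) for r in rules for u in r.monitored_urls} - {""})


def external_hosts(rules: List[InjectRule]) -> List[str]:
    """Hosts referenced from injected code that are not targeted banks: the
    bot's own drop or C&C servers, i.e. indicators worth blocking."""
    banks = set(targeted_hosts(rules))
    found = set()
    for r in rules:
        for h in re.findall(r"https?://([A-Za-z0-9.-]+)", r.injected_code):
            if h.lower() not in banks:
                found.add(h.lower())
    return sorted(found)


# Constructed sample: placeholder hosts only, not a real trojan configuration.
SAMPLE_CONFIG = """
# constructed web-inject rules
^^https://bank.example/login~~https://www.bank.example/login||</form>||<div id="customStorage"></div></form>
^^https://bank.example/transfer||<input name="payee"||<script src="https://c2-host.invalid/inject.js"></script><input name="payee"
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    print("targeted banks:", targeted_hosts(rules))
    print("external hosts in injects:", external_hosts(rules))
```

Real configurations are encrypted (section 4.3) and usually far larger; the parser is only the step after decryption. Rules that fail to parse raise rather than being skipped, so a hand-modified or partially decrypted file is noticed instead of silently losing targets.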
4.1 Banking trojans capabilities

The banking trojan families have different capabilities. The most common are the following:
  • Bot: an infected computer can perform actions demanded by the C&C. These bots can be organized in different ways, to work as proxies, to spread new configurations, etc.
  • Configuration update: the configuration files can be updated after infection.
  • Binary update: some of these trojans have a modular design that allows them to update their binary functionality or even add new functionality (e.g. Tatanga).
  • HTML injection (see the previous sections).
  • Redirection (see the previous sections).
  • Screenshots / video recording.
  • Capture of virtual keyboards.
  • Theft of credentials, certificates and other information.
  • System corruption (KillOS): the C&C can send a command that corrupts the target system in a way that makes it difficult to trace back the origin of the attacks.

Before going into deeper detail on some techniques used by Zeus and Tatanga, let us focus on banking e-fraud itself, how it works and its main aspects. To perform an e-fraud, the banking trojans have to work transparently, updating themselves and sometimes tricking the clients into installing new software. This introduces three important concepts:
  • Social engineering: the art of manipulating people into performing actions or divulging confidential information. It consists of applying deception for the purpose of information gathering, fraud or computer system access.
  • Real-time integration: the trojans are updated with mule account databases to aid the automated transfer of money.
  • Circumvention of various 2FA systems: some banking trojans even provide techniques to circumvent two-factor authentication systems.
4.2 Anatomy of an e-fraud incident

Although similar methodologies have been described for generic MITB attacks, we revisit some of their aspects and describe the typical anatomy of an e-fraud incident, to understand how the previous concepts relate to it:
  1. Infection
  2. Configuration file update/download
  3. Interaction with the user (social engineering) through HTML injection, Mit(B|M|Mo), pharming, phishing, ...
  4. Banking credentials theft
  5. Account spying
  6. Fraudulent transaction
     • Manual: mules
     • Automatic: Man in the Browser (MitB)
  7. Money laundering
     • P2P digital currency
     • The informal value transfer system called Hawala
     • Mules + Western Union (most usual)

The infection process has already been described, so let us start with how the configuration file is updated. The following sections are based on one of the most popular banking trojans, Zeus.

4.3 Zeus configuration files

An important fact to mention is that typically the bot itself is merely a framework that hooks itself into the system and hides there effectively through the use of rootkits. The logic that drives the behaviour of the bot is contained in its configuration file.

The configuration file of Zeus is similar to the definitions database of an antivirus product: without it, the bot is pretty much useless. The configuration contains the list of banking institutions the bot targets, the URLs of the additional components the bot relies on to download commands and updates, the lists of questions and the list of fields that the bot injects into Internet banking websites to steal personal details and credentials, etc.
This configuration is never stored in plain text. It is encrypted, and although the previous generation of Zeus used a hard-coded encryption mechanism for its configuration, the new generations encrypt it with a key that is unique to, and stored inside, the bot executable for which the configuration file was built. This way, the configuration file of one bot sample will not work for another bot sample, even if both were generated with the same builder.

4.4 Domain Generation Algorithms

Since these configuration files need to be updated, the attackers had to come up with a way to distribute them without compromising the Zeus botnet controllers. One of the first alternatives was a DGA, a domain generation algorithm that uses the date and a salt to generate the domains the bots should contact.

Zeus bots can cycle through a new list of 1,020 domains every day, calling each to see which one is hosting the live C&C server. A bot tries to connect to the domains in random order and, once a file has been downloaded and executed, stops checking.

Figure 4.1:

After a while, security researchers were able to predict and register the domains that Zbots would use ahead of time, in order to learn about the bots' activities. So new generations of Zeus are using new alternatives, for example peer-to-peer botnets.
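The behaviour just described, a bot walking through hundreds of algorithmically generated names of which only one resolves, leaves two traces in DNS logs: the names themselves look random, and the same client produces a burst of NXDOMAIN answers. The following is an added example of turning both traces into a detection, not code from the report; the log format, the client addresses, the thresholds and the domain names (including the deliberately vowel-poor ones) are constructed, and the lexical thresholds are assumptions tuned to that sample.

```python
import math
from collections import defaultdict
from typing import Dict, List


def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    # naive split: the label left of the TLD (good enough for .com/.net/.org style names)
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(domain: str) -> bool:
    """Lexical heuristic: long, high-entropy, vowel-poor second-level labels are
    what a random generator produces and what human-chosen names avoid.
    The thresholds (length 10, 3.3 bits, 30% vowels) are assumptions."""
    name = second_level_label(domain)
    if len(name) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in name) / len(name)
    return entropy(name) >= 3.3 and vowel_ratio < 0.3


def analyze(log_lines: List[str]) -> Dict[str, dict]:
    """Per client: NXDOMAIN count and the generated-looking names it queried.
    Expects constructed lines of the form '<timestamp> <client> <qname> <rcode>'."""
    stats: Dict[str, dict] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        _ts, client, qname, rcode = parts
        s = stats.setdefault(client, {"nxdomain": 0, "generated": []})
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if looks_generated(qname):
            s["generated"].append(qname)
    return stats


def flagged_clients(log_lines: List[str], nx_threshold: int = 3) -> List[str]:
    """Clients with an NXDOMAIN burst that also asked for generated-looking names.
    Requiring both keeps typo-driven NXDOMAINs from a normal user out of the list."""
    return sorted(client for client, s in analyze(log_lines).items()
                  if s["nxdomain"] >= nx_threshold and s["generated"])


# Constructed resolver log: 10.0.0.5 behaves like a bot cycling through a domain
# list; 10.0.0.9 is a normal user with one mistyped name.
SAMPLE_LOG = """\
2011-12-20T09:00:01 10.0.0.5 qzkxwvtrbnmpl.com NXDOMAIN
2011-12-20T09:00:02 10.0.0.5 hrtpzkwqmvxlb.net NXDOMAIN
2011-12-20T09:00:02 10.0.0.9 mail.example.net NOERROR
2011-12-20T09:00:03 10.0.0.5 vbnjklmqzxwrt.org NXDOMAIN
2011-12-20T09:00:04 10.0.0.9 gogle.com NXDOMAIN
2011-12-20T09:00:05 10.0.0.5 ptkzrwvmqxnlb.info NXDOMAIN
2011-12-20T09:00:06 10.0.0.5 bank.example NOERROR
2011-12-20T09:00:07 10.0.0.9 travelagencyonline.example NOERROR
""".splitlines()

if __name__ == "__main__":
    for client, s in analyze(SAMPLE_LOG).items():
        print(client, s)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The vowel gate is what separates a long but pronounceable name such as travelagencyonline (entropy above 3.3 bits, but 39% vowels) from the consonant strings the bot asks for; entropy alone would flag both. In production the count should be windowed per day, since the report notes the list changes daily.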
4.5 P2P botnets

This paradigm of updating configuration files through P2P networks opens new alternatives for dynamically changing the bot network and applying new techniques to hide the origin of the configuration files.

Figure 4.2:

4.6 Social Engineering

Now that we have described how the configuration of Zeus and its botnets work, let us finally talk about the important role social engineering plays in the theft of confidential information.

Nowadays banks make use of multiple-factor authentication mechanisms such as mobile SMS tokens. The idea is to use pieces of evidence that have separate ranges of attack vectors (e.g. logical, physical), leading to a more complex attack scenario and consequently a lower risk. Although the initial idea of these mechanisms was to secure the authentication process, we will see that there are techniques that can work around them. Figure 4.3 shows, for each type of authentication mechanism, the respective technique that can be used to steal the information.

For the simplest login mechanism, a form with username and password, keylogging or form grabbing can intercept the content. This can even be done through pharming, which redirects the traffic to another website by exploiting vulnerabilities in DNS protocols. A virtual keyboard password can be captured using screen or video capture. One-time passwords (OTP) such as code cards, SMS tokens and mobile transaction authentication numbers (mTAN) can also be attacked. If, through code injection, all the code card digits are requested, the attacker obtains all the code card data. This could also be done more transparently, through pharming or phishing, until a large percentage of the code card digits has been stolen. The mTAN or SMS tokens can also be stolen through code injection and, in some cases, through Man-in-the-Mobile attacks.

Figure 4.3:

4.7 Man-In-The-Mobile

  1. The attacker steals both the online username and password using malware (ZeuS 2.x).
  2. The attacker infects the user's mobile device by getting them to install a malicious application (an SMS is sent with a link to the malicious mobile application), Figure 4.4.
  3. The attacker logs in with the stolen credentials, using the user's PC as a SOCKS proxy, and performs an operation, Figure 4.5.
  4. An SMS with the authentication code is sent to the user's mobile device. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker.
  5. The attacker fills in the authentication code and completes the operation.

Figure 4.4:

Figure 4.5:

4.8 Tatanga

To provide further evidence of the evolution of banking trojans, we describe another trojan, called Tatanga, which was discovered by S21sec in February 2011. Tatanga has MITB functionality and affected banks in Spain, the United Kingdom, Germany and Portugal. It is capable of making bank transfers automatically, obtaining "mules" from a server and faking the real balance and money movements of the victims. Some characteristics of Tatanga:
  • Very low detection
  • Written in C++
  • No packers
  • Modular design
  • Anti-VM, anti-debugging
  • Proxies to distribute binaries
  • Records video!

One of the major aspects of Tatanga is its modular design, which allows the addition of new binary functionality. These modules are ciphered using XOR and BZIP2 and are deciphered in memory when the injection into the browsers is done, to avoid AV detection. Some of these modules are described below:
  • HTTPTrafficLogger
  • Comm (handles ciphering between the trojan and the control panel)
  • ModDynamicInjection (performs code injection)
  • ModEmailGrabber (collects e-mail information)
  • ModAVTrafficBlocker (blocks AVs)
  • ModMalwareRemove (removes other malware, e.g. Zeus)
  • FilePatcher (propagation)
  • Coredb (manages the configuration files; 3DES ciphering)
  • SmartHTTPDose
  • ...

4.9 Banking trojans statistics

To conclude this section on banking trojans, we provide some statistics on Zeus infections to show that this is a large-scale problem with millions of infected machines.

Figure 4.6:

Old statistics report over 160 million in attempted losses and an actual loss of 50 million euros!
Figure 4.7:
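Section 4.8 says Tatanga's modules are stored XOR-ciphered over a BZIP2 stream and only unpacked in memory. For an analyst holding such a blob on disk, the weak point of that scheme is that every BZIP2 stream starts with a fixed header, so the XOR key can be recovered by looking for it. The following is an added example of that recovery, not code from the report or from S21sec's analysis; it assumes a single-byte XOR key (the report does not say what key width Tatanga uses), and the module body, the key and the packing helper used to build the test input are constructed.

```python
import bz2
from typing import Tuple

BZIP2_MAGIC = b"BZh"   # every bzip2 stream starts with "BZh" + block-size digit 1-9


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def pack_module(plaintext: bytes, key: int) -> bytes:
    """Build a constructed sample in the described layout: BZIP2, then XOR.
    Only used here to fabricate test input; it is not how any real sample was made."""
    return xor_bytes(bz2.compress(plaintext), key)


def recover_module(blob: bytes) -> Tuple[int, bytes]:
    """Find the XOR key that exposes a BZIP2 header, then decompress the module.
    Returns (key, plaintext); raises ValueError if no key yields a valid stream."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold a bzip2 header")
    for key in range(256):
        head = xor_bytes(blob[:4], key)
        # the first three bytes pin the key down uniquely; the digit check and the
        # decompression attempt guard against a chance match on the header alone
        if head[:3] == BZIP2_MAGIC and head[3:4].isdigit() and head[3] != ord("0"):
            try:
                return key, bz2.decompress(xor_bytes(blob, key))
            except (OSError, ValueError):
                continue
    raise ValueError("no single-byte XOR key yields a BZIP2 stream")


# Constructed stand-in for a module body; not real Tatanga code or configuration.
SAMPLE_MODULE = (b"; constructed module body for the example\n"
                 b"module=ModDynamicInjection\n"
                 b"targets=bank.example\n")
SAMPLE_KEY = 0x5A


def demo() -> Tuple[int, bytes]:
    """Pack the sample the way the report describes, then recover it blind."""
    blob = pack_module(SAMPLE_MODULE, SAMPLE_KEY)
    assert not blob.startswith(BZIP2_MAGIC)   # the XOR hides the header on disk
    return recover_module(blob)


if __name__ == "__main__":
    key, body = demo()
    print(f"recovered key 0x{key:02x}, {len(body)} bytes:")
    print(body.decode())
```

A multi-byte XOR key would need the same idea applied per key position, which the fixed header alone cannot fully determine; in that case the known plaintext has to come from the stream's first block as well. The point for detection is that "ciphered with XOR" does not hide a well-known file signature from anyone who looks for it.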
  24. 24. Chapter 5Counter MeasuresAs MITB attacks are still in process of evolving there is not a global approachto defend against them. There are, though, combinations of counter measureswhich can effectively resist against certain kinds of attacks. In this section weare going to review a big number of known counter measures and commenton their efficiency against MITB attacks. Our final goal is to provide a set ofcounter measures which can effectively provide a defense mechanism againsta generic MITMB attack. We can differentiate the counter measures in two wide categories: activeand passive.5.1 ActiveActive counter measures involve the user in some additional authenticatingsteps, at login time, transaction execution time, or both. Username and password, biometrics: Techniques applied generallyfor user authentication like and are not effective because the malware canintercept or wait until user is past this challenge before taking over.OTP based: Techniques mostly used by banks for user authentication basedon One Time Passcode tokens. Out-of-Band OTP is an OTP delivered froman alternative channel of communication, like cellular networks (i.e. GSM).EMV-CAP OTP is consisted of an electronic physical reader which provideda users chip-enabled bank card can generate OTP’s. All the OTP basedmeasures are not effective because the malware can intercept or wait untiluser is past this challenge before taking over.OTP based with Signature: Some forms of OTP tokens can also be usedto electronically sign transaction details, if they are equipped with a smallnumeric keypad; user is prompted to enter transaction details on the smallkeypad, then a signature code is calculated by the token. This method canalso be used with EMV-CAP OTP. This techniques can be effective againstMitB attack. User enters the transaction details so is aware of the specifics, 23
and the banking site can detect if malware attempts to change them. This solution, though, is inconvenient: usability of the token screen and keyboard is weak, the user could be confused, and special hardware must be deployed.

Out-of-Band OTP with Transaction Details: Enhanced Out-of-Band OTP which also contains information about the transaction, so the user is able to verify that the right transaction is being performed. This measure can be truly effective against a simple MitB attack but can be vulnerable when the attack is combined with a Man-in-the-Mobile attack.

Smart Cards with Digital Certificate: A PKI digital certificate stored on a smart card or USB cryptographic token; the credential is used to perform client authentication via SSL. This technique is not effective against MitB attacks either, because the malware can intercept or wait until the user is past this challenge before taking over.

Anti-Virus or Anti-Malware: This solution could be effective, but malware is changing so rapidly that client software is having trouble keeping up; signature-based detection models are increasingly ineffective and other models are still improving.

Separate Computer Used Solely for Online-Banking, Live-CDs: This solution can be effective to a good degree but is not convenient to implement. Malware is less likely to be installed if the computer is not used for other things, but it is not a user-friendly solution.

Hardened Browser on a USB Drive: A hardened browser is shipped to end-users on a USB drive and hard-coded to only connect to the target bank's Web site; sometimes there is also a PKI credential stored on the USB device and used for authentication. This measure can be effective, but many organizations have disabled USB drives or, at least, have disabled autorun capability for external media, making deployment of this solution more challenging.
Moreover, browser updates can also become problematic.

5.2 Passive

Passive counter measures are invisible to the user, yet help identify the user or flag suspicious activity. These techniques are attractive because they do not impact the user experience in any way and, as a result, are easily deployed to protect all customers, even those who do not wish to see visible security measures.

IP-Geolocation: Based on the end-user's computer IP address, this technique determines the user's geographic location and compares it to the typical locations used by this user. While this solution could be effective when credentials are stolen and used elsewhere, it fails against MITB because the malware is in the user's regular browser, at the user's typical location.
In cases where credentials are stolen and sold to third persons, though, this technique could be helpful.

Device-Profiling: A snapshot of the user's browser configuration is taken (via Javascript and HTTP headers) to determine if the user is visiting from their usual Web browser; in a PC browser environment this technique is quite effective at uniquely identifying a computer with no interaction from the user. It can be effective under the same circumstances as IP-Geolocation.

Transactional Fraud Detection: The online-banking application is modified to make calls to the fraud detection service at every point an organization thinks may be relevant to fraud. This is typically only done at initial logon and at specific monetary transaction points, where the fraud engine looks at transactions and compares them to what would be termed normal for that user or group of users; patterns are detected and warnings raised if appropriate. It is essential to perform the analysis in real time, because transactions are nowadays processed automatically and completed in a small amount of time.

Monitor User Behavior: The user's Web traffic data is captured and analyzed from the moment they log on to the moment they complete their session. Analysis of a single user session, multiple sessions for the same user and multiple sessions for multiple users gives the system a complete view of how the banking application is being used and, more importantly, abused.

5.3 Combination of Active and Passive counter Measures

As we saw above, most of the classical counter measure techniques are not able to protect users from MitB attacks. The solutions that do work, though, seem to need a lot of resources in order to provide accurate results. We also have to consider the rapid evolution of the MitB techniques used. Concluding, we will suggest the solution that we think is best, which is assembled from a combination of working active and passive solutions.
The following combination can provide a high level of security against a generic MitB attack:

• Active: Out-of-band transaction detail confirmation, followed by one-time-passcode generation: this technique leverages devices such as mobile phones that are already being carried by the intended end-users, and enables review of transaction details outside the influence of malware on the user's PC.

• Passive: Fraud detection that monitors user behavior: this server-side monitoring of a user's movement through a banking Web site, inclusive of transaction execution steps as well as the steps leading there, provides flexibility for financial institutions to adapt to constantly
evolving malware features, and detect suspicious patterns of activity for immediate intervention.

The combination of flexible authentication technology, enabling easy step-up authentication when risk levels dictate, along with ongoing user behavior monitoring provides a layered defense against malware threats.
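As an added example (not code from the original report), the following Python sketch shows the server side of the layered defense recommended in 5.3: the transaction-bound signature code of the "OTP based with Signature" and "Out-of-Band OTP with Transaction Details" measures from 5.1, combined with a simple behavioural risk check of the kind described under Transactional Fraud Detection and Monitor User Behavior in 5.2. The secret, payee list, field format and risk thresholds are all constructed assumptions, and the sketch assumes the token or out-of-band device itself is not compromised (the Man-in-the-Mobile case the report mentions is not covered here).

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed values (hypothetical): secret provisioned to the user's token or
# phone app at enrolment, and the payees the user has transferred to before.
TOKEN_SECRET = b"constructed-enrolment-secret"
KNOWN_PAYEES = {"alice": {"DE00-1111", "DE00-2222"}}

@dataclass(frozen=True)
class Transfer:
    user: str
    payee: str
    amount_cents: int
    challenge: str  # one-time value the bank issues for this transfer

def canonical(tx: Transfer) -> bytes:
    # Fixed field order and separators so token and bank hash identical bytes.
    return f"{tx.user}|{tx.payee}|{tx.amount_cents}|{tx.challenge}".encode()

def signature_code(secret: bytes, tx: Transfer) -> str:
    # Code the token computes from the details the USER keyed in (or confirmed
    # on the out-of-band device): an HMAC truncated to 8 decimal digits.
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def behaviour_risk(tx: Transfer, seconds_since_login: float) -> int:
    # Passive server-side check: a first transfer to an unknown payee, a very
    # fast login-to-transfer path and a large amount each raise the score.
    score = 0
    if tx.payee not in KNOWN_PAYEES.get(tx.user, set()):
        score += 2
    if seconds_since_login < 10:
        score += 1
    if tx.amount_cents >= 100_000:
        score += 1
    return score

def authorize(secret: bytes, tx_received: Transfer, code: str,
              seconds_since_login: float) -> str:
    # Layered decision. The bank recomputes the code over the transaction that
    # arrived from the browser: a MitB edit to payee or amount breaks the match.
    expected = signature_code(secret, tx_received)
    if not hmac.compare_digest(expected, code):
        return "reject"
    # Details are genuine; still step up authentication when behaviour is odd.
    if behaviour_risk(tx_received, seconds_since_login) >= 3:
        return "step-up"
    return "execute"
```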