Man-In-The-BrowserAras Tarhan Manos Dimogerontakis Mário Almeida Umit Buyuksahin
OUTLINE● Man-in-the-Browser Attack● Method of Attack● Banking Trojans● Zeus● Zeus Installation● Zeus Configuration Files● DEMO
Man-in-the-Browser Attack● Online phishers steal money from online customers● Online customers become target with more advanced methods● One of the latest and most dangerous is Man-in-the- Browser.● The malicious code modifies actions performed by the computer users.● Then, steals confidential information● These attacks can not be detected by the user
Method of Attack● The trojan installs an extension into the browser configuration● Whenever a page is loaded, the URL of the page is searched by the extension against a list of known sites targeted for attack.● When the handler detects a page-load for a specific pattern in its targeted list.● When the submit button is pressed, the extension extracts all data from all form fields.
Method of Attack (2)● The browser sends the form including the modified values to the server.● The server receives the modified values in the form as normal request.● The server performs the transaction and generates a receipt.● The browser receives the receipt for the modified transaction and displays the modified receipt with the original details.
Banking TrojansA number of Trojan families are used to conduct MITB attacks.Some MITB Trojans are so advanced that they have streamlinedthe process for committing fraud, programmed with functionality tofully automate the process from infection to cash out.Some known banking trojans: ● Zeus ● Sinowal (Torpig) ● SpyEye ● Carberp ● Feodo ● Tatanga ● ...
ZEUS● aim is to steal credentials of the victim● steals banking information by using Key Stroke Logging and form grabbing methods● first appearance 2007, become widespread 2009 ( about 3.6 million in US )● targets only Microsoft Windows OS● used version: 18.104.22.168
Evolution of ZEUS● Version 22.214.171.124, 01.04.2010 ○ full compatible with previous versions ○ the installation process in the system was re-written to send reports to the Control panel ○ valuable work with x32 applications in Windows x64 ○ the name of the botnet is limited to 20 characters and can contain any international characters ○ complete (as with wininet.dll) to work with nspr4.dll, but without HTTP-fakes ○ the configuration file is read in UTF-8 encoding
Evolution of ZEUS● Version 126.96.36.199, 28.04.2010 ○ modified to bind to the user/OS ○ minor improvements to HTTP-injects● Version 188.8.131.52, 10.05.2010 ○ forced change of Mozilla Firefox security settings for normal HTTP-injects● Version 184.108.40.206, 19.05.2010 ○ in the configuration file, ■ added the option "StaticConfig.disable_tcpserver" ■ added the option "StaticConfig.remove_certs" ○ in control panel, fixed a bug in the module "Botnet-> Bots"
Evolution of ZEUS● Version 220.127.116.11, 08.06.2010 ○ fixed minor bugs in HTTP-grabber● Version 18.104.22.168, 22.06.2010 ○ fixed an error resuting in disabling HTTP-injects● Version 22.214.171.124, 17.08.2010 ○ to the parameters HTTP-injects was added a new option "I" (compare URL insensitive) and "C" (comparison of context insensitive)● Version 126.96.36.199, 20.03.2011 ○ RDP + VNC BACKCONNECT added to connect remotely to the victim
Zeus - Capabilities● gets OS info● does other things done by botnet scripts (like reboot, shutdown, log off and kill OS)● takes screenshot● sends a script to be executed● searches files● all orders and states of them can be viewed on a control panel in the server
Used Environments● Virtual Machine ○ to add a significant layer of security and safety ○ both Server and Client to be hacked are installed on distinct Virtual Machines ○ used program: VirtualBox 4.1.6 for Windows hosts, Oracle ○ each of them has two network adaptors, Host-only to communicate between them and NAT for outside internet access● Operating System ○ used program: Windows XP Service Pack 3, Microsoft ○ since Zeus we get is able to be builded on Windows
Used Environments● Server and Database ○ to manage bots inside victims ○ to receive the information from bots running on infected clients ○ to store the targeted data about the victim ○ used program: XAMPP 1.7.7 including ■ Apache 2.2.21 ■ MySQL 5.5.16 ■ PHP 5.3.8 ■ phpMyAdmin 3.4.5