SlideShare a Scribd company logo

Bypassing malware detection mechanisms in online banking

Download as PPTX, PDF
Jakub Kałużny
Jakub Kałużny

The document outlines a presentation given by two pentesters on bypassing malware detection mechanisms in online banking. It discusses how malware works by interacting with browsers and stealing credentials. It then summarizes common malware detection methods used by banks and their limitations. Several vulnerabilities in typical detection architectures and implementations are presented. The document concludes that while behavioral detection systems are promising, the underlying HTTP and JavaScript infrastructure poses challenges and recommends rethinking architecture and implementation. It also provides recommendations for banks and vendors on improving security.

1 of 26
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Jakub Kałużny Mateusz Olejarka Bypassing malware detection mechanisms in online banking
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Pentesters @ SecuRing • Ex-developers • Experience with: — E-banking and mobile banking systems — Multi-factor and voice recognition authentication — Malware post mortem Who are we? @j_kaluzny @molejarka
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Intro — Why this topic? — How it’s done? — Will it blend? • Vulnerabilities • Conclusions • Q&A* Agenda
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Intro
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • AVs are not reliable • Users are lazy • Market gap for new solutions • A lot of money Why this topic ?
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Interaction with browser — Web injects — Other? • What it does — Steals credentials — Changes transaction data — Automates attacks How malware works? zeus spyeye carberp citadel zitmo vbclip banatrix carbanak eblaster bugat torpig hiloti gozi
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Aim: Detect malware presence What is online malware detection ? BACKEND WEB SERVER BROWSER USER MALWARE HTTP TRANSACTIONS signatures fingerprint User/browser behaviour fraud detection system Action: drop or mark as compromised (JS)
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Malware detection methods: • HTTP response signature • Browser fingerprint • User/browser behavior • Server-side behavioral methods • Fraud detection system What are the limits ? marketing magic auditability
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • We do not represent any vendor • We want to show — architecture failures — implementation errors • We want to talk about what can be done What is the purpose of this report?
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Vulnerabilities
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleOur approach BACKEND WEB SERVER BROWSER USER MALWARE HTTP TRANSACTIONS feed analyze JS analyze traffic analyze response
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style HTTP traffic First idea clean machine action system infected machine action
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style HTTP traffic + JS analysis Going through… clean machine action system infected machine action + js analysis: • Different paths • Different subdomains • Different data format (e.g. base64) • Encryption (e.g. rsa)
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleAlmost there… clean machine action system infected machine action
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleIf it bleeds, we can kill it clean machine action system infected machine action BYPASSED!
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleArchitecture problem user action systemanti malware magic red light green light Words of wisdom: adverse inference
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleMalware spotted! user action systemanti malware magic red light Who sends the alert ? login: user1 time: … behaviour: suspicious login: user2?
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleFirst things first user action systemanti malware magic red light JavaScript slowing your page ? BYPASSED!
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSecurity by obscurity malware detection JavaScript eval Simple obfuscation – base64, hex rsa encryption signatures reasoning engine Web Service rsa public key
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSignatures server-side browser server website A please HTML + JS malware detection Fragments of website A Hey, your website A is webinjected ! regexp for website A
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSignatures client-side browser server website A please HTML + JS malware detection Hash of web injects signatures content web injects signatures Leaks your malware signatures The output is your weakness
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Conclusions
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Buy an anti-malware box? • Better call your crew • Trust, but verify • Ask for technical details Conclusions - banks
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Online malware detection is a good path, behavioral systems are a future of ITsec • But they are still based on the old HTTP + HTML + JS stack • Think about architecture and implementation Conclusions – vendors
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Recommendations for potential anti-malware buyers – paper, work in progress • Interested? -> malware@securing.pl or antimalware@securing.pl What’s next?
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Thank You Q&A*

Recommended

Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
CHOOSE
 
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...
Emiliano De Cristofaro
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Carlos Laorden
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
Priyanka Aash
 
Fast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachFast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approach
Yury Leonychev
 
AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)
雅太 西田
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmas
Tech and Law Center
 

Recommended

Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic AnalysisDissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis
CHOOSE
 
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ...
Emiliano De Cristofaro
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Carlos Laorden
 
Finding Triggered Malice in Android Apps
Finding Triggered Malice in Android AppsFinding Triggered Malice in Android Apps
Finding Triggered Malice in Android Apps
Priyanka Aash
 
Fast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approachFast detection of Android malware: machine learning approach
Fast detection of Android malware: machine learning approach
Yury Leonychev
 
AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)AVTOKYO2012 Android Malware Heuristics(en)
AVTOKYO2012 Android Malware Heuristics(en)
雅太 西田
 
Android malware overview, status and dilemmas
Android malware overview, status and dilemmasAndroid malware overview, status and dilemmas
Android malware overview, status and dilemmas
Tech and Law Center
 
DevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptx
Davide Benvegnù
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attack
E Hacking
 
Content Marketing and the Digital Dinosaurs
Content Marketing and the Digital DinosaursContent Marketing and the Digital Dinosaurs
Content Marketing and the Digital Dinosaurs
Frances Deighton
 
7 ways of reducing tpm cost
7 ways of reducing tpm cost 7 ways of reducing tpm cost
7 ways of reducing tpm cost
TradeInsight
 
Enterprise DevOps
Enterprise DevOpsEnterprise DevOps
Enterprise DevOps
Vistara
 
MongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventMongoDB and MongoMK Source Event
MongoDB and MongoMK Source Event
Yuval Ararat
 
Inovatie locala, impact global
Inovatie locala, impact globalInovatie locala, impact global
Inovatie locala, impact global
Costin Raiu
 
Latin American ccTLD Distribution strategies - ICANN 53 presentation
Latin American ccTLD Distribution strategies - ICANN 53 presentationLatin American ccTLD Distribution strategies - ICANN 53 presentation
Latin American ccTLD Distribution strategies - ICANN 53 presentation
LogicBoxes
 
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
MediaSense
 
Securing Africa - 2009-2010
Securing Africa - 2009-2010Securing Africa - 2009-2010
Securing Africa - 2009-2010
Costin Raiu
 
The Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL FailuresThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures
☠Tony Trummer☠
 
Identifying DoD Cybersecurity Requirements
Identifying DoD Cybersecurity RequirementsIdentifying DoD Cybersecurity Requirements
Identifying DoD Cybersecurity Requirements
Robert E Jones
 
Building Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsBuilding Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer Tools
Russ Fustino
 
Well Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldWell Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization World
Florida State University
 
Algorand blockchain basics, decentralized and for developers
Algorand blockchain basics, decentralized and for developersAlgorand blockchain basics, decentralized and for developers
Algorand blockchain basics, decentralized and for developers
Russ Fustino
 
Using Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobUsing Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right Job
Lucidworks (Archived)
 
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Kanaidi ken
 
Geek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAGeek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBA
IDERA Software
 
Malware * punct ro
Malware * punct roMalware * punct ro
Malware * punct ro
Costin Raiu
 
Winning Strategies for a Successful ERP Implementation
Winning Strategies for a Successful ERP ImplementationWinning Strategies for a Successful ERP Implementation
Winning Strategies for a Successful ERP Implementation
Jonathan Gross
 
The Hacker's Guide to NOT Getting Hacked
The Hacker's Guide to NOT Getting HackedThe Hacker's Guide to NOT Getting Hacked
The Hacker's Guide to NOT Getting Hacked
Jakub Kałużny
 
Pentesting voice biometrics solutions - AusCERT 2017
Pentesting voice biometrics solutions - AusCERT 2017Pentesting voice biometrics solutions - AusCERT 2017
Pentesting voice biometrics solutions - AusCERT 2017
Jakub Kałużny
 

More Related Content

Similar to Bypassing malware detection mechanisms in online banking

DevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptx
Davide Benvegnù
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attack
E Hacking
 
Content Marketing and the Digital Dinosaurs
Content Marketing and the Digital DinosaursContent Marketing and the Digital Dinosaurs
Content Marketing and the Digital Dinosaurs
Frances Deighton
 
7 ways of reducing tpm cost
7 ways of reducing tpm cost 7 ways of reducing tpm cost
7 ways of reducing tpm cost
TradeInsight
 
Enterprise DevOps
Enterprise DevOpsEnterprise DevOps
Enterprise DevOps
Vistara
 
MongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventMongoDB and MongoMK Source Event
MongoDB and MongoMK Source Event
Yuval Ararat
 
Inovatie locala, impact global
Inovatie locala, impact globalInovatie locala, impact global
Inovatie locala, impact global
Costin Raiu
 
Latin American ccTLD Distribution strategies - ICANN 53 presentation
Latin American ccTLD Distribution strategies - ICANN 53 presentationLatin American ccTLD Distribution strategies - ICANN 53 presentation
Latin American ccTLD Distribution strategies - ICANN 53 presentation
LogicBoxes
 
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
MediaSense
 
Securing Africa - 2009-2010
Securing Africa - 2009-2010Securing Africa - 2009-2010
Securing Africa - 2009-2010
Costin Raiu
 
The Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL FailuresThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures
☠Tony Trummer☠
 
Identifying DoD Cybersecurity Requirements
Identifying DoD Cybersecurity RequirementsIdentifying DoD Cybersecurity Requirements
Identifying DoD Cybersecurity Requirements
Robert E Jones
 
Building Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsBuilding Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer Tools
Russ Fustino
 
Well Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldWell Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization World
Florida State University
 
Algorand blockchain basics, decentralized and for developers
Algorand blockchain basics, decentralized and for developersAlgorand blockchain basics, decentralized and for developers
Algorand blockchain basics, decentralized and for developers
Russ Fustino
 
Using Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobUsing Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right Job
Lucidworks (Archived)
 
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Kanaidi ken
 
Geek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAGeek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBA
IDERA Software
 
Malware * punct ro
Malware * punct roMalware * punct ro
Malware * punct ro
Costin Raiu
 
Winning Strategies for a Successful ERP Implementation
Winning Strategies for a Successful ERP ImplementationWinning Strategies for a Successful ERP Implementation
Winning Strategies for a Successful ERP Implementation
Jonathan Gross
 

Similar to Bypassing malware detection mechanisms in online banking (20)

DevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptx
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attack
 
Content Marketing and the Digital Dinosaurs
Content Marketing and the Digital DinosaursContent Marketing and the Digital Dinosaurs
Content Marketing and the Digital Dinosaurs
 
7 ways of reducing tpm cost
7 ways of reducing tpm cost 7 ways of reducing tpm cost
7 ways of reducing tpm cost
 
Enterprise DevOps
Enterprise DevOpsEnterprise DevOps
Enterprise DevOps
 
MongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventMongoDB and MongoMK Source Event
MongoDB and MongoMK Source Event
 
Inovatie locala, impact global
Inovatie locala, impact globalInovatie locala, impact global
Inovatie locala, impact global
 
Latin American ccTLD Distribution strategies - ICANN 53 presentation
Latin American ccTLD Distribution strategies - ICANN 53 presentationLatin American ccTLD Distribution strategies - ICANN 53 presentation
Latin American ccTLD Distribution strategies - ICANN 53 presentation
 
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio...
 
Securing Africa - 2009-2010
Securing Africa - 2009-2010Securing Africa - 2009-2010
Securing Africa - 2009-2010
 
The Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL FailuresThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures
 
Identifying DoD Cybersecurity Requirements
Identifying DoD Cybersecurity RequirementsIdentifying DoD Cybersecurity Requirements
Identifying DoD Cybersecurity Requirements
 
Building Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsBuilding Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer Tools
 
Well Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldWell Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization World
 
Algorand blockchain basics, decentralized and for developers
Algorand blockchain basics, decentralized and for developersAlgorand blockchain basics, decentralized and for developers
Algorand blockchain basics, decentralized and for developers
 
Using Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobUsing Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right Job
 
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
Link-Link MATERI TRAINING "Strategic Sourcing & VENDOR MANAGEMENT"
 
Geek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAGeek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBA
 
Malware * punct ro
Malware * punct roMalware * punct ro
Malware * punct ro
 
Winning Strategies for a Successful ERP Implementation
Winning Strategies for a Successful ERP ImplementationWinning Strategies for a Successful ERP Implementation
Winning Strategies for a Successful ERP Implementation
 

More from Jakub Kałużny

The Hacker's Guide to NOT Getting Hacked
The Hacker's Guide to NOT Getting HackedThe Hacker's Guide to NOT Getting Hacked
The Hacker's Guide to NOT Getting Hacked
Jakub Kałużny
 
Pentesting voice biometrics solutions - AusCERT 2017
Pentesting voice biometrics solutions - AusCERT 2017Pentesting voice biometrics solutions - AusCERT 2017
Pentesting voice biometrics solutions - AusCERT 2017
Jakub Kałużny
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Jakub Kałużny
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
Jakub Kałużny
 
ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ? ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ?
Jakub Kałużny
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 

More from Jakub Kałużny (8)

The Hacker's Guide to NOT Getting Hacked
The Hacker's Guide to NOT Getting HackedThe Hacker's Guide to NOT Getting Hacked
The Hacker's Guide to NOT Getting Hacked
 
Pentesting voice biometrics solutions - AusCERT 2017
Pentesting voice biometrics solutions - AusCERT 2017Pentesting voice biometrics solutions - AusCERT 2017
Pentesting voice biometrics solutions - AusCERT 2017
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
 
ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ? ESA - Hacking the aerospace industry - should we worry ?
ESA - Hacking the aerospace industry - should we worry ?
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 

Bypassing malware detection mechanisms in online banking

  • 1. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Jakub Kałużny Mateusz Olejarka Bypassing malware detection mechanisms in online banking
  • 2. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Pentesters @ SecuRing • Ex-developers • Experience with: — E-banking and mobile banking systems — Multi-factor and voice recognition authentication — Malware post mortem Who are we? @j_kaluzny @molejarka
  • 3. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Intro — Why this topic? — How it’s done? — Will it blend? • Vulnerabilities • Conclusions • Q&A* Agenda
  • 4. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Intro
  • 5. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • AVs are not reliable • Users are lazy • Market gap for new solutions • A lot of money Why this topic ?
  • 6. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Interaction with browser — Web injects — Other? • What it does — Steals credentials — Changes transaction data — Automates attacks How malware works? zeus spyeye carberp citadel zitmo vbclip banatrix carbanak eblaster bugat torpig hiloti gozi
  • 7. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Aim: Detect malware presence What is online malware detection ? BACKEND WEB SERVER BROWSER USER MALWARE HTTP TRANSACTIONS signatures fingerprint User/browser behaviour fraud detection system Action: drop or mark as compromised (JS)
  • 8. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Malware detection methods: • HTTP response signature • Browser fingerprint • User/browser behavior • Server-side behavioral methods • Fraud detection system What are the limits ? marketing magic auditability
  • 9. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • We do not represent any vendor • We want to show — architecture failures — implementation errors • We want to talk about what can be done What is the purpose of this report?
  • 10. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Vulnerabilities
  • 11. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleOur approach BACKEND WEB SERVER BROWSER USER MALWARE HTTP TRANSACTIONS feed analyze JS analyze traffic analyze response
  • 12. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style HTTP traffic First idea clean machine action system infected machine action
  • 13. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style HTTP traffic + JS analysis Going through… clean machine action system infected machine action + js analysis: • Different paths • Different subdomains • Different data format (e.g. base64) • Encryption (e.g. rsa)
  • 14. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleAlmost there… clean machine action system infected machine action
  • 15. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleIf it bleeds, we can kill it clean machine action system infected machine action BYPASSED!
  • 16. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleArchitecture problem user action systemanti malware magic red light green light Words of wisdom: adverse inference
  • 17. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleMalware spotted! user action systemanti malware magic red light Who sends the alert ? login: user1 time: … behaviour: suspicious login: user2?
  • 18. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleFirst things first user action systemanti malware magic red light JavaScript slowing your page ? BYPASSED!
  • 19. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSecurity by obscurity malware detection JavaScript eval Simple obfuscation – base64, hex rsa encryption signatures reasoning engine Web Service rsa public key
  • 20. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSignatures server-side browser server website A please HTML + JS malware detection Fragments of website A Hey, your website A is webinjected ! regexp for website A
  • 21. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSignatures client-side browser server website A please HTML + JS malware detection Hash of web injects signatures content web injects signatures Leaks your malware signatures The output is your weakness
  • 22. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Conclusions
  • 23. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Buy an anti-malware box? • Better call your crew • Trust, but verify • Ask for technical details Conclusions - banks
  • 24. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Online malware detection is a good path, behavioral systems are a future of ITsec • But they are still based on the old HTTP + HTML + JS stack • Think about architecture and implementation Conclusions – vendors
  • 25. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Recommendations for potential anti-malware buyers – paper, work in progress • Interested? -> malware@securing.pl or antimalware@securing.pl What’s next?
  • 26. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Thank You Q&A*

Editor's Notes

  1. Poziom zaawansowania polskich bankowości
  2. Malware related task are on the rise Huge media coverage of malware related topics They steal real money (we’ve seen it!) Emerging market of anti-malware solutions Statistics
  3. Limitation for each method Bots can simulate everything There are no 100% malware-proof solutions But at least they should be properly implemented
  4. Pay shitload of money for a malware detection box (top secret military grade i can’t tell you about technology)? Better call your crew Do not trust vendors. Test your countermeasures. Hybrid approach Strategy, not snake oil
  5. Don’t bullshit a bullshitter
  6. Robimy to?