The document outlines a presentation given by two pentesters on bypassing malware detection mechanisms in online banking. It discusses how malware works by interacting with browsers and stealing credentials. It then summarizes common malware detection methods used by banks and their limitations. Several vulnerabilities in typical detection architectures and implementations are presented. The document concludes that while behavioral detection systems are promising, the underlying HTTP and JavaScript infrastructure poses challenges and recommends rethinking architecture and implementation. It also provides recommendations for banks and vendors on improving security.
Dissecting State-of-the-Art Android Malware Using Static and Dynamic Analysis (CHOOSE)
Steven Arzt — CHOOSE Talk — 2016-11-15
http://www.choose.s-i.ch/events/arzt-2016/
Android malware is getting more and more sophisticated. So-called "sleeper" applications only trigger their malicious behavior after a certain time has passed or event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. For countering static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving a manual analysis as the only viable option — a very difficult and time-consuming undertaking.
To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. CodeInspect not only features an interactive debugger that can work on the bytecode level, but also various static and dynamic analyses that support the human analyst. One can display data flows inside the app, check which permissions are used where in the code, what strings are computed or decrypted at runtime, which code is dynamically loaded and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral ... (Emiliano De Cristofaro)
E. Mariconti, L. Onwuzurike, P. Andriotis, E. De Cristofaro, G. Ross, G. Stringhini. MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Model. To appear at NDSS 2017.
This document provides an overview of Android malware analysis training. It begins with a disclaimer and acknowledgements. It then introduces the speaker and provides a basic overview of Android architecture, security features, application format, and permissions. It discusses Dalvik bytecode and sets up an analysis lab with tools like emulators, decompilers, and reverse engineering VMs. Finally it ends with references to malware analysis projects and a tutorial on the Dalvik bytecode.
Finding Triggered Malice in Android Apps (Priyanka Aash)
Traditional techniques to detect malice in Android apps struggle to identify trigger-based changes to application logic. Unfortunately, such triggers are a key component of targeted malware, where the trigger is the mechanism that ensures that the code is only executed at the target. This talk will review how static analysis can be used to detect and leverage triggers for more robust detection.
(Source: RSA USA 2016-San Francisco)
Fast detection of Android malware: machine learning approach (Yury Leonychev)
This is my presentation for YaC 2013 about a machine-learning-based system for fast classification of Android applications. Covered themes: how to find malware among thousands of applications in the Store.
1) The researcher analyzed over 14,000 Android malware samples and found that they were signed with only 589 unique certificates, showing that many malware samples reuse the same certificates.
2) Further analysis of the largest malware family, FakeInst, showed that its 4,911 samples were signed by only 31 certificates, with the most used certificate signing 2,602 samples.
3) Some certificates were found to be used by malware for over a year, indicating they may be shared between malware developers.
This document summarizes research on malicious Android apps from 2012-2013. Some key points:
- Over 1,260 app samples were analyzed in 2012, with many found to steal user information, turn devices into bots, or generate revenue through premium calls/texts.
- Early malware like DroidDream, Plankton, and BaseBridge leveraged exploits to gain root access and stealthily update themselves. Later malware got more sophisticated with techniques like anti-analysis tricks.
- Malware has been distributed through third-party app stores and underground affiliate programs. Estimates found infection rates between 0.0009-1% of Android devices by 2013.
- While most stole data or made money fraud
DevSecOps Done Right - Strategies and Tools.pptx (Davide Benvegnù)
Had a session at the "Empowering Digital Trust: Data Security and Beyond" event organized by Thales Data Security. The event was free and open to the public.
What is content marketing?
Why is content marketing important?
What are some good examples of content marketing?
What's different about the iProspect approach to content marketing?
The document discusses 7 ways for companies to break the cost barrier of trade promotion management (TPM) software. It recommends following best practices like using Excel appropriately, setting realistic implementation goals, choosing a software provider that shares implementation risks, and rolling out technology in manageable phases. The presentation concludes by taking questions from the audience.
Vistara provides a unified IT operations management software-as-a-service (SaaS) solution that enables enterprise IT and service providers to drive DevOps. The presentation discusses DevOps definitions, challenges and best practices, and demonstrates Vistara's DevOps management capabilities. It also covers the Vistara SaaS platform architecture and a case study of how Vistara supports a customer's DevOps organization through automation and a dedicated distributed infrastructure.
The document discusses MongoDB and MongoMK. It provides an overview of MongoDB including its document-oriented data model, clustering using replica sets and sharding, and resilience. It also discusses MongoMK which exposes the Oak microkernel API and implements a document store using MongoDB for persistence. The document recommends various best practices for hardening, backup, monitoring, and sizing the oplog when using MongoDB in production.
This document discusses Kaspersky Lab's local innovation efforts and their global impact. It introduces Kaspersky Lab and describes some of their major global innovations between 1996-2010, including over 70 patents. It then outlines two local Romanian projects - PatroKLes, which scans Romanian websites for malware, and Krab Krawler, which analyzes Twitter for malicious programs. The document concludes by emphasizing the importance of continuous innovation in cybersecurity.
Latin American ccTLD Distribution strategies - ICANN 53 presentation (LogicBoxes)
A presentation made by Siddharth Taliyan on how ccTLDs in Latin America can make the most out of their resources to expand their distribution network and further strengthen their ccTLD growth.
Real Time Advertising: Project Sunblock, Ensuring quality and brand protectio... (MediaSense)
Ensuring quality and brand protection from your advertising, Duncan Trigg, CEO, Project Sunblock
Presented at MediaSense's #realtimerev event in London, May 2014
www.media-sense.com
The document discusses cybersecurity trends in Africa, including the growing threat landscape, rise in new malware, and effects of increased internet bandwidth through faster fiber optic connections. It notes internet threats have grown exponentially, with infected legitimate websites increasing 15,000% from 2006 to 2009. The document recommends mitigation steps for 2010 such as using an internet security suite, keeping software updated, and being wary of social engineering attacks.
The document discusses mobile application security and SSL/TLS validation. It describes how mobile apps often do not properly validate SSL certificates, leaving them vulnerable to man-in-the-middle attacks. It then details methods for testing SSL validation in mobile apps, such as using a proxy to generate certificates and ensuring certificates are validated for both the certificate authority and hostname. Recommendations are provided for improving mobile app SSL validation through secure coding practices.
Identifying DoD Cybersecurity Requirements (Robert E Jones)
Left Brain Professionals offers expert audit guidance and accounting system customization for federal contractors. They help contractors prepare for audits, comply with federal contracting requirements, and manage their business more profitably. Their cybersecurity services also focus on practical, affordable steps to protect contractor data, customers, and reputations.
Building Blockchain Solutions with Algorand Developer Tools (Russ Fustino)
The document provides an overview of building blockchain solutions using Algorand developer tools. It discusses Algorand's consensus model of Pure Proof of Stake which aims to solve the blockchain trilemma of security, scalability, and decentralization. It also outlines Algorand's APIs, SDKs, command line tools, and features in development like Vault and Pixel that are aimed at improving storage and transaction efficiency. The document encourages developers to sign up and get started with Algorand's testnet and developer tools.
Algorand blockchain basics, decentralized and for developers (Russ Fustino)
Algorand is a new blockchain built on a permissionless, pure proof-of-stake, decentralized agreement protocol, in which anyone can participate and which requires minimal computational power. This protocol finalizes transactions very quickly and offers true decentralization.
For developers, the Algorand blockchain provides JavaScript, Java, Python and Go SDKs. Additionally, REST endpoints are provided for interacting with the nodes and handling wallet functions. These REST endpoints are based on the OpenAPI Specification and can be used to build clients in any language.
This session covers the basics of how the Algorand protocol works, gives an architecture overview, shows how to manage the node with the command line tools, and shows developers how to integrate using the SDKs to build Layer 2 applications.
The document discusses the search capabilities and infrastructure at TheLadders.com. It describes how they standardized their search using Solr, setting up a search team in 2010 and platform team in 2011. It also discusses challenges like complex boolean queries and implementing a recommendation service using Solr as the backend.
Geek Sync | Azure Cloud & You: First Steps for the DBA (IDERA Software)
You can watch the replay for this Geek Sync webcast, Azure Cloud & You: First Steps for the DBA, in the IDERA Resource Center, http://ow.ly/68S750A4rtU.
It's not a question of whether or not the landscape for the common DBA is changing. Without a doubt, it is. Azure offers up a new world of possibilities for DBAs and we should all strive to learn it. In this session, we'll cover some basic knowledge and terminology of Azure as well as how easy it is to incorporate Azure into your environment. We will stand up a new Azure virtual machine as well as set up a SQL DB. You will see how easy it is to accomplish this. This new-found knowledge will help propel your career into the new landscape.
Speaker: John Morehouse is currently a Consultant with Denny Cherry & Associates living in Louisville, Kentucky. John led the Omaha SQL Server user group for 7 years and is now a leader of the Louisville SQL Server/Power BI user group. He is a Microsoft Data Platform MVP, 2016 IDERA ACE, blogger, avid tweeter, and a frequent speaker at SQL Saturdays as well as other conferences. In his spare time, you can usually find John on Twitter (@sqlrus) as well as chasing his two young sons around the house.
This document discusses Kaspersky Lab and its operations in Romania. It notes that Kaspersky Lab has been operating in Romania since 2003, has over 300 million users globally, and gains over 50,000 new users daily. It also outlines two malware detection projects developed by Kaspersky Lab Romania called PatroKLes and Krab Krawler and provides statistics on the number of infected websites in Romania detected by Kaspersky Lab.
Winning Strategies for a Successful ERP Implementation (Jonathan Gross)
Is your company running an ERP selection project? Has it turned its mind to ERP implementation? In this presentation, we break down critical organizational readiness tasks that should be undertaken early, including team building. Learn the keys to building an effective ERP organization, including steering committee, project management, and core team.
The Hacker's Guide to NOT Getting Hacked (Jakub Kałużny)
The document provides guidance on how to avoid cyber threats and hacking. It discusses identifying assets and potential attack vectors, modeling threats from opportunistic to advanced actors. Different levels of security paranoia are outlined from 99% of people to security paranoid. Advice is given on securing devices, accounts, banking, travel and more. General scams are listed and threats to phones, computers, IoT devices, routers, email, social media and identity are covered. The importance of regularly updating defenses and reviewing security practices is emphasized.
The era of scratch cards, RSA tokens, SMS codes and different variations of second-factor authentication (and authorization) devices is soon to be over. The question is – what will replace current 2-FA methods – smart mobile applications or biometric solutions? And how quickly will the attackers find ways to bypass these methods?
One of the most popular biometric authentication methods already being widely implemented is voice biometrics. In this talk, expect to learn:
– a systematic approach to pentesting voice biometrics
– tools for automating calls to IVR channels
– how good a good microphone is
– how to fuzz the voice and identify key biometric characteristics and thresholds to bypass the algorithms
– how this kind of solution compares to standard password metrics
– how easy it is to abuse or bypass voice biometrics
I am sharing my experience of pentesting a few voice biometrics systems, fuzzing voice in IVR channels, abusing implementations in mobile apps, and finally, I define security requirements for implementing this kind of solution.
Zeronights 2015 - Big problems with big data - Hadoop interfaces security (Jakub Kałużny)
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
Script based malware detection in online bankingJakub Kałużny
Online banking applications are particularly exposed to malware attacks. In order to prevent stealing from customer accounts, banks have invested in malware detection mechanisms. These programs are not installed on clients’ computers but rather implemented server-side or by including some JavaScript code on protected websites. We have tested such solutions which are using different detection methods. To name a few:
behavioral patterns,
web injects signatures,
user input analysis.
Our research points out clearly that even products sold as a „100% malware proof solutions” have serious implementation errors and it is only a matter of time when malware creators start targeting their guns against these vulnerabilities, effectively bypassing or abusing these countermeasures. Is it a road to failure or is there still time to improve these solutions? In this document we present security analysis of those solutions from attacker point of view and recommendations for improvement.
See also our presentation from Black Hat Asia and Confidence: „Bypassing malware detection mechanisms in online banking„
ESA - Hacking the aerospace industry - should we worry ? Jakub Kałużny
This more entertaining than technical presentation aims to raise security awareness of scientists and astronomers in European Space Agency. Presented in ESAC, Madrid, 16.11.2015
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014 - Jakub Kałużny
When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, based on our experience, such a protocol very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac... - Jakub Kałużny
The document discusses security issues with pull printing solutions. It provides three examples of security assessments conducted on different vendor products. In the first example, the proprietary protocol was reverse engineered and vulnerabilities like weak encryption were found. The second vendor took security seriously and responded quickly to reported issues. The third example showed vulnerabilities like a lack of encryption that could allow print job tampering. The document emphasizes that pull printing solutions require thorough security testing.
Bypassing malware detection mechanisms in online banking
Slide 1: Bypassing malware detection mechanisms in online banking
Jakub Kałużny
Mateusz Olejarka
Slide 2: Who are we?
• Pentesters @ SecuRing
• Ex-developers
• Experience with:
— E-banking and mobile banking systems
— Multi-factor and voice recognition authentication
— Malware post mortem
@j_kaluzny @molejarka
Slide 3: Agenda
• Intro
— Why this topic?
— How is it done?
— Will it blend?
• Vulnerabilities
• Conclusions
• Q&A*
Slide 4: Intro
Slide 5: Why this topic?
• AVs are not reliable
• Users are lazy
• Market gap for new solutions
• A lot of money
Slide 6: How does malware work?
• Interaction with browser
— Web injects
— Other?
• What it does
— Steals credentials
— Changes transaction data
— Automates attacks
Malware families shown on the slide: zeus, spyeye, carberp, citadel, zitmo, vbclip, banatrix, carbanak, eblaster, bugat, torpig, hiloti, gozi
Slide 7: What is online malware detection?
Aim: Detect malware presence
[Diagram: USER -> BROWSER (with MALWARE) -> HTTP TRANSACTIONS -> WEB SERVER -> BACKEND. Detection signals: signatures, fingerprint, user/browser behaviour (JS), fraud detection system.]
Action: drop or mark as compromised
Slide 8: What are the limits?
Malware detection methods:
• HTTP response signature
• Browser fingerprint
• User/browser behavior
• Server-side behavioral methods
• Fraud detection system
Limits: marketing, magic, auditability
Slide 9: What is the purpose of this report?
• We do not represent any vendor
• We want to show
— architecture failures
— implementation errors
• We want to talk about what can be done
Slide 10: Vulnerabilities
Slide 11: Our approach
[Diagram: the same USER / BROWSER / MALWARE / HTTP TRANSACTIONS / WEB SERVER / BACKEND chain. Our steps: feed, analyze JS, analyze traffic, analyze response.]
Slide 12: First idea
HTTP traffic
[Diagram: the same action performed on a clean machine and on an infected machine, both sent to the system and compared.]
Slide 13: Going through…
HTTP traffic + JS analysis
[Diagram: the same action performed on a clean machine and on an infected machine, both sent to the system and compared.]
+ js analysis:
• Different paths
• Different subdomains
• Different data format (e.g. base64)
• Encryption (e.g. rsa)
Slide 14: Almost there…
[Diagram: the same action performed on a clean machine and on an infected machine, both sent to the system and compared.]
Slide 15: If it bleeds, we can kill it
[Diagram: the same action performed on a clean machine and on an infected machine, both sent to the system and compared.]
BYPASSED!
Slide 16: Architecture problem
[Diagram: user action -> system -> anti-malware magic -> red light / green light.]
Words of wisdom: adverse inference
Slide 17: Malware spotted!
[Diagram: user action -> system -> anti-malware magic -> red light.]
Who sends the alert?
Alert content:
login: user1
time: …
behaviour: suspicious
login: user2?
Slide 18: First things first
[Diagram: user action -> system -> anti-malware magic -> red light.]
JavaScript slowing your page? BYPASSED!
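The two architecture problems on slides 16-18 (an alert whose "login" field is supplied by the client, and a green light whenever the detection JavaScript simply does not run) have a server-side fix: bind the alert to the authenticated session and apply adverse inference when no beacon arrives. The following is an added example, not code from the presentation or any vendor; the session store, beacon fields and the 30-second freshness window are constructed assumptions.

```python
# Added example: server-side handling of detection beacons. Identity comes
# from the server session, never from the client-supplied "login" field, and a
# session without a fresh beacon is treated as red (adverse inference).
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BEACON_MAX_AGE = 30.0  # seconds; assumed heartbeat interval of the detection JS


@dataclass
class Session:
    login: str                          # set at authentication, server-side only
    last_beacon: Optional[float] = None  # time of last beacon from the detection JS
    flagged: bool = False
    reasons: List[str] = field(default_factory=list)


SESSIONS: Dict[str, Session] = {}  # constructed in-memory session store


def handle_beacon(session_id: str, payload: dict, now: float) -> str:
    """Record a beacon for the session it arrived on. Returns the login the
    alert was bound to, which is the session's login, not the payload's."""
    sess = SESSIONS[session_id]
    sess.last_beacon = now
    if "login" in payload and payload["login"] != sess.login:
        # A client claiming another user's login (slide 17: "login: user2?")
        # is itself suspicious; it never causes user2 to be flagged.
        sess.flagged = True
        sess.reasons.append("beacon login does not match session login")
    if payload.get("behaviour") == "suspicious":
        sess.flagged = True
        sess.reasons.append("beacon reported suspicious behaviour")
    return sess.login


def authorize_transaction(session_id: str, now: float) -> str:
    """Return 'green' or 'red' for a transaction on this session."""
    sess = SESSIONS[session_id]
    if sess.flagged:
        return "red"
    # Adverse inference: no beacon, or a stale one, means the detection JS was
    # blocked, slowed or stripped (slide 18), so the answer is red, not green.
    if sess.last_beacon is None or now - sess.last_beacon > BEACON_MAX_AGE:
        sess.reasons.append("no fresh detection beacon")
        return "red"
    return "green"
```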
Slide 19: Security by obscurity
malware detection JavaScript: eval, simple obfuscation – base64, hex, rsa encryption, signatures, reasoning engine
Web Service: rsa public key
Slide 20: Signatures server-side
browser -> server: website A please
server -> browser: HTML + JS malware detection
browser -> server: Fragments of website A
server -> browser: Hey, your website A is webinjected!
(server side: regexp for website A)
Slide 21: Signatures client-side
browser -> server: website A please
server -> browser: HTML + JS malware detection + web injects signatures
browser -> server: Hash of web injects signatures content
Leaks your malware signatures
The output is your weakness
Slide 22: Conclusions
Slide 23: Conclusions - banks
• Buy an anti-malware box?
• Better call your crew
• Trust, but verify
• Ask for technical details
Slide 24: Conclusions – vendors
• Online malware detection is a good path, behavioral systems are the future of ITsec
• But they are still based on the old HTTP + HTML + JS stack
• Think about architecture and implementation
Slide 25: What's next?
• Recommendations for potential anti-malware buyers – paper, work in progress
• Interested? -> malware@securing.pl or antimalware@securing.pl
Slide 26: Thank You
Q&A*
Editor's Notes
The level of sophistication of Polish online banking
Malware related tasks are on the rise
Huge media coverage of malware related topics
They steal real money (we’ve seen it!)
Emerging market of anti-malware solutions
Statistics
Limitation for each method
Bots can simulate everything
There are no 100% malware-proof solutions
But at least they should be properly implemented
Pay a shitload of money for a malware detection box (top secret military grade technology I can't tell you about)? Better call your crew
Do not trust vendors. Test your countermeasures.
Hybrid approach
Strategy, not snake oil