Malware Reverse Engineering. Man In The Browser (MITB). Jeet Morparia. Software Engineer, Malware Analysis and Response. Agenda. Today’s malware landscape. 1. Reverse engineering a malware. 2. Man In The Browser. 3. Today’s malware landscape.
Malware Reverse Engineering
Man In The Browser (MITB)
Jeet Morparia
Software Engineer, Malware Analysis and Response
Agenda
1 Today’s malware landscape
2 Reverse engineering a malware
3 Man In The Browser
Today’s malware landscape
Though ‘spams’ have decreased, ‘malicious attacks’ have increased!
Use of more and more web-toolkits
• >50% increase in unique variants of malware
• >10k unique malicious web domains
• ~50% increase in mobile vulnerabilities
2 main reasons for this trend:
• Part of large organizations’ ecosystem, providing a stepping stone to a larger attack
• Less defended
Reverse Engineering A Malware
Black boxing and White boxing
Analysis of a malware
HIEW
• VIRTUAL MEMORY
• FILE PROPERTIES
PACKED CODE
• UPX
• Packed Sections
UNPACKED CODE
• Unpacked Sections
Embedded Resources
Version Information
Monitoring Tools
OllyDbg
Break Points
IDA PRO
Man In The Browser
Man-in-the-middle (MiM)
[Diagram: ALICE (End User), TRUDY (Attacker) and BOB (Bank server), with E and D markers on each hop. Messages shown: "Transfer $2500 to Mom", "Transfer $10000 to Trudy", "Transferred $10000 to Trudy", "Transferred $2500 to Mom".]
Man-in-the-browser (MITB)
[Diagram: ALICE (End User), ALICE’S Browser, BOB (Bank server) and TRUDY (Attacker). Labels: "Infect Alice’s system with a Trojan", "Captured form data". Messages shown: "Transfer $2500 to Mom", "Transfer $10000 to Trudy", "Transferred $10000 to Trudy", "Transferred $2500 to Mom".]
CLEAN BROWSER
- No extra fields
- Just the required information
INFECTED BROWSER
- Extra fields e.g.: PIN
- Asks for critical information usually not required
MiM vs MITB
Purpose of MITB
• Subvert secure communication, SSL
• Steal and modify form data
• Didn’t I say MONEY!
Types of MITB
MITB by hooking Windows APIs
What is a hook? A piece of code that intercepts function calls to modify the function of the application.
1 Trojan.Clampi injects a malicious thread into the IE browser
2 Monitors and hooks several API calls monitored by Windows DLL, urlmon.dll
  - InternetConnectA
  - InternetOpenA
  - InternetReadFile
  - InternetWriteFile
3 Hooks itself to the original API when it is called
4 Grabs data from the IE browser before it is encrypted, hence overcoming SSL
• Can be detected by scanning for injected process
[Diagram: HOOKING FUNCTION, ORIGINAL FUNCTION]
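An added example (not from the slides) of one way a scanner can spot the kind of hook described above: read the first bytes of each listed API and flag any entry point that immediately jumps outside the DLL that owns it. The module range, addresses and prologue bytes are constructed sample data, and the function names `redirect_target` and `find_hooks` are hypothetical.

```python
import struct

# Constructed sample: load range of the DLL that owns the APIs (hypothetical).
MODULE_BASE, MODULE_SIZE = 0x76A00000, 0x000D0000

# Constructed sample: entry-point address and first 8 bytes of each API,
# as a memory scanner might read them from a 32-bit browser process.
PROLOGUES = {
    "InternetConnectA":  (0x76A1C000, bytes.fromhex("8bff558bec83ec10")),  # normal prologue
    "InternetOpenA":     (0x76A1D200, bytes.fromhex("e900100000cccccc")),  # jmp inside module
    "InternetReadFile":  (0x76A20440, bytes.fromhex("e9bbfb5e898bec56")),  # jmp outside module
    "InternetWriteFile": (0x76A21880, bytes.fromhex("6800001000c39090")),  # push/ret outside
}

def redirect_target(addr, code):
    """Return the address the entry point transfers to at once, or None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    return None

def find_hooks(prologues, base, size):
    """Map API name -> redirect target for entry points that leave the module."""
    hooked = {}
    for name, (addr, code) in prologues.items():
        target = redirect_target(addr, code)
        # A jump that stays inside the owning module is not reported.
        if target is not None and not (base <= target < base + size):
            hooked[name] = target
    return hooked

if __name__ == "__main__":
    for name, target in find_hooks(PROLOGUES, MODULE_BASE, MODULE_SIZE).items():
        print(f"{name}: entry point redirected to {target:#010x}")
```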
MITB using BHO / Browser extension
• Trojan.Neloweg
• Sets up Namespace and associates it with Winsock2
• Loads the dll in memory when any program tries to connect to the internet using Winsock2
• No process injection needed!
The dll file creates the browser extension files if it is running under Firefox.exe
• %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
• %ProgramFiles%\Mozilla Firefox\chrome\error.jar
• %ProgramFiles%\Mozilla Firefox\components\nsLego.js
• %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
• Error.jar contains the main code for form grabbing.
• Can be detected by in-browser security software which blocks APIs from browser extensions, e.g. Trusteer Rapport.
MITB using self signed certificates
• Trojan.Tatanarg
• Much like MiM: Creates proxy service between bank and client
  - On the bank side of proxy: Outbound traffic encrypted using bank credentials
  - On the browser side of proxy: Encrypt traffic using its own credentials
• Can be detected by scanning injected process
Other MITB prevention/detection techniques
• Client-side java-script to encrypt some fields before the form grabbing component
  - Already broken
• Multi factor authentication
  - Already broken
• Out of band transaction verification (OOB)
  - Verifying the transaction over a channel other than the browser
• Web frauds detection
  - Automated checks for fraud detection patterns by the banks
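An added example (not from the slides) of out of band transaction verification using the deck's own Alice/Trudy transfer: the bank describes the transfer as it actually received it over a second channel and issues a one-time code bound to those exact details, so a transfer altered inside the browser is never confirmed. All function names, the message format and the 6-digit code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BANK_KEY = secrets.token_bytes(32)   # server-side secret; never reaches the browser

def _code(nonce, payee, amount):
    # Bind the one-time code to the exact payee and amount the server received.
    msg = f"{nonce}|{payee}|{amount}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_send_oob(payee, amount):
    """Bank: describe the transfer as received; goes out over the second channel."""
    nonce = secrets.token_hex(8)
    return nonce, f"Transfer ${amount} to {payee}", _code(nonce, payee, amount)

def user_confirms(intended_text, oob_text, code):
    """User: release the code only if the second-channel text matches the intent."""
    return code if oob_text == intended_text else None

def bank_commit(nonce, payee, amount, code):
    """Bank: execute only when the returned code matches these exact details."""
    return code is not None and hmac.compare_digest(code, _code(nonce, payee, amount))

def run(intended, received):
    """intended: what Alice typed; received: what reached the bank from her browser."""
    nonce, text, code = bank_send_oob(*received)
    reply = user_confirms(f"Transfer ${intended[1]} to {intended[0]}", text, code)
    return bank_commit(nonce, *received, reply)

if __name__ == "__main__":
    print("clean browser:   ", run(("Mom", 2500), ("Mom", 2500)))
    print("infected browser:", run(("Mom", 2500), ("Trudy", 10000)))
```

The check only holds if the second channel is outside the infected browser and the user actually reads the payee and amount before releasing the code.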
Summary of MITB
Conclusion
• Attackers are using newer ways to infect machines
  - Targeted attacks
  - Use of web tool kits
• Comprehensive analysis of a malware involves combination of black-boxing and white-boxing techniques
• MITB is an innovative way used by attackers to break security
• MITB prevention is still work in progress (Good research project!)
• Malware reverse engineering as a profession has a broad scope
Reverse engineering tools
• Hex View
  - http://www.hiew.ru/
• Unpacking tools
  - http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
• Resource hacker
  - http://www.angusj.com/resourcehacker/
• Monitoring tools
  - http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
• OllyDbg
  - http://www.ollydbg.de/
• IdaPro
  - http://www.hex-rays.com/
• Process Dumper
  - http://www.microsoft.com/en-us/download/details.aspx?id=4060
  - http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers
References
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Trojan_Neloweg_Bank_Robbing_Bot_in_the_Browser.pdf
• http://www.symantec.com/connect/blogs/banking-proxy-trojantatanarg
• http://www.symantec.com/threatreport/
• https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Appendix_A:_Security_Considerations_about_Authentication_Solutions_and_Malware
• http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
VIDEO
• http://www.youtube.com/watch?v=USCHPIQB8_Y
Jeet Morparia
jeet.morparia@gmail.com