Bypassing malware detection mechanisms in online banking (slide transcript)
Post on 29-Aug-2020
Jakub Kałużny
Mateusz Olejarka
Bypassing malware detection mechanisms in online banking
• Pentesters @ SecuRing
• Ex-developers
• Experience with:
— E-banking and mobile banking systems
— Multi-factor and voice recognition authentication
— Malware post mortem
Who are we?
@j_kaluzny @molejarka
• Intro
— Why this topic?
— How it’s done?
— Will it blend?
• Vulnerabilities
• Conclusions
• Q&A*
Agenda
Intro
• AVs are not reliable
• Users are lazy
• Market gap for new solutions
• A lot of money
Why this topic?
• Interaction with browser
— Web injects
— Other?
• What it does
— Steals credentials
— Changes transaction data
— Automates attacks
How does malware work?
zeus
spyeye
carberp
citadel
zitmo
vbclip
banatrix
carbanak
eblaster
bugat
torpig
hiloti
gozi
What is online malware detection?
Aim: detect malware presence
Diagram: USER → BROWSER (MALWARE, JS) → WEB SERVER → BACKEND, exchanging HTTP TRANSACTIONS
Checks applied: signatures, fingerprint, user/browser behaviour, fraud detection system
Action: drop or mark as compromised
Malware detection methods:
• HTTP response signature
• Browser fingerprint
• User/browser behavior
• Server-side behavioral methods
• Fraud detection system
What are the limits?
marketing magic
auditability
• We do not represent any vendor
• We want to show
— architecture failures
— implementation errors
• We want to talk about what can be done
What is the purpose of this report?
Vulnerabilities
Our approach
Diagram: USER → BROWSER (MALWARE) → WEB SERVER → BACKEND, exchanging HTTP TRANSACTIONS
Steps: feed, analyze JS, analyze traffic, analyze response
First idea: HTTP traffic
Diagram: clean machine → action → system; infected machine → action → system
Going through…: HTTP traffic + JS analysis
Diagram: clean machine → action → system; infected machine → action → system
+ JS analysis:
• Different paths
• Different subdomains
• Different data format (e.g. base64)
• Encryption (e.g. RSA)
Almost there…
Diagram: clean machine → action → system; infected machine → action → system
If it bleeds, we can kill it
Diagram: clean machine → action → system; infected machine → action → system
BYPASSED!
Architecture problem
Diagram: user → action → system → anti-malware magic → red light / green light
Words of wisdom: adverse inference
Malware spotted!
Diagram: user → action → system → anti-malware magic → red light
Who sends the alert?
Alert: login: user1, time: …, behaviour: suspicious
login: user2 → ?
First things first
Diagram: user → action → system → anti-malware magic → red light
JavaScript slowing your page? BYPASSED!
Security by obscurity
Diagram: malware detection JavaScript, built from:
• eval
• Simple obfuscation – base64, hex
• RSA encryption (RSA public key)
• signatures
• reasoning engine
• Web Service
Signatures server-side
Diagram (browser ↔ server):
Browser → server: website A please
Server → browser: HTML + JS malware detection
Browser → server: fragments of website A
Server → browser: Hey, your website A is webinjected!
Server holds: regexp for website A
Signatures client-side
Diagram (browser ↔ server):
Browser → server: website A please
Server → browser: HTML + JS malware detection + web injects signatures
Browser → server: hash of web injects signatures content
Leaks your malware signatures
The output is your weakness
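The server-side design from the two signature slides and the "adverse inference" slide, as an added example that is not from the talk: the regexps stay on the server and the browser only ships page fragments, a missing report yields a red light instead of green, and the alerted user comes from the authenticated session rather than from the client's payload. The signatures, fragments, report format and the names SIGNATURES, check_fragments and decide are all constructed here.

```python
import re
from typing import Optional

# Constructed web-inject signatures for "website A". In the server-side
# design they never leave the server; the client only sends page fragments.
SIGNATURES = {
    "website-a": [
        re.compile(r'<input[^>]+name="(?:pin|token|atm_pin)"', re.I),
        re.compile(r"additional security verification", re.I),
    ],
}


def check_fragments(site: str, fragments: list[str]) -> list[str]:
    """Return the signature patterns that matched any submitted fragment."""
    hits = []
    for pattern in SIGNATURES.get(site, []):
        if any(pattern.search(fragment) for fragment in fragments):
            hits.append(pattern.pattern)
    return hits


def decide(session_user: str, report: Optional[dict]) -> dict:
    """Turn a detection report into a red/green light for one session.

    Adverse inference: if the detection JavaScript never reported back
    (blocked, stripped or too slow), the verdict is red, not green.
    The user comes from the authenticated session, never from the report,
    so a tampered report cannot point the alert at somebody else.
    """
    if report is None:
        return {"user": session_user, "light": "red", "reason": "no report"}
    hits = check_fragments(report["site"], report["fragments"])
    if hits:
        return {"user": session_user, "light": "red",
                "reason": "webinject", "hits": hits}
    return {"user": session_user, "light": "green", "reason": "clean"}


# Constructed sample fragments: a clean login form, and the same form with
# an injected "verification" block asking for an ATM PIN.
CLEAN = ['<form id="login"><input name="user"><input name="pass"></form>']
INJECTED = CLEAN + ['<div>Additional security verification</div>'
                    '<input type="text" name="atm_pin">']
```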
Conclusions
• Buy an anti-malware box?
• Better call your crew
• Trust, but verify
• Ask for technical details
Conclusions – banks
• Online malware detection is a good path; behavioral systems are the future of IT security
• But they are still based on the old HTTP + HTML + JS stack
• Think about architecture and implementation
Conclusions – vendors
• Recommendations for potential anti-malware buyers – paper, work in progress
• Interested? -> malware@securing.pl or antimalware@securing.pl
What’s next?
Thank You
Q&A*