Bypassing malware detection mechanisms in online banking

Jakub Kałużny, Mateusz Olejarka

Upload: jakub-kaluzny, posted 16-Aug-2015, 26 slides

TRANSCRIPT

Page 1: Title

Jakub Kałużny, Mateusz Olejarka

Bypassing malware detection mechanisms in online banking

Page 2: Who are we?

• Pentesters @ SecuRing
• Ex-developers
• Experience with:
— E-banking and mobile banking systems
— Multi-factor and voice recognition authentication
— Malware post mortem

@j_kaluzny @molejarka

Page 3: Agenda

• Intro
— Why this topic?
— How it's done?
— Will it blend?
• Vulnerabilities
• Conclusions
• Q&A*

Page 4: Intro

Page 5: Why this topic?

• AVs are not reliable
• Users are lazy
• Market gap for new solutions
• A lot of money

Page 6: How malware works?

• Interaction with browser
— Web injects
— Other?
• What it does
— Steals credentials
— Changes transaction data
— Automates attacks

Malware families named on the slide: zeus, spyeye, carberp, citadel, zitmo, vbclip, banatrix, carbanak, eblaster, bugat, torpig, hiloti, gozi

Page 7: What is online malware detection?

Aim: Detect malware presence

Diagram: USER → BROWSER (with MALWARE present) → HTTP TRANSACTIONS → WEB SERVER → BACKEND
Detection inputs shown: signatures, fingerprint (JS), user/browser behaviour, fraud detection system
Action: drop or mark as compromised

Page 8: What are the limits?

Malware detection methods:
• HTTP response signature
• Browser fingerprint
• User/browser behavior
• Server-side behavioral methods
• Fraud detection system

Limits noted on the slide: marketing magic, auditability

Page 9: What is the purpose of this report?

• We do not represent any vendor
• We want to show
— architecture failures
— implementation errors
• We want to talk about what can be done

Page 10: Vulnerabilities

Page 11: Our approach

Diagram: USER → BROWSER (with MALWARE present) → HTTP TRANSACTIONS → WEB SERVER → BACKEND
Steps: feed and analyze the JS, analyze the traffic, analyze the response

Page 12: First idea

HTTP traffic

Diagram: clean machine action → system ← infected machine action (the same action recorded on both machines and compared)

Page 13: Going through…

HTTP traffic + JS analysis

Diagram: clean machine action → system ← infected machine action

+ JS analysis:
• Different paths
• Different subdomains
• Different data format (e.g. base64)
• Encryption (e.g. RSA)

Page 14: Almost there…

Diagram: clean machine action → system ← infected machine action

Page 15: If it bleeds, we can kill it

Diagram: clean machine action → system ← infected machine action

BYPASSED!
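The approach of pages 12 to 15, as an added example that is not code from the talk: record the same user action on a clean and on an infected machine, diff the two HTTP captures to find the requests that belong to the detection JavaScript, and unwrap the base64 bodies it sends. The request logs, host names and report layout are constructed for the example.

```javascript
// Added example (not code from the talk): diff the HTTP traffic that the same
// user action produces on a clean and on an infected machine, to isolate the
// requests the malware detection JavaScript makes and decode what they carry.
// Request logs, host names and the report layout below are constructed.

function b64(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64');
}

// The same action (log in, open the account list) recorded on both machines.
const CLEAN = [
  { method: 'GET',  url: 'https://bank.example/login', body: '' },
  { method: 'POST', url: 'https://bank.example/login', body: 'user=alice&pass=REDACTED' },
  { method: 'POST', url: 'https://am.bank.example/v1/report',       // assumed detection endpoint
    body: b64({ sid: 'S1', fp: 'ff00', injected: false }) },
  { method: 'GET',  url: 'https://bank.example/accounts', body: '' },
];
const INFECTED = [
  { method: 'GET',  url: 'https://bank.example/login', body: '' },
  { method: 'POST', url: 'https://bank.example/login', body: 'user=alice&pass=REDACTED' },
  { method: 'POST', url: 'https://am.bank.example/v1/report',
    body: b64({ sid: 'S1', fp: 'ff00', injected: true, dom: '<div id="sec_code">' }) },
  { method: 'POST', url: 'https://updates.example/gate.php', body: 'bot=1' },   // the malware's own C2 traffic
  { method: 'GET',  url: 'https://bank.example/accounts', body: '' },
];

// Unwrap a base64-encoded JSON body; anything else comes back unchanged.
function decodeBody(body) {
  if (body.length === 0 || body.length % 4 !== 0 || !/^[A-Za-z0-9+/]+=*$/.test(body)) return body;
  try {
    return JSON.parse(Buffer.from(body, 'base64').toString('utf8'));
  } catch (e) {
    return body;
  }
}

// Key requests by method, host and path, then report what only one run has and
// what both runs have but with a different body.
function diffTraffic(clean, infected) {
  const key = (r) => { const u = new URL(r.url); return `${r.method} ${u.host}${u.pathname}`; };
  const cleanMap = new Map(clean.map((r) => [key(r), r]));
  const infectedMap = new Map(infected.map((r) => [key(r), r]));
  const onlyClean = [], onlyInfected = [], changed = [];
  for (const [k, r] of cleanMap) {
    if (!infectedMap.has(k)) {
      onlyClean.push(k);
    } else if (infectedMap.get(k).body !== r.body) {
      changed.push({ request: k, clean: decodeBody(r.body), infected: decodeBody(infectedMap.get(k).body) });
    }
  }
  for (const k of infectedMap.keys()) if (!cleanMap.has(k)) onlyInfected.push(k);
  return { onlyClean, onlyInfected, changed };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Prints the one request whose body changes with the infection state (the
  // detection report) and the one request that only the infected box makes.
  console.log(JSON.stringify(diffTraffic(CLEAN, INFECTED), null, 2));
}
```

The request whose body changes with the infection state is the detection channel; the request that exists only on the infected box is the malware's own. On a real target the diff is noisier (session ids, timestamps, cache busters), so the keying and decoding usually need a second pass for hex and RSA-wrapped payloads before the detection endpoint stands out.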

Page 16: Architecture problem

Diagram: user action → system → anti-malware "magic" → red light / green light

Words of wisdom: adverse inference

Page 17: Malware spotted!

Diagram: user action → system → anti-malware "magic" → red light

Who sends the alert?

Alert: login: user1, time: …, behaviour: suspicious
Alert: login: user2 ?

Page 18: First things first

Diagram: user action → system → anti-malware "magic" → red light

JavaScript slowing your page? BYPASSED!

Page 19: Security by obscurity

Malware detection JavaScript:
• eval
• Simple obfuscation – base64, hex
• RSA encryption (RSA public key in the script)
• signatures
• reasoning engine → Web Service

Page 20: Signatures server-side

Browser → server: "website A please"
Server → browser: HTML + JS malware detection
Browser → server: fragments of website A
Server (regexp for website A) matches the fragments: "Hey, your website A is webinjected!"

Page 21: Signatures client-side

Browser → server: "website A please"
Server → browser: HTML + JS malware detection
Diagram labels: "Hash of web injects signatures content", "web injects signatures" (the signature material reaches the client)

Leaks your malware signatures
The output is your weakness
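The same web-inject signature check placed client-side (page 21) and server-side (page 20), as an added example that is not code from the talk. The signatures, the page fragments and the inject variants are constructed for the example; the point is that a list evaluated in the browser is a free oracle for the malware, while regexps that stay on the server and a response that never changes leave it nothing to test against.

```javascript
// Added example (not code from the talk): client-side versus server-side
// matching of web-inject signatures. Signatures, pages and inject variants
// are constructed for the example.

// Regexps describing known injects into "website A" (the bank's login page).
const INJECT_SIGNATURES = [
  /id="sec_code"/i,                      // extra "token code" field the real page never has
  /enter\s+your\s+(token|sms)\s+code/i,
  /\/gate\.php/i,                         // panel path used by the constructed kit
];

const REAL_PAGE = '<form id="login"><input name="user"><input name="pass"></form>';
const INJECTED_PAGE = REAL_PAGE.replace('</form>',
  '<input id="sec_code" placeholder="Enter your token code">' +
  '<script src="//x.example/gate.php"></script></form>');

// Client-side variant: the signatures ship inside the detection script, the
// browser evaluates them and posts the verdict.
function clientSideCheck(pageHtml, signatures) {
  return { injected: signatures.some((re) => re.test(pageHtml)) };
}

// What malware makes of that: the list is readable in the page, so it can test
// its inject offline and keep the first variant that passes.
const VARIANTS = [
  INJECTED_PAGE,
  INJECTED_PAGE.replace('id="sec_code"', 'id="secCode"'),   // still caught by the text and path rules
  INJECTED_PAGE.replace('id="sec_code"', 'id="secCode"')
    .replace('Enter your token code', 'Type the code from your token')
    .replace('/gate.php', '/g.php'),
];
function pickEvadingVariant(variants, leakedSignatures) {
  return variants.find((html) => !clientSideCheck(html, leakedSignatures).injected) || null;
}

// Server-side variant: the browser only ships page fragments, the regexps stay
// on the server, and the browser is told nothing about the result.
const serverState = new Map();                  // sessionId -> { injected }

// Constructed collector: every <form> and <script> element of the page.
function collectFragments(pageHtml) {
  return pageHtml.match(/<form[\s\S]*?<\/form>|<script[^>]*>[\s\S]*?<\/script>/gi) || [];
}
function serverSideCheck(sessionId, fragments) {
  const injected = fragments.some((f) => INJECT_SIGNATURES.some((re) => re.test(f)));
  serverState.set(sessionId, { injected });
  return { status: 'ok' };                      // identical response, match or not
}
function serverVerdict(sessionId) {
  return (serverState.get(sessionId) || { injected: null }).injected;
}
```

With the server-side layout the malware's only oracle is whether a fraudulent transaction eventually goes through, which is slower and costs it real attempts; that residual signal is what the fraud detection system of page 8 is there to watch. The collector itself is still visible to the malware, so the remaining game is hiding the inject from the fragments rather than from a regexp list it can read.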

Page 22: Conclusions

Page 23: Conclusions - banks

• Buy an anti-malware box?
• Better call your crew
• Trust, but verify
• Ask for technical details

Page 24: Conclusions – vendors

• Online malware detection is a good path; behavioral systems are the future of ITsec
• But they are still based on the old HTTP + HTML + JS stack
• Think about architecture and implementation

Page 25: What's next?

• Recommendations for potential anti-malware buyers – paper, work in progress
• Interested? -> [email protected] or [email protected]

Page 26: Thank You

Q&A*