
Page 1: Using Hacker Tricks in Legit Defensive Code · 2020-01-17 · © 2013 Trustwave Holdings, Inc. 2 Turning Bad Guys Against Themselves The “Dual” Ouroboros Exploit Kits Banking

© 2013 Trustwave Holdings, Inc. 1

August 2013 | Chicago

Using Hacker Tricks in Legit Defensive Code

Ziv Mador

Director of Security Research

Content developed and presented at RSA with:

Ryan Barnett

Lead Security Researcher

Page 2

Turning Bad Guys Against Themselves

The “Dual” Ouroboros

Exploit Kits

Banking

Trojans

Page 3

Agenda

• Banking Trojans vs. Web Fraud Detection

• How To Protect Web Fraud Detection Code?

• Web Obfuscation Usage By Exploit Kits

• Applying Obfuscation To Web Fraud Detection Code

• Banking Trojans “Fight Back”

• Leveraging De-Obfuscation Algorithms in Web Security Products

• Summary

Page 4

Today’s Adversarial Relationship Pairings

Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) vs. Cybercriminals (Banking Trojans, Exploit Kits)

Page 5

Banking Trojan Overview

Page 6

Diagram: User → Compromised website (injected iframe) → Exploit server

Page 7

Banking Trojan Prevalence in 2013

The State of Financial Trojans 2013 - Symantec

Page 8

Zeus C&C Interface: Fraudulent EFTs

Page 9

New “ZeusVM” Variant (Feb. 2014)

What’s Wrong With This Picture? Hidden Zeus Config File

Image credit: malwarebytes blog

Page 10

Zeus “webinject”: ATM PIN Phishing

Page 11

Zeus “webinject”: ATM PIN Phishing

Page 12

Web Fraud Detection Overview

Page 13

Web Fraud Detection Techniques

• Device Identification

• GeoLocation

• Webpage Integrity

• User Behavior

• Time Differential Linking

• Proxy Piercing

• Device/User Reputation

• Clickstream Analysis

Page 14

http://panopticlick.eff.org/

Page 15

Webpage Integrity Validation

http://www.cs.washington.edu/research/security/web-tripwire.html

Page 16

Example Fraud Detection JavaScript

Page 17

Fingerprint.js: Browser Characteristics Checked

Page 18

Fingerprint Hash Beaconing

Page 19

Device Fingerprint Execution

Page 20

Web Tripwire XMLHttpRequest

Page 21

Web Tripwire Hash Validation

Page 22

Banking Trojans Circumvent Web Fraud Detection

Page 23

Updated Zeus “webinjects” Configuration: Removes The Fraud Detection Code

Page 24

Zeus Strips Fraud Detection JS Code

Page 25

Zeus Strips Fraud Detection JS Code

Page 26

Exploit Kit Overview

Page 27

Exploit Kits

• Serve as malware distribution mechanisms

• MaaS, “Malware As a Service”

• Provide rich configuration and reporting

© Kahu Security


Page 30

Exploit Kit Prevalence (Q4 2013)

Chart, shares by kit: 53.8%, 33.7%, 4.2%, 2.7%, 2.7%, 1.8%, 0.7%, 0.2%, 0.2%, 0.1%

Kits shown: Blackhole, RedKit, Cool, Neutrino, DotCachef, Styx, Whitehole, Bleeding Life, Nuclear, Magnitude

Page 31

Malicious Links

• Cybercriminals inject malicious iframe links into compromised web sites or into malicious web sites

• They may then run phishing campaigns with links to those sites, or simply wait for normal web traffic

Diagram: User → Compromised website (injected iframe) → Exploit server

Page 32

Victim Visits Infected Website

Page 33

Malvertising Infection on Yahoo

© hitmanpro blog

Page 34

Use of Multiple Vulnerabilities

• Typically attempt to exploit multiple vulnerabilities in different applications

o One vulnerability suffices for infection

Page 35

Using Obfuscation

• Obfuscation defeats most static analyzers

Figure: exploit kit code, and the same code after obfuscation

Page 36

Similarity of Challenges

• Escaping detection by exploit kits

• Protecting web fraud detection code

Page 37

Leveraging Cybercriminals’ Tactics

Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) vs. Cybercriminals (Banking Trojans, Exploit Kits); tactic leveraged: Obfuscation

Page 38

Using Exploit Kit Obfuscation for Defense

Page 39

Applying Obfuscation to Defensive Code

• If cybercriminals can protect their code with obfuscation, why can’t legit sites do the same?

Page 40

Use of Obfuscation for Legit Code

• The idea in general is not new

• Suggested in the past for

o Hindering hacker attacks

o Protecting Intellectual Property (IP)

• Already used by some applications (e.g. Oracle’s Java cryptography code)

• A recent study about “unhackable” obfuscation for legit apps (1)

• Similarly, some bank sites are pure Flash

• Here we discuss using techniques from malicious code

(1) http://www.wired.com/wiredscience/2014/02/cryptography-breakthrough/all/

Page 41

Using Exploit Kit Obfuscation Code: CryptJS

Page 42

Using Exploit Kit Obfuscation Code: CryptJS

Page 43

New Obfuscated HTML

Page 44

Still Functionally Equivalent Code

Page 45

Zeus “webinjects” No Longer Work!

Page 46

January 28, 2014 - SpyEye Creator Arrested

Aleksander Panin SpyEye Malware

Page 47

Greed Drives Innovation

Page 48

The Arms Race Continues…

Page 49

Leveraging Cybercriminals’ Tactics

Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) vs. Cybercriminals (Banking Trojans, Exploit Kits); tactic leveraged: Obfuscation

Page 50

New “De-Obfuscation” Flag (O) Added to Zeus

Page 51

Modified Zeus “httpgrabber” De-Obfuscation Code

Page 52

Modified Zeus Decodes, Removes and Injects

Page 53

Leveraging De-obfuscation Algorithms

• De-obfuscation algorithms reveal the clear text

• Sometimes they are complicated and dynamic

• Malware authors may come up with more efficient algorithms

• Why not leverage their creativity again?

• We can reverse engineer the malware and identify the de-obfuscation algorithms

• We can then use these de-obfuscation algorithms in security products that scan web pages (SWG, AV, Firewall…)
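A scanner built the way this slide proposes, as an added example and not Trustwave's or any product's code: every decoder recovered from malware is applied to a script block until the text stops changing, and signatures then run on the clear text instead of the obfuscated source. The dx() scheme, the signatures and the sample are constructed stand-ins rather than any real kit's routine; the String.fromCharCode and eval() unwrapping are generic JavaScript layers.

```javascript
// Added example: a page scanner that reuses recovered de-obfuscation routines.
// Signatures are constructed for this demo; they only ever see the clear text.
const SIGNATURES = [
  { name: "hidden-iframe", re: /<iframe[^>]*\b(width|height)\s*=\s*["']?0\b/i },
  { name: "dom-write-iframe", re: /document\.write\s*\(\s*["']\s*<iframe/i },
];

// Generic JavaScript layer: String.fromCharCode(100,111,...) -> "do..." literal.
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, nums) =>
    JSON.stringify(String.fromCharCode(...nums.split(",").map(Number))));
}

// Generic JavaScript layer: eval("<literal>") -> the literal's contents.
function decodeEvalLiteral(src) {
  return src.replace(/eval\(("(?:[^"\\]|\\.)*")\)/g, (_, lit) => JSON.parse(lit));
}

// Stand-in for a routine reverse engineered from malware (a constructed
// scheme, not any real kit's): dx("<hex>", key) XORs every byte with key.
function decodeDx(src) {
  return src.replace(/dx\("([0-9a-f]+)",\s*(\d+)\)/g, (_, hex, key) =>
    JSON.stringify(Buffer.from(Buffer.from(hex, "hex").map(b => b ^ Number(key))).toString("latin1")));
}

const DECODERS = [decodeFromCharCode, decodeDx, decodeEvalLiteral];

// Apply every decoder until the text stops changing. The round limit matters:
// layers can be deep, and a gateway must bound the work it spends per page.
function deobfuscate(src, maxRounds = 10) {
  let clearText = src, rounds = 0;
  for (let i = 0; i < maxRounds; i++) {
    const next = DECODERS.reduce((s, d) => d(s), clearText);
    if (next === clearText) break;
    clearText = next;
    rounds++;
  }
  return { clearText, rounds };
}

// Scan one script block; decode=false shows what a plain static scan sees.
function scan(src, decode = true) {
  const { clearText, rounds } = decode ? deobfuscate(src) : { clearText: src, rounds: 0 };
  const hits = SIGNATURES.filter(s => s.re.test(clearText)).map(s => s.name);
  return { rounds, hits };
}

// Constructed sample: a zero-size iframe write hidden under two wrappers
// (fromCharCode inside dx inside eval), built here from its clear text.
const PLAIN = "document.write(\"<iframe src='http://example.invalid/x' width=0 height=0></iframe>\")";
const LAYER1 = "eval(String.fromCharCode(" + [...PLAIN].map(c => c.charCodeAt(0)).join(",") + "))";
const KEY = 90;
const HEX = Buffer.from(Buffer.from(LAYER1, "latin1").map(b => b ^ KEY)).toString("hex");
const OBFUSCATED = 'eval(dx("' + HEX + '", ' + KEY + "))";
```

The fixed-point loop is what makes reuse pay off: once one routine is recovered, every page wrapped with it decodes without new rules, and the iframe signature never needs to know which wrapper hid it.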

Page 54

Leveraging Cybercriminals’ Tactics

Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) vs. Cybercriminals (Banking Trojans, Exploit Kits); tactics leveraged: Obfuscation, De-Obfuscation Reuse

Page 55

The Lifecycle Continues

Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) vs. Cybercriminals (Banking Trojans, Exploit Kits); tactic leveraged: Polymorphic Variable Names

Page 56

Using Polymorphic Variable Names

Page 57

Using Polymorphic Variable Names

Page 58

Using Polymorphic Variable Names

Page 59

Summary

• In addition to fighting cybercriminals’ techniques, security vendors can also leverage them in some cases for better protection

• Algorithms from one cyber gang can be used to protect against malware from another gang

• It is an iterative process

• More research is welcomed

– Identifying other similar scenarios

– Considering the ethical and legal aspects of this concept

Page 60

Acknowledgments

• We would like to thank fellow SpiderLabs Researchers who helped with developing the demos

– Daniel Chechik

– Felipe Zimmerle Costa

Page 61

Q&A

Ziv Mador

[email protected]