Browser attack points still abused by banking trojans

Presented at VB2017, Oct. 4, 2017, 3 p.m. (30 minutes)

With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They are interested in adjusting the behaviour of browsers for their own purposes, namely intercepting the content of web forms, modifying server responses (manifested as webinjects), and confirming the validity of spoofed SSL certificates. These goals are usually achieved by placing malicious code at certain addresses within a browser process.

It has been more than seven years now since the infamous Zeus bot first successfully took advantage of *Mozilla Firefox* by hooking specific exported functions, and the very same approach has been widely used by others ever since. Moving to *Microsoft Edge*, the developers have made their best attempt to mitigate arbitrary code execution, using technologies like Control Guard Integrity (CGI) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execution of injected code delivered by a remote malicious process. Finally, cybercrooks seem to have the greatest trouble adapting their hooks in *Google Chrome*. Though it might not have been the primary intent of the developers, the custom implementation of the SSL functionality has resulted in a cat-and-mouse game thanks to the fact that the attack points are unexported and change regularly.

In our session we will guide the audience through an overview of the techniques used by major banking trojans in the wild. We are pleased to see that the ease of implementing hijacking methods is decreasing, and that attackers are under constant pressure to adopt changes. Moreover, security solutions offer various browser protections that work very well against existing methods. How do they handle that? Wouldn't it be great to see the mitigation in the first possible layer? We consider this a topic for discussion.

As a side result, we have also transformed our collected knowledge into a plug-in for the Volatility Framework that extends the functionality of apihooks within the scope of browsers.
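To make the detection side of the abstract concrete, the following added example (not the presenters' Volatility plug-in, and not code from the talk) compares in-memory function prologues with the on-disk image and flags those whose first instruction transfers control outside the owning module. The module names, addresses, export names and byte strings are constructed for illustration.

```python
import struct

def redirect_target(addr, code, bits=64):
    """Absolute address the first instruction at `addr` transfers to, or None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) % (1 << bits)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return struct.unpack_from("<i", code, 1)[0] % (1 << bits)
    if bits == 64 and len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", code, 2)[0]             # mov rax, imm64; jmp rax
    return None  # indirect forms (jmp [mem]) need a memory read and are not handled here

def owner_of(address, modules):
    """Name of the loaded module whose image range contains `address`, else None."""
    return next((n for n, base, size in modules if base <= address < base + size), None)

def find_hooks(exports, modules, bits=64):
    """Compare in-memory prologues with the on-disk image and classify differences.
    Assumes the `disk` bytes were already relocated to the module's load address."""
    findings = {}
    for name, addr, mem, disk in exports:
        if mem == disk:
            continue  # prologue is untouched
        target = redirect_target(addr, mem, bits)
        if target is not None and owner_of(target, modules) != owner_of(addr, modules):
            # Owner None: the target is not backed by any loaded image.
            findings[name] = ("redirected", owner_of(target, modules))
        else:
            findings[name] = ("patched", None)  # modified, but no cross-module redirect
    return findings

# Constructed sample data: layout, export names and bytes are invented for illustration.
BASE = 0x7FF800000000
MODULES = [("browser.dll", BASE, 0x200000), ("helper.dll", 0x7FF900000000, 0x10000)]
CLEAN = bytes.fromhex("48895c240848897424105748")  # ordinary 12-byte prologue

def jmp_rel32(src, dst):
    """Build a prologue that starts with `jmp dst`, as seen at address `src`."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5)) + CLEAN[5:]

EXPORTS = [
    ("export_clean", BASE + 0x1000, CLEAN, CLEAN),
    ("export_jmp", BASE + 0x2000, jmp_rel32(BASE + 0x2000, 0x7FF7F0000000), CLEAN),
    ("export_movjmp", BASE + 0x3000,
     b"\x48\xb8" + struct.pack("<Q", 0x7FF900000400) + b"\xff\xe0", CLEAN),
    ("export_nop", BASE + 0x4000, b"\x90" + CLEAN[1:], CLEAN),
]

if __name__ == "__main__":
    for name, (kind, owner) in find_hooks(EXPORTS, MODULES).items():
        print(name, kind, owner)
```

A redirect into another loaded module is not malicious by itself, since security products place hooks the same way; a target with no backing image is the stronger signal.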

Presenters:

  • Michal Poslušný - ESET
    Michal Poslušný is a malware analyst working at ESET, where he is mainly responsible for reverse engineering of complex malware threats. He also works on developing various internal projects and tools and is a co-author of ESET's CrackMe used for hiring new talent. In his free time he likes to play online games, develop fun projects and spend time with family.
  • Peter Kálnai - ESET
    Peter Kálnai is a malware researcher at ESET. He realizes that mastering the art of reverse engineering is a lifelong project. He is interested in discovering and extending the features of Volatility Framework. He has actively participated in international conferences including Virus Bulletin, RSA Conference, CARO Workshop, Botconf, AVAR and cyberCentral. In his free time he enjoys table football and playing indie games on his mobile phone. @pkalnai
