Malware Reverse Engineering
Man In The Browser (MITB)
Jeet Morparia
Software Engineer, Malware Analysis and Response
Malware Reverse Engineering
1
Agenda
1. Today’s malware landscape
2. Reverse engineering a malware
3. Man In The Browser
Today’s malware landscape
Though ‘spams’ have decreased, ‘malicious attacks’ have increased!
Use of more and more web toolkits
• >50% increase in unique variants of malware
• >10k unique malicious web domains
• ~50% increase in mobile vulnerabilities
2 main reasons for this trend:
- Part of large organizations’ ecosystem, providing a stepping stone to a larger attack
- Less defended
Reverse Engineering A Malware
Black boxing and White boxing
Analysis of a malware
[Screenshot: HIEW showing the sample’s virtual memory layout and file properties]
[Screenshot: UPX-packed sections (packed code) compared with the unpacked sections (unpacked code)]
[Screenshot: embedded resources and version information of the sample]
Monitoring Tools
OllyDbg: breakpoints
IDA PRO
Man In The Browser
Man-in-the-middle (MiM)

[Diagram: ALICE (End User) <-> TRUDY (Attacker) <-> BOB (Bank server); each message is encrypted (E) on sending and decrypted (D) by the party in the middle before being re-encrypted]
Alice -> Trudy: “Transfer $2500 to Mom”
Trudy -> Bob: “Transfer $10000 to Trudy”
Bob -> Trudy: “Transferred $10000 to Trudy”
Trudy -> Alice: “Transferred $2500 to Mom”
Man-in-the-browser (MITB)

[Diagram: TRUDY (Attacker) infects Alice’s system with a Trojan; the Trojan sits inside ALICE’S browser, between ALICE (End User) and BOB (Bank server)]
Alice types in her browser: “Transfer $2500 to Mom”
The Trojan sends to Bob: “Transfer $10000 to Trudy”
Bob replies: “Transferred $10000 to Trudy”
The browser shows Alice: “Transferred $2500 to Mom”
Captured form data is sent to Trudy
CLEAN BROWSER
- No extra fields
- Just the required information

INFECTED BROWSER
- Extra fields, e.g. PIN
- Asks for critical information usually not required
MiM vs MITB

Parameters                      | MiM                                    | MITB
Hardware/Software requirements  | Usually requires compromised hardware  | Injects malicious software (Trojan) in web browser
Communication                   | Has to deal with secure communication  | Immune to secure communication such as SSL
Targets                         | Targets are directed or location-based | Targets can be anywhere on the internet
Purpose of MITB
• Subvert secure communication, SSL
• Steal and modify form data
• Didn’t I say MONEY!
Types of MITB
• Hooking Windows API
  – Trojan.Clampi
• Using BHO (Browser Helper Objects) in IE, or using Firefox extensions
  – Trojan.Neloweg
• Using self-signed certificates
  – Trojan.Tatanarg
MITB by hooking Windows APIs

What is a hook?
A piece of code that intercepts function calls to modify the function of the application.

[Diagram: HOOKING FUNCTION placed in front of the ORIGINAL FUNCTION; the hook attaches itself to the original API when the API is called]

Trojan.Clampi:
• Injects a malicious thread into the IE browser
• Monitors and hooks several API calls from the Windows DLL urlmon.dll:
  – InternetOpenA
  – InternetConnectA
  – InternetReadFile
  – InternetWriteFile
• Grabs data from the IE browser before it is encrypted, hence overcoming SSL
• Can be detected by scanning for the injected process
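The detection the slide mentions (scanning the browser process for the hook) can be made concrete: an inline hook overwrites the first bytes of the exported API with a jump into the injected code, so comparing each export’s in-memory prologue against the on-disk DLL and decoding any jump written there reveals it. The following is an added example, not code from the original slides; the module layout, the export addresses and the in-memory/on-disk byte strings are constructed sample data, and on a live system they would be read from the browser process and from the DLL file.

```python
"""Detect inline hooks on browser Internet APIs by comparing each export's
in-memory prologue with the on-disk copy and decoding any jump written there.

Added example, not code from the original slides. The module layout and the
in-memory/on-disk bytes below are constructed sample data; on a live system
they would be read from the browser process and from the DLL file.
"""
import struct

# Typical unhooked x86 API prologue (constructed, 8 bytes):
#   8B FF      mov edi, edi
#   55         push ebp
#   8B EC      mov ebp, esp
#   83 EC 10   sub esp, 0x10
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")

# Constructed module layout: a 1 MiB DLL mapped at 0x76000000.
MODULE_BASE = 0x76000000
MODULE_SIZE = 0x00100000


def decode_jump_target(func_va, code):
    """Return the absolute target of a hook stub at func_va, or None.

    Recognises the two common inline-hook encodings:
      E9 rel32        jmp rel32          (target = address after the jmp + rel32)
      68 imm32 ; C3   push imm32 ; ret   (target = imm32)
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel32 = struct.unpack_from("<i", code, 1)[0]
        return (func_va + 5 + rel32) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name, func_va, mem, disk):
    """Compare an export's first bytes in memory against the on-disk image.

    An export is reported as hooked when its prologue differs from disk AND
    the new bytes jump to an address outside the module (an injected region).
    A jump that stays inside the module is reported as modified only.
    """
    modified = mem[:5] != disk[:5]
    target = decode_jump_target(func_va, mem)
    in_module = target is not None and MODULE_BASE <= target < MODULE_BASE + MODULE_SIZE
    return {
        "export": name,
        "modified": modified,
        "jump_target": target,
        "hooked": modified and target is not None and not in_module,
    }


def scan_exports(exports):
    """Run check_export over (name, va, mem_bytes, disk_bytes) tuples; return hooked names."""
    return [f["export"] for f in (check_export(*e) for e in exports) if f["hooked"]]


def _jmp_stub(func_va, target):
    """Constructed hook stub: E9 rel32 over the first 5 bytes, rest of the prologue intact."""
    rel32 = (target - (func_va + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel32) + CLEAN_PROLOGUE[5:]


# Constructed sample: the four exports named on the slide. Two are redirected
# into a region far outside the module, one is untouched, and one jumps to
# another address inside the module (e.g. a legitimate hot-patch thunk).
SAMPLE_EXPORTS = [
    ("InternetOpenA",     0x76012340, _jmp_stub(0x76012340, 0x00A10000), CLEAN_PROLOGUE),
    ("InternetConnectA",  0x76012500, CLEAN_PROLOGUE,                    CLEAN_PROLOGUE),
    ("InternetReadFile",  0x76013000, _jmp_stub(0x76013000, 0x00A10100), CLEAN_PROLOGUE),
    ("InternetWriteFile", 0x76013200, _jmp_stub(0x76013200, 0x76050000), CLEAN_PROLOGUE),
]


def hooked_exports_in_sample():
    """Names flagged as hooked in the constructed sample."""
    return scan_exports(SAMPLE_EXPORTS)


if __name__ == "__main__":
    for export in SAMPLE_EXPORTS:
        print(check_export(*export))
    print("hooked:", hooked_exports_in_sample())
```

The in-module jump is deliberately not flagged: Windows hot-patching and some security products legitimately rewrite prologues, so the signal worth alerting on is a prologue that now leaves the module for memory no loaded image owns, which is exactly where an injected thread’s code lives.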
MITB using BHO/browser extension
• Trojan.Neloweg
  – Sets up a Namespace and associates it with Winsock2
  – Loads the DLL in memory when any program tries to connect to the internet using Winsock2
  – No process injection needed!
• The DLL file creates the browser extension files if it is running under Firefox.exe:
  – %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
  – %ProgramFiles%\Mozilla Firefox\chrome\error.jar
  – %ProgramFiles%\Mozilla Firefox\components\nsLego.js
  – %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
• error.jar contains the main code for form grabbing.
• Can be detected by in-browser security software that blocks API access from browser extensions, e.g. Trusteer Rapport.
MITB using self-signed certificates
• Trojan.Tatanarg
  – Much like MiM: creates a proxy service between bank and client
  – On the bank side of the proxy: outbound traffic is encrypted using the bank’s credentials
  – On the browser side of the proxy: encrypts traffic using its own credentials
  – Can be detected by scanning the injected process
Other MITB prevention/detection techniques
• Client-side JavaScript to encrypt some fields before the form-grabbing component
  – Already broken
• Multi-factor authentication
  – Already broken
• Out-of-band transaction verification (OOB)
  – Verifying the transaction over a channel other than the browser
• Web fraud detection
  – Automated checks for fraud-detection patterns by the banks
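The two techniques the slide does not mark as broken, out-of-band verification and server-side fraud checks, share one idea: the bank acts on what it actually received, not on what the browser displayed. The example below is added here and is not code from the original slides; it plays through the diagram’s scenario (Alice means to send $2500 to Mom, the Trojan rewrites it to $10000 to Trudy) and the infected-browser slide’s injected PIN field. The field names, the bank functions and the SMS channel are assumptions of the example; the second channel is simulated by a function that returns the text the bank would send to the customer’s phone.

```python
"""Out-of-band (OOB) transaction verification plus a server-side check for
injected form fields.

Added example, not code from the original slides. The field names, the bank
functions and the SMS channel are assumptions of this example; the second
channel is simulated by a function returning the text the bank would send to
the customer's phone.
"""
import hashlib
import hmac

SERVER_SECRET = b"constructed-example-secret"  # per-deployment key in practice

# Fields a clean transfer form sends; anything else (e.g. an injected PIN) is suspicious.
EXPECTED_TRANSFER_FIELDS = {"from_account", "to_account", "amount", "memo"}


def unexpected_fields(form):
    """Fields the genuine page never sends; extra fields injected by an infected browser show up here."""
    return set(form) - EXPECTED_TRANSFER_FIELDS


def transaction_code(txn, nonce):
    """Short confirmation code bound to the recipient and amount the bank actually received."""
    canonical = f"{txn['to_account']}|{txn['amount']}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, canonical, hashlib.sha256).hexdigest()[:8]


def send_out_of_band(txn, nonce):
    """Simulated SMS: restates the received transaction so the customer can compare it with what they typed."""
    return f"Confirm transfer of ${txn['amount']} to {txn['to_account']}: code {transaction_code(txn, nonce)}"


def customer_reviews(intended, oob_message):
    """A careful customer types the code back only if amount and recipient match their intent."""
    expected_prefix = f"Confirm transfer of ${intended['amount']} to {intended['to_account']}: code "
    if oob_message.startswith(expected_prefix):
        return oob_message[len(expected_prefix):]
    return None


def bank_verify(txn, nonce, code):
    """Accept the transaction only if the returned code matches the one issued for it."""
    return code is not None and hmac.compare_digest(code, transaction_code(txn, nonce))


def run_transfer(intended, received, nonce="constructed-nonce"):
    """End to end: the bank receives `received` (possibly rewritten by MITB), sends the OOB message, verifies."""
    extra = unexpected_fields(received)
    if extra:
        return "rejected: unexpected fields " + ",".join(sorted(extra))
    message = send_out_of_band(received, nonce)
    code = customer_reviews(intended, message)
    return "approved" if bank_verify(received, nonce, code) else "not confirmed by customer"


# Constructed scenario from the slides' diagram: Alice means to send $2500 to Mom.
INTENDED = {"from_account": "alice-001", "to_account": "Mom", "amount": 2500, "memo": "rent"}
TAMPERED = dict(INTENDED, to_account="Trudy", amount=10000)  # rewritten inside the browser
INJECTED = dict(INTENDED, pin="1234")                        # extra field added by an infected browser

if __name__ == "__main__":
    print("clean:    ", run_transfer(INTENDED, INTENDED))
    print("tampered: ", run_transfer(INTENDED, TAMPERED))
    print("injected: ", run_transfer(INTENDED, INJECTED))
```

The tampered transfer fails not because the code is hard to guess but because the code is only ever issued for the values the bank received, and those values are shown to Alice on a channel the browser Trojan does not control. That is the property plain multi-factor authentication lacks: it proves who is logging in, not what they agreed to. The check still depends on the customer actually reading the amount and recipient in the message, and it offers nothing if the phone that receives the message is compromised as well.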
Summary of MITB

MITB technique                           | Hooking Win APIs              | BHO                  | Self-signed certificate
Trojan name                              | Trojan.Clampi                 | Trojan.Neloweg       | Trojan.Tatanarg
Injected process required?               | Yes                           | No                   | Yes
Encrypts/decrypts secure communication?  | No                            | No                   | Yes
Detection                                | Scan injected browser process | In-browser security  | Scan injected browser process
Conclusion
• Attackers are using newer ways to infect machines
  – Targeted attacks
  – Use of web toolkits
• Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
• MITB is an innovative way used by attackers to break security
• MITB prevention is still work in progress (good research project!)
• Malware reverse engineering as a profession has a broad scope
Reverse engineering tools
• Hex View
  – http://www.hiew.ru/
• Unpacking tools
  – http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
• Resource Hacker
  – http://www.angusj.com/resourcehacker/
• Monitoring tools
  – http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
• OllyDbg
  – http://www.ollydbg.de/
• IDA Pro
  – http://www.hex-rays.com/
• Process Dumper
  – http://www.microsoft.com/en-us/download/details.aspx?id=4060
  – http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers
References
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Trojan_Neloweg_Bank_Robbing_Bot_in_the_Browser.pdf
• http://www.symantec.com/connect/blogs/banking-proxy-trojantatanarg
• http://www.symantec.com/threatreport/
• https://www.owasp.org/index.php/OWASP_Anti-Malware__Knowledge_Base#Appendix_A:_Security_Considerations_about_Authentication_Solutions_and_Malware
• http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
VIDEO
• http://www.youtube.com/watch?v=USCHPIQB8_Y
Thank you!
Jeet Morparia
jeet.morparia@gmail.com
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.