Malware Reverse Engineering - PowerPoint PPT Presentation

Presentation Transcript

  1. Malware Reverse Engineering: Man In The Browser (MITB). Jeet Morparia, Software Engineer, Malware Analysis and Response

  2. Agenda: 1. Today's malware landscape 2. Reverse engineering a malware 3. Man In The Browser

  3. Today's malware landscape

  4. Though spam has decreased, malicious attacks have increased! Use of more and more web toolkits

  5. >50% increase in unique variants of malware; >10k unique malicious web domains; ~50% increase in mobile vulnerabilities

  6. 2 main reasons for this trend:
  • Part of large organizations' eco-system, providing a stepping stone to a larger attack
  • Less defended

  7. Reverse Engineering A Malware: Black boxing and White boxing

  8. Analysis of a malware

  9. HIEW [Screenshots: VIRTUAL MEMORY, FILE PROPERTIES]

  10. [Screenshots: PACKED CODE (UPX packed sections) vs UNPACKED CODE (unpacked sections)]

  11. [Screenshots: Embedded Resources, Version Information]

  12. Monitoring Tools

  13. OllyDbg [Screenshot: Break Points]

  14. IDA PRO

  15. Man In The Browser

  16. Man-in-the-middle (MiM)
  [Diagram: ALICE (end user) sends "Transfer $2500 to Mom" to BOB (bank server). TRUDY (attacker) sits between them, with each hop labelled E/D (encrypt/decrypt): the request reaches the bank as "Transfer $10000 to Trudy", and the bank's reply "Transferred $10000 to Trudy" is returned to Alice as "Transferred $2500 to Mom".]

  17. Man-in-the-browser (MITB)
  [Diagram: TRUDY (attacker) infects Alice's system with a Trojan. Inside ALICE'S browser the form data is captured: Alice types "Transfer $2500 to Mom", but "Transfer $10000 to Trudy" is what reaches BOB (bank server); the reply "Transferred $10000 to Trudy" is shown to Alice as "Transferred $2500 to Mom".]

  18. CLEAN BROWSER: no extra fields, just the required information. INFECTED BROWSER: extra fields (e.g. PIN), asks for critical information usually not required. [Screenshot of the injected "PIN:" field]

  19. MiM vs MITB

  20. Purpose of MITB
  • Subvert secure communication (SSL)
  • Steal and modify form data
  • Didn't I say MONEY!

  21. Types of MITB

  22. MITB by hooking Windows APIs
  What is a hook? A piece of code that intercepts function calls to modify the function of the application.
  [Diagram: a HOOKING FUNCTION placed in front of the ORIGINAL FUNCTION]
  Hooked APIs:
  • InternetConnectA
  • InternetOpenA
  • InternetReadFile
  • InternetWriteFile
  1. Trojan.Clampi injects a malicious thread into the IE browser
  2. Monitors and hooks several API calls monitored by Windows DLL, urlmon.dll
  3. Hooks itself to the original API when it's called
  4. Grabs data from the IE browser before it's encrypted, hence overcoming SSL
  • Can be detected by scanning for the injected process
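Slide 22 ends with the note that a Clampi-style hook can be detected by scanning the injected process. The following Python is an added example, not code from the presentation or from Symantec's Clampi write-up, of the core check such a scanner performs: compare the first bytes of each hooked export as they sit in the browser process against the clean prologue from the DLL on disk, and when they differ, decode whether the new bytes are a jump stub and whether it lands outside the DLL's own address range. Everything here is constructed sample data (the module is named wininet.dll because that DLL exports InternetReadFile and friends, while the slide names urlmon.dll; the base address, export addresses, prologue bytes and trampoline address are made up); a live scanner would obtain them by parsing the PE export table and reading process memory.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ModuleRange:
    """Address range of one loaded DLL (constructed values below)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class HookFinding:
    func: str
    kind: str              # "jmp_rel32", "jmp_indirect", "push_ret" or "patched"
    target: Optional[int]  # where control is redirected (None if not decodable)
    in_module: bool        # True if the redirect stays inside the DLL itself


def decode_redirect(code: bytes, addr: int) -> Optional[Tuple[str, int]]:
    """Decode the common x86 stubs an inline hook writes over a prologue.

    Returns (kind, target) or None when the bytes are not a known stub.
    """
    if len(code) >= 5 and code[0] == 0xE9:                      # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # JMP dword ptr [abs32]
        # The final target lives in a pointer slot; a live scanner reads that slot.
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32; RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(func: str, addr: int, disk_bytes: bytes, mem_bytes: bytes,
                 module: ModuleRange) -> Optional[HookFinding]:
    """Compare the on-disk prologue with the in-process copy of one export."""
    n = min(len(disk_bytes), len(mem_bytes))
    if disk_bytes[:n] == mem_bytes[:n]:
        return None                                     # untouched
    redirect = decode_redirect(mem_bytes, addr)
    if redirect is None:
        return HookFinding(func, "patched", None, True)  # modified, but not a plain stub
    kind, target = redirect
    return HookFinding(func, kind, target, module.contains(target))


# ---- constructed sample data standing in for a live browser process ----
WININET = ModuleRange("wininet.dll", 0x76A00000, 0x00200000)
EXPORTS: Dict[str, int] = {
    "InternetConnectA": 0x76A01100,
    "InternetOpenA": 0x76A011A0,
    "InternetReadFile": 0x76A01230,
    "InternetWriteFile": 0x76A01450,
}
# Standard hot-patchable Win32 prologue: mov edi,edi; push ebp; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
# Constructed address of a trampoline inside memory injected into the browser
INJECTED_STUB = 0x00401000


def constructed_hooked_prologue(func_addr: int, target: int) -> bytes:
    """Test input only: the prologue as it looks after a JMP rel32 overwrite."""
    return b"\xE9" + struct.pack("<i", target - (func_addr + 5))


def scan_sample() -> List[HookFinding]:
    """Scan the constructed process image and report every hooked export."""
    in_process = {name: CLEAN_PROLOGUE for name in EXPORTS}
    in_process["InternetReadFile"] = constructed_hooked_prologue(
        EXPORTS["InternetReadFile"], INJECTED_STUB)
    findings = []
    for name, addr in EXPORTS.items():
        finding = check_export(name, addr, CLEAN_PROLOGUE, in_process[name], WININET)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_sample():
        where = "inside" if f.in_module else "OUTSIDE"
        tgt = f"{f.target:#010x}" if f.target is not None else "?"
        print(f"{f.func}: {f.kind} -> {tgt} ({where} {WININET.name})")
```

A redirect whose target lies outside every loaded module (here, into the injected region) is the strongest signal; a redirect that stays inside the DLL can be a legitimate hot patch, so a real tool cross-checks the target against the module list before raising an alert.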

  23. MITB using BHO / browser extension
  • Trojan.Neloweg
  • Sets up a namespace and associates it with Winsock2
  • Loads the dll in memory when any program tries to connect to the internet using Winsock2
  • No process injection needed!

  24. The dll file creates the browser extension files if it's running under Firefox.exe:
  • %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
  • %ProgramFiles%\Mozilla Firefox\chrome\error.jar
  • %ProgramFiles%\Mozilla Firefox\components\nsLego.js
  • %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
  • Error.jar contains the main code for form grabbing.
  • Can be detected by in-browser security software which blocks API calls from browser extensions, e.g. Trusteer Rapport.

  25. MITB using self-signed certificates
  • Trojan.Tatanarg
  • Much like MiM: creates a proxy service between bank and client
  • On the bank side of the proxy: outbound traffic encrypted using the bank's credentials
  • On the browser side of the proxy: encrypts traffic using its own credentials
  • Can be detected by scanning the injected process

  26. Other MITB prevention/detection techniques
  • Client-side JavaScript to encrypt some fields before the form-grabbing component can read them
    • Already broken
  • Multi-factor authentication
    • Already broken
  • Out-of-band transaction verification (OOB)
    • Verifying the transaction over a channel other than the browser
  • Web fraud detection
    • Automated checks for fraud-detection patterns by the banks
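Slide 26 lists out-of-band transaction verification as the technique that, unlike client-side JavaScript and plain multi-factor authentication, is not already broken by MITB. The Python below is an added example, not from the presentation, sketching the bank-server side of such a scheme: the message sent over the second channel carries the transaction exactly as the bank received it (not as the browser rendered it), and the confirmation code is an HMAC over those details, so a code issued for one transaction cannot confirm a different one. The key, account numbers and amounts are constructed; the tampered form values follow the diagram on slide 17.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed key for the example; a real service keeps this secret in an HSM/KMS.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def canonical(tx: dict) -> bytes:
    """Fixed-order encoding of the fields the customer has to confirm."""
    return (f"{tx['from_account']}|{tx['to_name']}|{tx['to_account']}|"
            f"{tx['amount_cents']}").encode()


def confirmation_code(nonce: str, tx: dict) -> str:
    """Six-digit code bound to both the challenge nonce and the transaction."""
    mac = hmac.new(SERVER_KEY, nonce.encode() + b"|" + canonical(tx),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_oob_challenge(tx_as_received: dict) -> Tuple[str, str]:
    """Bank side: build the text sent over the second channel (SMS, app push, call).

    The details come from the request the bank actually received, never from
    anything rendered in the browser, so a browser-side rewrite becomes visible.
    """
    nonce = secrets.token_hex(8)
    code = confirmation_code(nonce, tx_as_received)
    amount = tx_as_received["amount_cents"] / 100
    message = (f"Confirm transfer of ${amount:,.2f} to {tx_as_received['to_name']} "
               f"(account {tx_as_received['to_account']}). Code: {code}. "
               "If these details are not what you entered, do not enter the code.")
    return nonce, message


def verify_confirmation(nonce: str, tx_pending: dict, code_typed: str) -> bool:
    """Bank side: release the transfer only if the code matches this exact transaction."""
    expected = confirmation_code(nonce, tx_pending)
    return hmac.compare_digest(expected, code_typed)


def demo() -> dict:
    """Replay the slide-17 scenario with constructed values."""
    intended = {"from_account": "11110000", "to_name": "Mom",
                "to_account": "22220000", "amount_cents": 250000}
    # What the bank receives after the form was rewritten inside the browser
    received = {"from_account": "11110000", "to_name": "Trudy",
                "to_account": "99990000", "amount_cents": 1000000}
    nonce, message = issue_oob_challenge(received)
    code = confirmation_code(nonce, received)            # the digits in the SMS
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)   # guaranteed mismatch
    return {
        "message": message,
        "code": code,
        # The code would confirm the tampered transfer; that is exactly why the
        # message must show the details, so the customer can refuse to enter it.
        "confirms_received": verify_confirmation(nonce, received, code),
        # The same code cannot be replayed against a different transaction.
        "confirms_intended": verify_confirmation(nonce, intended, code),
        "wrong_code": verify_confirmation(nonce, received, wrong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the second channel carries the transaction details, not just a code: a Trojan in the browser can read whatever the customer types, including the code, so the protection comes from the customer seeing "$10,000.00 to Trudy" on a device the Trojan does not control and declining to confirm it.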

  27. Summary of MITB

  28. Conclusion
  • Attackers are using newer ways to infect machines
    • Targeted attacks
    • Use of web toolkits
  • Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
  • MITB is an innovative way used by attackers to break security
  • MITB prevention is still work in progress (Good research project!)
  • Malware reverse engineering as a profession has a broad scope

  29. Reverse engineering tools
  • Hex View: http://www.hiew.ru/
  • Unpacking tools: http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
  • Resource Hacker: http://www.angusj.com/resourcehacker/
  • Monitoring tools: http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
  • OllyDbg: http://www.ollydbg.de/
  • IDA Pro: http://www.hex-rays.com/
  • Process Dumper: http://www.microsoft.com/en-us/download/details.aspx?id=4060 and http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers

  30. References
  • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
  • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Trojan_Neloweg_Bank_Robbing_Bot_in_the_Browser.pdf
  • http://www.symantec.com/connect/blogs/banking-proxy-trojantatanarg
  • http://www.symantec.com/threatreport/
  • https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Appendix_A:_Security_Considerations_about_Authentication_Solutions_and_Malware
  • http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf

  31. VIDEO: http://www.youtube.com/watch?v=USCHPIQB8_Y

  32. Jeet Morparia, jeet.morparia@gmail.com