
Malware Reverse Engineering

Malware Reverse Engineering. Man In The Browser (MITB). Jeet Morparia, Software Engineer, Malware Analysis and Response. Agenda: 1. Today’s malware landscape. 2. Reverse engineering a malware. 3. Man In The Browser.


Presentation Transcript


  1. Malware Reverse Engineering: Man In The Browser (MITB). Jeet Morparia, Software Engineer, Malware Analysis and Response. Malware Reverse Engineering

  2. Agenda
     1. Today’s malware landscape
     2. Reverse engineering a malware
     3. Man In The Browser

  3. Today’s malware landscape

  4. Though ‘spam’ has decreased, ‘malicious attacks’ have increased! More and more use of web toolkits.

  5. • >50% increase in unique variants of malware
     • >10k unique malicious web domains
     • ~50% increase in mobile vulnerabilities

  6. Two main reasons for this trend:
     • Part of large organizations’ ecosystem, providing a stepping stone to a larger attack
     • Less defended

  7. Reverse Engineering A Malware: Black boxing and White boxing

  8. Analysis of a malware

  9. HIEW: Virtual Memory, File Properties

  10. Packed code (UPX): Packed Sections. Unpacked code: Unpacked Sections.

  11. Embedded Resources, Version Information

  12. Monitoring Tools

  13. OllyDbg: Break Points

  14. IDA Pro

  15. Man In The Browser

  16. Man-in-the-middle (MiM). Diagram: Alice (end user) sends “Transfer $2500 to Mom”; Trudy (attacker) intercepts it and forwards “Transfer $10000 to Trudy” to Bob (bank server). Bob replies “Transferred $10000 to Trudy”, which Trudy rewrites to “Transferred $2500 to Mom” before it reaches Alice. The E/D labels on each leg mark the encrypt/decrypt steps.

  17. Man-in-the-browser (MITB). Diagram: Trudy (attacker) infects Alice’s system with a Trojan. Inside Alice’s browser, “Transfer $2500 to Mom” becomes “Transfer $10000 to Trudy” before it is sent to Bob (bank server); Bob’s reply “Transferred $10000 to Trudy” is shown to Alice (end user) as “Transferred $2500 to Mom”. Captured form data is sent to Trudy.

  18. CLEAN BROWSER
     - No extra fields
     - Just the required information
     INFECTED BROWSER
     - Extra fields, e.g. PIN
     - Asks for critical information usually not required (an added “PIN:” field)

  19. MiM vs MITB

  20. Purpose of MITB
     • Subvert secure communication, SSL
     • Steal and modify form data
     • Didn’t I say MONEY!

  21. Types of MITB

  22. MITB by hooking Windows APIs
     What is a hook? A piece of code that intercepts function calls to modify the function of the application.
     Hooked APIs:
     • InternetConnectA
     • InternetOpenA
     • InternetReadFile
     • InternetWriteFile
     1. Trojan.Clampi injects a malicious thread into the IE browser.
     2. Monitors and hooks several API calls monitored by the Windows DLL urlmon.dll.
     3. Hooks itself to the original API when it is called.
     4. Grabs data from the IE browser before it is encrypted, hence overcoming SSL.
     • Can be detected by scanning for the injected process.
     (Diagram: HOOKING FUNCTION placed in front of ORIGINAL FUNCTION.)
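As an added example (not from the slides), a hook-detection check of the kind the slide’s “scan the injected process” bullet points at: compare each export’s in-memory prologue with its on-disk copy and, where they differ, decode the redirect stub to see whether it leaves the module. The four APIs are the ones the slide names (exported by wininet.dll); addresses, byte patterns and the injected region are constructed sample data.

```python
import struct
from typing import NamedTuple

class Export(NamedTuple):
    name: str          # exported function name
    va: int            # virtual address of the function inside the live process
    in_memory: bytes   # first bytes of the function as read from the process
    on_disk: bytes     # the same bytes taken from the DLL file on disk

def hook_target(code: bytes, va: int):
    """Classify a redirect stub at the start of a function and compute where it lands.
    Covers three common inline-hook trampolines; returns None for anything else."""
    if len(code) >= 5 and code[0] == 0xE9:                               # jmp rel32
        return "jmp rel32", (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:           # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None

def scan_exports(exports, base: int, size: int, prologue_len: int = 8):
    """Report (name, stub kind, target, target_outside_module) for every export whose
    in-memory prologue differs from its on-disk copy, the signature of an inline hook."""
    findings = []
    for exp in exports:
        if exp.in_memory[:prologue_len] == exp.on_disk[:prologue_len]:
            continue                                   # prologue intact: not hooked
        kind, target = hook_target(exp.in_memory, exp.va) or ("unknown patch", None)
        outside = target is not None and not (base <= target < base + size)
        findings.append((exp.name, kind, target, outside))
    return findings

# Constructed sample data: a standard Windows prologue (mov edi,edi; push ebp; mov ebp,esp;
# sub esp,10h), a made-up load address for wininet.dll and a made-up injected code region.
CLEAN = bytes.fromhex("8bff558bec83ec10")
BASE, SIZE = 0x76400000, 0x00200000
INJECTED = 0x00310000

def jmp_rel32_stub(va: int, target: int) -> bytes:
    """Build the 5-byte relative jump a hook leaves at va, padded to 8 bytes of sample."""
    return b"\xE9" + struct.pack("<i", target - (va + 5)) + CLEAN[5:]

SAMPLE = [
    Export("InternetConnectA", BASE + 0x1000, CLEAN, CLEAN),
    Export("InternetOpenA", BASE + 0x1100, CLEAN, CLEAN),
    Export("InternetReadFile", BASE + 0x10000, jmp_rel32_stub(BASE + 0x10000, INJECTED), CLEAN),
    Export("InternetWriteFile", BASE + 0x10200,
           b"\x68" + struct.pack("<I", INJECTED + 0x40) + b"\xC3" + CLEAN[6:], CLEAN),
]
```

On a live system the in_memory bytes would come from ReadProcessMemory on the browser process and the on_disk bytes from the DLL file at the same RVA; a target that falls outside the module is the injected code the slide says to scan for.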

  23. MITB using BHO / Browser extension
     • Trojan.Neloweg
     • Sets up a Namespace and associates it with Winsock2
     • Loads the DLL into memory when any program tries to connect to the internet using Winsock2
     • No process injection needed!

  24. The DLL file creates the browser extension files if it is running under firefox.exe:
     • %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
     • %ProgramFiles%\Mozilla Firefox\chrome\error.jar
     • %ProgramFiles%\Mozilla Firefox\components\nsLego.js
     • %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
     • error.jar contains the main code for form grabbing.
     • Can be detected by in-browser security software which blocks API calls from browser extensions, e.g. Trusteer Rapport.

  25. MITB using self-signed certificates
     • Trojan.Tatanarg
     • Much like MiM: creates a proxy service between bank and client
     • On the bank side of the proxy: outbound traffic is encrypted using the bank’s credentials
     • On the browser side of the proxy: encrypts traffic using its own credentials
     • Can be detected by scanning the injected process

  26. Other MITB prevention/detection techniques
     • Client-side JavaScript to encrypt some fields before the form-grabbing component sees them
        • Already broken
     • Multi-factor authentication
        • Already broken
     • Out-of-band transaction verification (OOB)
        • Verifying the transaction over a channel other than the browser
     • Web fraud detection
        • Automated checks for fraud-detection patterns by the banks
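Added example, not part of the slides: the out-of-band verification bullet worked through with the Alice/Trudy transfer from the MITB diagram. The bank binds the confirmation code to the transaction as it actually received it, so the out-of-band message exposes the browser-side rewrite and a code issued for different details cannot approve it. Key, nonce and field names are constructed.

```python
import hmac
import hashlib

def canonical(txn: dict) -> bytes:
    """Serialise the transaction in a fixed field order so the confirmation code is
    bound to exactly these values (constructed field names)."""
    return f"{txn['from_account']}|{txn['amount']}|{txn['payee']}".encode()

def oob_challenge(server_key: bytes, txn: dict, nonce: bytes) -> tuple[str, str]:
    """What the bank sends over the out-of-band channel (SMS, call, token display):
    a description of the transaction as the bank received it plus an 8-digit code
    that is an HMAC over those exact details. A browser-side rewrite therefore shows
    up in the message itself: Alice sees the attacker's amount and payee, not hers."""
    mac = hmac.new(server_key, nonce + canonical(txn), hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"
    message = f"Confirm transfer of ${txn['amount']} to {txn['payee']}? Code: {code}"
    return message, code

def confirm(server_key: bytes, txn_received: dict, nonce: bytes, code_entered: str) -> bool:
    """Server side: recompute the code for the transaction actually received and compare
    in constant time. A code issued for different details (or another session) never matches."""
    _, expected = oob_challenge(server_key, txn_received, nonce)
    return hmac.compare_digest(expected, code_entered)

# Constructed scenario from the diagram: Alice types one transfer, the MITB component
# rewrites it inside the browser, and the bank only ever sees the rewritten version.
KEY = b"constructed-server-key"
NONCE = b"session-0001"
INTENDED = {"from_account": "alice", "amount": 2500, "payee": "Mom"}
RECEIVED = {"from_account": "alice", "amount": 10000, "payee": "Trudy"}
```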

  27. Summary of MITB

  28. Conclusion
     • Attackers are using newer ways to infect machines
        • Targeted attacks
        • Use of web toolkits
     • Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
     • MITB is an innovative way used by attackers to break security
     • MITB prevention is still work in progress (good research project!)
     • Malware reverse engineering as a profession has a broad scope

  29. Reverse engineering tools
     • Hex View: http://www.hiew.ru/
     • Unpacking tools: http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
     • Resource Hacker: http://www.angusj.com/resourcehacker/
     • Monitoring tools: http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
     • OllyDbg: http://www.ollydbg.de/
     • IDA Pro: http://www.hex-rays.com/
     • Process Dumper: http://www.microsoft.com/en-us/download/details.aspx?id=4060 and http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers

  30. References
     • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
     • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Trojan_Neloweg_Bank_Robbing_Bot_in_the_Browser.pdf
     • http://www.symantec.com/connect/blogs/banking-proxy-trojantatanarg
     • http://www.symantec.com/threatreport/
     • https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Appendix_A:_Security_Considerations_about_Authentication_Solutions_and_Malware
     • http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf

  31. Video: http://www.youtube.com/watch?v=USCHPIQB8_Y

  32. Jeet Morparia, jeet.morparia@gmail.com
