Malware Reverse Engineering
Man In The Browser (MITB)
Jeet Morparia, Software Engineer, Malware Analysis and Response

1 Man In The Browser (MITB)
Jeet Morparia, Software Engineer, Malware Analysis and Response

2 Agenda
1. Today’s malware landscape
2. Reverse engineering a malware
3. Man In The Browser

3 Today’s malware landscape

4 Though ‘spams’ have decreased, ‘malicious attacks’ have increased!
Use of more and more web-toolkits

5 >50% increase in unique variants of malware
>10k unique malicious web domains
~50% increase in mobile vulnerabilities

6 2 main reasons for this trend:
- Part of a large organization's ecosystem, providing a stepping stone to a larger attack
- Less defended

7 Reverse Engineering A Malware
Black boxing and White boxing

8 Analysis of a malware

9 HIEW
[Screenshot labels: FILE PROPERTIES, VIRTUAL MEMORY]

10 [Screenshot labels: PACKED CODE, UNPACKED CODE, UPX, Packed Sections, Unpacked Sections]

11 [Screenshot labels: Embedded Resources, Version Information]

12 Monitoring Tools

13 OllyDbg Break Points

14 IDA PRO

15 Man In The Browser

16 Man-in-the-middle (MiM)
[Diagram: ALICE (end user), TRUDY (attacker), BOB (bank server). Alice sends "Transfer $2500 to Mom"; Bob receives "Transfer $10000 to Trudy" and answers "Transferred $10000 to Trudy"; Alice receives "Transferred $2500 to Mom". The links carry E and D labels.]

17 Man-in-the-browser (MITB)
[Diagram: TRUDY (attacker) infects Alice's system with a Trojan. ALICE (end user) enters "Transfer $2500 to Mom" in ALICE'S browser; the form data is captured and BOB (bank server) receives "Transfer $10000 to Trudy". Bob answers "Transferred $10000 to Trudy"; Alice is shown "Transferred $2500 to Mom".]

18 CLEAN BROWSER
- No extra fields
- Just the required information
INFECTED BROWSER
- Extra fields, e.g. PIN
- Asks for critical information usually not required

19 MiM vs MITB

| Parameters | MiM | MITB |
|---|---|---|
| Hardware/Software requirements | Usually requires compromised hardware | Injects malicious software (Trojan) in web browser |
| Communication | Has to deal with secure communication | Immune to secure communication such as SSL |
| Targets | Targets are directed or location-based | Targets can be anywhere on the internet |

20 Purpose of MITB
– Subvert secure communication, SSL
– Steal and modify form data
– Didn’t I say MONEY!

21 Types of MITB
– Hooking Windows API: Trojan.Clampi
– Using BHO (Browser Helper Objects) in IE, or using Firefox Extensions: Trojan.Neloweg
– Using Self Signed Certificates: Trojan.Tatanarg

22 MITB by hooking Windows APIs
What is a hook? A piece of code that intercepts function calls to modify the function of the application.
1. Trojan.Clampi injects a malicious thread into the IE browser.
2. Monitors and hooks several API calls monitored by Windows DLL, urlmon.dll: InternetConnectA, InternetOpenA, InternetReadFile, InternetWriteFile.
3. Hooks itself to the original API when it is called.
4. Grabs data from the IE browser before it is encrypted, hence overcoming SSL.
[Diagram: ORIGINAL FUNCTION and HOOKING FUNCTION code boxes]
Can be detected by scanning for injected process.
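The detection idea on this slide, as an added example that is not part of the presentation: given the first bytes of each listed API as read from a browser process, recognise common 32-bit inline detour prologues and report where they jump. The addresses, module layout and the av_shim.dll name are constructed sample data.

```python
import struct

# API names listed on the slide as Clampi's hook targets.
WATCHED = ("InternetConnectA", "InternetOpenA", "InternetReadFile", "InternetWriteFile")

def hook_target(code: bytes, va: int):
    """Return the address a 32-bit x86 inline detour at `va` jumps to, or None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32; jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    return None

def scan(functions, modules):
    """functions: {api name: (address, first bytes read from process memory)}
    modules:   [(base, size, name)] for every image mapped in the process.
    Returns (api, target, owning module or None) for each detoured API;
    None means the jump lands in memory not backed by any loaded image."""
    findings = []
    for name in WATCHED:
        if name not in functions:
            continue
        va, code = functions[name]
        target = hook_target(code, va)
        if target is not None:
            owner = next((m for b, s, m in modules if b <= target < b + s), None)
            findings.append((name, target, owner))
    return findings

def jmp_rel32(va, target):
    """Encode `jmp target` as it would appear at address `va` (sample builder)."""
    return b"\xE9" + struct.pack("<i", target - (va + 5))

# Constructed sample: addresses, layout and av_shim.dll are made up.
SAMPLE_MODULES = [(0x76A00000, 0x100000, "wininet.dll"), (0x10000000, 0x20000, "av_shim.dll")]
SAMPLE_FUNCTIONS = {
    "InternetOpenA":     (0x76A01000, b"\x8B\xFF\x55\x8B\xEC"),   # untouched prologue
    "InternetReadFile":  (0x76A02000, jmp_rel32(0x76A02000, 0x00A51000)),
    "InternetWriteFile": (0x76A03000, b"\x68" + struct.pack("<I", 0x10001000) + b"\xC3"),
}

if __name__ == "__main__":
    for api, target, owner in scan(SAMPLE_FUNCTIONS, SAMPLE_MODULES):
        print(f"{api}: detour to {target:#010x} in {owner or 'unbacked memory'}")
```

A detour into a named module can be a security product's own hook; a detour into unbacked memory is the case that matches an injected thread.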

23 MITB using BHO/Browser extension
Trojan.Neloweg
– Sets up a Namespace and associates it with Winsock2
– Loads the DLL in memory when any program tries to connect to the internet using Winsock2
– No process injection needed!

24 The DLL file creates the browser extension files if it is running under Firefox.exe
– %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
– %ProgramFiles%\Mozilla Firefox\chrome\error.jar
– %ProgramFiles%\Mozilla Firefox\components\nsLego.js
– %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
Error.jar contains the main code for form grabbing.
Can be detected by in-browser security software which blocks APIs from browser extensions, e.g. Trusteer Rapport.

25 MITB using self signed certificates
Trojan.Tatanarg
– Much like MiM: creates a proxy service between bank and client
– On the bank side of the proxy: outbound traffic is encrypted using bank credentials
– On the browser side of the proxy: traffic is encrypted using its own credentials
– Can be detected by scanning injected process

26 Other MITB prevention/detection techniques
Client-side JavaScript to encrypt some fields before the form grabbing component
– Already broken
Multi factor authentication
– Already broken
Out of band transaction verification (OOB)
– Verifying the transaction over a channel other than the browser
Web fraud detection
– Automated checks for fraud detection patterns by the banks
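A sketch of out-of-band transaction verification using the transfer from the earlier diagram, as an added example that is not part of the presentation. The code scheme (an HMAC bound to payee, amount and a nonce), the field names and the message wording are assumptions, not a description of any bank's system.

```python
import hashlib
import hmac
import secrets

def tx_code(key: bytes, tx: dict) -> str:
    """8-hex-digit code bound to payee, amount and a per-transaction nonce.
    A code this short needs an attempt limit on the server."""
    msg = f"{tx['payee']}|{tx['amount_cents']}|{tx['nonce']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

def issue_challenge(key: bytes, received_tx: dict):
    """Bank side: build the second-channel message from the transaction as the
    server received it, which is the version a MITB Trojan may have rewritten."""
    pending = dict(received_tx, nonce=secrets.token_hex(8))
    text = "Transfer ${:,.2f} to {}. Code: {}".format(
        pending["amount_cents"] / 100, pending["payee"], tx_code(key, pending))
    return pending, text

def confirm(key: bytes, pending: dict, code: str) -> bool:
    """Bank side: execute only if the code matches this exact transaction."""
    return hmac.compare_digest(tx_code(key, pending), code)

def demo():
    key = secrets.token_bytes(32)                 # secret held by the bank only
    intended = {"payee": "Mom", "amount_cents": 250000}
    rewritten = {"payee": "Trudy", "amount_cents": 1000000}

    # 1. Untampered request: the user sees her own details and returns the code.
    pending, text = issue_challenge(key, intended)
    code = text.rsplit(" ", 1)[1]
    honest_ok = confirm(key, pending, code)

    # 2. Rewritten request: the second channel shows what the bank received,
    #    so the user can see the mismatch outside the browser.
    _, text_bad = issue_challenge(key, rewritten)
    exposed = "Trudy" in text_bad and "10,000.00" in text_bad

    # 3. A code approved for one transfer does not validate a different one.
    replay_ok = confirm(key, dict(pending, **rewritten), code)
    return honest_ok, exposed, replay_ok

if __name__ == "__main__":
    print(demo())
```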

27 Summary of MITB

| MITB | Hooking win APIs | BHO | Self signed certificate |
|---|---|---|---|
| Trojan name | Trojan.Clampi | Trojan.Neloweg | Trojan.Tatanarg |
| Injected process required? | Yes | No | Yes |
| Encrypts/decrypts secure communication? | No | No | Yes |
| Detection | Scan injected browser process | In browser security | Scan injected browser process |

28 Conclusion
Attackers are using newer ways to infect machines
– Targeted attacks
– Use of web tool kits
Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
MITB is an innovative way used by attackers to break security
MITB prevention is still a work in progress (Good research project!)
Malware reverse engineering as a profession has a broad scope

29 Reverse engineering tools
– Hex View
– Unpacking tools
– Resource hacker
– Monitoring tools
– OllyDbg
– IdaPro
– Process Dumper

31 VIDEO

32 Thank you!
Jeet Morparia
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
