Presentation is loading. Please wait.

Presentation is loading. Please wait.

A practical overview on how the bad guys adopt and circumvent security initiatives Commercial – in - Confidence Alex Shipp Imagineer.

Published byCordelia Page Modified over 8 years ago

Similar presentations

Presentation on theme: "A practical overview on how the bad guys adopt and circumvent security initiatives Commercial – in - Confidence Alex Shipp Imagineer."— Presentation transcript:

1 A practical overview on how the bad guys adopt and circumvent security initiatives Commercial – in - Confidence Alex Shipp Imagineer

2 Commercial – in - Confidence  One of the most successful rootkits  Features  It steals user private and confidential information (form grabber)  can inject arbitrary HTML code into any website (also encrypted websites)  can steal certificates  will take screenshots to defeat virtual keyboards  backconnect feature (SOCKS, BackConnect, VNC)  Everything is encrypted

3 Commercial – in - Confidence  Enhanced Zeus v2 core engine  Able to infect Mozilla Firefox  Able to infect Windows Vista and Windows 7 ▪ They do everything in user-mode (!)  New Encryption method  Details in the TrustDefender Labs report

4 Commercial – in - Confidence  Zeus supports a plugin style infrastructure  New BackConnect mechanism ▪ E.g. Real-time notification via IM once a victim is online ▪ SOCKS / VNC works even behind NAT  Extensive Javascript engine that can be plugged into Zeus v1 or Zeus v2

5 Commercial – in - Confidence  Dramatically increased functionality with javascript code where they can  harvest any challenge/response and/or token values in real-time and in a more interactive way.  Allows bypass of nearly all challenge mechanisms  (e.g. SMS/email/VRU OOB, token, secret questions/answers, elaborate challenge/response)

6 Commercial – in - Confidence  Observations  No “static” HTML injections anymore  Nothing happens until after the login  Dynamic connection to C&C server ▪ Send/receive data within one webpage ▪ transparent to the Webbrowser  Dynamic content delivery ▪ E.g. After compromise, they return “24h maintenance” page  But let’s have a look

7 Commercial – in - Confidence

8

9

10

11

12

13

14

15  As well as manipulating user-supplied content, they can also access system supplied content.  Bad news if you “encrypt” the password on the client side  Zeus can just inject code into your JavaScript files (!)

16 Commercial – in - Confidence  Watch the download of the loginPin.js  And once it’s downloaded...

17 Commercial – in - Confidence

18  BackConnect feature via SOCKS or VNC  Undermines any device fingerprinting

19 Commercial – in - Confidence  Drive-by attacks  PDF, Flash or any other software  Phishing attacks  Heavily geo based distribution  This is done via a flash object that calls URLMON.DLL.URLDownloadToFileA to save http:// >/l.php?i=18 locally to pdfupd.exe and then execute it with WinExec  More details in the next TrustDefender Labs Report

20 Commercial – in - Confidence  Mebroot is by far the most successful rootkit that is able to stay under the radar  Technically sophisticated, but also very clever  We know that they could infect much more machines, but don’t do so  Bad news: They have a comprehensive javascript engine as well  However not used yet (AFAWK)

21 Commercial – in - Confidence  Sizzler CSS Selector Engine  If it looks scary, it is scary  Watch out for simple device authentication

22 Commercial – in - Confidence  Phishing still works (!)  Real world example  Bank uses transactional 2FA hardware tokens  Phishing site asks for login credentials + private phone number  Fraudsters ring the customer and tell him that his account got compromised (which is true!) and tell him that in order to get it reconnected, they should enter the following number into their token and confirm the reply!

23 Commercial – in - Confidence ... is the R&D arm of TrustDefender  TrustDefender is a online-transaction security solution providing  Real-time customer endpoint risk-assessment & protection for online transactions  More info  http://www.trustdefender.com/blog http://www.trustdefender.com/blog

24 Commercial – in - Confidence  Bad guys adopt heavily  Protect all parts of the chain.  If one breaks, the chain is broken

Download ppt "A practical overview on how the bad guys adopt and circumvent security initiatives Commercial – in - Confidence Alex Shipp Imagineer."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.

HQ in Israel Threat research, security operations center 24/7. In-depth understanding and insight into how cyber crime works. Over 10 million online identities.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.

New trends on cyber security - Cyber Espionage & Identity theft By K S Yash, CRO 1.
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
#AVeSPresents AVeS Cyber Security Confidence in your Digital Information 2014/09/25 Charl Ueckermann Managing Director AVeS Cyber Security Lex Informatica.

#AVeSPresents AVeS Cyber Security Confidence in your Digital Information 2014/09/25 Charl Ueckermann Managing Director AVeS Cyber Security Lex Informatica.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.

Social Engineering J Nivethan. Social Engineering The process of deceiving people into giving away access or confidential information Onlinne Phone Offline.
Securing Online Transactions with a Trusted Digital Identity Dave Steeves - Security Software Engineer Microsoft’s.

Securing Online Transactions with a Trusted Digital Identity Dave Steeves - Security Software Engineer Microsoft’s.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
How It Applies In A Virtual World

How It Applies In A Virtual World
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Similar presentations

Ads by Google