
Bypassing malware detection mechanisms in online banking Jakub Kałużny Mateusz Olejarka CONFidence, 25.05.2015.


1 Bypassing malware detection mechanisms in online banking Jakub Kałużny Mateusz Olejarka CONFidence, 25.05.2015

2 Who are we? Pentesters @ SecuRing, ex-developers. Experience with: e-banking and mobile banking systems; multi-factor and voice recognition authentication; malware post mortem. @j_kaluzny @molejarka

3 Agenda: Intro; Why this topic?; How it’s done?; Will it blend?; Attack vectors; Recommendation; Q&A*

4 INTRO

5 Why this topic? AVs are not reliable; users are lazy; market gap for new solutions; a lot of money.

6 How malware works? Interaction with browser: web injects, other? What it does: steals credentials, changes transaction data, automates attacks. Examples: zeus, spyeye, carberp, citadel, zitmo, vbclip, banatrix, carbanak, eblaster, bugat, torpig, hiloti, gozi.

7 What is online malware detection? Aim: detect malware presence. (Diagram: backend, web server, browser, user, malware; HTTP transactions; signatures, fingerprint, user/browser behaviour, fraud detection system.) Action: drop or mark as compromised (JS).

8 What are the limits? Malware detection methods: HTTP response signature; browser fingerprint; user/browser behavior; server-side behavioral methods; fraud detection system. Limits: marketing magic, auditability.

9 What is the purpose of this report? We do not represent any vendor. We want to show architecture failures and implementation errors. We want to talk about what can be done.

10 ATTACK VECTORS

11 Our approach (Diagram: backend, web server, browser, user, malware; HTTP transactions.) Feed; analyze JS; analyze traffic; analyze response.

12 First idea: HTTP traffic. (Diagram: clean machine, action, system; infected machine, action.)

13 Going through… HTTP traffic + JS analysis. (Diagram: clean machine, action, system; infected machine, action + JS analysis.) Observed: different paths; different subdomains; different data format (e.g. base64); encryption (e.g. RSA).

14 Almost there… (Diagram: clean machine, action, system; infected machine, action.)

15 If it bleeds, we can kill it (Diagram: clean machine, action, system; infected machine, action.) BYPASSED!

16 Architecture problem (Diagram: user, action, system, anti-malware magic, red light / green light.) Words of wisdom: adverse inference.

17 Malware spotted! (Diagram: user, action, system, anti-malware magic, red light.) Who sends the alert? Alert: login: user1, time: …, behaviour: suspicious. login: user2?

18 First things first (Diagram: user, action, system, anti-malware magic, red light.) JavaScript slowing your page? BYPASSED!
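Slides 16 to 18 describe one architecture failure: the green light is the default whenever the detection JavaScript never reports, and the alert's login field is whatever the browser chooses to send. The sketch below is an added illustration of the fail-closed, session-bound alternative, not code from the talk or from any vendor; the in-memory session store, the nonce and the report field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

SUSPICIOUS, CLEAN = "suspicious", "clean"


def naive_verdict(report: Optional[dict]) -> str:
    """The failure mode on the slides: the verdict is computed from whatever
    the browser sends. No report (JS blocked or stripped) means green light,
    and the 'login' field inside the report is trusted as the user's identity."""
    if report is None:
        return CLEAN
    return SUSPICIOUS if report.get("behaviour") == "suspicious" else CLEAN


@dataclass
class Session:
    login: str            # identity established by the server-side login
    nonce: str            # issued with the detection JS, echoed back in the report
    report: Optional[dict] = None


SESSIONS: dict = {}       # assumed in-memory store: session id -> Session


def start_session(login: str) -> str:
    sid = secrets.token_hex(8)
    SESSIONS[sid] = Session(login=login, nonce=secrets.token_hex(8))
    return sid


def submit_report(sid: str, report: dict) -> None:
    """Attach the detection JS's report to the session it arrived on."""
    SESSIONS[sid].report = report


def verdict(sid: str) -> str:
    """Fail-closed verdict: identity comes from the session, the report must
    carry this session's nonce, and a missing report counts against the user
    (adverse inference) instead of defaulting to green."""
    s = SESSIONS[sid]
    if s.report is None:                                  # JS never ran
        return SUSPICIOUS
    sent = str(s.report.get("nonce", "")).encode()
    if not secrets.compare_digest(sent, s.nonce.encode()):
        return SUSPICIOUS                                 # not bound to this session
    if "login" in s.report and s.report["login"] != s.login:
        return SUSPICIOUS                                 # report names another user
    if s.report.get("behaviour") == "suspicious":
        return SUSPICIOUS
    return CLEAN
```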

19 Security by obscurity: malware detection JavaScript: eval; simple obfuscation – base64, hex; RSA encryption; signatures; reasoning engine; web service; RSA public key.

20 Signatures server-side (Diagram: browser and server.) Browser: “website A please”. Server: HTML + JS + malware detection. Browser sends back fragments of website A. Server (regexp for website A): “Hey, your website A is webinjected!”

21 Signatures client-side (Diagram: browser and server.) Browser: “website A please”. Server: HTML + JS + malware detection + hash of web injects signatures. Browser returns content; web injects signatures. Leaks your malware signatures. The output is your weakness.

22 CONCLUSIONS

23 Conclusions – banks: Buy an anti-malware box? Ask for technical details; request a live demo; better call your crew; trust, but verify.

24 Conclusions – vendors: Online malware detection is a good path; behavioral systems are the future of ITsec. But they are still based on the old HTTP + HTML + JS stack. Think about architecture and implementation.

25 What’s next? We can analyze and dissect your solution as well, or help you establish one. Interested? -> malware@securing.pl or antimalware@securing.pl

26 Q&A* And now a discussion :)

27 Thank you! jakub.kaluzny@securing.pl mateusz.olejarka@securing.pl
