Malware Reverse Engineering (PowerPoint presentation transcript)

Malware Reverse Engineering
Man In The Browser (MITB)
Jeet Morparia, Software Engineer, Malware Analysis and Response
Agenda
1. Today's malware landscape
2. Reverse engineering a malware
3. Man In The Browser
Today's malware landscape
Though 'spam' has decreased, 'malicious attacks' have increased!
Use of more and more web toolkits
- >50% increase in unique variants of malware
- >10k unique malicious web domains
- ~50% increase in mobile vulnerabilities
2 main reasons for this trend:
- Part of large organizations' ecosystem, providing a stepping stone to a larger attack
- Less defended
Reverse Engineering a Malware
Black boxing and white boxing
Analysis of a malware
HIEW (screenshots: file properties, virtual memory)
Packed code vs. unpacked code (screenshots: UPX packed sections, unpacked sections)
Embedded resources and version information
Monitoring tools
OllyDbg (screenshot: breakpoints)
IDA Pro

Man In The Browser
Man-in-the-middle (MiM)
Diagram: Alice (end user), Trudy (attacker), Bob (bank server).
Alice: "Transfer $2500 to Mom" -> Trudy rewrites it to "Transfer $10000 to Trudy" -> Bob.
Bob: "Transferred $10000 to Trudy" -> Trudy rewrites it to "Transferred $2500 to Mom" -> Alice.
Man-in-the-browser (MITB)
Diagram: Trudy (attacker) infects Alice's system with a Trojan.
Inside Alice's browser, "Transfer $2500 to Mom" becomes "Transfer $10000 to Trudy" before it reaches Bob (bank server).
Bob's "Transferred $10000 to Trudy" is shown to Alice (end user) as "Transferred $2500 to Mom".
Captured form data is sent to Trudy.
Clean browser:
- No extra fields
- Just the required information
Infected browser:
- Extra fields, e.g. PIN
- Asks for critical information usually not required
MiM vs MITB
- Hardware/software requirements: MiM usually requires compromised hardware; MITB injects malicious software (a Trojan) into the web browser.
- Communication: MiM has to deal with secure communication; MITB is immune to secure communication such as SSL.
- Targets: MiM targets are directed or location-based; MITB targets can be anywhere on the internet.
Purpose of MITB
• Subvert secure communication, SSL
• Steal and modify form data
• Didn't I say MONEY!
Types of MITB
• Hooking Windows API: Trojan.Clampi
• Using BHO (Browser Helper Objects) in IE, or using Firefox extensions: Trojan.Neloweg
• Using self-signed certificates: Trojan.Tatanarg
MITB by hooking Windows APIs
What is a hook? A piece of code that intercepts function calls to modify the function of the application.
Diagram: original function vs. hooking function.
1. Trojan.Clampi injects a malicious thread into the IE browser.
2. Monitors and hooks several API calls of the Windows DLL urlmon.dll:
• InternetConnectA
• InternetOpenA
• InternetReadFile
• InternetWriteFile
3. Hooks itself into the original API when it is called.
4. Grabs data from the IE browser before it is encrypted, hence overcoming SSL.
Can be detected by scanning for the injected process.
MITB using BHO / browser extension: Trojan.Neloweg
– Sets up a namespace and associates it with Winsock2
– Loads the DLL in memory when any program tries to connect to the internet using Winsock2
– No process injection needed!
• The DLL file creates the browser extension files if it is running under Firefox.exe:
– %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
– %ProgramFiles%\Mozilla Firefox\chrome\error.jar
– %ProgramFiles%\Mozilla Firefox\components\nsLego.js
– %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
• error.jar contains the main code for form grabbing.
• Can be detected by in-browser security software which blocks API calls from browser extensions, e.g. Trusteer Rapport.
MITB using self-signed certificates: Trojan.Tatanarg
– Much like MiM: creates a proxy service between bank and client
– On the bank side of the proxy: outbound traffic is encrypted using the bank's credentials
– On the browser side of the proxy: traffic is encrypted using the Trojan's own credentials
– Can be detected by scanning the injected process
Other MITB prevention/detection techniques
• Client-side JavaScript to encrypt some fields before the form-grabbing component sees them: already broken
• Multi-factor authentication: already broken
• Out-of-band transaction verification (OOB): verifying the transaction over a channel other than the browser
• Web fraud detection: automated checks for fraud detection patterns by the banks
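Out-of-band verification, as an added simulated example (not from the slides): it replays the $2500-to-Mom transfer being rewritten in the browser to $10000-to-Trudy and shows why a confirmation code bound to the amount and recipient the bank actually received, delivered over a channel the Trojan does not control, stops the altered transfer. The bank secret, the HMAC-based code and the helper names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-session secret that only the bank holds (demo assumption).
BANK_SECRET = b"constructed-demo-session-key"

def oob_code(amount: int, recipient: str, nonce: str) -> str:
    """Short confirmation code bound to the exact transaction the bank received."""
    msg = f"{amount}|{recipient}|{nonce}".encode()
    return hmac.new(BANK_SECRET, msg, hashlib.sha256).hexdigest()[:8]

def mitb_rewrite(form: dict) -> dict:
    """Simulates the browser Trojan: the form is changed after Alice presses
    submit but before SSL encrypts it, so the bank only ever sees these values."""
    return {**form, "amount": 10000, "recipient": "Trudy"}

def bank_receive(form: dict) -> dict:
    """Bank side: bind a code to what was actually received and send the details
    over a second channel (e.g. SMS) that the browser Trojan cannot rewrite."""
    nonce = secrets.token_hex(4)
    code = oob_code(form["amount"], form["recipient"], nonce)
    sms = f"Confirm transfer of ${form['amount']} to {form['recipient']} with code {code}"
    return {"nonce": nonce, "received": form, "sms": sms}

def user_reads_sms(pending: dict, intended: dict) -> str:
    """Alice checks the SMS against what she meant to send and types the code
    back only if amount and recipient match; an empty string means she aborted."""
    r = pending["received"]
    if r["amount"] == intended["amount"] and r["recipient"] == intended["recipient"]:
        return pending["sms"].rsplit(" ", 1)[1]  # the code at the end of the SMS
    return ""

def bank_execute(pending: dict, entered_code: str) -> str:
    """The bank executes only a transaction whose bound code the user confirmed."""
    if not entered_code:
        return "rejected: user did not confirm"
    r = pending["received"]
    expected = oob_code(r["amount"], r["recipient"], pending["nonce"])
    if hmac.compare_digest(entered_code, expected):
        return "executed"
    return "rejected: code does not match received transaction"

def run_scenario(infected: bool) -> str:
    """End to end: a clean browser's transfer executes; the MITB-altered one stops."""
    intended = {"amount": 2500, "recipient": "Mom"}
    submitted = mitb_rewrite(intended) if infected else intended
    pending = bank_receive(submitted)
    return bank_execute(pending, user_reads_sms(pending, intended))
```

The SMS spells out the tampered amount and recipient, which is exactly what the infected browser hides from Alice on screen.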
Summary of MITB
- Hooking Win APIs (Trojan.Clampi): injected process required: yes; encrypts/decrypts secure communication: no; detection: scan injected browser process
- BHO (Trojan.Neloweg): injected process required: no; encrypts/decrypts secure communication: no; detection: in-browser security
- Self-signed certificate (Trojan.Tatanarg): injected process required: yes; encrypts/decrypts secure communication: yes; detection: scan injected browser process
Conclusion
• Attackers are using newer ways to infect machines
– Targeted attacks
– Use of web toolkits
• Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
• MITB is an innovative way used by attackers to break security
• MITB prevention is still work in progress (good research project!)
• Malware reverse engineering as a profession has a broad scope
Reverse engineering tools
• Hex View
– http://www.hiew.ru/
• Unpacking tools
– http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
• Resource Hacker
– http://www.angusj.com/resourcehacker/
• Monitoring tools
– http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
• OllyDbg
– http://www.ollydbg.de/
• IDA Pro
– http://www.hex-rays.com/
• Process Dumper
– http://www.microsoft.com/en-us/download/details.aspx?id=4060
– http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers
Video
• http://www.youtube.com/watch?v=USCHPIQB8_Y
Thank you!
Jeet Morparia
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.