Malware Reverse Engineering

Posted on 25-Feb-2016

Page 1: Malware Reverse Engineering

Jeet Morparia, Software Engineer, Malware Analysis and Response

Man In The Browser (MITB)

Page 2: Agenda

1. Today’s malware landscape
2. Reverse engineering a malware
3. Man In The Browser

Page 3: Today’s malware landscape

Page 4: Today’s malware landscape

- Though ‘spam’ has decreased, ‘malicious attacks’ have increased!
- Use of more and more web-toolkits

Page 5: Today’s malware landscape

- >50% increase in unique variants of malware
- >10k unique malicious web domains
- ~50% increase in mobile vulnerabilities

Page 6: Today’s malware landscape

2 main reasons for this trend:

- Part of large organizations’ eco-system, providing a stepping stone to a larger attack
- Less defended

Page 7: Reverse Engineering A Malware

Black boxing and White boxing

Page 8: Analysis of a malware

Page 9: HIEW

File properties

Virtual memory

Page 10: Packed code vs. unpacked code

UPX packed sections

Unpacked sections
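The slide shows UPX section names in HIEW as the tell-tale of a packed sample. The following is an added example, not code from the slides or from HIEW: it walks the DOS header, PE header and section table of an image and reports three packing indicators (UPX section names, a section with no bytes on disk but space reserved in memory, and near-maximal byte entropy). The minimal PE image is constructed in-line so the script runs offline; replace `build_sample_image()` with the bytes of a real file.

```python
"""Added example: flag packer indicators in a PE section table.

Hypothetical analysis helper, not a tool from the slides. The sample image
below is constructed in-line so the script runs offline.
"""
import math
import struct
from collections import Counter

SECTION_HEADER_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names UPX writes by default
HIGH_ENTROPY_BITS = 7.2                          # compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE header -> section table; return one dict per section."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        name, vsize, va, raw_size, raw_ptr = fields[:5]
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packing_indicators(sections: list) -> list:
    """Heuristics that point at a packed binary; each hit is a readable string."""
    findings = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f'{s["name"]}: section name used by UPX')
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f'{s["name"]}: no bytes on disk but {s["virtual_size"]:#x} bytes '
                            f'reserved in memory (unpack target)')
        if s["entropy"] >= HIGH_ENTROPY_BITS:
            findings.append(f'{s["name"]}: entropy {s["entropy"]:.2f} bits/byte (compressed or encrypted)')
    return findings


def build_sample_image() -> bytes:
    """Constructed minimal PE: UPX0 (empty on disk), UPX1 (uniform bytes), .rsrc (repetitive)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)  # i386, 3 sections, 224-byte optional header
    optional = bytes(0xE0)                       # zeroed; the parser only needs its size

    def section(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack(SECTION_HEADER_FMT, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + optional
               + section(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
               + section(b"UPX1", 0x1000, 0x11000, 0x1000, 0x200, 0xE0000040)
               + section(b".rsrc", 0x1000, 0x12000, 3000, 0x1200, 0x40000040))
    image = bytearray(headers.ljust(0x200, b"\0"))
    image += bytes(range(256)) * 16              # 0x1000 bytes, every value 16 times: entropy exactly 8.0
    image += b"\x55\x8b\xec" * 1000              # push ebp; mov ebp,esp repeated: entropy log2(3)
    return bytes(image)


if __name__ == "__main__":
    for line in packing_indicators(parse_sections(build_sample_image())):
        print(line)
```

Entropy alone is a weak signal (legitimate resources such as compressed images are also near 8.0), which is why the script reports the three indicators separately rather than voting; the empty-on-disk section next to a high-entropy one is the combination that points at a runtime unpacker.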

Page 11: Embedded Resources

Version Information

Page 12: Monitoring Tools

Page 13: OllyDbg

Break points

Page 14: IDA Pro

Page 15: Man In The Browser

Page 16: Man-in-the-middle (MiM)

Diagram: ALICE (end user), TRUDY (attacker), BOB (bank server). Alice’s request ‘Transfer $2500 to Mom’ reaches the bank as ‘Transfer $10000 to Trudy’; the bank’s reply ‘Transferred $10000 to Trudy’ is shown to Alice as ‘Transferred $2500 to Mom’.

Page 17: Man-in-the-browser (MITB)

Diagram: ALICE (end user), ALICE’S browser, TRUDY (attacker), BOB (bank server). Trudy infects Alice’s system with a Trojan, which captures form data inside the browser. Alice’s request ‘Transfer $2500 to Mom’ reaches the bank as ‘Transfer $10000 to Trudy’; the bank’s reply ‘Transferred $10000 to Trudy’ is shown to Alice as ‘Transferred $2500 to Mom’.

Page 18: Clean browser vs. infected browser

CLEAN BROWSER
- No extra fields
- Just the required information

INFECTED BROWSER
- Extra fields, e.g. PIN
- Asks for critical information usually not required
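The extra PIN field on the infected browser is something a defender can test for mechanically. Below is an added example, not code from the slides: it extracts the field names of each form from the page as rendered and diffs them against the layout the bank actually serves, and it includes the server-side twin that diffs the parameters of a submitted POST. The two HTML snippets and the baseline are constructed for the example.

```python
"""Added example: detect injected form fields (the PIN field from slide 18).

Hypothetical check, not from the slides. CLEAN_HTML is the page as the bank
serves it; INFECTED_HTML is what a form-grabbing Trojan would show instead.
"""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collect the names of input/select/textarea elements per <form>."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("action") or "<anonymous>"
            self.forms.setdefault(self._current, [])
        elif tag in ("input", "select", "textarea") and self._current is not None and a.get("name"):
            self.forms[self._current].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_form_fields(html: str) -> dict:
    """Map form id (or action) -> list of field names, in document order."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def unexpected_fields(observed: dict, baseline: dict) -> dict:
    """Fields present in the rendered page but absent from the bank's known layout."""
    extra = {}
    for form, names in observed.items():
        injected = sorted(set(names) - baseline.get(form, set()))
        if injected:
            extra[form] = injected
    return extra


def unexpected_params(form: str, params: dict, baseline: dict) -> list:
    """Server-side twin: a POST carrying parameters the form never had is a fraud signal."""
    return sorted(set(params) - baseline.get(form, set()))


# Constructed baseline: the only fields the bank's transfer form ever contains.
BASELINE = {"transfer": {"account", "amount", "recipient"}}

CLEAN_HTML = """<form id="transfer" action="/transfer" method="post">
  <input name="account"><input name="amount"><input name="recipient">
  <button type="submit">Send</button>
</form>"""

INFECTED_HTML = """<form id="transfer" action="/transfer" method="post">
  <input name="account"><input name="amount"><input name="recipient">
  <label>PIN: <input name="pin" type="password"></label>
  <button type="submit">Send</button>
</form>"""

if __name__ == "__main__":
    print("clean   :", unexpected_fields(collect_form_fields(CLEAN_HTML), BASELINE))
    print("infected:", unexpected_fields(collect_form_fields(INFECTED_HTML), BASELINE))
```

The client-side diff only means something when it runs from code the Trojan has not already hooked, which is the job of the in-browser security products mentioned on page 24; the server-side diff catches the case where the injected field is forwarded in the POST, but a Trojan that strips the grabbed field before submission is invisible to it.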

Page 19: MiM vs MITB

Hardware/Software requirements
- MiM: Usually requires compromised hardware
- MITB: Injects malicious software (Trojan) in web browser

Communication
- MiM: Has to deal with secure communication
- MITB: Immune to secure communication such as SSL

Targets
- MiM: Targets are directed or location-based
- MITB: Targets can be anywhere on the internet

Page 20: Purpose of MITB

• Subvert secure communication, SSL
• Steal and modify form data
• Didn’t I say MONEY!

Page 21: Types of MITB

Hooking Windows API
• Trojan.Clampi

Using BHO (Browser Helper Objects) in IE, or using Firefox extensions
• Trojan.Neloweg

Using self-signed certificates
• Trojan.Tatanarg

Page 22: MITB by hooking Windows APIs

What is a hook? A piece of code that intercepts function calls to modify the function of the application.

Diagram: ORIGINAL FUNCTION and HOOKING FUNCTION, with the steps numbered 1 to 4.

1. Trojan.Clampi injects a malicious thread into the IE browser.
2. Monitors and hooks several API calls monitored by the Windows DLL urlmon.dll:
   • InternetConnectA
   • InternetOpenA
   • InternetReadFile
   • InternetWriteFile
3. Hooks itself to the original API when it is called.
4. Grabs data from the IE browser before it is encrypted, hence overcoming SSL.

Can be detected by scanning for the injected process.
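The detection the slide ends with, scanning the injected browser process, usually means looking for exactly the hook described above: an export whose first instructions no longer match the DLL on disk. The following is an added example, not code from the slides: it compares each export’s prologue as loaded in the process with the same bytes on disk, decodes the common redirect stubs, and treats a jump out of the module as a hook. The module layout, addresses and both byte views are constructed so the check runs offline (the sample assumes wininet.dll, which exports the Internet* functions listed above, as the module name); a real scanner reads them from the live process and from the file.

```python
"""Added example: spot inline hooks on exported API prologues.

Hypothetical detection helper, not from the slides. A real scanner reads the
module's bytes from the running browser process and from the DLL on disk;
here both views are constructed in-line.
"""
import struct

MODULE = {"name": "wininet.dll", "base": 0x76A00000, "size": 0x100000}  # constructed layout
HOTPATCH_PROLOGUE = b"\x8b\xff\x55\x8b\xec"  # mov edi,edi; push ebp; mov ebp,esp (typical Win32 prologue)


def decode_detour(code: bytes, address: int):
    """Return (kind, target) if `code` starts with a common redirect stub, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        (rel,) = struct.unpack_from("<i", code, 1)
        return "jmp_rel32", (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        (target,) = struct.unpack_from("<I", code, 1)
        return "push_ret", target
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [abs32]: target sits in a pointer slot
        (slot,) = struct.unpack_from("<I", code, 2)
        return "jmp_indirect_slot", slot
    return None


def in_module(addr: int, module: dict) -> bool:
    return module["base"] <= addr < module["base"] + module["size"]


def scan_exports(module: dict, on_disk: dict, in_memory: dict) -> list:
    """Compare each export's first bytes on disk with the live copy and classify the difference."""
    results = []
    for name, (address, disk_bytes) in on_disk.items():
        live = in_memory[name]
        if live == disk_bytes:
            results.append({"export": name, "status": "clean"})
            continue
        detour = decode_detour(live, address)
        if detour is None:
            results.append({"export": name, "status": "modified",
                            "detail": "prologue differs, no known stub"})
        elif detour[0] == "jmp_indirect_slot" or in_module(detour[1], module):
            # A jump that stays inside the module (e.g. OS hot-patching) or an
            # unresolved pointer slot needs a second look, not an alarm.
            results.append({"export": name, "status": "modified", "kind": detour[0],
                            "target": detour[1], "detail": "resolve before judging"})
        else:
            results.append({"export": name, "status": "hooked", "kind": detour[0],
                            "target": detour[1]})
    return results


def _rel32_jmp(src: int, dst: int) -> bytes:
    """Encode `jmp dst` at address `src` (constructed sample data only)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def build_sample_views():
    """Constructed on-disk vs in-memory prologues for four wininet exports."""
    base = MODULE["base"]
    read_addr, write_addr, open_addr, connect_addr = base + 0x1234, base + 0x2345, base + 0x3456, base + 0x4567
    on_disk = {
        "InternetReadFile": (read_addr, HOTPATCH_PROLOGUE),
        "InternetWriteFile": (write_addr, HOTPATCH_PROLOGUE),
        "InternetOpenA": (open_addr, HOTPATCH_PROLOGUE),
        "InternetConnectA": (connect_addr, HOTPATCH_PROLOGUE),
    }
    in_memory = {
        "InternetReadFile": _rel32_jmp(read_addr, 0x00420000),              # detour into foreign memory
        "InternetWriteFile": HOTPATCH_PROLOGUE,                              # untouched
        "InternetOpenA": b"\x68" + struct.pack("<I", 0x00431000) + b"\xc3",  # push/ret to foreign memory
        "InternetConnectA": _rel32_jmp(connect_addr, base + 0x9000),        # stays inside the module
    }
    return on_disk, in_memory


if __name__ == "__main__":
    for r in scan_exports(MODULE, *build_sample_views()):
        print(r)
```

Two design points: the comparison baseline must come from outside the suspect process (the file on disk, or a clean copy mapped by the scanner), since anything the scanner reads through the hooked process can be faked; and a redirect that stays inside the module is reported for review rather than as a hook, because legitimate hot-patching looks the same at this level.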

Page 23: MITB using BHO / browser extension

• Trojan.Neloweg
  – Sets up a Namespace and associates it with Winsock2
  – Loads the DLL in memory when any program tries to connect to the internet using Winsock2
  – No process injection needed!

Page 24: MITB using BHO / browser extension (cont.)

• The DLL file creates the browser extension files if it is running under Firefox.exe:
  – %ProgramFiles%\Mozilla Firefox\chrome\error.manifest
  – %ProgramFiles%\Mozilla Firefox\chrome\error.jar
  – %ProgramFiles%\Mozilla Firefox\components\nsLego.js
  – %ProgramFiles%\Mozilla Firefox\components\nsILEgo.xpt
• error.jar contains the main code for form grabbing.
• Can be detected by in-browser security software which blocks API access from browser extensions, e.g. Trusteer Rapport.

Page 25: MITB using self-signed certificates

• Trojan.Tatanarg
  – Much like MiM: creates a proxy service between bank and client
  – On the bank side of the proxy: outbound traffic is encrypted using the bank’s credentials
  – On the browser side of the proxy: encrypts traffic using its own credentials
  – Can be detected by scanning the injected process

Page 26: Other MITB prevention/detection techniques

• Client-side JavaScript to encrypt some fields before the form-grabbing component
  – Already broken
• Multi-factor authentication
  – Already broken
• Out-of-band transaction verification (OOB)
  – Verifying the transaction over a channel other than the browser
• Web fraud detection
  – Automated checks for fraud detection patterns by the banks
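Why out-of-band verification holds up where client-side field encryption does not comes down to ordering: the Trojan’s hook (page 22) sees the form before any page script encrypts it, whereas an OOB summary is generated by the bank from the transaction it actually received and delivered over a channel the browser cannot rewrite. The following toy simulation is an added example, not code from the slides or from any bank; it replays the Alice/Trudy/Bob exchange from pages 16 and 17 with and without an infected browser and with and without OOB. The bank key, nonce and amounts are constructed for the example.

```python
"""Added example: out-of-band (OOB) transaction verification against a
form-grabbing Trojan (page 26), using the actors of pages 16-17.

Toy simulation, not code from the slides or from any bank.
"""
import hashlib
import hmac

BANK_OOB_KEY = b"constructed-demo-key"  # constructed; really a per-customer secret held by the bank


def mitb_form_grab(form: dict) -> dict:
    """The Trojan's hook sits between the form and the network, before any page script encrypts fields."""
    tampered = dict(form)
    tampered.update(amount=10000, recipient="Trudy")
    return tampered


def mitb_rewrite_response(response: dict, intended: dict) -> dict:
    """Second half of the trick (page 17): show Alice the transfer she expected to see."""
    shown = dict(response)
    shown.update(amount=intended["amount"], recipient=intended["recipient"])
    return shown


def bank_oob_challenge(tx: dict, nonce: str) -> dict:
    """The bank sends the transaction it is about to execute, plus a code bound to exactly
    that transaction, over a channel the browser cannot touch (e.g. SMS to the registered phone)."""
    msg = f"{nonce}|{tx['amount']}|{tx['recipient']}".encode()
    digest = hmac.new(BANK_OOB_KEY, msg, hashlib.sha256).digest()
    code = int.from_bytes(digest[:4], "big") % 1_000_000
    return {"nonce": nonce, "summary": f"Transfer ${tx['amount']} to {tx['recipient']}", "code": f"{code:06d}"}


def alice_reads_phone(intended: dict, sms: dict):
    """Alice types the code into the browser only if the summary matches what she meant to send."""
    expected = f"Transfer ${intended['amount']} to {intended['recipient']}"
    return sms["code"] if sms["summary"] == expected else None


def run_transfer(intended: dict, infected: bool, oob_enabled: bool) -> dict:
    """One transfer end to end; returns what the bank recorded and what Alice's screen showed."""
    submitted = mitb_form_grab(intended) if infected else dict(intended)  # what Bob actually receives
    if oob_enabled:
        sms = bank_oob_challenge(submitted, nonce="tx-0001")  # constructed fixed nonce; use a fresh random one per transaction
        code = alice_reads_phone(intended, sms)
        if code is None:
            return {"executed": False, "reason": "customer declined: OOB summary did not match intent"}
        # The Trojan may relay the typed code unchanged, but the code only exists for the
        # transaction Alice saw on her phone, so relaying cannot confirm a different one.
        expected = bank_oob_challenge(submitted, sms["nonce"])["code"]
        if not hmac.compare_digest(code, expected):
            return {"executed": False, "reason": "bad confirmation code"}
    response = {"executed": True, "amount": submitted["amount"], "recipient": submitted["recipient"]}
    shown = mitb_rewrite_response(response, intended) if infected else response
    return {"executed": True, "bank_record": response, "alice_sees": shown}


if __name__ == "__main__":
    intended = {"amount": 2500, "recipient": "Mom"}
    for infected, oob in [(False, False), (True, False), (True, True)]:
        print(f"infected={infected} oob={oob} ->", run_transfer(intended, infected, oob))
```

The infected run without OOB is the slide’s scenario in full: the bank records $10000 to Trudy while Alice’s screen says $2500 to Mom. Multi-factor login codes do not change that outcome, because they authenticate the session rather than the transaction; the OOB code is bound to amount and recipient, which is what the Trojan alters.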

Page 27: Summary of MITB

Hooking Win APIs
- Trojan name: Trojan.Clampi
- Injected process required? Yes
- Encrypts/decrypts secure communication? No
- Detection: Scan injected browser process

BHO
- Trojan name: Trojan.Neloweg
- Injected process required? No
- Encrypts/decrypts secure communication? No
- Detection: In-browser security

Self-signed certificate
- Trojan name: Trojan.Tatanarg
- Injected process required? Yes
- Encrypts/decrypts secure communication? Yes
- Detection: Scan injected browser process

Page 28: Conclusion

• Attackers are using newer ways to infect machines
  – Targeted attacks
  – Use of web toolkits
• Comprehensive analysis of a malware involves a combination of black-boxing and white-boxing techniques
• MITB is an innovative way used by attackers to break security
• MITB prevention is still work in progress (good research project!)
• Malware reverse engineering as a profession has a broad scope

Page 29: Reverse engineering tools

• Hex View
  – http://www.hiew.ru/
• Unpacking tools
  – http://www.woodmann.com/collaborative/tools/index.php/Category:Unpacking_Tools
• Resource Hacker
  – http://www.angusj.com/resourcehacker/
• Monitoring tools
  – http://www.woodmann.com/collaborative/tools/index.php/Category:Monitoring_Tools
• OllyDbg
  – http://www.ollydbg.de/
• IDA Pro
  – http://www.hex-rays.com/
• Process Dumper
  – http://www.microsoft.com/en-us/download/details.aspx?id=4060
  – http://www.woodmann.com/collaborative/tools/index.php/Category:Process_Dumpers

Page 30: References

• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Trojan_Neloweg_Bank_Robbing_Bot_in_the_Browser.pdf
• http://www.symantec.com/connect/blogs/banking-proxy-trojantatanarg
• http://www.symantec.com/threatreport/
• https://www.owasp.org/index.php/OWASP_Anti-Malware_-_Knowledge_Base#Appendix_A:_Security_Considerations_about_Authentication_Solutions_and_Malware
• http://www.scis.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf

Page 31: Video

• http://www.youtube.com/watch?v=USCHPIQB8_Y

Page 32: Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Jeet Morparia
[email protected]