
1/10/2014 04:44 PM

Using Attackers' Tactics To Battle Banking Trojans

At the upcoming RSA conference, Trustwave researchers will discuss using obfuscation to break the functionality of banking Trojans, such as ZeuS

Sometimes becoming like your enemy isn't a bad thing.

RSA Conference 2014

In a world where malware authors use obfuscation to mask their malicious intent, security researchers may do well to do the same. It is this idea Trustwave researchers Ziv Mador and Ryan Barnett are planning to build on in their upcoming presentation at the RSA Conference in San Francisco next month.

According to Mador, Trustwave's director of security research, the presentation is about leveraging the tactics of attackers in ways that can help an organization's defense -- starting with taking the concept of obfuscation and turning it against the attacker. The ultimate goal, the researchers explain, is to break the Web injection functionality of Trojans, such as ZeuS.

"ZeuS' Web injects functionality happens by hooking into various Windows processes, including wininet.dll," says Barnett, lead security researcher at Trustwave. "This provides raw access to the HTTP data as if it is going across the network. It is at this point, before the data reaches the actual Internet Explorer Web browser process, that ZeuS attempts to modify the HTTP data.

"What we show is that by using even basic HTML/[JavaScript] obfuscation -- we used a basic Caesar Cipher -- it can break the Web injects. Our payloads are automatically decoded by the Web browser and rendered appropriately to the end user. In order to get access to the deobfuscated version of the HTML, banking Trojans would need to hook directly into the Web browser itself and have access to the DOM data."

Even if the Trojan runs within the browser, the obfuscation can still protect the page, Mador adds, unless the Trojan is configured to run after the deobfuscation loop has executed.

"Most banking Trojans are not programmed that way," he says. "I would add that exploit kits often use dynamic variable names to randomize the content between different Web requests. For example, random variable names are used as randomization seeds for the obfuscation. Web fraud detection code can use similar techniques for protecting itself. For example, the Web inject is configured to remove the protective code from a certain location in the page. By randomizing the content of the Web page the same way, Web injects are expected to break. Improving the banking Trojans to remove them from random locations in the page adds complexity for the authors of banking Trojans."
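To make the two ideas above concrete, here is an added example (not Trustwave's code, and not ZeuS's): a constructed login form is Caesar-shifted before it leaves the server, a small inline decoder rebuilds it in the DOM, the wrapper's identifiers are derived from a per-response seed, and a simulated pattern-matching Web inject that only sees the HTTP body (the hook point described above) no longer finds its anchor. The shift value, seed and form markup are all assumptions.

```javascript
// Added example, not Trustwave's code: a Caesar-shifted login form, the decoder
// the browser runs, and a simulated pattern-matching Web inject that only sees
// the wire bytes (the wininet.dll hook point described in the article).

// Constructed sample markup standing in for a bank login page.
const LOGIN_FORM =
  '<form id="login" action="/auth" method="post">' +
  '<input name="user"><input name="pass" type="password"></form>';

// Shift printable ASCII (0x20..0x7E) by `shift`, wrapping within that range;
// a negative shift decodes. Other characters (newlines etc.) pass through.
function caesar(text, shift) {
  const LO = 0x20, SPAN = 95;
  let out = "";
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if (c < LO || c > 0x7e) { out += ch; continue; }
    out += String.fromCharCode(LO + (((c - LO + shift) % SPAN) + SPAN) % SPAN);
  }
  return out;
}

// What actually crosses the wire: the markup exists only in shifted form, and a
// short inline decoder rebuilds it in the DOM. The container id and variable
// name derive from a per-response seed (0 <= shift < 95 assumed), so a fixed
// anchor string in an inject configuration cannot key on the wrapper either.
function buildWirePayload(html, shift, seed) {
  const v = "p" + seed;
  const encoded = caesar(html, shift);
  return `<div id="${v}"></div><script>var ${v}=${JSON.stringify(encoded)};` +
    `document.getElementById("${v}").innerHTML=${v}.replace(/[ -~]/g,function(c){` +
    `return String.fromCharCode(32+((c.charCodeAt(0)-32-${shift}+95)%95));});</script>`;
}

// Simulates a configuration-driven Web inject at the HTTP layer: a substring
// search for raw markup in the intercepted body. True only if the anchor is visible.
function injectAnchorFound(wireBody, anchor) {
  return wireBody.includes(anchor);
}

// Simulates what the browser renders: extract the shifted string from the
// payload and undo the shift (same arithmetic as the emitted decoder).
function renderedHtml(wireBody, shift) {
  const m = wireBody.match(/var p\w+=("(?:[^"\\]|\\.)*");/);
  return m ? caesar(JSON.parse(m[1]), -shift) : null;
}

const wire = buildWirePayload(LOGIN_FORM, 13, "7f3a");
console.log(injectAnchorFound(LOGIN_FORM, '<form id="login"'));  // true
console.log(injectAnchorFound(wire, '<form id="login"'));        // false
console.log(renderedHtml(wire, 13) === LOGIN_FORM);              // true
```

The same anchor search succeeds against the raw page and fails against the shifted one, while the decoded DOM content is byte-for-byte the original form; a Trojan would have to hook the browser after decoding, as the article says, to see it.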

There are some examples of banking Trojans that work as plugins for Mozilla Firefox or Google Chrome that may be able to access the DOM and circumvent the technique, Barnett concedes.

"Web fraud detection vendors have software that can work as extensions/plugins for the user's Web browser," he says. "This is another area where security researchers/vendors can reverse-engineer banking Trojan plugins to better detect and prevent them from working by monitoring and protecting the registration of these hooks."

In some ways, the idea is similar to the concept of a Russian Matryoshka doll, where a doll is placed inside a larger doll, Barnett says. In this case, the HTML of the bank login page is placed inside a virtual Russian doll, which provides a layer of obfuscation ZeuS is not currently prepared to handle.

"[ZeuS] is looking for that raw HTML, and if it doesn't see it, the Web inject does not work," he says. "So it breaks it."

"What we're saying is look to tactics ... attacker groups are using," he adds. "Perhaps you can use that in a different way, or apply it in a different area."

The presentation is scheduled for Feb. 26.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments

macker490, User Rank: Ninja
1/11/2014 | 12:28:22 PM
re: Using Attackers' Tactics To Battle Banking Trojans
there is no use playing with band-aids. the actual problem in many cases is unauthorized programming, often called 'malware'

two rules

1. an o/s should never permit itself to be modified by an application program.
2. customers and users must have the ability to restrict what an application program can access.

these are old rules. protected mode originated in System/360 in 1964 and was then enhanced with RACF in 1974. protected mode became available in x86 with the 80386.