Post on 28-Jun-2020
© 2013 Trustwave Holdings, Inc. 1
August 2013 | Chicago
Using Hacker Tricks in Legit Defensive
Code
Ziv Mador
Director of Security Research
Content developed and presented at RSA with:
Ryan Barnett
Lead Security Researcher
© 2013 Trustwave Holdings, Inc. 2
Turning Bad Guys Against Themselves
The “Dual” Ouroboros
Exploit Kits
Banking
Trojans
© 2013 Trustwave Holdings, Inc. 3
Agenda
• Banking Trojans vs. Web Fraud Detection
• How To Protect Web Fraud Detection Code?
• Web Obfuscation Usage By Exploit Kits
• Applying Obfuscation To Web Fraud Detection Code
• Banking Trojans “Fight Back”
• Leveraging De-Obfuscation Algorithms in Web Security Products
• Summary
© 2013 Trustwave Holdings, Inc. 4
Today’s Adversarial Relationship Pairings
Security Vendors
Web Fraud
Detection
Secure Web
Gateways
Banking
Trojans
Exploit Kits
Cybercriminals
© 2013 Trustwave Holdings, Inc. 5
Banking Trojan Overview
© 2013 Trustwave Holdings, Inc. 6
User
Compormised
website
Exploit
server
Injected
iframe
© 2013 Trustwave Holdings, Inc. 7
Banking Trojan Prevalence in 2013
The State of Financial Trojans 2013 - Symantec
© 2013 Trustwave Holdings, Inc. 8
Zeus C&C Interface: Fraudulent EFTs
© 2013 Trustwave Holdings, Inc. 9
New “ZeusVM” Variant (Feb. 2014)
What’s Wrong With This Picture? Hidden Zeus Config File
Image credit: malwarebytes blog
© 2013 Trustwave Holdings, Inc. 10
Zeus “webinject”: ATM PIN Phishing
© 2013 Trustwave Holdings, Inc. 11
Zeus “webinject”: ATM PIN Phishing
© 2013 Trustwave Holdings, Inc. 12
Web Fraud Detection Overview
© 2013 Trustwave Holdings, Inc. 13
Web Fraud Detection Techniques
Device
Identification
GeoLocation
Webpage Integrity
User Behavior
Time Differential
Linking
Proxy Piercing
Device/User
Reputation
Clickstream
Analysis
© 2013 Trustwave Holdings, Inc. 14
http://panopticlick.eff.org/
© 2013 Trustwave Holdings, Inc. 15
Webpage Integrity Validation
http://www.cs.washington.edu/research/security/web-tripwire.html
© 2013 Trustwave Holdings, Inc. 16
Example Fraud Detection JavaScript
© 2013 Trustwave Holdings, Inc. 17
Fingerprint.js: Browser Characteristics Checked
© 2013 Trustwave Holdings, Inc. 18
Fingerprint Hash Beaconing
© 2013 Trustwave Holdings, Inc. 19
Device Fingerprint Execution
© 2013 Trustwave Holdings, Inc. 20
Web Tripwire XMLHttpRequest
© 2013 Trustwave Holdings, Inc. 21
Web Tripwire Hash Validation
© 2013 Trustwave Holdings, Inc. 22
Banking Trojans Circumvent Web Fraud Detection
© 2013 Trustwave Holdings, Inc. 23
Updated Zeus “webinjects” Configuration: Removes The Fraud Detection Code
© 2013 Trustwave Holdings, Inc. 24
Zeus Strips Fraud Detection JS Code
© 2013 Trustwave Holdings, Inc. 25
Zeus Strips Fraud Detection JS Code
© 2013 Trustwave Holdings, Inc. 26
Exploit Kit Overview
© 2013 Trustwave Holdings, Inc. 27
Exploit Kits
• Serve as malware distribution
mechanisms
• MaaS “Malware As a Service”
• Provide rich configuration and
reporting
© Kahu Security
© 2013 Trustwave Holdings, Inc. 28
© 2013 Trustwave Holdings, Inc. 29
© 2013 Trustwave Holdings, Inc. 30
Exploit Kit Prevalence (Q4 2013)
53.8% 33.7%
4.2%
2.7% 2.7%
1.8%
0.7%
0.2% 0.2%
0.1%
Blackhole
RedKit
Cool
Neutrino
DotCachef
Styx
Whitehole
Bleeding Life
Nuclear
Magnitude
© 2013 Trustwave Holdings, Inc. 31
Malicious Links
• Cybercriminals inject malicious iframe links to
compromised web sites or to malicious web sites
• Then may use phishing campaigns with links to
those sites or simply wait for normal web traffic
User
Compormised
website
Exploit
server
Injected
iframe
© 2013 Trustwave Holdings, Inc. 32
Victim Visits Infected Website
© 2013 Trustwave Holdings, Inc. 33
Malvertising Infection on Yahoo
© hitmanpro blog
© 2013 Trustwave Holdings, Inc. 34
Use of Multiple Vulnerabilities
• Typically attempt to exploit multiple
vulnerabilities in different applications
o One vulnerability suffices for infection
© 2013 Trustwave Holdings, Inc. 35
Using Obfuscation
• Obfuscation fails most static
analyzers
Exploit kit code
The same code, obfuscated
Obfuscation
© 2013 Trustwave Holdings, Inc. 36
Similarity of Challenges
Escaping
detection by
exploit kits
Protecting web
fraud detection
code
© 2013 Trustwave Holdings, Inc. 37
Obfuscation
Leveraging Cybercriminals’ Tactics
Web Fraud
Detection
Banking
Trojans
Exploit Kits
Security Vendors Cybercriminals
Secure Web
Gateways
© 2013 Trustwave Holdings, Inc. 38
Using Exploit Kit Obfuscation for Defense
© 2013 Trustwave Holdings, Inc. 39
Applying Obfuscation to Defensive Code
• If cybercriminals can
protect their code with
obfuscation, why can’t legit
sites do the same?
© 2013 Trustwave Holdings, Inc. 40
Use of Obfuscation for Legit Code
• The idea in general is not new
• Suggested in the past for
o Hindering hacker attacks
o Protecting Intellectual Property (IP)
• Already used by some applications (e.g. Oracle’s
Java cryptography code)
• A recent study about “unhackable” obfuscation for
legit apps (1)
• Similarly, some bank sites are pure Flash
• Here we discuss using techniques from malicious
code (1) http://www.wired.com/wiredscience/2014/02/cryptography-
breakthrough/all/
© 2013 Trustwave Holdings, Inc. 41
Using Exploit Kit Obfuscation Code: CryptJS
© 2013 Trustwave Holdings, Inc. 42
Using Exploit Kit Obfuscation Code: CryptJS
© 2013 Trustwave Holdings, Inc. 43
New Obfuscated HTML
© 2013 Trustwave Holdings, Inc. 44
Still Functionally Equivalent Code
© 2013 Trustwave Holdings, Inc. 45
Zeus “webinjects” No Longer Work!
© 2013 Trustwave Holdings, Inc. 46
January 28, 2014 - SpyEye Creator Arrested
Aleksander Panin SpyEye Malware
© 2013 Trustwave Holdings, Inc. 47
Greed Drives Innovation
© 2013 Trustwave Holdings, Inc. 48
The Arms Race Continues…
© 2013 Trustwave Holdings, Inc. 49
Obfuscation
Leveraging Cybercriminals’ Tactics
Web Fraud
Detection
Secure Web
Gateways
Banking
Trojans
Exploit Kits
Security Vendors Cybercriminals
© 2013 Trustwave Holdings, Inc. 50
New “De-Obfuscation” Flag (O) Added to Zeus
© 2013 Trustwave Holdings, Inc. 51
Modified Zeus “httpgrabber” De-Obfuscation Code
© 2013 Trustwave Holdings, Inc. 52
Modified Zeus Decodes, Removes and Injects
© 2013 Trustwave Holdings, Inc. 53
Leveraging De-obfuscation Algorithms
• De-obfuscation algorithms show clear text
• Sometimes they are complicated and dynamic
• Malware authors may come up with more
efficient algorithms
• Why won’t we leverage their creativity again??
• We can reverse engineer the malware and
identify the de-obfuscation algorithms
• We can now use these de-obfuscation
algorithms in security products that scan web
pages (SWG, AV, Firewall…)
© 2013 Trustwave Holdings, Inc. 54
Obfuscation
Leveraging Cybercriminals’ Tactics
Web Fraud
Detection
Secure Web
Gateways
Banking
Trojans
Exploit Kits
Security Vendors Cybercriminals
De-Obfuscation Reuse
© 2013 Trustwave Holdings, Inc. 55
Polymorphic Variable Names
The Lifecycle Continues
Web Fraud
Detection
Banking
Trojans
Exploit Kits
Security Vendors Cybercriminals
Secure Web
Gateways
© 2013 Trustwave Holdings, Inc. 56
Using Polymorphic Variable Names
© 2013 Trustwave Holdings, Inc. 57
Using Polymorphic Variable Names
© 2013 Trustwave Holdings, Inc. 58
Using Polymorphic Variable Names
© 2013 Trustwave Holdings, Inc. 59
Summary
• In addition to fighting cybercriminals’ techniques,
security vendors can also leverage them in some cases
for better protection
• Algorithms from one cyber gang can be used to protect
against malware from another gang
• It is an iterative process
• More research is welcomed
– Identifying other similar scenarios
– Considering the ethical and legal aspects of this
concept
© 2013 Trustwave Holdings, Inc. 60
Acknowledgments
• We would like to thank fellow SpiderLabs Researchers who helped
with developing the demos
– Daniel Chechik
– Felipe Zimmerle Costa
© 2013 Trustwave Holdings, Inc. 61
Q&A
Ziv Mador
zmador@trustwave.com