CONFidence 2015 - Bypassing malware detection mechanisms in online banking
Transcript of CONFidence 2015 - Bypassing malware detection mechanisms in online banking
Page 1
Bypassing malware detection mechanisms in online banking
Jakub Kałużny, Mateusz Olejarka
CONFidence, 25.05.2015
Page 2
Who are we?
Pentesters @ SecuRing
Ex-developers
Experience with:
• E-banking and mobile banking systems
• Multi-factor and voice recognition authentication
• Malware post mortem
@j_kaluzny @molejarka
Page 3
Agenda
• Intro
• Why this topic?
• How it’s done?
• Will it blend?
• Attack vectors
• Recommendation
• Q&A*
Page 4
INTRO
Page 5
Why this topic?
• AVs are not reliable
• Users are lazy
• Market gap for new solutions
• A lot of money
Page 6
How malware works?
• Interaction with browser
  • Web injects
  • Other?
• What it does
  • Steals credentials
  • Changes transaction data
  • Automates attacks
Malware families named on the slide: zeus, spyeye, carberp, citadel, zitmo, vbclip, banatrix, carbanak, eblaster, bugat, torpig, hiloti, gozi
Page 7
What is online malware detection?
Aim: detect malware presence
Diagram labels: USER, MALWARE, BROWSER (JS), HTTP TRANSACTIONS, WEB SERVER, BACKEND; signatures, fingerprint, user/browser behaviour, fraud detection system
Action: drop or mark as compromised
Page 8
What are the limits?
Malware detection methods:
• HTTP response signature
• Browser fingerprint
• User/browser behavior
• Server-side behavioral methods
• Fraud detection system
Limits: marketing magic, auditability
Page 9
What is the purpose of this report?
We do not represent any vendor
We want to show:
• architecture failures
• implementation errors
We want to talk about what can be done
Page 10
ATTACK VECTORS
Page 11
Our approach
Diagram labels: USER, MALWARE, BROWSER, HTTP TRANSACTIONS, WEB SERVER, BACKEND
Steps: feed, analyze JS, analyze traffic, analyze response
Page 12
First idea
HTTP traffic
Diagram: clean machine (action) → system ← infected machine (action)
Page 13
Going through…
HTTP traffic + JS analysis
Diagram: clean machine (action) → system ← infected machine (action)
+ JS analysis:
• Different paths
• Different subdomains
• Different data format (e.g. base64)
• Encryption (e.g. RSA)
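The method of pages 12 and 13 (record the same action on a clean and on an infected machine, diff the traffic, and read the detection JS to learn how it wraps its telemetry) as an added Node.js example. This is not code from the deck or from any vendor; the hosts `bank.example` and `am.bank.example`, the `/fp` and `/collect` endpoints and the captured request bodies are constructed for illustration.

```javascript
'use strict';
// Added example (not from the CONFidence 2015 deck): diff the HTTP traffic
// recorded on a clean and on an infected machine performing the same action,
// decoding the body encodings the deck mentions (base64, hex) first.
// Hosts, paths and bodies below are constructed for illustration.

function printable(s) {
  return /^[\x20-\x7e\s]*$/.test(s);
}

// Undo simple transport encodings so that the same telemetry compares equal
// regardless of how the detection script wrapped it. Heuristic: try hex,
// then base64, and keep a decoding only if it yields printable text.
function decodeBody(body) {
  if (body === undefined || body === null) return '';
  if (body.length >= 8 && body.length % 2 === 0 && /^[0-9a-f]+$/i.test(body)) {
    const plain = Buffer.from(body, 'hex').toString('utf8');
    if (printable(plain)) return plain;
  }
  if (body.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
    const plain = Buffer.from(body, 'base64').toString('utf8');
    if (printable(plain)) return plain;
  }
  return body;
}

// Key a request by method, host and path: extra hosts or paths on one side
// are where the detection JS talks to its web service.
function requestKey(req) {
  return `${req.method} ${req.host}${req.path}`;
}

function diffTraffic(cleanLog, infectedLog) {
  const index = (log) => new Map(log.map((r) => [requestKey(r), decodeBody(r.body)]));
  const clean = index(cleanLog);
  const infected = index(infectedLog);
  const out = { onlyInfected: [], onlyClean: [], changedBody: [] };
  for (const [key, body] of infected) {
    if (!clean.has(key)) out.onlyInfected.push(key);
    else if (clean.get(key) !== body) out.changedBody.push({ key, clean: clean.get(key), infected: body });
  }
  for (const key of clean.keys()) if (!infected.has(key)) out.onlyClean.push(key);
  return out;
}

// Constructed captures: the same login action on both machines. The infected
// browser carries a web inject that adds an "atm_pin" field; the detection
// script reports the input names it saw, base64-wrapped, to a separate
// subdomain, and a hex-wrapped fingerprint that is identical on both sides.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const hex = (s) => Buffer.from(s, 'utf8').toString('hex');
const COMMON = [
  { method: 'GET', host: 'bank.example', path: '/login' },
  { method: 'POST', host: 'bank.example', path: '/login', body: 'user=alice&pass=***' },
  { method: 'POST', host: 'am.bank.example', path: '/fp', body: hex('ua=Firefox/37;screen=1920x1080') },
];
const CLEAN_LOG = [
  ...COMMON,
  { method: 'POST', host: 'am.bank.example', path: '/collect', body: b64('{"forms":1,"inputs":["user","pass"]}') },
];
const INFECTED_LOG = [
  ...COMMON,
  { method: 'POST', host: 'am.bank.example', path: '/collect', body: b64('{"forms":1,"inputs":["user","pass","atm_pin"]}') },
];

console.log(JSON.stringify(diffTraffic(CLEAN_LOG, INFECTED_LOG), null, 2));
```

The only difference the diff reports is the decoded body of `POST am.bank.example/collect`, which is exactly the channel to study next: once the request that carries the verdict-relevant data is known, the JS that builds it can be read for the encoding or RSA step the deck mentions, and the bypass work starts there.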
Page 14
Almost there…
Diagram: clean machine (action) → system ← infected machine (action)
Page 15
If it bleeds, we can kill it
Diagram: clean machine (action) → system ← infected machine (action)
BYPASSED!
Page 16
Architecture problem
Diagram: user action → system → anti-malware magic → red light / green light
Words of wisdom: adverse inference
Page 17
Malware spotted!
Diagram: user action → system → anti-malware magic → red light
Who sends the alert?
login: user1, time: …, behaviour: suspicious
login: user2 ?
Page 18
First things first
Diagram: user action → system → anti-malware magic → red light
JavaScript slowing your page? BYPASSED!
Page 19
Security by obscurity
malware detection JavaScript:
• eval
• simple obfuscation – base64, hex
• RSA encryption
• signatures
• reasoning engine
Web Service; RSA public key
Page 20
Signatures server-side
Sequence (browser ⇄ server):
browser → server: website A please
server → browser: HTML + JS malware detection
browser → server: fragments of website A
server: regexp for website A
server → browser: Hey, your website A is webinjected!
Page 21
Signatures client-side
Sequence (browser ⇄ server):
browser → server: website A please
server → browser: HTML + JS malware detection + web injects signatures
browser → server: hash of web injects signatures content
Leaks your malware signatures
The output is your weakness
Page 22
CONCLUSIONS
Page 23
Conclusions - banks
• Buy an anti-malware box?
  • Ask for technical details
  • Request live demo
• Better call your crew
• Trust, but verify
Page 24
Conclusions – vendors
• Online malware detection is a good path; behavioral systems are the future of ITsec
• But they are still based on the old HTTP + HTML + JS stack
• Think about architecture and implementation
Page 25
What’s next?
We can analyze and dissect your solution as well, or help you establish one.
Interested? ->
or
Page 26
Q&A*
- And now a discussion :)