Using Hacker Tricks in Legit Defensive Code · 2020-01-17 · © 2013 Trustwave Holdings, Inc. 2...
© 2013 Trustwave Holdings, Inc. 1
August 2013 | Chicago
Using Hacker Tricks in Legit Defensive Code
Ziv Mador
Director of Security Research
Content developed and presented at RSA with:
Ryan Barnett
Lead Security Researcher
Turning Bad Guys Against Themselves
The “Dual” Ouroboros
Exploit Kits
Banking
Trojans
Agenda
• Banking Trojans vs. Web Fraud Detection
• How To Protect Web Fraud Detection Code?
• Web Obfuscation Usage By Exploit Kits
• Applying Obfuscation To Web Fraud Detection Code
• Banking Trojans “Fight Back”
• Leveraging De-Obfuscation Algorithms in Web Security Products
• Summary
Today’s Adversarial Relationship Pairings
[Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) facing Cybercriminals (Banking Trojans, Exploit Kits); Web Fraud Detection is paired against Banking Trojans, Secure Web Gateways against Exploit Kits]
Banking Trojan Overview
[Diagram: User → Compromised website (injected iframe) → Exploit server]
Banking Trojan Prevalence in 2013
Source: The State of Financial Trojans 2013 (Symantec)
Zeus C&C Interface: Fraudulent EFTs
New “ZeusVM” Variant (Feb. 2014)
What’s Wrong With This Picture? Hidden Zeus Config File
Image credit: malwarebytes blog
Zeus “webinject”: ATM PIN Phishing
Zeus “webinject”: ATM PIN Phishing
Web Fraud Detection Overview
Web Fraud Detection Techniques
• Device Identification
• GeoLocation
• Webpage Integrity
• User Behavior
• Time Differential Linking
• Proxy Piercing
• Device/User Reputation
• Clickstream Analysis
http://panopticlick.eff.org/
Webpage Integrity Validation
http://www.cs.washington.edu/research/security/web-tripwire.html
Example Fraud Detection JavaScript
Fingerprint.js: Browser Characteristics Checked
Fingerprint Hash Beaconing
Device Fingerprint Execution
Web Tripwire XMLHttpRequest
Web Tripwire Hash Validation
Banking Trojans Circumvent Web Fraud Detection
Updated Zeus “webinjects” Configuration: Removes The Fraud Detection Code
Zeus Strips Fraud Detection JS Code
Zeus Strips Fraud Detection JS Code
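The fingerprint beacon, web-tripwire hash check and Zeus "webinject" strip described on the preceding slides, as an added example that is not code from the deck, from Fingerprint.js or from the web-tripwire project. Everything in it is constructed for illustration: the login page, the navigator-like attributes, the FNV-1a hash standing in for a real digest, and the rule format, which only approximates Zeus's data_before / data_after / data_inject semantics (the text between the two anchors is replaced by the injected content).

```javascript
// Added example, not code from the Trustwave deck or from Fingerprint.js /
// web-tripwire: a minimal tripwire-plus-fingerprint beacon, and a simulated
// Zeus-style webinject that (a) adds an ATM-PIN field to the login form and
// (b) empties the fraud-detection script so no beacon is ever sent.
// All page content, attributes and rules are constructed. Runs under Node.js.

// FNV-1a 32-bit, a small stand-in for the hash a production tripwire would use.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed login page as served by the bank.
const SERVED_HTML = [
  '<form id="login"><input name="user"><input name="pass"></form>',
  '<script id="tripwire">/* fingerprint + integrity beacon */</script>',
].join("\n");

// Hash the bank stores server-side for this page version.
const EXPECTED_HASH = fnv1a(SERVED_HTML);

// Device fingerprint over navigator-like attributes (constructed here; a real
// script reads navigator.userAgent, screen size, plugins, timezone, ...).
function deviceFingerprint(attrs) {
  const canonical = Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canonical);
}

// Approximation of a Zeus webinject rule: the text between data_before and
// data_after is replaced by data_inject; the two anchors themselves stay.
function applyWebinject(html, rule) {
  const b = html.indexOf(rule.data_before);
  if (b < 0) return html; // anchor not present: the rule silently does nothing
  const bodyStart = b + rule.data_before.length;
  const a = html.indexOf(rule.data_after, bodyStart);
  if (a < 0) return html;
  return html.slice(0, bodyStart) + rule.data_inject + html.slice(a);
}

// What the browser does with the page it received: if the tripwire script
// still has a body it "runs" (here: computes the beacon); otherwise nothing.
// A real tripwire re-fetches its own URL via XMLHttpRequest and hashes that.
function runPage(html, attrs) {
  const m = /<script id="tripwire">([\s\S]*?)<\/script>/.exec(html);
  if (!m || m[1].trim() === "") return null; // script removed or emptied
  return { pageHash: fnv1a(html), device: deviceFingerprint(attrs) };
}

// Server side: a login with no beacon is as suspicious as a mismatching
// hash; otherwise emptying the script is a free bypass.
function serverVerdict(beacon) {
  if (beacon === null) return "no-beacon";
  if (beacon.pageHash !== EXPECTED_HASH) return "tampered";
  return "clean";
}

const BROWSER = { ua: "Mozilla/5.0 (constructed)", screen: "1920x1080", tz: "-300" };

// Rule 1: ATM-PIN phishing field added to the form; the tripwire sees it.
const RULE_PIN = {
  data_before: '<input name="pass">',
  data_after: "</form>",
  data_inject: '<input name="atm_pin">',
};
// Rule 2: empty the tripwire script so the beacon never fires.
const RULE_STRIP = {
  data_before: '<script id="tripwire">',
  data_after: "</script>",
  data_inject: "",
};

function demo() {
  const clean = serverVerdict(runPage(SERVED_HTML, BROWSER));
  const pinPhish = serverVerdict(runPage(applyWebinject(SERVED_HTML, RULE_PIN), BROWSER));
  const stripped = serverVerdict(
    runPage(applyWebinject(applyWebinject(SERVED_HTML, RULE_PIN), RULE_STRIP), BROWSER)
  );
  return { clean, pinPhish, stripped };
}

console.log(demo()); // { clean: 'clean', pinPhish: 'tampered', stripped: 'no-beacon' }
```

The third verdict is why the server-side check has to treat a missing beacon, and not only a mismatching hash, as a signal: once the trojan empties the script, nothing on the client ever runs, and the hash comparison never happens.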
Exploit Kit Overview
Exploit Kits
• Serve as malware distribution mechanisms
• MaaS (“Malware as a Service”)
• Provide rich configuration and reporting
© Kahu Security
Exploit Kit Prevalence (Q4 2013)
[Chart; shares paired with kit names in legend order]
• Blackhole 53.8%
• RedKit 33.7%
• Cool 4.2%
• Neutrino 2.7%
• DotCachef 2.7%
• Styx 1.8%
• Whitehole 0.7%
• Bleeding Life 0.2%
• Nuclear 0.2%
• Magnitude 0.1%
Malicious Links
• Cybercriminals inject malicious iframe links into compromised web sites or into malicious web sites
• They then either run phishing campaigns with links to those sites or simply wait for normal web traffic
[Diagram: User → Compromised website (injected iframe) → Exploit server]
Victim Visits Infected Website
Malvertising Infection on Yahoo
© hitmanpro blog
Use of Multiple Vulnerabilities
• Typically attempt to exploit multiple vulnerabilities in different applications
o One vulnerability suffices for infection
Using Obfuscation
• Obfuscation defeats most static analyzers
[Figure: exploit kit code → obfuscation → the same code, obfuscated]
Similarity of Challenges
• Exploit kits: escaping detection
• Web fraud detection: protecting the detection code
Leveraging Cybercriminals’ Tactics: Obfuscation
[Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) facing Cybercriminals (Banking Trojans, Exploit Kits); obfuscation moves from Exploit Kits to Web Fraud Detection]
Using Exploit Kit Obfuscation for Defense
Applying Obfuscation to Defensive Code
• If cybercriminals can protect their code with obfuscation, why can’t legit sites do the same?
Use of Obfuscation for Legit Code
• The idea in general is not new
• Suggested in the past for
o Hindering hacker attacks
o Protecting Intellectual Property (IP)
• Already used by some applications (e.g. Oracle’s Java cryptography code)
• A recent study about “unhackable” obfuscation for legit apps (1)
• Similarly, some bank sites are pure Flash
• Here we discuss using techniques from malicious code
(1) http://www.wired.com/wiredscience/2014/02/cryptography-breakthrough/all/
Using Exploit Kit Obfuscation Code: CryptJS
Using Exploit Kit Obfuscation Code: CryptJS
New Obfuscated HTML
Still Functionally Equivalent Code
Zeus “webinjects” No Longer Work!
January 28, 2014 - SpyEye Creator Arrested
Aleksander Panin SpyEye Malware
Greed Drives Innovation
The Arms Race Continues…
Leveraging Cybercriminals’ Tactics: Obfuscation
[Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) facing Cybercriminals (Banking Trojans, Exploit Kits); the Banking Trojans now respond to the obfuscated Web Fraud Detection code]
New “De-Obfuscation” Flag (O) Added to Zeus
Modified Zeus “httpgrabber” De-Obfuscation Code
Modified Zeus Decodes, Removes and Injects
Leveraging De-obfuscation Algorithms
• De-obfuscation algorithms expose the clear text
• Sometimes they are complicated and dynamic
• Malware authors may come up with more efficient algorithms
• Why not leverage their creativity again?
• We can reverse engineer the malware and identify its de-obfuscation algorithms
• We can then use these de-obfuscation algorithms in security products that scan web pages (SWG, AV, firewall…)
Leveraging Cybercriminals’ Tactics: Obfuscation and De-Obfuscation Reuse
[Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) facing Cybercriminals (Banking Trojans, Exploit Kits); the de-obfuscation routine taken from the Banking Trojans is reused in Secure Web Gateways]
Polymorphic Variable Names: The Lifecycle Continues
[Diagram: Security Vendors (Web Fraud Detection, Secure Web Gateways) facing Cybercriminals (Banking Trojans, Exploit Kits); Web Fraud Detection answers with polymorphic variable names]
Using Polymorphic Variable Names
Using Polymorphic Variable Names
Using Polymorphic Variable Names
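The three moves of the preceding slides in one place: the exploit-kit-style obfuscation applied to the defensive script (slides 39 to 45), the trojan-side de-obfuscation step that a scanner can reuse (slides 50 to 53), and per-response polymorphic identifiers (slides 55 to 58). This is an added example, not the CryptJS code, the modified Zeus "httpgrabber" or any Trustwave code. The fraud-detection snippet, the XOR/hex scheme, the key, the identifier generator and the rule anchors are all constructed; the webinject matcher models only the one property that matters here, that a rule fires when its data_before string is present in the text the trojan inspects.

```javascript
// Added example, not the CryptJS code from the deck nor Zeus's httpgrabber:
// exploit-kit-style XOR/hex obfuscation of a (constructed) fraud-detection
// snippet, a Zeus-like anchor match before and after obfuscation, the
// "O"-flag style decode step reused by a scanner, and polymorphic identifiers
// as the next counter. ASCII input only. Runs under Node.js.

// Constructed fraud-detection snippet; a real one hashes navigator data and
// beacons it. The function name is what a webinject rule would anchor on.
const FRAUD_JS = 'function sendBeacon(h){window.__fp=h;} sendBeacon("abc");';

// Deterministic identifier generator so the example is reproducible; a
// deployment would draw from crypto.randomBytes per response.
function nameGen(seed) {
  let s = seed >>> 0;
  return function next() {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return "_" + s.toString(36);
  };
}

// Polymorphism: rename every identifier in `names` consistently.
function polymorph(code, names, next) {
  let out = code;
  for (const n of names) out = out.replace(new RegExp("\\b" + n + "\\b", "g"), next());
  return out;
}

// Exploit-kit-style obfuscation: XOR with a key, hex-encode, wrap in a decoder
// that evals the result. Decoder variable names come from `next` as well.
function obfuscate(code, key, next) {
  let hex = "";
  for (let i = 0; i < code.length; i++) {
    hex += (code.charCodeAt(i) ^ key.charCodeAt(i % key.length)).toString(16).padStart(2, "0");
  }
  const [d, k, o, n] = [next(), next(), next(), next()];
  return `var ${d}="${hex}",${k}="${key}",${o}="";` +
    `for(var ${n}=0;${n}<${d}.length;${n}+=2)` +
    `${o}+=String.fromCharCode(parseInt(${d}.substr(${n},2),16)^${k}.charCodeAt((${n}/2)%${k}.length));` +
    `eval(${o});`;
}

// Zeus-like matcher: a rule only fires if its data_before anchor is present.
function webinjectMatches(text, dataBefore) {
  return text.includes(dataBefore);
}

// Scanner side (SWG/AV): the decode routine recovered from the malware, written
// against the wrapper's structure rather than its variable names, so renaming
// the decoder does not blind it. Returns the clear text or null.
const WRAPPER_RE = /var \w+="([0-9a-f]+)",\w+="([^"]+)",\w+="";for\(var \w+=0;[\s\S]*?eval\(\w+\);/;
function deobfuscate(text) {
  const m = WRAPPER_RE.exec(text);
  if (!m) return null;
  const [hex, key] = [m[1], m[2]];
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16) ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

function demo() {
  const next = nameGen(42);
  const wrapped = obfuscate(FRAUD_JS, "k3y", next);
  // Browser semantics: the wrapper evals to the same behaviour as FRAUD_JS.
  const fakeWindow = {};
  new Function("window", wrapped)(fakeWindow);
  const polyWrapped = obfuscate(polymorph(FRAUD_JS, ["sendBeacon", "h"], next), "k3y", next);
  return {
    runsEquivalently: fakeWindow.__fp === "abc",
    anchorOnServed: webinjectMatches(FRAUD_JS, "sendBeacon("),        // old Zeus vs. clear page
    anchorOnObfuscated: webinjectMatches(wrapped, "sendBeacon("),      // old Zeus vs. obfuscated page
    anchorAfterDecode: webinjectMatches(deobfuscate(wrapped), "sendBeacon("),     // Zeus with "O" flag
    anchorAfterDecodePoly: webinjectMatches(deobfuscate(polyWrapped), "sendBeacon("), // plus polymorphism
    scannerSeesClearText: deobfuscate(wrapped) === FRAUD_JS,
  };
}

console.log(demo());
```

The four anchor results trace the arms race on the slides: the rule matches the served page, fails against the obfuscated page, matches again once the trojan decodes first, and fails again when the decoded script no longer contains a stable name. The scanner keeps seeing clear text throughout because its decoder keys on the wrapper's shape, not on identifiers; a defender who wants the scanner to keep working while the trojan does not has to vary more than names, which is the "iterative process" of the summary.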
Summary
• In addition to fighting cybercriminals’ techniques, security vendors can also leverage them in some cases for better protection
• Algorithms from one cyber gang can be used to protect against malware from another gang
• It is an iterative process
• More research is welcome
– Identifying other similar scenarios
– Considering the ethical and legal aspects of this concept
Acknowledgments
• We would like to thank fellow SpiderLabs researchers who helped with developing the demos
– Daniel Chechik
– Felipe Zimmerle Costa