How to Stop Man in the Browser Attacks
-
Upload
imperva -
Category
Technology
-
view
1.725 -
download
3
description
Transcript of How to Stop Man in the Browser Attacks
Stopping Fraud – Getting Rid of the Man in Your Browser
Rob Rachwald, Director of Security Strategy Noa Bar-Yosef, Sr. Security Strategist
Agenda
Motivation Problem Definition Shape Based Tests Content Based Tests Overall Solution Strategy Summary
Today’s Presenter Rob Rachwald, Dir. of Security Strategy, Imperva
Research + Directs security strategy + Works with the Imperva Application Defense Center
Security experience + Fortify Software and Coverity + Helped secure Intel’s supply chain software + Extensive international experience in Japan, China, France, and
Australia
Thought leadership + Presented at RSA, InfoSec, OWASP, ISACA + Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
Graduated from University of California, Berkeley
Today’s Presenter Noa Bar-Yosef, Senior Security Strategist, Imperva
Research + Researches trends in the threat landscape
Security experience + Previously, held the position of Sr. Security
Researcher for Imperva’s Application Defense Center
+ Credited for multiple commercial applications’ vulnerabilities
+ Holds a Master’s thesis specializing in Information Security
Thought leadership + Writes a bi-weekly column on hacker trends and
techniques for SecurityWeek
Motivation
Client Side Attacks - Scope of Problem Major Attack Vectors
Client Side Attacks - Scope of Problem Major Attack Vectors
Exploiting Browser Code Vulnerabilities • Expected to rise with the introduction of HTML5
Exploiting Browser Plug-ins • E.g. Java, Flash, PDF, Media Player
Exploiting OS libraries • E.g. Graphics rendering
Client Side Attacks - Scope of Problem 2010 Vulnerability Figures
Client side
• 77 IE vulnerabilities, 106 Firefox vulnerabilities, 188 Chrome vulnerabilities
• 73 Adobe Flash, 9 Adobe Reader related vulnerabilities
• 72 Various ActiveX related vulnerabilities
Server side
• Only 36 vulnerabilities across IIS, Apache and Tomcat
Client Side Attacks - Scope of Problem Malware Distribution Methods
Drive-By-Download / Malvertizing
Phishing, “Spear Phishing”
Torrent and P2P
Physical
Client Side Attacks - Scope of Problem 2010 Attack Figures
A 2010 report by Kaspersky + ~600M attempts reported to KSN, more than 5 times increase
over 2009
Microsoft detects 60K-100K Zeus-infected machine per month
2010 1H – Microsoft cleaned 6.5M bot infections Rustock spanned 1M computers
Consumers cannot be expected to cope with the technical
problem on their own
From Consumer Attack to a Business Problem
The threat to consumers is
constantly growing •Number of vulnerabilities
•Number of attacks •Types of attacks •Sophistication
Usage is expanding beyond banking and
popular retail applications
We are passed the point of no return •We cannot expect average consumers to avoid infection and mitigate attacks alone
•We cannot deny service to infected consumers
•We cannot let the consumer bear the consequences of a compromise
From Consumer Attack to a Business Problem
Potential consequences (of failing to do so): + Reduced onboarding rate + Reduced activity + Increased refunds + Increased insurance rates
Consumer facing malware threatens online commerce*
Forrester Feb 2011: Malware And Trojans And Bots, Oh My!
From Consumer Attack to a Business Problem
Car User Safety
Online User Safety
Problem Definition
Client Side Trouble – Types of Interaction
• No interaction between malware and application
• Offline interaction between attacker and application using stolen credentials
Key loggers
Client Side Trouble – Types of Interaction
• Some interaction between browser and actual application during attack • Could be used for detection of some
Phishing campaigns • Offline interaction between attacker
and application using stolen credentials
Phishing
Client Side Trouble – Types of Interaction
• Extensive interaction between malware and application during attack
• Offline interaction between attacker and application using stolen credentials
Man in the
Browser
Attacker code runs in context of victim’s browser Original motivation
+ No need to attack infrastructure (DNS, tap into router, etc.) + Defeats SSL
Additional benefits + Access to local resources + Access to application session data
Prominent Actors + ZeuS, Gozi, URLZone, Sinowal, Limbo, and SpyEye + Silentbanker
Man in the Browser Attacks (aka Proxy Trojan)
MitB Attacks - Proxy Trojans in Action
Before After
MitB Attacks - Proxy Trojans in Action
Before After
MitB Attacks - Proxy Trojans in Action
Before After
Proxy Trojan Architecture
Client Machine Web Application
Proxy Trojan Architecture
Client Machine Web Application
Tamper Request
Tamper Page
Extract Data
Inject Fake Transaction
Drop Server
Shape Based Tests
A Typical Change by a Trojan
Clean Infected
Observation: Trojan likes to tamper with plain traffic
Observing Typical Changes by Trojans
• Enforces use of traffic that is easily tampered by the Trojan
• Avoids HTTP/1.1 connections, and compressed data
Encoding of Related Headers
• Ensures identification by the drop server and other attacker controlled components
Client Type Identification
• Extra data provided by an unfortunate victim • Could represent client identification for attacker
controlled components
Additional Parameters
• A consequence of fake transactions Parameter Order
Shape Based Tests
• The application (or a device protecting the application) inspects the shape of incoming messages for changes typical to Trojans
Step 1:
• If a Trojan pattern is detected mark the client (IP address / session / request) as “infected”
Step 2:
Shape Based Tests in Action
Client Machine Web Application
Tamper Request
Tamper Page
Extract Data
Inject Fake Transaction
Drop Server
Apply Shape Tests
Apply Shape Tests
Challenges – Tracking Trojan Discrepancies
• Each Trojan may display a different change • Changes may be reflected in specific request types
• Need to keep track of Trojans • Create a framework for shape based rules • Create a framework for constructing shape tests
Challenges – Avoiding False Positives
• Some real client devices do not support (or choose not to support) HTTP/1.1 or compressed data
Challenge:
• Engage the browser in a challenge response protocol
Solution:
Challenges – Avoiding False Positives
HTTP/1.1 200 OK . . . Content-Encoding: gzip Refresh: 2;url=infection_test.html?infected=no <html> <head> <script>window.navigate('infection_test.html?infected=yes')</script> </head> <body></body> </html>
...........V*//W...Qzi...I...z...J:`.......T$......d.y.%@.^f.R,...(..y.:.J....9.V......%%[email protected]...%6....
Content Based Tests
Observing Content-Tampering Trojans
• Current malware tampers HTML at the network layer (before it is interpreted by browser)
• This is due to simplicity and robustness considerations
Observation:
• Use client side code to verify integrity of HTML page content in coordination with the server
Solution:
OK Solution: Altering the Trojan Behavior
• Step 1: “Provoke” the MitB into making changes • Step 2: Compare the HTML content to known Trojan
behaviors
Naïve Solution
• MitB can be configured to avoid this type of manipulation • Solution requires constant chase after MitB configuration
files Requires constructing an up-to-date database of “known
behaviors”
Challenges
Better Solution: Content-Based Tests
•Server computes a digest of the delivered HTML page Random (invisible) elements are injected into the page before computation
Step 1:
• Server appends a page digest computation function to the HTML page Computation function code includes a random salt
Step 2:
•When page is loaded into the browser, the computation function is invoked, computes the digest and sends it to the server for verification
Step 3:
• If the browser does not send back a digest then infection is assumed
Step 4:
Content Based Tests in Action
Client Machine Web Application
Tamper Request
Tamper Page
Extract Data
Inject Fake Transaction
Drop Server
Compare Digests
Compute Digest and Inject Digest Computation Function
Compute Digest
Content-Based Tests: Strengths
1) Digest cannot be pre-computed by malware due to the random HTML elements
2) Digest cannot be computed by malware without executing the digest computation function + Requires malware to implement / invoke Javascript engine
3) Computation function can be extended to explicitly reference the randomly injected HTML elements through DOM functions + Requires the malware to implement / fake DOM
4) Malware cannot dismiss test
Content-Based Tests: Strengths
5) Does not depend on specific MitB configuration and the expected changes + Only depends on protected application page + Some configuration options should be available to restrict the
parts of the page that are digested – Avoid elements produced by client side code
6) Breaking the tie with attackers + Complexity of the computation process can be increased with
small effort + Resulting changes to malware code are complex and painful,
increasing its footprint
Overall Solution Strategy
Look at the Complete Picture
Apply shape based tests…
… And content-based tests
Interact with Infected Clients
Provide clear visual warnings
Contact customer offline
Apply business access policies • Example 1: Allow data extraction but deny transaction • Example 2: Limit transaction size
Automatically employ extra validation through side channels • Adaptive authentication
Keep a more comprehensive audit trail for the user / session
MitB is Only Part of the Landscape
• Server side fraud detection • Device profiling and reputation • Advanced authentication
Identifying account takeover
• Detect and takedown campaigns • Detect victims in real time
Defeat phishing campaigns
Requires a Flexible Deployment Framework
Cannot change application code whenever capabilities change or threats morph
Create consistency across all applications and flexibility in choosing vendors
Be able to protect legacy applications
Summary
Summary
Threat to consumer is constantly growing and is past the point where we can expect most of our consumers to avoid infection
Consumer infection has become a business problem While providers should urge consumers to be prudent
they MUST learn how to interact with infected consumers and create a safe business environment for them regardless of the general threat
Some car safety mechanisms are already regulated. We can expect the same from business IT security
Summary
Enterprise IT is failing to properly tackle client based attacks within enterprise
The growing number of so called “APT” attacks on organizations demonstrate the effect of “compromised insider”
Failures stem from the same reason: try to avoid infection rather than learn to interact with infected clients
Imperva’s Fraud Solution
SecureSphere 9.0 - Fraud Prevention Services
Is this endpoint safe?
Pass / Block
SecureSphere integrates with Trusteer to detect users infected with malware like SpyEye, Zeus, Gozi & Silon
1. User accesses Website
2. SecureSphere redirects browser to Trusteer
3. Browser downloads, runs malware check
4. Result reaches WAF for analysis
Use Case: Man in the Browser – Fraud Malware
Challenge + Fraud malware performing activities on behalf of
customers, causing money losses & customers dissatisfaction
+ FFIEC compliance requirements
Solution + Detect infected end-devices + Block sensitive areas in the application from infected
devices + Report on users connected from infected end-devices
49
ThreatRadar Fraud Prevention Stopping MitB
SecureSphere provides full event detail to analyze Man in the Browser (MitB) attacks
Centrally Manage Fraud and Web Security
SecureSphere Policy Engine
Known Attack Sources
Bot Detection Web Attack
Detection
Geolocation
User Infected with Malware
Browser and Agent
Combining Web fraud with WAF policies enhances accuracy of fraud detection
User Name
Webinar Materials
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link Webinar Slides
Get LinkedIn to Imperva Data Security Direct for…
www.imperva.com
- CONFIDENTIAL -