Learning from the bad guys is learning from the best
A practical overview of how the bad guys adapt to and circumvent security initiatives
Commercial-in-Confidence
Alex Shipp, Imagineer
Zeus
One of the most successful rootkits
Features:
- Steals user private and confidential information (form grabber)
- Can inject arbitrary HTML code into any website (also encrypted/HTTPS websites)
- Can steal certificates
- Takes screenshots to defeat virtual keyboards
- Backconnect feature (SOCKS, BackConnect, VNC)
- Everything is encrypted
Zeus v2.0
- Enhanced Zeus v2 core engine
- Able to infect Mozilla Firefox
- Able to infect Windows Vista and Windows 7
- They do everything in user-mode (!)
- New encryption method
- Details in the TrustDefender Labs report
Zeus plugins
- Zeus supports a plugin-style infrastructure
- New BackConnect mechanism
  - E.g. real-time notification via IM once a victim is online
  - SOCKS / VNC works even behind NAT
- Extensive JavaScript engine that can be plugged into Zeus v1 or Zeus v2
JavaScript Engine
- Dramatically increased functionality: with JavaScript code they can harvest any challenge/response and/or token values in real time and in a more interactive way.
- Allows bypass of nearly all challenge mechanisms (e.g. SMS/email/VRU out-of-band (OOB), token, secret questions/answers, elaborate challenge/response)
JavaScript Engine
Observations:
- No "static" HTML injections anymore
- Nothing happens until after the login
- Dynamic connection to the C&C server
  - Send/receive data within one web page
  - Transparent to the web browser
- Dynamic content delivery
  - E.g. after compromise, they return a "24h maintenance" page
But let's have a look
Login page (unmodified)
Account verification
Cover your tracks
WesCorp login
OK, I have to use the token (nothing unusual)
Authorizing... (60 down to 0)
Oops... timeout
After restart, the machine is gone
JavaScript Engine
- As well as manipulating user-supplied content, they can also access system-supplied content.
- Bad news if you "encrypt" the password on the client side: Zeus can just inject code into your JavaScript files (!)
JavaScript Engine
- Watch the download of loginPin.js
- And once it's downloaded...
Completely transparent
Device fingerprinting won't help
- BackConnect feature via SOCKS or VNC
- Undermines any device fingerprinting
How is Zeus distributed?
- Drive-by attacks (PDF, Flash or any other software)
- Phishing attacks
- Heavily geo-based distribution
- This is done via a Flash object that calls URLMON.DLL's URLDownloadToFileA to save http://<<hostname>>/l.php?i=18 locally as pdfupd.exe and then executes it with WinExec
- More details in the next TrustDefender Labs report
What is Mebroot doing?
- Mebroot is by far the most successful rootkit that is able to stay under the radar
- Technically sophisticated, but also very clever: we know that they could infect many more machines, but don't do so
- Bad news: they have a comprehensive JavaScript engine as well; however, it is not used yet (AFAWK, as far as we know)
What is Mebroot doing?
- Sizzler CSS Selector Engine
- If it looks scary, it is scary
- Watch out for simple device authentication
Phishing with transactional 2FA
- Phishing still works (!) Real-world example:
- Bank uses transactional 2FA hardware tokens
- Phishing site asks for login credentials + private phone number
- Fraudsters ring the customer and tell him that his account got compromised (which is true!) and that in order to get it reconnected, he should enter the following number into his token and confirm the reply!
TrustDefender Labs
- ... is the R&D arm of TrustDefender
- TrustDefender is an online-transaction security solution providing real-time customer endpoint risk assessment & protection for online transactions
- More info: http://www.trustdefender.com/blog
- Bad guys adapt heavily
- Protect all parts of the chain. If one breaks, the chain is broken
Questions?