
Learning from the bad guys is learning from the best

A practical overview on how the bad guys adopt and circumvent security initiatives. Learning from the bad guys is learning from the best. Alex Shipp Imagineer. Commercial – in - Confidence. Zeus. One of the most successful rootkits Features





Presentation Transcript


  1. A practical overview on how the bad guys adopt and circumvent security initiatives Learning from the bad guys is learning from the best • Alex Shipp • Imagineer Commercial-in-Confidence

  2. Zeus • One of the most successful rootkits • Features • It steals user private and confidential information (form grabber) • can inject arbitrary HTML code into any website (also encrypted websites) • can steal certificates • will take screenshots to defeat virtual keyboards • backconnect feature (SOCKS, BackConnect, VNC) • Everything is encrypted

  3. Zeus v2.0 • Enhanced Zeus v2 core engine • Able to infect Mozilla Firefox • Able to infect Windows Vista and Windows 7 • They do everything in user-mode (!) • New Encryption method • Details in the TrustDefender Labs report

  4. Zeus plugins • Zeus supports a plugin style infrastructure • New BackConnect mechanism • E.g. Real-time notification via IM once a victim is online • SOCKS / VNC works even behind NAT • Extensive Javascript engine that can be plugged into Zeus v1 or Zeus v2

  5. Javascript Engine • Dramatically increased functionality with javascript code where they can • harvest any challenge/response and/or token values in real-time and in a more interactive way. • Allows bypass of nearly all challenge mechanisms • (e.g. SMS/email/VRU OOB, token, secret questions/answers, elaborate challenge/response)

  6. JavaScript Engine • Observations • No “static” HTML injections anymore • Nothing happens until after the login • Dynamic connection to C&C server • Send/receive data within one webpage • Transparent to the web browser • Dynamic content delivery • E.g. after compromise, they return a “24h maintenance” page • But let’s have a look

  7. Login page (unmodified)

  8. Account verification

  9. Cover your tracks

  10. WesCorp login

  11. Ok, I have to use the token (nothing unusual)

  12. Authorizing... (60 down to 0)

  13. Oops... timeout

  14. After restart, the machine is gone

  15. JavaScript Engine • As well as manipulating user-supplied content, they can also access system-supplied content. • Bad news if you “encrypt” the password on the client side • Zeus can just inject code into your JavaScript files (!)

  16. Javascript Engine • Watch the download of the loginPin.js • And once it’s downloaded...

  17. Completely transparent

  18. Device fingerprinting won’t help • BackConnect feature via SOCKS or VNC • Undermines any device fingerprinting

  19. How is Zeus distributed? • Drive-by attacks • PDF, Flash or any other software • Phishing attacks • Heavily geo-based distribution • This is done via a Flash object that calls URLMON.DLL.URLDownloadToFileA to save http://<<hostname>>/l.php?i=18 locally to pdfupd.exe and then execute it with WinExec • More details in the next TrustDefender Labs Report
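A defender-side check for the distribution chain on this slide (an added example, not code from the presentation or from TrustDefender): it correlates a URLDownloadToFileA call with a later WinExec of the same file by the same browser process. The telemetry record shape, the process-name set and the sample events are constructed for the example; the hostname is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry shape (hypothetical; not any real product's schema):
# one record per API call intercepted by an endpoint sensor.
@dataclass
class ApiEvent:
    ts: datetime
    pid: int
    process: str   # image name of the calling process
    api: str       # e.g. "URLDownloadToFileA" or "WinExec"
    args: dict     # named parameters of the call

# Assumption for this example: browser/plugin hosts that should never
# download a file and then execute it themselves moments later.
BROWSER_HOSTS = {"iexplore.exe", "firefox.exe", "plugin-container.exe"}
WINDOW = timedelta(seconds=60)

def exe_from_cmdline(cmdline: str) -> str:
    """First token of a WinExec command line, quotes stripped, lower-cased."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split()[0].lower()

def find_download_execute_chains(events, window=WINDOW):
    """Pair each URLDownloadToFileA call with a later WinExec of the file it
    wrote, issued by the same browser-host process within `window`.
    Returns a list of (download_event, exec_event) tuples."""
    downloads = {}  # (pid, lower-cased local path) -> download event
    chains = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.api == "URLDownloadToFileA":
            downloads[(ev.pid, ev.args["szFileName"].lower())] = ev
        elif ev.api == "WinExec" and ev.process.lower() in BROWSER_HOSTS:
            dl = downloads.get((ev.pid, exe_from_cmdline(ev.args["lpCmdLine"])))
            if dl is not None and ev.ts - dl.ts <= window:
                chains.append((dl, ev))
    return chains

# Constructed sample: the slide's chain (hostname is a placeholder) plus a
# benign download by an updater process that never executes the file.
T0 = datetime(2010, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    ApiEvent(T0, 4120, "iexplore.exe", "URLDownloadToFileA",
             {"szURL": "http://EXAMPLE-HOST/l.php?i=18", "szFileName": r"C:\Temp\pdfupd.exe"}),
    ApiEvent(T0 + timedelta(seconds=3), 4120, "iexplore.exe", "WinExec",
             {"lpCmdLine": r'"C:\Temp\pdfupd.exe"', "uCmdShow": 0}),
    ApiEvent(T0 + timedelta(seconds=10), 900, "updater.exe", "URLDownloadToFileA",
             {"szURL": "https://updates.example/patch.msi", "szFileName": r"C:\ProgramData\patch.msi"}),
]
```

Running `find_download_execute_chains(SAMPLE_EVENTS)` returns only the iexplore.exe pair; the updater download has no matching execution and is ignored.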

  20. What is mebroot doing? • Mebroot is by far the most successful rootkit that is able to stay under the radar • Technically sophisticated, but also very clever • We know that they could infect many more machines, but don’t do so • Bad news: They have a comprehensive JavaScript engine as well • However, not used yet (AFAWK)

  21. What is mebroot doing? • Sizzler CSS Selector Engine • If it looks scary, it is scary • Watch out for simple device authentication

  22. Phishing with transactional 2FA • Phishing still works (!) • Real-world example • Bank uses transactional 2FA hardware tokens • Phishing site asks for login credentials + private phone number • Fraudsters ring the customer, tell him that his account has been compromised (which is true!) and tell him that, in order to get it reconnected, he should enter the following number into his token and confirm the reply!

  23. TrustDefender Labs • ... is the R&D arm of TrustDefender • TrustDefender is an online-transaction security solution providing • Real-time customer endpoint risk-assessment & protection for online transactions • More info • http://www.trustdefender.com/blog

  24. Questions? • Bad guys adopt heavily • Protect all parts of the chain. • If one breaks, the chain is broken
