Attack points in browsers still abused by banking trojans

Wednesday 4 October 15:00 - 15:30, Red room

Peter Kalnai (ESET)
Michal Poslusny (ESET)



With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They express an interest in adjusting the behaviour of the browsers for their purposes, namely intercepting the content of web forms, modifying server responses manifested as webinjects, and confirming validity of spoofed SSL certificates. These goals are usually achieved by placing malicious code at certain addresses within a browser process.

It has been more than seven years now since the infamous Zeus bot first successfully took advantage of Mozilla Firefox by hooking specific exported functions, and the very same approach has been widely used by others ever since. Moving to Microsoft Edge, the developers have made their best attempt to mitigate arbitrary code execution, using technologies like Control Guard Integrity (CGI) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execution of injected code delivered by a remote malicious process. Finally, cybercrooks seem to have the greatest trouble adapting their hooks in Google Chrome. Though it might not have been the primary intent of the developers, the custom implementation of the SSL functionality has resulted in a cat-and-mouse game thanks to the fact that the attack points are unexported and change regularly.

In our session we will guide the audience through an overview of the techniques used by major banking trojans in the wild. We are pleased to see that the ease of implementing hijacking methods is decreasing, and that attackers are under constant pressure to adopt changes. Moreover, security solutions offer various browser protections that work very well against existing methods. How do they handle that? Wouldn't it be great to see the mitigation in the first possible layer? We consider this as a topic for discussion. As a side result, we also transform our collected knowledge into a plug-in for the Volatility Framework that extends the functionality of apihooks within the scope of browsers.



Register.jpg

VB2017 OVERVIEW

CALL FOR LAST-MINUTE PAPERS

WHY ATTEND

SPEAKERS

PROGRAMME

REGISTER NOW!

VENUE

BOOK HOTEL

VB2017 DRINKS RECEPTION

VB2017 FOOSBALL TOURNAMENT

2017 PÉTER SZŐR AWARD


Other VB2017 papers

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…