Browser attack points still abused by banking trojans

Wednesday 4 October 15:00 - 15:30, Red room

Peter Kálnai (ESET)
Michal Poslušný (ESET)

With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They express an interest in adjusting the behaviour of the browsers for their purposes, namely intercepting the content of web forms, modifying server responses manifested as webinjects, and confirming validity of spoofed SSL certificates. These goals are usually achieved by placing malicious code at certain addresses within a browser process.

It has been more than seven years now since the infamous Zeus bot first successfully took advantage of Mozilla Firefox by hooking specific exported functions, and the very same approach has been widely used by others ever since. Moving to Microsoft Edge, the developers have made their best attempt to mitigate arbitrary code execution, using technologies like Control Guard Integrity (CGI) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execution of injected code delivered by a remote malicious process. Finally, cybercrooks seem to have the greatest trouble adapting their hooks in Google Chrome. Though it might not have been the primary intent of the developers, the custom implementation of the SSL functionality has resulted in a cat-and-mouse game thanks to the fact that the attack points are unexported and change regularly.

In our session we will guide the audience through an overview of the techniques used by major banking trojans in the wild. We are pleased to see that the ease of implementing hijacking methods is decreasing, and that attackers are under constant pressure to adopt changes. Moreover, security solutions offer various browser protections that work very well against existing methods. How do they handle that? Wouldn't it be great to see the mitigation in the first possible layer? We consider this as a topic for discussion. As a side result, we also transform our collected knowledge into a plug-in for the Volatility Framework that extends the functionality of apihooks within the scope of browsers.




Peter Kálnai

Peter Kálnai is a malware researcher at ESET. He realizes that mastering the art of reverse engineering is a lifelong project. He is interested in discovering and extending the features of Volatility Framework. He has actively participated in international conferences including Virus Bulletin, RSA Conference, CARO Workshop, Botconf, AVAR and cyberCentral. In his free time he enjoys table football and playing indie games on his mobile phone.




Michal Poslušný

Michal Poslušný is a malware analyst working at ESET, where he is mainly responsible for reverse engineering of complex malware threats. He also works on developing various internal projects and tools and is a co-author of ESET's CrackMe used for hiring new talents. In his free time he likes to play online games, develop fun projects and spend time with family.

   Download slides    Read paper    Watch video






Other VB2017 papers

XAgent: APT28 cyber espionage on macOS

Tiberius Axinte (Bitdefender)

This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.