Wednesday 4 October 15:00 - 15:30, Red room
Peter Kálnai (ESET)
Michal Poslušný (ESET)
With the ever-increasing use of banking-related services on the web, browsers have naturally drawn the attention of malware authors. They express an interest in adjusting the behaviour of the browsers for their purposes, namely intercepting the content of web forms, modifying server responses manifested as webinjects, and confirming validity of spoofed SSL certificates. These goals are usually achieved by placing malicious code at certain addresses within a browser process.
It has been more than seven years now since the infamous Zeus bot first successfully took advantage of Mozilla Firefox by hooking specific exported functions, and the very same approach has been widely used by others ever since. Moving to Microsoft Edge, the developers have made their best attempt to mitigate arbitrary code execution, using technologies like Control Guard Integrity (CGI) and Arbitrary Code Guard (ACG), but the focus is on stopping exploitation of the browser itself, rather than preventing execution of injected code delivered by a remote malicious process. Finally, cybercrooks seem to have the greatest trouble adapting their hooks in Google Chrome. Though it might not have been the primary intent of the developers, the custom implementation of the SSL functionality has resulted in a cat-and-mouse game thanks to the fact that the attack points are unexported and change regularly.
In our session we will guide the audience through an overview of the techniques used by major banking trojans in the wild. We are pleased to see that the ease of implementing hijacking methods is decreasing, and that attackers are under constant pressure to adopt changes. Moreover, security solutions offer various browser protections that work very well against existing methods. How do they handle that? Wouldn't it be great to see the mitigation in the first possible layer? We consider this as a topic for discussion. As a side result, we also transform our collected knowledge into a plug-in for the Volatility Framework that extends the functionality of apihooks within the scope of browsers.
Peter Kálnai is a malware researcher at ESET. He realizes that mastering the art of reverse engineering is a lifelong project. He is interested in discovering and extending the features of Volatility Framework. He has actively participated in international conferences including Virus Bulletin, RSA Conference, CARO Workshop, Botconf, AVAR and cyberCentral. In his free time he enjoys table football and playing indie games on his mobile phone.
Michal Poslušný is a malware analyst working at ESET, where he is mainly responsible for reverse engineering of complex malware threats. He also works on developing various internal projects and tools and is a co-author of ESET's CrackMe used for hiring new talents. In his free time he likes to play online games, develop fun projects and spend time with family.
Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)
Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…
John Graham-Cumming (Cloudflare)
In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…
Tiberius Axinte (Bitdefender)
This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…