The art of stealing banking information – form grabbing on fire

2011-11-01

Aditya K. Sood

Michigan State University, USA

Richard J. Enbody

Michigan State University, USA

Rohit Bansal

SecNiche Security, USA
Editor: Helen Martin

Abstract

Botnets such as Zeus, SpyEye and others use the effective technique of form grabbing to steal sensitive information from victims’ machines. Aditya Sood and his colleagues take a detailed look at the form-grabbing technique.


Third generation banking botnets pose a great threat to the online banking industry. Botnets such as Zeus, SpyEye and others use the effective technique of form grabbing to steal sensitive information from victims’ machines. This paper takes a detailed look at the form-grabbing technique.

Information stealing

Third generation botnets such as Zeus and SpyEye exploit their victims’ user sessions with banking websites in order to steal financial information. There are a number of different information-stealing techniques available:

  • Keylogging is an established technique in which all the keystrokes on a victim’s machine are captured and sent back to the C&C server for analysis, and the desired information is extracted from the keystroke logs. This technique captures all types of data including keystrokes such as white space and backslashes. From an attacker’s perspective, the technique works well in certain scenarios, but in a distributed infection environment the enormous amount of data generated can be overwhelming. In addition, defensive strategies such as the use of virtual keyboards have been developed to hide critical information from keyloggers.

  • Screen scraping (aka screen shot capturing) is another technique that is used extensively. Here, the bot is able to take a screenshot of the victim’s machine when a particular key is pressed and send this to the attacker’s server. This technique can circumvent virtual keyboard technology. Screen scraping generates huge data sets and significant effort is required to extract the desired information. In spite of the extra effort required, this technique has been deployed successfully as part of botnet functionalities.

  • Browser protected storage is a built-in browser storage mechanism which stores user credentials as part of the browser’s form auto-complete feature. A botnet can extract information such as login credentials, SSL certificates and other user preferences. Successful use of this technique depends on the user having selected the ‘Remember my password’ option, or the option being on by default.

  • Redirection through phishing and pharming is a technique that redirects the victim’s browser to a malicious domain when the user clicks a certain link. This technique is not limited to phishing emails. Malware installed on the victim’s machine can independently inject location headers in responses to redirect the browser to a malware-driven website. Other similar sets of attacks such as cross site scripting (XSS) or header spoofing can be used to support this technique.

  • Form grabbing is currently one of the most widely used methods for stealing information and specifically targets the information entered into web forms. Third generation botnets use this technique to extract information from a victim’s browser when the victim has an active session with a banking website. A detailed explanation of form grabbing follows in the next section.

Every method currently employed by botnets for stealing information in browsers has both advantages and disadvantages depending on the environment in which it is implemented. Currently, form grabbing is the most widely used and most profitable method of extracting information.

Form grabbing and man-in-the-browser (MITB) anatomy

Form grabbing has proven to be a very effective technique for stealing information. One valuable aspect of the technique is that information is extracted from forms, so it is very easy to identify desirable information such as account details and passwords. This technique has been put into practice to bypass several browser protection mechanisms. The basic idea is to intercept form information before it is sent to the Internet – the GET/POST data. Form grabbing uses two basic methods to steal the information:

  • All the GET/POST data is sniffed from the outgoing data using PCAP (Packet Capture). However, this technique only works for unencrypted communication (i.e. it doesn’t work if SSL/TLS is implemented over HTTP).

  • Robust form grabbing uses hooking. In this approach, malware residing on the victim’s machine hooks the browser’s Dynamic Link Libraries (DLLs) in order to steal the content before it is sent to the server. If done correctly, the content can be stolen before it is encrypted. This theft can be accomplished by a variety of hooking mechanisms – a malicious browser add-on is one example.

Within browser exploitation, form grabbing can occur as part of a man-in-the-browser (MITB) attack [1], [2]. In this type of attack, malware installed on the system can modify web pages and perform illegitimate operations on behalf of the user. All the malware classes as described in our Browser Malware Taxonomy (BMT) [3] can execute this type of attack. Since the MITB malware resides on the victim’s machine and does not interact with traffic on the wire, this type of attack is effective even if SSL/TLS or two-factor authentication is enforced. A MITB attack can be deployed in a variety of environments depending on the browser behaviour. MITB is very robust.

Life cycle – form-grabbing technique

In order to implement form grabbing effectively, the following cycle of activities must be maintained:

  • A victim must be lured into visiting a malicious domain configured with malware. As soon as the victim’s browser opens the infected website, a drive-by download exploits a vulnerability in the browser to drop malware onto the victim’s system. The malware could be a bot which is designed to conduct a MITB attack to allow form grabbing.

  • Once the downloaded malware (bot) is installed on the victim’s machine it automatically hooks the browser’s DLL. A variety of hooking techniques can be applied such as inline hooking, Import Address Table (IAT) hooking [4] or the Create Remote Thread (CRT) method. Generally, browser hooking is done in user mode.

  • Form grabbing controls the ingress and egress browser traffic to and from the victim’s browser. Generally, the malware captures all the GET/POST data present in web forms and sends it back to the attacker’s domain. Form grabbing provides the attacker with legitimate credentials, IP address and target website address. The technique differs from keylogging in that form data is labelled so the desired data is readily available.

Exploiting hot patching – DLL injection and hooking

Attackers prefer inline hooking. Import Address Table (IAT) hooking is less desirable because it requires binding time when the API is called. With inline hooking the designed hook replaces (overwrites) the first two to three bytes of data with a legitimate JMP instruction to redirect the code flow. This technique is quite robust, and can be used in either kernel land or user land. For example, the Zeus and SpyEye bots are ring 3 malware, which means that the hooks execute in user land rather than kernel land. Inline hooking, also known as hot patching, is a process in which a vulnerable function is patched with a hot-fix function during runtime by overwriting the function’s prolog. Consider the function prolog as presented in Listing 1:

MOV  EDI, EDI
PUSH EBP
MOV  EBP, ESP

Listing 1: Function prolog with hot patching instruction.

In Listing 1, PUSH EBP and MOV EBP/ESP is the generic code for every function prolog which establishes a stack frame pointer to the base register. The MOV EDI, EDI instruction is a two-byte NOP instruction provided by Microsoft in certain versions of Windows such as XP SP2, which enables hot patching. It means it is possible to replace the MOV EDI, EDI instruction or overwrite it with other code when the target function is hooked by the malware. Possible overwrites include a short jump to a long jump instruction that jumps to attacker-defined code. This process does not require a system reboot but is executed silently.

An alternative to inline hooking is the CreateRemoteThread hooking technique. For example, in Internet Explorer the wininet.dll library is loaded in order to hook the HttpSendRequestA function using CreateRemoteThread.

The prototype presented in Listing 2 can be used to handle the data in GET/POST requests in Internet Explorer. We need to find the address of WININT DLL using LoadLibrary, which is mostly loaded at the same address for every process in any particular version of Windows. The CreateToolhelp32Snapshot function is applied to take a snapshot of the required process and its memory structures such as heaps, modules and respective threads that are used by a specified process. The GetProcAddress function is called to load the address of the imported function from a particular library (in this case wininet.dll). The Process32 function is invoked to retrieve the information about the next process recorded in the system snapshot using CreateToolhelp32Snapshot. After this step, the target process is opened using the OpenProcess function (with full privileges) and VirtualAllocEx is used to allocate memory to hold the path to the DLL file (injected data) in the process’s memory. Once the required memory is allocated, the WriteProcessMemory function is called to write the path to the target DLL (wininet.dll) in the specified location. In the final step, CreateRemoteThread is used to create a remote thread in the address space of iexplorer.exe in order to perform the hooking during runtime. As the HttpSendRequestA function is hooked in wininet.dll, the data is sent back to the attacker’s domain.

# Include requisite libraries for importing functions.
#include< *.h> [*= required libraries ]

# Declaring a function for injecting data
typedef struct {
DWORD *HttpSend;
} Inject_Data;
int Inject(Inject_Data *hooked);

# Defining the main routine of the code 
int main()
{
# Declare browser DLL�s as name as variables to be called in the code
        Inject_Data Data;
        LPVOID memory;
        HANDLE remoteThread;
        LPCSTR kernel_dll = <DLL Name>;
        LPCSTR  winint_dll = <DLL Name>;
 
# Creating a snapshot of the process
        HANDLE handle = CreateToolhelp32Snapshot();
        PROCESSENTRY32 ProcessInfo;
        ProcessInfo.dwSize = sizeof(PROCESSENTRY32);

# Calling Load Library and GetProcAddress function
        LoadLibrary();
        hooked.HttpSend = (DWORD*)GetProcAddress(GetModuleHandle(Winnit),�HttpSendRequestA�);
        Process32First();

# Start iteration 
        while(Process32Next())
        {
# Open the target process
                handle = OpenProcess();

# Allocate memory and then write memory
                memory = VirtualAllocEx();
                WriteProcessMemory();
                
# Create remote thread in the target process
                remoteThread = CreateRemoteThread();
                WaitForSingleObject();
                loseHandle(handle);
        }
        return 0;
}
 
Listing 2: Prototype for hooking wininet.dll. (Note: All the required arguments and values required 
to run this code have been removed explicitly.)

Form grabber – case study

The form-grabbing module depends a lot on the browser type because of architectural differences and the way DLLs work. The attacker can design the form-grabber plug-in to steal data from the victim’s machine and send it back to the attacker’s domain via an email using socket functions. To determine the data exfiltration mechanisms we analysed an independent form-grabbing module which is used by some malware. This module is similar to the form grabber used by botnets such as Zeus and SpyEye. Figure 1 shows how the form-grabbing module works in Internet Explorer and Mozilla Firefox respectively.

Form-grabbing process in action.

Figure 1. Form-grabbing process in action.

When the malware is installed on the system, it first performs DLL injection into the requisite browser process (firefox.exe or iexplore.exe) and then performs hooking into the context of the respective running process. During analysis of the malware, we found that the form-grabbing module performs DLL injection using CreateRemoteThread and WriteProcessMemory, as presented in Figure 2.

WriteProcessMemory in action.

Figure 2. WriteProcessMemory in action.

Once the injection is successful, the malware hooks the pr_write function in nspr4.dll for Firefox and EncryptMessage in the secure32.dll library for Internet Explorer, as shown in Figure 3 and Figure 4 respectively.

Hooking pr_write function in nspr4.dll.

Figure 3. Hooking pr_write function in nspr4.dll.

Hooking EncryptMessage in secure32.dll.

Figure 4. Hooking EncryptMessage in secure32.dll.

In this case, GetProcAddress and GetModuleHandleA are used collaboratively to load a specific function for injecting a hook into the requisite process. The malware attempts to generate a log file that consists of all the data from GET/POST requests which are used in submission forms on banking websites. Figure 5 shows the creation of the log file.

Log file with form data.

Figure 5. Log file with form data.

The last step requires the stolen content to be sent to the data server. The malware creates a file using CreateFileA with the supplied name of ‘injector_form_log.txt’ where the stolen information is logged using WriteFile. This file acts as a data repository which is later sent back to the attacker. Figure 6 shows the way the analysed sample of malware performs this step.

Sending stolen data to the attacker’s server.

Figure 6. Sending stolen data to the attacker’s server.

The malware sends a POST request to an embedded domain name. It sets the HTTP headers required to execute the POST request successfully. The Content-Type parameter is set to ‘application/x-www-form-urlencoded’, which handles the form data. The Content-Length parameter shows the size of data to be posted with the HTTP request. In this way a complete HTTP request is sent to the attacker’s domain for collecting form credentials.

In this case study, we have presented a detailed layout of a form-grabbing module. This method of stealing information has become popular and one of the preferred choices of attackers. It is very difficult to design any protection mechanism against this kind of attack because it exploits the built-in hooking mechanism. Since the malware possessing this characteristic falls into the rootkit [5], [6] category, any anti-virus protection used must be able to detect rootkits.

Conclusion

In this paper, we have discussed different information-stealing methods used by malware. In particular, we have presented details of a form-grabbing method which is used extensively in botnet operations to steal information from victim machines. This method requires careful attention because malware exploits this technique in conjunction with other infection strategies to achieve maximum damage.

Bibliography

[2] Gühring, P. Concepts against man in the browser attacks. http://www.cacert.at/svn/sourcerer/CAcert/SecureClient.pdf.

[3] Sood, A.K.; Enbody, R.J. A browser malware taxonomy. http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy.

[5] Butler, J.; Silberman, P. Rootkit Analysis, Identification and Elimination. Black Hat Europe 2006. http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf.

[6] Kasslin, K. Hide and seek – full stealth is back. Virus Bulletin International Conference 2005. http://www.virusbtn.com/pdf/conference_slides/2005/Kimmo%20Kasslin.pdf.

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest articles:

Throwback Thursday: Michelangelo - Graffiti Not Art

In early 1992, a boot sector virus captured the imagination of the press and kicked up a media storm. Following a number of reports of the virus spreading in the UK, VB decided to publish an analysis. Fridrik Skulason brought us all the details of…

Throwback Thursday: Once a Researcher...

The author of Flushot, one of the world's first anti-virus programs, Ross Greenberg had already distanced himself from the main AV industry by 1995 - finding himself put off by the antics of certain vendors, whom he considered less than ethical in…

VB2016 paper: APT reports and OPSEC evolution, or: these are not the APT reports you are looking for

While APT reports should have threat actors scrambling to keep up, in reality they are providing APT actors with the information they need to implement new operational security practices and technologies that have defenders working as hard as ever to…

Throwback Thursday: A Troubled World

In early 1991, the world was a troubled place and conflict and violence were being reported globally on a daily basis. With this as a backdrop, the world of "indiscriminate" computer viruses which "victimise in a random and unpredictable manner"…

The journey and evolution of God Mode in 2016: CVE-2016-0189

Exploits for the CVE‑2016‑0189 vulnerability offer both reliability and complexity, so it is little wonder that it was the most commonly exploited vulnerability in 2016. Ankit Anubhav traces the journey and evolution of the 'God Mode' exploitation…