Great talk and demo from Uri Fleyder and Uri Rivner on VNC based Man In The Browser (MITB) attack. The talk started with some general observations of the current state of the malware market, then went into the demo.
Whys rats are spreading in the underground – We are moving to much more advanced underground supply chain. This follows neatly from the Keynote talks around the ever increasing availability of advanced tools.
A great example is the Citadel Trojan kit. Developed from Zeus – this was sold then source code leaked.. Citadel is a live ongoing project, with many add ons from GUI based Trojan development and deployment. Citadel only costs $2399 + modules, yearly membership of the Citadel online ‘aap store’ costs as little as $125 per year. Modules can be bought for low amounts of money such as
Log parser for $295
Automatic iFramer of FTP accounts from logs for $1000
Recent releases of Citadel include multiple enhancements such as injects directly from the control panel.
This highlights just how easy it is to get access to advanced malware creation kits, and how low the cost of entry currently is.
Demonstration of Man In The Browser (MITB) attack showing user accessing a compromised site. The browser appeared to crash, then the user re-opened it and carried on working. The user then accessed their bank and received a security warning saying that some checks were being performed to updated their machines security, these may take a few minutes, please do not close or refresh the browser window.
At the same time the criminal received a text telling him a new machine had been compromised. He then logged into his Zeus control account to see what the machine was and which bot had infected it.
The next step is that the bank site asks the customer to input their credentials including pin + key code to access their account. This is achieved by inserting java script into the banking page on the user’s browser.
From the malicious users machine the criminal has used VNC to log into the users machine and from their into the users bank account. The user inputting their pin and code details will enable the criminal to perform a transaction on their account such as a funds transfer. The criminal does this in the background while the user is waiting for the initial security checks, once the criminal gets to the point where they are stuck and need the users 2-factor credentials they then update the message to request these details as mentioned in the last paragraph.
The criminal is sent the username and password from the initial login;
Then the 2-factor code from the second message;
This works because the user has gone to the banking page they trust, and as they typed the url or went to their saved favourite rather than clicked a link somewhere they assume all is well.
Another advantage for the attacker of this type of attack is that they appear to come from the users machine as they are going through a VNC (remote administration) connection to the users machine. This circumvents and checks the bank (or whatever site) has in place to be more concerned about connections or transactions initiated from unknown devices.
According to European banks something like 30% of all fraud no comes from same device attacks like this.
– VNC embedded in Zeus clones is a dramatic escalation of the threat level. Make sure your defences are ready!
– Continuous monitoring is more resilient – e.g. user behaviour analysis, how fast is the user clicking and entering data, what is their pattern of clicks etc.
– Don’t rely on identifying the device
– Consider randomising, encrypting DOM space
– Zeus and other clones are polymorphic, normal scans are not effective
– Make sure your machines are getting all relevant patches
– We used to rely on something you know, this is broken, now we rely on something you have, this is crumbling.. What next, something you are linked with behavioural analysis?
A lot to think about here..