RSA Conference Europe 2012 – The Science Lab: Live RAT Dissection

Great talk and demo from Uri Fleyder and Uri Rivner on VNC based Man In The Browser (MITB) attack.  The talk started with some general observations of the current state of the malware market, then went into the demo.

Whys rats are spreading in the underground – We are moving to much more advanced underground supply chain.  This follows neatly from the Keynote talks around the ever increasing availability of advanced tools.

A great example is the Citadel Trojan kit.  Developed from Zeus – this was sold then source code leaked..  Citadel is a live ongoing project, with many add ons from GUI based Trojan development and deployment.  Citadel only costs $2399 + modules, yearly membership of the Citadel online ‘aap store’ costs as little as $125 per year.  Modules can be bought for low amounts of money such as

Log parser for $295

Automatic iFramer of FTP accounts from logs for $1000

Recent releases of Citadel include multiple enhancements such as injects directly from the control panel.

This highlights just how easy it is to get access to advanced malware creation kits, and how low the cost of entry currently is.

Demonstration of Man In The Browser (MITB) attack showing user accessing a compromised site.  The browser appeared to crash, then the user re-opened it and carried on working.  The user then accessed their bank and received a security warning saying that some checks were being performed to updated their machines security, these may take a few minutes, please do not close or refresh the browser window.

At the same time the criminal received a text telling him a new machine had been compromised.  He then logged into his Zeus control account to see what the machine was and which bot had infected it.

The next step is that the bank site asks the customer to input their credentials including pin + key code to access their account.  This is achieved by inserting java script into the banking page on the user’s browser.

From the malicious users machine the criminal has used VNC to log into the users machine and from their into the users bank account.  The user inputting their pin and code details will enable the criminal to perform a transaction on their account such as a funds transfer.  The criminal does this in the background while the user is waiting for the initial security checks, once the criminal gets to the point where they are stuck and need the users 2-factor credentials they then update the message to request these details as mentioned in the last paragraph.

The criminal is sent the username and password from the initial login;

Then the 2-factor code from the second message;

The criminal then sends a sorry site down for maintenance screen to the user again by injecting it via JavaScript to the bank page the user thinks they are accessing.  This is to try and allay any fears or concerns so the user (victim) does not immediately suspect something malicious has occurred.

This works because the user has gone to the banking page they trust, and as they typed the url or went to their saved favourite rather than clicked a link somewhere they assume all is well.

Another advantage for the attacker of this type of attack is that they appear to come from the users machine as they are going through a VNC (remote administration) connection to the users machine.  This circumvents and checks the bank (or whatever site) has in place to be more concerned about connections or transactions initiated from unknown devices.

According to European banks something like 30% of all fraud no comes from same device attacks like this.


–          VNC embedded in Zeus clones is a dramatic escalation of the threat level.  Make sure your defences are ready!

–          Continuous monitoring is more resilient – e.g. user behaviour analysis, how fast is the user clicking and entering data, what is their pattern of clicks etc.

–          Don’t rely on identifying the device

–          Consider randomising, encrypting DOM space

–          Zeus and other clones are polymorphic, normal scans are not effective

–          Make sure your machines are getting all relevant patches

–          We used to rely on something you know, this is broken, now we rely on something you have, this is crumbling.. What next, something you are linked with behavioural analysis?

A lot to think about here..


APT – new threat or just a new name? And just what does it mean?

The term Advanced Persistent Threat (APT) has become the de facto term for criminals, organisations and governments spending considerable time, effort and expertise attempting to gain access to another organisations data.

Now this is clearly not a new phenomenon as people with the resources to do so have always put time into getting the information they want using technical and non-technical techniques including;

– Dumpster diving

– Social engineering (over the phone, and in person on site)

– Viruses / Trojans / Worms delivered via email / usb / floppy disk / CD etc.

– Phishing / spear-phishing (or what ever targeted emails / mails used to be called)

etc. etc.

The question is, has this problem suddenly become much larger and more of a concern, or is the new name and much of the news there to create fear and market security tools / services?

I am completely in favour of people having a common language, so giving a simple and agreed term to “criminals, organisations and governments spending considerable time, effort and expertise attempting to gain access to another organisations data.” is definitely a good thing.  However this needs to be used with caution, so that the accusation of spreading unnecessary fear and uncertainty cannot be levied against the security industry.

For example how many of the attacks that are reported to have been launched from China by the Chinese government were actually launched from botnets in China enabled by the fact that users in the country have amongst the highest levels of unpatched machines in the world?  I don’t know the answer but while reading for this article I found conflicting thoughts and statements on this topic.

There is clearly a need for clarity and openness, everyone in the security industry, and increasingly people not in the industry, are aware that there are many risks out there especially to machines without AV, and not kept patched up to date.  The risk does however need to be fairly and realistically reported.

If a company is compromised, it is currently much less damaging to report it as an APT attack rather than owning up to some unpatched machines or a misconfigured firewall, or someone clicking on a phishing mail while logged in with administrative privileges etc.

Equally though when there is clear evidence of APT, this should be clearly reported, especially if in doing so the techniques used can be revealed to help protect other potential victims.  Should government agents be clearly implicated, this should be reported as governments are supposed to be beholden to international laws and not behave in a criminal manner.  I guess the same could and should be said of individuals and criminal organisations!

In short, clearly agreed universal terminology is a good thing to aid understanding and communication even if it is not describing something new, but clear and open reporting of threats is key if people are to make informed and correct decisions about the real risks and how much time and expense should go into mitigating them vs. other threats and business needs.

Future posts will cover exactly what APT is in more detail, and also ask is the cloud something new?