Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Bloodletting the Arms Race: Using Attacker's Techniques for Defense

Submitted by Ziv Mador and Ryan Barnett

This blog post will summarize a recent talk that we (Ryan Barnett and Ziv Mador) gave at the RSA 2014 conference where we showed how tactics used by different cyber-criminal gangs could be used by defenders. 

Turning the Bad Guys Against Themselves

You may be familar with the Ouroboros symbol where a Serpent is eating its own tail. It symbolizes cyclicality and self-recreation and is applicable to the constant battles that security vendors/researchers have when facing bad guys. For our presentation, we used a modified version called "Dual Ouroboros" where you have two Serpents eating each other's tails.

9686_66dd7976-e676-4f54-a9a4-c7bb36c119c3

This is the essence of the concept that we wanted to promote in our talk where we want to leverage the tactics and techniques used by one group of criminals and apply them defensively to help protect against a different criminal element.

Standard Adversarial Relationship

Typically, there are are pairings of security vendors (products) vs. malware families. In the following diagram, we have Web Fraud Detection vendors squaring off against Banking Trojan malware such as Zeus/SpyEye. 

11770_c8f77986-8b2a-4536-8156-22207f645d33

During these battles, there is a constant "Arms Race" where defenders try to develop new methods for detection malicious behaviour and criminals try to evade or hide from defensive detection methods. The following cartoon is a perfect example of the type of iterative Arms-Race process we are fighting.

9904_716bb028-917a-48bf-9534-909ad8df92bb

Let's take a quick overview look at these four key players.

Banking Trojans

Symantec released a very good infographic entitled "The State of Financial Trojans 2013" that provides relevant data as to scope and impacts. Here is a table from that report that lists the top banking trojan families.

12186_de254ed1-c070-432c-8fd3-1fbd17d89887

Zeus' Webinject Functionality

One of the key capabilities of banking trojans are "webinjects" where the malware is able to dynamically modify the raw HTTP data just before/after the web browser. Here is an example of different webinjects that manipulate various login page HTML in attempts to phish extra data from users.

12853_fc416231-a44d-4bae-a5f5-d8be88a9f13f

As a real example, we showed the following "webinjects.txt" data in our live presentation demo that attempts to trick the user into providing their ATM PIN number:

12138_db7facdc-b852-4dbc-bea4-0a7a74787fea

When an infected user goes to the "login.html" page on the fake banking site, the login form would look like the following:

12726_f6009c26-934a-4b94-acad-ed927b68b3de

If the user enters in this data, Zeus will grab the information and send it off to a Command & Control (C&C) web site where the banking trojan operator can use this information to conduct account takeovers or to initiate fraudulent Electronic Fund Transfers (EFTs) siphoning money out of the victim's account into money mule accounts. Here is an example screenshot of fraudulent EFTs from the Zeus C&C interface:

12382_e7fbd0c7-3960-4a8c-a4da-df7fc45466f7

Client-side Web Fraud Detection Examples

Web Fraud Detection vendors use many different techniques to identify fraud activities but we will focus on the top two:

11254_b08a98de-0c7f-4028-b77d-84150694a6c5

Client-side Device Identification/Browser Fingerprinting

How unique, and trackable, is your web browser? Web Fraud Detection vendors are able to identify an incredible amount of data about end users by enumerating various device/browser characteristics. If you want to test our your own web browser, go to the Panopticlick website to check. Here is an example snippet when I went there using Google Chrome:

10669_93e07002-ad0c-4abc-b9f3-55d97a6bd642

The webpage checks many different characteristics of my web browser including:

  • User-Agent
  • Accept Headers
  • Browser Plugin Details
  • Time Zone
  • Screen Size
  • System Fonts

By correlating all of this data, my browser was considered unique amongst almost 4M browsers tested. This data, as opposed to IP Address information, is a much more robust method for tracking users of your web application. Here is an example of updated HTML for the fake banking login page with new javascript calls to Web Fraud Detection code:

12275_e2f2aee9-216d-4bf0-b976-faaf2941f085The "md5.js" script simply provides client side hashing capabilities. The "fingerprint.js" file implements many of the same browser environment checks that Panopticlick looks for.

11153_ab393aef-c81e-464b-8a9d-2fefbc368772When this code executes, it will will generate a client fingerprint hash and then send this back to the server in a beacon request -

11655_c4036343-8ceb-4bb0-ba47-5b71579889c9Server-side fraud detection processes can then check this fingerprint against reputation systems to see if this client has been associated with any fraud activities.

Webpage Integrity

The key defensive capability we need to identify if a banking trojan has manipulated the HTML data that left the web application is to be able to validate the data once it reaches the browser. With this concept in mind, we can leverage the work done by the University of Washington Computer Science and Engineering team on a project called "Detecting In-flight Page Changes with Web Tripwires." Here is a a quick visual -

10807_9a809a79-f47d-40b4-acb0-29f921ccbef9The "webtripwire.js" javascript call in the HTML issues an XHR request back to the web server for the same page but this time is includes a new "WebTripwireCheck: On" header:

12191_de482df5-0b85-4fd6-87c0-4936be8a967b

This results in the following request/response -

12855_fc4bd58d-0000-4fe9-8ecc-2799f9c69df2

The HTTP response now includes the "WebTripwireHash" header. The client-side javascript then calculates the hash of the actual response and then compares it with the header hash. If they do not match, then an alert issued to the user:

9854_6f0bb19b-c4ce-4903-ab35-b3ce2e038de3

Zeus Removes Fraud Code

The "webinject" functionality is actually a misnomer. In addition to being able to "add" extra data to the HTML, it also has the ability to REMOVE or manipulate data. It is this capability where Zeus can be used to neuter client-side fraud detection code. Here is an updated webinject entry that will strip out all data in between the "data_before" and "data_after" HTML.

9177_4d5a3734-6dea-4761-aa6b-68b832cba2be

This technique effectively renders the Fraud Detection code useless.... How can we protect our defensive code against webinject removal from Zeus?

Exploit Kits

Exploit kits are the mechanisms used to exploit client-side vulnerabilities to deliver malware payloads to victim's computers. Here is a quick list of the top Exploit Kits SpiderLabs tracked for Q4 2013 -

8345_23dd4dd0-f036-4dc2-b0b5-b00fdb5c333dHere is the typical Exploit Kit attack flow where a user goes to a website that has been compromised and it includes a malicious IFRAME that points to the actual Exploit Kit code.

8392_2742e612-f297-4551-9fc4-200e963c3dcb

Use of Obfuscation

Here is an example of some Blackhole Exploit Kit code that checks for various plug-in/software versions before sending the exploit payloads -

10779_98e24d8d-d445-4263-8678-ba0229cdaaa5

This code would be easily identified by static signature detection systems. In order to evade detection, Exploit Kits use obfuscation techniques. Here is an example of the same code, however it has been put through a basic Ceasar Cipher data substitution change -

9481_5be858ea-0bdd-4a2d-bf03-a8e5c463bf4d

This is functionally equivalent code as web browsers would execute the javascript and it would return the original code.

10684_94891f97-6a1c-430e-87ff-a16ed38fe3a0

Interestingly, both Exploit Kits and Web Fraud Detection Code have the same challenge: How can they protect their code and evade detection by their adversary?

Using Exploit Kit Obfuscation Techniques for Defense

Why can't we re-use the same type of Obfuscation used by Exploit Kits to protect our Web Fraud Detection code?

9096_49f96628-09e7-4793-8062-44efb297818d

The idea is to take our stanard banking login HTML and place it inside a layer of javascript obfuscation. Here is what the new HTML looks like for our login page -

9609_6313dead-a386-4500-953f-2930bf835844

Again, the user notices no different in functionality as the page renders properly and our Anti-Fraud code triggers as normal. Zeus, on the other hand has problems. Zeus gains access to the raw HTTP data stream by using the wininet.dll library. It modifies the data outside the context of the Internet Explorer web browser. This means that, at the point in time where webinjects would run, the layer of javascript obfuscation prevents webinject from triggering on the normal HTML tags.

So Defenders Win, right?!?!?

The Arms Race Continues...

The use of Exploit Kit Obfuscation techniques used to protect defensive code is a novel idea, however in the end this is only a roadblock. Banking Trojan operators have way too much money on the line to just give up. Therefore, we surmize that they would respond to this type of defense by modifying Zeus source code to implement De-Obfuscation algorithms.

8321_22a31027-2172-40a2-a7a0-39aff179ba9d

Here is an example of the modified "httpgrabber" Zeus code that includes the new De-Obfuscation algorithm -

10964_a1ad4029-215e-4c58-a0d3-40674e7171d4

This code can be used by specifying the new "O" flag in the "set_url" definition -

8670_344d07ff-ba97-48a8-9efb-a7276159f95b

This modified configuration would result in the following -

  • Zeus would de-obfuscate the raw HTTP data in intercepts with wininet.dll
  • Strip out the Anti-Fraud Detection javascript code
  • Issue a webinject to add in the fake "ATM PIN" form field

Backporting De-Obfuscation Routines to Secure Web Gateways

As we work through our gaming theory of probably response actions, we have come to the place in time where Banking Trojan authors have implemented de-obfuscation routines within their code to try and normalize the data. We could then take this updated de-obfuscation functionality and supplement the existing ones within the SWG appliances.

9822_6dd93e7c-cf3e-4526-9fa9-508e0805c963

The end result being that one cyber criminal element (Banking Trojan authors) would be helping security vendors to better detect another cyber criminal element (Exploit Kits).

Beyond Obfuscation

We demonstrated one defensive technique in this blog post, obfuscation, however Exploit Kits also use other tacticts that we leverage. One example is polymorphic variable names where the values of key variables change upon each invocation of the page. Here is an example screenshot of the polymorphic variables in our demo -

9127_4af3363a-1dc2-4a3f-80d5-47a6796bb1b5By changing these variables each time the page is loaded, it makes it more challenging for static analyzers (or banking trojans) to normalize.

Conclusion

What we demonstrated in this blog post is a single tactical example (using Exploit Kit obfuscation to protect defensive code) of a more strategic concept (using attacker tactics for defense). While this particular use-case to break the functionality of banking trojan webinjects is cool, it is not panacea. What we really want to promote as a takeaway concept for this topic is this -

Know Your "Friend's" Enemy

Far too often, defensive security personnel are stuck in an echo chamber as they are locked in on battling their adversary. You may in fact gain inspiration and revelation by talking with security practitioners/researchers in a different knowledge domain. This often happens when the SpiderLabs Research malware, client/server and vulnerability teams interact with each other. The result is that each team comes away with new ideas to implement within their own security domains.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More