Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Bypassing malware detection mechanisms in online banking

396 visualizaciones

Publicado el

  • Sé el primero en comentar

Bypassing malware detection mechanisms in online banking

  1. 1. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Jakub Kałużny Mateusz Olejarka Bypassing malware detection mechanisms in online banking
  2. 2. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Pentesters @ SecuRing • Ex-developers • Experience with: — E-banking and mobile banking systems — Multi-factor and voice recognition authentication — Malware post mortem Who are we? @j_kaluzny @molejarka
  3. 3. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Intro — Why this topic? — How it’s done? — Will it blend? • Vulnerabilities • Conclusions • Q&A* Agenda
  4. 4. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Intro
  5. 5. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • AVs are not reliable • Users are lazy • Market gap for new solutions • A lot of money Why this topic ?
  6. 6. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Interaction with browser — Web injects — Other? • What it does — Steals credentials — Changes transaction data — Automates attacks How malware works? zeus spyeye carberp citadel zitmo vbclip banatrix carbanak eblaster bugat torpig hiloti gozi
  7. 7. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Aim: Detect malware presence What is online malware detection ? BACKEND WEB SERVER BROWSER USER MALWARE HTTP TRANSACTIONS signatures fingerprint User/browser behaviour fraud detection system Action: drop or mark as compromised (JS)
  8. 8. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Malware detection methods: • HTTP response signature • Browser fingerprint • User/browser behavior • Server-side behavioral methods • Fraud detection system What are the limits ? marketing magic auditability
  9. 9. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • We do not represent any vendor • We want to show — architecture failures — implementation errors • We want to talk about what can be done What is the purpose of this report?
  10. 10. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Vulnerabilities
  11. 11. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleOur approach BACKEND WEB SERVER BROWSER USER MALWARE HTTP TRANSACTIONS feed analyze JS analyze traffic analyze response
  12. 12. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style HTTP traffic First idea clean machine action system infected machine action
  13. 13. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style HTTP traffic + JS analysis Going through… clean machine action system infected machine action + js analysis: • Different paths • Different subdomains • Different data format (e.g. base64) • Encryption (e.g. rsa)
  14. 14. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleAlmost there… clean machine action system infected machine action
  15. 15. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleIf it bleeds, we can kill it clean machine action system infected machine action BYPASSED!
  16. 16. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleArchitecture problem user action systemanti malware magic red light green light Words of wisdom: adverse inference
  17. 17. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleMalware spotted! user action systemanti malware magic red light Who sends the alert ? login: user1 time: … behaviour: suspicious login: user2?
  18. 18. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleFirst things first user action systemanti malware magic red light JavaScript slowing your page ? BYPASSED!
  19. 19. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSecurity by obscurity malware detection JavaScript eval Simple obfuscation – base64, hex rsa encryption signatures reasoning engine Web Service rsa public key
  20. 20. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSignatures server-side browser server website A please HTML + JS malware detection Fragments of website A Hey, your website A is webinjected ! regexp for website A
  21. 21. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title styleSignatures client-side browser server website A please HTML + JS malware detection Hash of web injects signatures content web injects signatures Leaks your malware signatures The output is your weakness
  22. 22. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Conclusions
  23. 23. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Buy an anti-malware box? • Better call your crew • Trust, but verify • Ask for technical details Conclusions - banks
  24. 24. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Online malware detection is a good path, behavioral systems are a future of ITsec • But they are still based on the old HTTP + HTML + JS stack • Think about architecture and implementation Conclusions – vendors
  25. 25. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style • Recommendations for potential anti-malware buyers – paper, work in progress • Interested? -> malware@securing.pl or antimalware@securing.pl What’s next?
  26. 26. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Click to edit Master title style Thank You Q&A*

×