of 27/27
Bypassing malware detection mechanisms in online banking Jakub Kałużny Mateusz Olejarka CONFidence, 25.05.2015

Bypassing malware detection mechanisms in online banking Jakub Kałużny Mateusz Olejarka CONFidence, 25.05.2015

  • View

  • Download

Embed Size (px)

Text of Bypassing malware detection mechanisms in online banking Jakub Kałużny Mateusz Olejarka...

PowerPoint Presentation

Bypassing malware detection mechanisms in online bankingJakub KaunyMateusz OlejarkaCONFidence, 25.05.2015Pentesters @ SecuRingEx-developersExperience with:E-banking and mobile banking systemsMulti-factor and voice recognition authenticationMalware post mortemWho are we?

@[email protected]

Poziom zaawansowania polskich bankowoci2IntroWhy this topic?How its done?Will it blend? Attack vectorsRecommendationQ&A*Agenda3Intro

AVs are not reliableUsers are lazyMarket gap for new solutionsA lot of moneyWhy this topic ? Malware related task are on the riseHuge media coverage of malware related topicsThey steal real money (weve seen it!)Emerging market of anti-malware solutions

Statistics5Interaction with browserWeb injects Other?What it doesSteals credentialsChanges transaction dataAutomates attacks

How malware works?zeusspyeyecarberpcitadelzitmovbclipbanatrixcarbanakeblasterbugattorpighilotigozi6Aim: Detect malware presenceWhat is online malware detection ? BACKENDWEB SERVERBROWSERUSERMALWAREHTTPTRANSACTIONSsignaturesfingerprintUser/browserbehaviourfraud detection systemAction: drop or mark as compromised(JS)7Malware detection methods:HTTP response signatureBrowser fingerprintUser/browser behaviorServer-side behavioral methodsFraud detection systemWhat are the limits ? marketingmagicauditabilityLimitation for each methodBots can simulate everythingThere are no 100% malware-proof solutionsBut at least they should be properly implemented

8We do not represent any vendorWe want to show architecture failuresimplementation errorsWe want to talk about what can be done What is the purpose of this report? 9Attack vectors

Our approachBACKENDWEB SERVERBROWSERUSERMALWAREHTTPTRANSACTIONSfeedanalyze JSanalyze trafficanalyze response11HTTP trafficFirst ideaclean machineactionsysteminfected machineaction12HTTP traffic + JS analysisGoing throughclean machineactionsysteminfected machineaction+ js analysis: Different pathsDifferent subdomainsDifferent data format (e.g. base64)Encryption (e.g. rsa)13Almost thereclean machineactionsysteminfected machineaction14If it bleeds, we can kill itclean machineactionsysteminfected machineactionBYPASSED!15Architecture problemuseractionsystemanti malware magicred lightgreen lightWords of wisdom: adverse inference16Malware spotted!useractionsystemanti malware magicred lightWho sends the alert ? login: user1time: behaviour: suspiciouslogin: user2?17First things firstuseractionsystemanti malware magicred lightJavaScript slowing your page ? BYPASSED!18Security by obscuritymalware detection JavaScriptevalSimple obfuscation base64, hex rsa encryptionsignaturesreasoning engineWeb Servicersa public key19Signatures server-sidebrowserserverwebsite A pleaseHTML + JS malware detectionFragments of website AHey, your website A is webinjected !regexp for website ASignatures client-sidebrowserserverwebsite A pleaseHTML + JS malware detectionHash of web injects signatures contentweb injects signaturesLeaks your malware signaturesThe output is your weaknessConclusions

Buy an anti-malware box? Ask for technical detailsRequest live demoBetter call your crewTrust, but verifyConclusions - banksPay shitload of money for a malware detection box (top secret military grade i cant tell you about technology)? Better call your crewDo not trust vendors. Test your countermeasures.Hybrid approachStrategy, not snake oil

23Online malware detection is a good path, behavioral systems are a future of ITsecBut they are still based on the old HTTP + HTML + JS stackThink about architecture and implementation

Conclusions vendorsDont bullshit a bullshitter24We can analyze and dissect your solution as well, or help you establish one.Interested? -> [email protected] or [email protected]

Whats next?Robimy to?25Q&A*

And now a discussion :)

Thank You [email protected]@securing.plhttps://www.flickr.com/photos/national_library_of_norway/6995182110/in/photolist-bE98W7-bT3SW4-mL4Zdb-kEyrog-mL39dZ-9i6vvx-ayQbtG-4MwCFi-brtmEn-oeFTm4-owvRux-otHW5j-ocbKD9-bUqwDu-5QySwG-5S2CTE-oeV8n5-ocbssh-ovrau4-ouyapC-oygDVz-ou2WgU-of1sQG-ovBEbo-oyaaMT-owdYUM-oyg6AK-oeZcBh-oweo9m-ou8H6S-oyefUZ-ow87cH-osGVz9-occFLB-ovre1n-ocbF47-orDwD1-ottq6N-oye2c8-owqECc-osHVqQ-oey3Ju-oeZnr9-owamDp-oydcGt-ouTQNg-otyRYF-odwWuw-owcFbc-ocSDnG27