Botnets and Browsers – Brothers in a Ghost Shell
Aditya K Sood
Browser exploitation is on the rise. Botnets in conjunction with Browser Exploit Packs (BEPs) are becoming the source of large-scale malware infections. The exploitation revolves around manipulating browser architectures, thereby infecting victims at scale. Malware infection is proliferating day by day. In spite of new advanced protection features, stopping infections that happen through the browser and take control of the victim's machine remains an arduous task. Exploit packs and attack toolkits play a critical role in the success of malware infections. Browser Exploit Packs (BEPs) are based on the basic philosophy of exploiting the extensibility of browsers: using the browser's own technology and developing code that works in line with the browser's classes.
- Browser Malware Taxonomy
- Bots & Browsers – Collaborative Design
- Bots & Browsers – Exploitation Paradigm
- Bots & Browsers – Web Injects / Fakes
The big problem is the theft of funds through online attacks.
Browser Malware Taxonomy
Class A – Browser Malware
Exists in the browser process (user-land)
Class B – Browser Malware
Exploits the browser or extensions/plugins
Class C – Browser Malware
Exploits the underlying browser to gain access to Kernel-land
Infection Model – Malware serving
- Exploiting Web Vulnerabilities (XSS/SQLi)
- Obfuscated code injected
- Browser DOM calls
- Browser loads malicious URL
- Vulnerability in browser exploited
- Exploit triggers shellcode
- Malware binary drop
- Parasitic infection occurs
- Malware installed and connects back
Browsers -> Botnets: SDK
Custom designed SDK for communications.
SpyEye has an extensive SDK
Design of Plugins
- Bot requires separate plugin to communicate with C&C
- Botnet sends critical information through GET requests
Why use plugins?
- Provides modularity
SpyEye API in action
SpyEye Bot -> Custom Connector Plugin -> Gate.php
The custom connector plugin allows updating the bot configuration and executables, as well as plugin management and loading of third-party executables.
Bots & Browsers – Exploitation Paradigm
- Ring 3 rootkit
- Hooks DLLs in user-land
- Performs injection into the browser (web) process
- Hooks the HTTP communication interface
- Infection (bots & plugins)
Man in the Browser
- Malware (bot/trojan) with the ability to infect browsers
- Capable of modifying web pages and performing legitimate actions
- Invisible to the user
- Steal credit card data
- Spying on browser sessions
Hard to protect against in the browser itself. Protections need to be at the server-side. SSL won’t help as the attacker is already in the browser itself.
User-Agent fingerprinting is used to decide which browser exploits to serve. The UA string provides a great deal of information for an attacker to fingerprint the correct attack vectors. The detection code used by malware writers is often very generic, with entries for everything from Windows 95 upwards.
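The fingerprinting step above is just string matching on the User-Agent header. The following is an added example, not code from the talk or from any exploit pack: it parses a handful of constructed UA strings (not captured from any incident) into the OS/browser/version triple that a landing page branches on, and that a defender can equally derive from their own web-server logs when triaging who hit a suspicious URL. The OS table and regexes are this example's assumptions, not a reference list.

```python
import re

# Constructed sample User-Agent strings for the demonstration (not from the page).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 "
    "(KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
    "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)",
]

# Windows token -> marketing name. Deliberately starts at Windows 95, mirroring the
# "everything from Win95 upwards" coverage the talk attributes to exploit-pack code.
WINDOWS_VERSIONS = {
    "Windows 95": "Windows 95",
    "Windows 98": "Windows 98",
    "Windows NT 5.0": "Windows 2000",
    "Windows NT 5.1": "Windows XP",
    "Windows NT 6.0": "Windows Vista",
    "Windows NT 6.1": "Windows 7",
}

# Browser family -> regex capturing the version number (assumed patterns).
BROWSER_PATTERNS = [
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]


def fingerprint(ua):
    """Return (os, browser, version) as derived from one User-Agent string.

    Unknown platforms or browsers are reported as "unknown" rather than guessed,
    which is exactly the case generic detection code tends to lump together.
    """
    os_name = "unknown"
    for token, name in WINDOWS_VERSIONS.items():
        if token in ua:
            os_name = name
            break
    if os_name == "unknown":
        if "Mac OS X" in ua:
            os_name = "Mac OS X"
        elif "Linux" in ua:
            os_name = "Linux"
    for browser, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            return os_name, browser, m.group(1)
    return os_name, "unknown", ""


def summarize(uas):
    """Count (os, browser) pairs across a list of UA strings, e.g. from access logs,
    to see which platforms a suspicious landing page was actually reached from."""
    counts = {}
    for ua in uas:
        os_name, browser, _ = fingerprint(ua)
        key = (os_name, browser)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(fingerprint(ua))
    print(summarize(SAMPLE_UAS))
```

The point for defenders is the asymmetry: the same header that lets a landing page pick an exploit is already in your proxy and web-server logs, so the same parsing identifies which browser/OS combinations in your estate were exposed to a given URL.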
Browser Exploits Packs and Bots
- Used in conjunction with botnets
- On successful exploitation, the bot is dropped onto the victim's machine
- Harnesses the power of two different frameworks to deliver malware
- Such traces have been seen with ZeuS (botnet) + Blackhole (BEP)
Browser – Screen Scrapers
- Capture screenshots from a victim during banking transactions
- Possible to capture whole system screenshots, not just the browser
- Provides additional support for bots for data exfiltration
- Exploit system level functions
Automatically start capture once a victim connects to a banking website. Private browsing doesn’t help this…
Browser Form Grabbing
- Keylogging produces too much data
- Form grabbing extracts from GET/POST
- Based on the concept of hooking and DLL Injection
- Virtual keyboards don't help: form grabbing works on the POST request itself, so it sidesteps the problems keystroke capture has with them
- No real protection against malware
All botnets use this technique, and all browsers can be circumvented to execute non-legitimate hooks. Hard to overcome.
Credit Card Grabber – Verification
Why credit card number stealing is a success!
- Botnets are always successful in extracting credentials from POST requests
- CC Verification – the credit-card number is verified against the Luhn algorithm before it is sent to the botnet database
- Trash is dropped
- Doing the same checks that the banks make!
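The Luhn check the bot applies is the same one a defender can run on outbound traffic. As an added example (not code from the talk or from any bot), the block below implements the Luhn algorithm, then applies it to each field of a constructed URL-encoded POST body, keeping only values that pass the check: that is what the form-grabbing and "trash is dropped" points above describe, and also what a data-loss-prevention filter on a proxy needs to flag. The sample body, field names and card-number pattern are this example's own.

```python
import re
from urllib.parse import parse_qs

# Constructed POST body for the demonstration. 4111111111111111 is a well-known
# Luhn-valid test number; the "phone" value is 16 digits but fails the checksum.
SAMPLE_POST = (
    "user=alice&cardnumber=4111%201111%201111%201111"
    "&cvv=123&phone=1234567812345678"
)

# 13 to 19 digits, optionally separated by spaces or dashes (assumed pattern).
CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(number):
    """Luhn checksum: double every second digit from the right, subtract 9 from
    any doubled value above 9, and require the total to be a multiple of 10.
    Non-digit characters are ignored; lengths outside 13..19 are rejected."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid digit strings found in free text. Candidates that fail
    the checksum (order ids, phone numbers) are discarded, not reported."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def grab_from_post(body):
    """Decode a URL-encoded form body and map each field name to the Luhn-valid
    number it carries. Only fields that pass the check appear in the result."""
    hits = {}
    for field, values in parse_qs(body).items():
        for value in values:
            for number in find_card_numbers(value):
                hits[field] = number
    return hits


if __name__ == "__main__":
    print(grab_from_post(SAMPLE_POST))
```

Run on a proxy or web-application firewall, the same function gives a low-noise detector: a request to a host that should never receive card data but carries a Luhn-valid field is worth an alert, while the checksum keeps plain numeric identifiers out of the results.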
Bots & Browsers – Web Injects / Fakes
Web Injects – Infection on the fly
- Injecting incoming request with malicious content
- The web page is tampered with but still looks legitimate
- Primary aim is to inject credential-stealing forms and input tags
- A similar concept is used to inject pointers to remote malware sites
- Concept of third generation botnets
Web Injects – How
- DLL injection
- A long-lived exploitation technique
- Browser libraries
- Hard to edit the Firefox (FF) executable, so DLL injection works best
Being in the browser, you can customise the web injects to match any website required, with customisable and complex rules on what to capture from GET/POST requests; only the required sections of a request are extracted.
- Plugins are used to spoof content to the browser
- Supports both protocols (HTTP/HTTPS)
- Based on the concept of internal URL redirections
- All browsers are affected
The user requests their banking website. Using tricks like CSS injection, the bot returns a fake version of the site to gather the required data. Lists of which sites to fake and which to leave alone are configured in the botnet.
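To make the "which sites to fake" configuration and the resulting page tampering concrete, here is an added example written for this page; it is not code from the talk or from any botnet. It parses a constructed inject configuration written in the widely documented `set_url` / `data_before` / `data_inject` / `data_after` layout (the layout itself is an assumption of this example), renders what a constructed login page would look like after the matching rule runs, and then shows the server-side check the talk argues for: comparing the field names a form submits against the fields the real form actually has. The URLs, field names and expected-field table are all made up for the demonstration.

```python
import re
from fnmatch import fnmatch

# Constructed inject configuration (assumed set_url/data_* layout, not from the page).
# "GP" is read here as "apply to GET and POST"; the flags are parsed but not acted on.
SAMPLE_CONFIG = """
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<label>ATM PIN <input type="password" name="atm_pin"></label>
data_end
data_after
data_end
"""

# Constructed login page as the bank's server actually sends it.
SAMPLE_PAGE = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button>Sign in</button>
</form>"""

# Server-side knowledge of which fields each real form has (constructed).
EXPECTED_FIELDS = {"/login": {"username", "password"}}


def parse_config(text):
    """Parse the config into rules: url pattern, flags, and the before/inject/after
    blocks. Each data_* section runs until its data_end line."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and current is not None and section:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def wildcard_to_regex(pattern):
    """Turn a '*' wildcard anchor into a non-greedy regex."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def apply_injects(url, page, rules):
    """Return the page as the victim would see it: for every rule whose url pattern
    matches, the inject block is spliced in right after the data_before anchor."""
    for rule in rules:
        if not fnmatch(url, rule["url"]):
            continue
        anchor = re.search(wildcard_to_regex(rule["before"]), page, re.S)
        if anchor:
            page = page[:anchor.end()] + rule["inject"] + page[anchor.end():]
    return page


def form_fields(page):
    """Collect the name attributes of all <input> tags in a page."""
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', page))


def unexpected_fields(path, submitted):
    """Server-side check: field names in a submission that the real form never had.
    An injected form that asks for extra data shows up here, even though the
    browser-side tampering was invisible to the user."""
    return submitted - EXPECTED_FIELDS.get(path, set())


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    tampered = apply_injects("https://bank.example/login?lang=en", SAMPLE_PAGE, rules)
    print(tampered)
    print("unexpected:", unexpected_fields("/login", form_fields(tampered)))
```

Two things fall out of this. First, the targeted-URL list is the most useful artefact in a recovered configuration: it tells an analyst exactly which institutions a campaign is after. Second, because the inject has to ask for data the genuine form does not, the server can detect it without any help from the compromised browser, which is where the talk says the protection has to live.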