How to Stop Man in the Browser Attacks

Stopping Fraud –
Getting Rid of the Man in Your Browser
Rob Rachwald, Director of Security Strategy
Noa Bar-Yosef, Sr. Security Strategist

Agenda

 Motivation
 Problem Definition
 Shape Based Tests
 Content Based Tests
 Overall Solution Strategy
 Summary

Today’s Presenter
Rob Rachwald, Dir. of Security Strategy, Imperva

 Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center
 Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and
Australia
 Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today
 Graduated from University of California, Berkeley

Today’s Presenter
Noa Bar-Yosef, Senior Security Strategist, Imperva

 Research
+ Researches trends in the threat landscape
 Security experience
+ Previously, held the position of Sr. Security
Researcher for Imperva’s Application Defense
Center
+ Credited for multiple commercial applications’
vulnerabilities
+ Holds a Master’s thesis specializing in Information
Security
 Thought leadership
+ Writes a bi-weekly column on hacker trends and
techniques for SecurityWeek

Client Side Attacks - Scope of Problem
Major Attack Vectors

Major Attack Vectors

Exploiting Browser Code Vulnerabilities
• Expected to rise with the introduction of HTML5

Exploiting Browser Plug-ins
• E.g. Java, Flash, PDF, Media Player

Exploiting OS libraries
• E.g. Graphics rendering

2010 Vulnerability Figures

Client side Server side

• 77 IE vulnerabilities, • Only 36 vulnerabilities
106 Firefox across IIS, Apache
vulnerabilities, 188 and Tomcat
Chrome vulnerabilities
• 73 Adobe Flash, 9
Adobe Reader related
vulnerabilities
• 72 Various ActiveX
related vulnerabilities

Malware Distribution Methods

Drive-By-Download / Malvertizing

Phishing, “Spear Phishing”

Torrent and P2P

Physical

2010 Attack Figures

 A 2010 report by Kaspersky
+ ~600M attempts reported to KSN, more than 5 times increase
over 2009
 Microsoft detects 60K-100K Zeus-infected machine per
month
 2010 1H – Microsoft cleaned 6.5M bot infections
 Rustock spanned 1M computers

Consumers cannot be expected
to cope with the technical
problem on their own

From Consumer Attack to a Business Problem

The threat to
consumers is
constantly growing
•Number of vulnerabilities
•Number of attacks We are passed the point
•Types of attacks of no return
•Sophistication
• We cannot expect average
consumers to avoid infection
and mitigate attacks alone
• We cannot deny service to
infected consumers
• We cannot let the consumer
bear the consequences of a
compromise

Usage is expanding
beyond banking and
popular retail
applications


 Potential consequences (of failing to do so):
+ Reduced onboarding rate
+ Reduced activity
+ Increased refunds
+ Increased insurance rates

Consumer facing malware
threatens online commerce*
Forrester Feb 2011: Malware And Trojans And Bots, Oh My!


Car User Safety Online User Safety

Client Side Trouble – Types of Interaction

Key • No interaction between malware and
application

loggers • Offline interaction between attacker
and application using stolen credentials


• Some interaction between browser and
actual application during attack

Phishing • Could be used for detection of some
Phishing campaigns
• Offline interaction between attacker


Man in • Extensive interaction between malware

the and application during attack
• Offline interaction between attacker

Browser

Man in the Browser Attacks (aka Proxy Trojan)

 Attacker code runs in context of victim’s browser
 Original motivation
+ No need to attack infrastructure (DNS, tap into router, etc.)
+ Defeats SSL
 Additional benefits
+ Access to local resources
+ Access to application session data
 Prominent Actors
+ ZeuS, Gozi, URLZone, Sinowal, Limbo, and SpyEye
+ Silentbanker

MitB Attacks - Proxy Trojans in Action

Before After

Proxy Trojan Architecture

Web Application
Client Machine

Proxy Trojan Architecture

Drop Server

Inject Fake
Transaction
Extract Data
Tamper Page
Web Application
Client Machine

Tamper Request

A Typical Change by a Trojan

Clean Infected

Observation:
Trojan likes to tamper with plain traffic

Observing Typical Changes by Trojans

Encoding of • Enforces use of traffic that is easily tampered by the
Trojan
Related Headers • Avoids HTTP/1.1 connections, and compressed data

Client Type • Ensures identification by the drop server and other
Identification attacker controlled components

Additional • Extra data provided by an unfortunate victim
• Could represent client identification for attacker
Parameters controlled components

Parameter Order • A consequence of fake transactions

Shape Based Tests

Step 1:

• The application (or a device protecting the
application) inspects the shape of incoming
messages for changes typical to Trojans

Step 2:

• If a Trojan pattern is detected mark the client
(IP address / session / request) as “infected”

Shape Based Tests in Action

Drop Server
Apply Shape Tests

Inject Fake
Transaction
Extract Data
Tamper Page
Web Application
Client Machine

Apply Shape Tests

Tamper Request

Challenges – Tracking Trojan Discrepancies

• Each Trojan may • Need to keep
display a different track of Trojans
change • Create a
• Changes may be framework for
reflected in shape based rules
specific request • Create a
types framework for
constructing shape
tests

Challenges – Avoiding False Positives

Challenge:

• Some real client devices do not support (or
choose not to support) HTTP/1.1 or
compressed data

Solution:

• Engage the browser in a challenge response
protocol

Challenges – Avoiding False Positives

HTTP/1.1 200 OK
.
.
.
Content-Encoding: gzip
Refresh: 2;url=infection_test.html?infected=no

<html>
...........V*//W...Qzi...I...z...J:`.......T$......d.y.%@.^f.R,...(..y.:.J....9.V......%%...JV.J~.a...!..
~@.Dqbkc...%6....
<head>
<script>window.navigate('infection_test.html?infected=yes')</script>
</head>
<body></body>
</html>

Observing Content-Tampering Trojans

Observation:

• Current malware tampers HTML at the network
layer (before it is interpreted by browser)
• This is due to simplicity and robustness
considerations

Solution:

• Use client side code to verify integrity of HTML
page content in coordination with the server

OK Solution: Altering the Trojan Behavior

Naïve Solution

• Step 1: “Provoke” the MitB into making changes
• Step 2: Compare the HTML content to known Trojan
behaviors

Challenges

• MitB can be configured to avoid this type of manipulation
• Solution requires constant chase after MitB configuration
files
 Requires constructing an up-to-date database of “known
behaviors”

Better Solution: Content-Based Tests

Step 1:

• Server computes a digest of the delivered HTML page
Random (invisible) elements are injected into the page before computation

Step 2:

• Server appends a page digest computation function to the HTML page
Computation function code includes a random salt

Step 3:

• When page is loaded into the browser, the computation function is invoked,
computes the digest and sends it to the server for verification

Step 4:

• If the browser does not send back a digest then infection is assumed

Content Based Tests in Action

Drop Server Compute Digest and Inject
Digest Computation Function

Inject Fake
Transaction
Extract Data
Tamper Page
Web Application
Client Machine

Compare Digests

Tamper Request

Compute Digest

Content-Based Tests: Strengths

1) Digest cannot be pre-computed by malware due to the
random HTML elements
2) Digest cannot be computed by malware without
executing the digest computation function
+ Requires malware to implement / invoke Javascript engine
3) Computation function can be extended to explicitly
reference the randomly injected HTML elements
through DOM functions
+ Requires the malware to implement / fake DOM
4) Malware cannot dismiss test

Content-Based Tests: Strengths

5) Does not depend on specific MitB configuration and the
expected changes
+ Only depends on protected application page
+ Some configuration options should be available to restrict the
parts of the page that are digested
– Avoid elements produced by client side code

6) Breaking the tie with attackers
+ Complexity of the computation process can be increased with
small effort
+ Resulting changes to malware code are complex and painful,
increasing its footprint

Look at the Complete Picture

Apply shape based … And content-based
tests… tests

Interact with Infected Clients

Provide clear visual warnings

Contact customer offline

Apply business access policies
• Example 1: Allow data extraction but deny transaction
• Example 2: Limit transaction size

Automatically employ extra validation through side channels
• Adaptive authentication

Keep a more comprehensive audit trail for the user / session

MitB is Only Part of the Landscape

Identifying account takeover

• Server side fraud detection
• Device profiling and reputation
• Advanced authentication

Defeat phishing campaigns

• Detect and takedown campaigns
• Detect victims in real time

Requires a Flexible Deployment Framework

Cannot change application code
whenever capabilities change or
threats morph

Be able to protect legacy applications

Create consistency across all
applications and flexibility in choosing
vendors

Summary

 Threat to consumer is constantly growing and is past the
point where we can expect most of our consumers to
avoid infection
 Consumer infection has become a business problem
 While providers should urge consumers to be prudent
they MUST learn how to interact with infected
Some car safety mechanisms are
consumers and create a safe business environment for
them regardless of the general threat
already regulated. We can expect
the same from business IT
security

Summary

 Enterprise IT is failing to properly tackle client based
attacks within enterprise
 The growing number of so called “APT” attacks on
organizations demonstrate the effect of “compromised
insider”
 Failures stem from the same reason: try to avoid
infection rather than learn to interact with infected
clients

SecureSphere 9.0 - Fraud Prevention Services

 SecureSphere integrates with Trusteer to detect users
infected with malware like SpyEye, Zeus, Gozi & Silon
1. User accesses Website
2. SecureSphere redirects browser to Trusteer
3. Browser downloads, runs malware check
4. Result reaches WAF for analysis

Is this endpoint safe?

Pass / Block

Use Case: Man in the Browser – Fraud Malware

 Challenge
+ Fraud malware performing activities on behalf of
customers, causing money losses & customers
dissatisfaction
+ FFIEC compliance requirements

 Solution
+ Detect infected end-devices
+ Block sensitive areas in the application from infected
devices
+ Report on users connected from infected end-devices

49

ThreatRadar Fraud Prevention Stopping MitB

SecureSphere provides full
event detail to analyze Man
in the Browser (MitB) attacks

Centrally Manage Fraud and Web Security

Known Attack
Sources

User Infected
with Malware

Geolocation SecureSphere Policy
Engine

User Name Browser and Agent

Web Attack
Detection Bot Detection

 Combining Web fraud with WAF policies enhances
accuracy of fraud detection

Webinar Materials

Get LinkedIn to
Imperva Data Security Direct for…

Answers to
Post-Webinar
Attendee
Discussions
Questions

Webinar
Webinar Slides
Recording Link

www.imperva.com

- CONFIDENTIAL -

How to Stop Man in the Browser Attacks

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to How to Stop Man in the Browser Attacks (20)

More from Imperva (20)

Recently uploaded (20)

How to Stop Man in the Browser Attacks