Presentation Material
Abstract
Third Generation Botnets (TGBs) have circumvented the normal stature of the World Wide Web. These botnets harness the power of the HTTP communication model to complete their stealthy operations. To automate the exploit distribution mechanism for infecting users on a large scale, TGBs are collaborating with Browser Exploit Packs (BEPs). TGBs include Zeus, SpyEye, and the present-day botnet ICEX that are explicitly using BEPs such as BlackHole and Phoenix for insidious infections. Several cases of large scale infections have been seen in the recent past. Additionally, TGBs are designed with sophisticated attack techniques such as Form grabbing, Ruskill, Web Injects (WI), Web Fakes (WF), DNS tampering, and other custom plug-ins to steal information. These attack techniques are heavily relied upon in the Man in the Browser (MitB) paradigm. The infection strategies include programs such as spreaders that infect other software to conduct drive-by-download/drive-by-cache attacks. This talk delves deep into the design of present-day malware and advancements in attack techniques and infection strategies. This talk is an outcome of real time case studies. Several demos will be shown to back up the arguments.
AI Generated Summarymay contain errors
Here’s a summary of the content:
The speaker is demonstrating how a VMware machine infected with malware (IsPot) can communicate with its command and control panel. The system is in a “ready state” to send data back to the panel. To show how this works, the speaker opens a Chase.com website and submits fake credentials, which are then captured by the malware. The speaker then checks the command and control panel’s reports, which show the accessed website, operating system, and other details.
The speaker highlights that these types of attacks can target any website, not just banks. They also mention that botnet authors often implement time constraints, such as only connecting to the command and control server after a certain time lag.
The discussion then shifts to how defenders can combat these types of man-in-the-browser attacks. The speaker believes that while it’s an “arms race” between attackers and defenders, there are enough restrictions on what attackers can do that defenders can stay ahead.
One of the challenges in detecting these threats is that anti-virus software relies on signature-based detection, which can be evaded by malware authors using obfuscation techniques like polymorphic encryption. Additionally, inline hooking in browsers is difficult to detect because it uses Microsoft Windows’ built-in hot patching concept.
The speaker concludes that while antivirus engines can provide some assurance, they cannot prevent man-in-the-browser attacks or web injects until the system is detected as infected. The financial incentives for malware authors are significant, making it an ongoing battle between attackers and defenders.