2011-11-01
Abstract
Botnets such as Zeus, SpyEye and others use the effective technique of form grabbing to steal sensitive information from victims’ machines. Aditya Sood and his colleagues take a detailed look at the form-grabbing technique.
Copyright © 2011 Virus Bulletin
Third generation banking botnets pose a great threat to the online banking industry. Botnets such as Zeus, SpyEye and others use the effective technique of form grabbing to steal sensitive information from victims’ machines. This paper takes a detailed look at the form-grabbing technique.
Third generation botnets such as Zeus and SpyEye exploit their victims’ user sessions with banking websites in order to steal financial information. There are a number of different information-stealing techniques available:
Keylogging is an established technique in which all the keystrokes on a victim’s machine are captured and sent back to the C&C server for analysis, and the desired information is extracted from the keystroke logs. This technique captures all types of data including keystrokes such as white space and backslashes. From an attacker’s perspective, the technique works well in certain scenarios, but in a distributed infection environment the enormous amount of data generated can be overwhelming. In addition, defensive strategies such as the use of virtual keyboards have been developed to hide critical information from keyloggers.
Screen scraping (aka screen shot capturing) is another technique that is used extensively. Here, the bot is able to take a screenshot of the victim’s machine when a particular key is pressed and send this to the attacker’s server. This technique can circumvent virtual keyboard technology. Screen scraping generates huge data sets and significant effort is required to extract the desired information. In spite of the extra effort required, this technique has been deployed successfully as part of botnet functionalities.
Browser protected storage is a built-in browser storage mechanism which stores user credentials as part of the browser’s form auto-complete feature. A botnet can extract information such as login credentials, SSL certificates and other user preferences. Successful use of this technique depends on the user having selected the ‘Remember my password’ option, or the option being on by default.
Redirection through phishing and pharming is a technique that redirects the victim’s browser to a malicious domain when the user clicks a certain link. This technique is not limited to phishing emails. Malware installed on the victim’s machine can independently inject location headers in responses to redirect the browser to a malware-driven website. Other similar sets of attacks such as cross site scripting (XSS) or header spoofing can be used to support this technique.
Form grabbing is currently one of the most widely used methods for stealing information and specifically targets the information entered into web forms. Third generation botnets use this technique to extract information from a victim’s browser when the victim has an active session with a banking website. A detailed explanation of form grabbing follows in the next section.
Every method currently employed by botnets for stealing information in browsers has both advantages and disadvantages depending on the environment in which it is implemented. Currently, form grabbing is the most widely used and most profitable method of extracting information.
Form grabbing has proven to be a very effective technique for stealing information. One valuable aspect of the technique is that information is extracted from forms, so it is very easy to identify desirable information such as account details and passwords. This technique has been put into practice to bypass several browser protection mechanisms. The basic idea is to intercept form information before it is sent to the Internet – the GET/POST data. Form grabbing uses two basic methods to steal the information:
All the GET/POST data is sniffed from the outgoing data using PCAP (Packet Capture). However, this technique only works for unencrypted communication (i.e. it doesn’t work if SSL/TLS is implemented over HTTP).
Robust form grabbing uses hooking. In this approach, malware residing on the victim’s machine hooks the browser’s Dynamic Link Libraries (DLLs) in order to steal the content before it is sent to the server. If done correctly, the content can be stolen before it is encrypted. This theft can be accomplished by a variety of hooking mechanisms – a malicious browser add-on is one example.
Within browser exploitation, form grabbing can occur as part of a man-in-the-browser (MITB) attack [1], [2]. In this type of attack, malware installed on the system can modify web pages and perform illegitimate operations on behalf of the user. All the malware classes as described in our Browser Malware Taxonomy (BMT) [3] can execute this type of attack. Since the MITB malware resides on the victim’s machine and does not interact with traffic on the wire, this type of attack is effective even if SSL/TLS or two-factor authentication is enforced. A MITB attack can be deployed in a variety of environments depending on the browser behaviour. MITB is very robust.
In order to implement form grabbing effectively, the following cycle of activities must be maintained:
A victim must be lured into visiting a malicious domain configured with malware. As soon as the victim’s browser opens the infected website, a drive-by download exploits a vulnerability in the browser to drop malware onto the victim’s system. The malware could be a bot which is designed to conduct a MITB attack to allow form grabbing.
Once the downloaded malware (bot) is installed on the victim’s machine it automatically hooks the browser’s DLL. A variety of hooking techniques can be applied such as inline hooking, Import Address Table (IAT) hooking [4] or the Create Remote Thread (CRT) method. Generally, browser hooking is done in user mode.
Form grabbing controls the ingress and egress browser traffic to and from the victim’s browser. Generally, the malware captures all the GET/POST data present in web forms and sends it back to the attacker’s domain. Form grabbing provides the attacker with legitimate credentials, IP address and target website address. The technique differs from keylogging in that form data is labelled so the desired data is readily available.
Attackers prefer inline hooking. Import Address Table (IAT) hooking is less desirable because it requires binding time when the API is called. With inline hooking the designed hook replaces (overwrites) the first two to three bytes of data with a legitimate JMP instruction to redirect the code flow. This technique is quite robust, and can be used in either kernel land or user land. For example, the Zeus and SpyEye bots are ring 3 malware, which means that the hooks execute in user land rather than kernel land. Inline hooking, also known as hot patching, is a process in which a vulnerable function is patched with a hot-fix function during runtime by overwriting the function’s prolog. Consider the function prolog as presented in Listing 1:
MOV EDI, EDI
PUSH EBP
MOV EBP, ESP
Listing 1: Function prolog with hot patching instruction.
In Listing 1, PUSH EBP and MOV EBP/ESP is the generic code for every function prolog which establishes a stack frame pointer to the base register. The MOV EDI, EDI instruction is a two-byte NOP instruction provided by Microsoft in certain versions of Windows such as XP SP2, which enables hot patching. It means it is possible to replace the MOV EDI, EDI instruction or overwrite it with other code when the target function is hooked by the malware. Possible overwrites include a short jump to a long jump instruction that jumps to attacker-defined code. This process does not require a system reboot but is executed silently.
An alternative to inline hooking is the CreateRemoteThread hooking technique. For example, in Internet Explorer the wininet.dll library is loaded in order to hook the HttpSendRequestA function using CreateRemoteThread.
The prototype presented in Listing 2 can be used to handle the data in GET/POST requests in Internet Explorer. We need to find the address of WININT DLL using LoadLibrary, which is mostly loaded at the same address for every process in any particular version of Windows. The CreateToolhelp32Snapshot function is applied to take a snapshot of the required process and its memory structures such as heaps, modules and respective threads that are used by a specified process. The GetProcAddress function is called to load the address of the imported function from a particular library (in this case wininet.dll). The Process32 function is invoked to retrieve the information about the next process recorded in the system snapshot using CreateToolhelp32Snapshot. After this step, the target process is opened using the OpenProcess function (with full privileges) and VirtualAllocEx is used to allocate memory to hold the path to the DLL file (injected data) in the process’s memory. Once the required memory is allocated, the WriteProcessMemory function is called to write the path to the target DLL (wininet.dll) in the specified location. In the final step, CreateRemoteThread is used to create a remote thread in the address space of iexplorer.exe in order to perform the hooking during runtime. As the HttpSendRequestA function is hooked in wininet.dll, the data is sent back to the attacker’s domain.
# Include requisite libraries for importing functions.
#include< *.h> [*= required libraries ]
# Declaring a function for injecting data
typedef struct {
DWORD *HttpSend;
} Inject_Data;
int Inject(Inject_Data *hooked);
# Defining the main routine of the code
int main()
{
# Declare browser DLL�s as name as variables to be called in the code
Inject_Data Data;
LPVOID memory;
HANDLE remoteThread;
LPCSTR kernel_dll = <DLL Name>;
LPCSTR winint_dll = <DLL Name>;
# Creating a snapshot of the process
HANDLE handle = CreateToolhelp32Snapshot();
PROCESSENTRY32 ProcessInfo;
ProcessInfo.dwSize = sizeof(PROCESSENTRY32);
# Calling Load Library and GetProcAddress function
LoadLibrary();
hooked.HttpSend = (DWORD*)GetProcAddress(GetModuleHandle(Winnit),�HttpSendRequestA�);
Process32First();
# Start iteration
while(Process32Next())
{
# Open the target process
handle = OpenProcess();
# Allocate memory and then write memory
memory = VirtualAllocEx();
WriteProcessMemory();
# Create remote thread in the target process
remoteThread = CreateRemoteThread();
WaitForSingleObject();
loseHandle(handle);
}
return 0;
}
Listing 2: Prototype for hooking wininet.dll. (Note: All the required arguments and values required
to run this code have been removed explicitly.)
The form-grabbing module depends a lot on the browser type because of architectural differences and the way DLLs work. The attacker can design the form-grabber plug-in to steal data from the victim’s machine and send it back to the attacker’s domain via an email using socket functions. To determine the data exfiltration mechanisms we analysed an independent form-grabbing module which is used by some malware. This module is similar to the form grabber used by botnets such as Zeus and SpyEye. Figure 1 shows how the form-grabbing module works in Internet Explorer and Mozilla Firefox respectively.
When the malware is installed on the system, it first performs DLL injection into the requisite browser process (firefox.exe or iexplore.exe) and then performs hooking into the context of the respective running process. During analysis of the malware, we found that the form-grabbing module performs DLL injection using CreateRemoteThread and WriteProcessMemory, as presented in Figure 2.
Once the injection is successful, the malware hooks the pr_write function in nspr4.dll for Firefox and EncryptMessage in the secure32.dll library for Internet Explorer, as shown in Figure 3 and Figure 4 respectively.
In this case, GetProcAddress and GetModuleHandleA are used collaboratively to load a specific function for injecting a hook into the requisite process. The malware attempts to generate a log file that consists of all the data from GET/POST requests which are used in submission forms on banking websites. Figure 5 shows the creation of the log file.
The last step requires the stolen content to be sent to the data server. The malware creates a file using CreateFileA with the supplied name of ‘injector_form_log.txt’ where the stolen information is logged using WriteFile. This file acts as a data repository which is later sent back to the attacker. Figure 6 shows the way the analysed sample of malware performs this step.
The malware sends a POST request to an embedded domain name. It sets the HTTP headers required to execute the POST request successfully. The Content-Type parameter is set to ‘application/x-www-form-urlencoded’, which handles the form data. The Content-Length parameter shows the size of data to be posted with the HTTP request. In this way a complete HTTP request is sent to the attacker’s domain for collecting form credentials.
In this case study, we have presented a detailed layout of a form-grabbing module. This method of stealing information has become popular and one of the preferred choices of attackers. It is very difficult to design any protection mechanism against this kind of attack because it exploits the built-in hooking mechanism. Since the malware possessing this characteristic falls into the rootkit [5], [6] category, any anti-virus protection used must be able to detect rootkits.
In this paper, we have discussed different information-stealing methods used by malware. In particular, we have presented details of a form-grabbing method which is used extensively in botnet operations to steal information from victim machines. This method requires careful attention because malware exploits this technique in conjunction with other infection strategies to achieve maximum damage.
[1] Man In The Browser. http://blog.fireeye.com/research/2010/02/man-in-the-browser.html.
[2] Gühring, P. Concepts against man in the browser attacks. http://www.cacert.at/svn/sourcerer/CAcert/SecureClient.pdf.
[3] Sood, A.K.; Enbody, R.J. A browser malware taxonomy. http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy.
[4] Import Address Table. http://win32assembly.online.fr/pe-tut6.html.
[5] Butler, J.; Silberman, P. Rootkit Analysis, Identification and Elimination. Black Hat Europe 2006. http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf.
[6] Kasslin, K. Hide and seek – full stealth is back. Virus Bulletin International Conference 2005. http://www.virusbtn.com/pdf/conference_slides/2005/Kimmo%20Kasslin.pdf.