Current Man-in-the-Browser (MITB) trojans like Trickbot or Dridex are pretty much similar to first generation bots like Zeus or Zbot. They all include a list of targets and corresponding webinjects and still offer essentially the same features such as keylogging, form-data harvesting, and remote control (RAT) capabilities.
Today, we are seeing a number of client-side defense proposals being rushed through the standardization process, such as CSP, Subresource Integrity and HPKP. In part, these standards are a response to the permissiveness of the browser against injection attacks.
We argue that it is important to understand how effective these standards can be against MITB attacks specifically and anticipate how attackers will evolve the MITB trojans in an attempt to defeat those defenses.
In this talk, based on our work, we fast-forward to a not so distant future of MITB attacks by demoing a home grown MITB trojan that: 1) is resistant to a number of current defenses by tampering with headers and by exploiting JavaScript code polymorphism; 2) holds capabilities that range from credential and data leakage to website hijacking. We'll also cover approaches to defeat these next-gen trojans by employing similar code attacking techniques and demoing how to detect and react to these trojans.
This talk is organized in four sections: 1) Man-in-the-Browser (MITB) evolution, 2) Client-side defenses, 3) Crafting the next-gen MITB trojan, and 4) Conclusions and future work.
In the first section, we will present a quick chronological evolution of MITB trojans. We will review important concepts like Browser Helper Objects (BHO), Web Injects, Form Grabbing, Stored data exfiltration, keylogging, etc. Most of these concepts are still relevant as current generation MITB trojans are still very similar to first generation bots like Zeus.
We will focus on some capabilities that were added to trojans to bypass defenses. Even though through the years, they evolved very little, we have seen some trojans moving from static to dynamic webinjects, allowing the attack to adjust to the rollout of new defenses; we have seen them become more resilient to AVs and to static and dynamic analysis; employing Domain Generation Algorithms (DGA) to remain connected with their C&Cs; and even trojans that are able to tamper with HTTP headers (e.g. Tinba). Other traits such as the use of reverse connections via proxy and Remote Access (RAT) capabilities will be covered too.
In section 2, we will cover a number of different defense mechanisms/techniques - some of which are still being standardized - such as Content Security Policy (CSP), Subresource Integrity, JavaScript Sandboxing, WAFs, User behavior analytics and Device Fingerprinting. We will discuss how effective they can be against current MITB attacks and where they fall short. We will draw strategies that can be followed by MITB trojans to defeat or bypass these defenses/techniques.
In section 3, we will dive into the goodies. We will present the capabilities we have designed using a modified implementation of Zeus. These capabilities include HTTP header manipulation, to for instance defeat CSP and other types of defenses based on HTTP headers; the use of metamorphic and polymorphic JavaScript, to avoid detection; etc. We will also explore advanced scenarios like the use of HPKP suicide attacks conveyed by MITB trojans. A demo of our Trojan will be shown at this point.
In section 4, the discussion will move on to identify the strategies that can be followed to fight our bot. We will give our opinion on where the appsec community needs to focus next, in order to be prepared for more sophisticated MITB attacks. We’ll draw our conclusion and present our ideas for future work.
