us-15-Park-Winning-The-Online-Banking-War.pdf

《us-15-Park-Winning-The-Online-Banking-War.pdf》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、TrendMicroWorkedforoneofbig4banksinAustraliafor6yearsasmalwaresecurityconsultant.DevelopedbankingmalwaredetectionsystemServedatSophos,Symantec,FireEyeandKasperskyCurrentlywithTrendMicroIdentifythecruxoftheonlinebankingwarSetthestrategicdefenseframeworkPoCdesign&implementation:MIPSSpa

2、mServerC&CSiteInfectionURLMalwareCampaignDropperDropSiteGotatokenforyourcorporateaccount?Doyoustillfeelsafe?NowyouarelockedoutwhiletheybuyenoughtimetotransfermoneyThereisnosuchathingas‘PleaseWait’intheonlinebankingpage.What’shappeningwhileyouarewaiting…Evenwhenthereisnovisualsignofinfe

3、ction,itcanhappensilently.C&CcommunicationduringTxpagesWhatisthemalwarereceiving?InjectandMuleMule’sAccountTransferAmountInformation$("#submit").on("click",function(){varid=$("#signin-id").val();varpw=$("#signin-password").val();console.log(">>DOMInject:"+id+“:"+pw);});WebOnlineBrowserBa

4、nkingPOST/mipsMIPSMIPS_INTELInjectBlacklistMalwareIntelligenceMalwareinjectremovesitself,butitstillremainsinthememoryExploitmemoryleakpatternsDanglingreferencesCircularreferencesClosuresDOMbodybuttonscriptonclickscriptvarme=document.currentScript;me.parentNode.removeChild(me);DOMbodyRe

5、fToDomRefToSCriptscriptvarrefToDom=document.body;document.body["refToScript"]=refToDom;DOMbodybuttononclickscriptfunctionAttachEvent(element){element.attachEvent("onclick",MyClickHandler);functionMyClickHandler(){/*Thisclosurereferenceselement*/}}Identifyentrypoints(unload,click,timer)Enu

6、merateeventhandlerselement.onclick=handlerScan:element.onclickelement.addEventListenerScan:getEventListeners(element,“click”)$(element).on(“click”,handler)Scan:$._data(element,"events")$(element).observe(“click”,handler)Scan:element.getStorage().get('prototype_event_registry').get('click')F

7、or$(‘#submit’),‘click‘,Eventhandler’snamespacepropertyismissingNormalDOMStealthbutton01button01button01button01button01button01‘’DOMUser-definedFunctionsWhitelistFunctionFunctionFunctionFunctionFunction?Enumerateuser-definedfunctionsObject.keys(window)