Chapter 6. Crimeware in the Browser

Dan Boneh, Mona Gandhi, Collin Jackson, Markus Jakobsson, John Mitchell, Zulfikar Ramzan, Jacob Ratkiewicz, and Sid Stamm

This chapter considers crimeware that executes solely in the user's web browser, but that does not exploit a vulnerability on that browser. The chapter starts with a discussion of transaction generators, which can be used to modify online transactions (performed using a web browser) in real time. Next, the concept of a drive-by pharming attack is studied—this attack shows how home router DNS settings can be changed when the victim simply views an external web page. Finally, this chapter considers badvertisements, which demonstrate how JavaScript can be used to simulate fraudulent clicks on online advertisements.



6.1. Transaction Generators: Rootkits for the Web[*]

[*] This section is by Collin Jackson, Dan Boneh, and John Mitchell.



Current phishing attacks steal user credentials, either by directing users to a spoofed web page that fools them into revealing a password, or by installing keylogging malware that records user passwords and sends them to the phisher. In response, web sites are deploying a variety of back-end analytic tools [74, 301, 325] that use past user behavior to determine transaction risk, such as the time of day when the user is typically active and the user's IP address and location. Some sites are moving to stronger authentication using one-time password tokens such as RSA SecurID [359]. These methods, as well as many other antiphishing proposals [86, 163, 206, 300, 357, 486], focus primarily on reducing the value that phishers derive from stolen passwords.

Fortunately for thieves, and unfortunately for the rest of us, a new form of attack using a transaction generator (TG) allows criminals to manipulate user accounts directly without stealing user credentials or subverting authentication mechanisms. TG attacks generate fraudulent transactions from the user's computer, through malicious browser extensions, after the user has authenticated to the site. A TG quietly sits on the user's machine and waits for the user to log in to a banking or retail site. Once the authentication completes, web sites typically issue a session cookie used to authenticate subsequent messages from the browser. These session cookies reside in the browser and are fully accessible to malware. A TG can thus wait for the user to securely log in to the site and then use the session cookie to issue transactions on behalf of the user, transferring funds out of the user's account or purchasing goods and mailing them off as "gifts." To the web site, a transaction issued by a TG looks identical to a legitimate transaction issued by the user—it originates from the user's normal IP address at the usual time of day—making it hard for analytic tools to detect.

Because TGs typically live inside the user's browser as a browser extension, SSL provides no defense against a TG. Moreover, a clever TG can hide its transactions using stealth techniques discussed in the next section. To date, we have seen only a few reports of TGs in the wild [374], but we anticipate seeing many more reports as adoption of stronger authentication becomes widespread.

In Section 6.1.3, we explore a number of mitigation techniques, including transaction confirmation. A transaction confirmation system consists of isolated client-side software and a trusted path to the user that enables web sites to request confirmation for transactions that the site deems risky.

Cross-Site Request Forgery. At first glance, a TG may appear to be related to cross-site request forgery (CSRF) [72]. A CSRF vulnerability is caused by an incorrect implementation of user authentication at the web site. To prevent CSRF attacks, the web site need only implement a small change to its user authentication system; this modification is transparent to the user. In contrast, a TG running inside a client browser is much harder to block, and defenses against it require changes to the user experience at the site.



6.1.1. Building a Transaction Generator

TGs can lead to many types of illegal activity:

Pump-and-dump stock schemes [324]. The TG buys prespecified stock on a prespecified date to artificially increase the value of penny stock.

Purchasing goods. The TG purchases goods and has them shipped to a forwarding address acquired earlier by the phisher.

Election system fraud. For voting-at-home systems, such as those used for collecting shareholder votes, a TG can be used to alter votes in one way or another.

Financial theft. A TG can use a bill-pay service to transfer funds out of a victim account.

Example. Building a TG is trivial, as shown in the following hypothetical example. This Firefox extension waits for the user to land on the www.retailer.com/loggedin page, which is reached once the user has properly logged in at the retailer. The TG then issues a purchase request to www.retailer.com/buy and orders 10 blenders to be sent to some address in Kansas. Presumably the phisher hired the person in Kansas to ship the blenders to an offshore address. The person in Kansas (the "mule") may have no idea that he or she is involved in illegal activity.

[The XUL source of the example extension is not preserved in this copy; only the fragment there.is.only.xul"> (the tail of the XUL namespace declaration) survives.]

6.1.2. Stealthy Transaction Generators

Transactions generated by a TG will show up on any transaction report page (e.g., an "items purchased" page) at the web site. A clever TG in the user's browser can intercept report pages and erase its own transactions from the report. As a result, the user cannot tell that fraud occurred just by looking at pages at the site. For example, the following single JavaScript line removes all table rows on a transaction history page that refer to a blender:

    document.body.innerHTML =
        document.body.innerHTML.replace(
            /<tr>.*?blender.*?<\/tr>/gi, "");



We have tested this code on several major retailer web sites.

Moreover, suppose a user pays her credit card bills online. The TG can wait for the user to log in to her credit card provider site and then erase the fraudulent transactions from the provider's report page, using the same line of JavaScript shown previously. The sum total amount remains unchanged, but the fraudulent transaction does not appear in the list of transactions. Because most consumers do not bother to check the arithmetic on report pages from their bank, the consumer will pay her credit card bill in full and remain unaware that the bill includes a stealthy fraudulent transaction. This behavior is analogous to how rootkits hide themselves by hiding their footprints on the infected system.

The net result of stealth techniques is that the consumer will never know that her machine issued a nonconfirmed transaction and will never know that she paid for the transaction.



6.1.3. Countermeasures

Mitigation Techniques

We discuss three potential mitigation techniques against the stealthy TGs discussed in the previous section. The first two are easy to deploy, but can be defeated. The third approach is the one we advocate.

1. CAPTCHA. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) on the retailer's checkout page will make it harder for a TG to issue transactions automatically. Retailers, however, balk at this idea because the CAPTCHA complicates the checkout procedure and can reduce conversion rates. There are also security concerns because phishers can hire real people to solve CAPTCHAs. After all, if one can buy a $50 blender for free, it is worth paying $0.10 for someone to manually solve the challenge of the CAPTCHA. Alternatively, the malware may try to fool the authenticated user into solving the CAPTCHA for a malicious transaction, while the user thinks he or she is solving the CAPTCHA for some other purpose. Overall, we believe CAPTCHAs cannot defeat a clever TG.

2. Randomized Transaction Pages. As mentioned earlier, a stealthy TG can remove its transactions from an online credit card bill, thus hiding its tracks. Credit card providers can make this a little more difficult by presenting the bill as an image or by randomizing the structure of the bill. As a result, it is more difficult for a TG to make surgical changes to the bill.

3. Transaction Confirmation: A Robust Defense. An online merchant can protect itself from TGs by using a confirmation system that enables users to confirm every transaction. The confirmation system should be unobtrusive and easy to use.

Here we propose a simple web-based confirmation system that can be deployed with minimal changes to the web site. The system combines confirmation with the checkout process. On the client side, the system consists of two components:

A confirmation agent that is isolated from malware infecting the browser. In our prototype implementation (called SpyBlock), the browser runs in a virtual machine (VM) while the agent runs outside the VM. Alternatively, the confirmation agent might live on a separate hardware device such as a USB token or a Bluetooth cell phone.

A browser extension that functions as an untrusted relay between the confirmation agent and the remote web site.

We briefly describe the confirmation process here. The confirmation agent and remote web site share an ephemeral secret key generated by an identity system such as CardSpace during user login. During checkout, the remote web site can request transaction confirmation by embedding the following simple JavaScript on the checkout page:

    // window.spyblock is exposed by the (untrusted) relay extension
    if (window.spyblock) {
        // hand the transaction details to the agent; the observer callback
        // receives the MAC once the user has confirmed in the agent's dialog
        spyblock.confirm(document.form1.transaction, {
            observe: function (subject, topic, data) {
                document.form1.transactionMAC.value = data;
            }
        });
    }



This script interacts with the untrusted browser extension that relays the transaction details to the confirmation agent. The confirmation agent displays the details to the user and asks the user to confirm the transaction. If the user confirms, the agent sends back a MAC of the transaction details to the browser extension, which then forwards the MAC to the remote web site. The web site verifies that the MAC is valid: if it is valid, the web site fulfills the transaction.

Security relies on two properties. First, the agent's secret key must be isolated from malware. Second, the confirmation dialog must not be obscured by a malware pop-up, to ensure that the user confirms the correct transaction details. Similarly, malware must be prevented from injecting mouse clicks into the agent's dialog. Note that simply spoofing the confirmation dialog is of no use to the TG, because it cannot generate the necessary MAC itself.



A Nonsolution

Clearly, a potential solution to the TG problem is to prevent malware from getting into the browser in the first place. However, the widespread penetration of end-user machines by spyware and bot networks [263] underscores the vulnerability of many of today's machines to malware attacks. We do not expect this situation to change anytime soon.


