[e-gold-list] Real-time man-in-the-middle attack

George Hara georgegabrielhara at fastmail.fm
Wed Mar 12 11:04:25 MST 2008


http://www.symantec.com/enterprise/security_response/weblog/2008/01/banking_in_silence.html

Banking in Silence

Targeting over 400 banks (including my own :( ! ) and having the ability
to circumvent two-factor authentication are just two of the features
that push Trojan.Silentbanker into the limelight. The scale and
sophistication of this emerging banking Trojan is worrying, even for
someone who sees banking Trojans on a daily basis.

This Trojan downloads a configuration file that contains the domain
names of over 400 banks. Not only are the usual large American banks
targeted but banks in many other countries are also targeted, including
France, Spain, Ireland, the UK, Finland, Turkey—the list goes on.

The ability of this Trojan to perform man-in-the-middle attacks on valid
transactions is what is most worrying. The Trojan can intercept
transactions that require two-factor authentication. It can then
silently change the user-entered destination bank account details to the
attacker's account details instead. Of course the Trojan ensures that
the user does not notice this change by presenting the user with the
details they expect to see, while all the time sending the bank the
attacker's details instead. Since the user doesn’t notice anything wrong
with the transaction, they will enter the second authentication
password, in effect handing over their money to the attackers. The
Trojan intercepts all of this traffic before it is encrypted, so even if
the transaction takes place over SSL the attack is still valid.
Unfortunately, we were unable to reproduce exactly such a transaction in
the lab. However, through analysis of the Trojan's code it can be seen
that this feature is available to the attackers.

The Trojan does not use this attack vector for all banks, however. It
only uses this route when an easier route is not available. If a
transaction can occur at the targeted bank using just a username and
password, then the Trojan will take that information; if a certificate is
also required, the Trojan can steal that too; if cookies are required, the
Trojan will steal those. In fact, even if the attacker is missing a
piece of information to conduct a transaction, extra HTML can be added
to the page to ask the user for that extra information. (In the example
below the user is asked to enter their encryption key, in addition to
the regular information.)

Here is the login form viewed on a clean machine:

Below the form presented to an infected user is shown, the input box
added by the Trojan has been marked in red:

When instructed, the Trojan can also redirect users to an
attacker-controlled server instead of the real bank in order to perform
a classic man-in-the-middle attack. Currently there is only one bank
targeted in this way; however, recent updates to the Trojan change the
user's DNS settings to point to an attacker-controlled server. Using
this technique the Trojan can start redirecting any site to an attacker
site at any time. This feature could also mean that if the Trojan is
removed but the DNS settings are left unchanged then the user may still
be at risk. (See below for the attackers' DNS server addresses.)

Add to all of the above the ability to steal FTP, POP, Web mail,
protected storage, and cached passwords and then we start to see the
capabilities of this Trojan. But, it doesn’t stop there – don't forget
the porn! The Trojan also contains over 600 pornographic Web site URLs
that can be shown to the infected user so that the attacker can make
money from the referrals.

Lastly, the Trojan can also download updates, which it regularly does.
It can also download other executables and it can use the infected
machine as a proxy or as a Web server on any chosen port (in tests the
http port used was 18102).

...

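As an added illustration, not part of this post or of Symantec's write-up, the Python sketch below models why the destination swap described above succeeds against a plain one-time password and fails when the second factor is bound to the destination and amount the user actually sees. The shared secret, account numbers, counter and 8-digit code format are constructed assumptions, not any bank's real scheme.

```python
import hashlib
import hmac

# Constructed value for illustration only: a secret shared by the customer's
# token and the bank. Not taken from the post.
TOKEN_SECRET = b"demo-secret-shared-by-token-and-bank"


def _code(secret: bytes, msg: bytes) -> str:
    """Truncate HMAC-SHA256 to an 8-digit code, as a hardware token would display."""
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """Event-based one-time password: depends only on a counter, not on the transfer."""
    return _code(secret, counter.to_bytes(8, "big"))


def bound_code(secret: bytes, dest_account: str, amount_cents: int) -> str:
    """Transaction-bound code: covers the destination and amount the user sees."""
    return _code(secret, f"{dest_account}|{amount_cents}".encode())


def bank_accepts_plain(secret: bytes, counter: int, code: str) -> bool:
    # The OTP carries nothing about the transfer, so the bank cannot tell
    # whether the destination it received is the one the user approved.
    return hmac.compare_digest(plain_otp(secret, counter), code)


def bank_accepts_bound(secret: bytes, received_dest: str, received_amount: int, code: str) -> bool:
    # The bank recomputes the code over what it actually received.
    return hmac.compare_digest(bound_code(secret, received_dest, received_amount), code)


def silent_swap(user_dest: str, attacker_dest: str, amount_cents: int, counter: int = 7):
    """Model the scenario in the post: the browser shows the user their own
    destination while the request sent to the bank carries the attacker's.
    Returns (accepted with plain OTP, accepted with transaction-bound code)."""
    otp = plain_otp(TOKEN_SECRET, counter)                       # user types the token's OTP
    signed = bound_code(TOKEN_SECRET, user_dest, amount_cents)   # user signs what they see
    return (bank_accepts_plain(TOKEN_SECRET, counter, otp),
            bank_accepts_bound(TOKEN_SECRET, attacker_dest, amount_cents, signed))


if __name__ == "__main__":
    # Constructed account numbers; prints (True, False)
    print(silent_swap("DE00 1234 5678", "DE00 9999 9999", 150000))
```

The second value is False because the code the user produced for their own destination does not verify for the attacker's, which is the property a plain OTP lacks.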
