ASERT Threat Intelligence Brief 2013-2 - Citadel's Man-in-the-Firefox: An Implementation Walk-Through
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Arbor Security Report ASERT Threat Intelligence Brief 2013-2 Citadel's Man-in-the-Firefox: An Implementation Walk- Through Dennis Schwarz, Arbor ASERT. September 17, 2013 © Copyright 2013 Arbor Networks, Inc. All rights reserved.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 Introduction While banking malware or "bankers" have a lot of functionality, they are defined by their Man-in-the-Browser (MITB) implementation. This mechanism allows them to not only steal banking usernames and passwords, but also inject arbitrary content into banking websites in order to social engineer and try and steal additional credentials such as identifying information, pins, and token codes. This paper will walk through Citadel's MITB implementation for the Firefox 21.0 web browser. Citadel was chosen as the malware of interest because at the time of writing it was one of the main banking trojans being used in the wild. The focus will be on Firefox 21.0 because it is an easier target to walk through, but the concepts can be extrapolated to (and have been implemented for) other browsers--Internet Explorer, Opera, and some versions of Chrome [12]. Since its arrival sometime in early 2012, there has been a lot of good analysis on Citadel as a whole, [1] and [2] being good starting points. But, they don't venture very deeply into the MITB functionality. Likewise, there have been a lot of good write-ups and proof of concept code for MITB techniques [3], but they have usually stopped short of showing in the wild, malicious implementations. The goal of this paper is to help bridge that gap. Citadel Samples While the walk-through strives to be generic, the following Citadel version 1.3.5.1 samples were used (some of the configurations were modified slightly for demonstration purposes): The first is available at the time of writing at [4] and [5]. The second is at [8] and [9]. These are live malware samples! Stay safe. MD5 (great.exe) = 45f7ab75c1cd77fbd0844acebd3af501 MD5 (IMG2013-05-31-022019.JPG...................mediaplayer.exe) = 566d525033e9371ae808e2c524f64fa8 A labeled IDA database for "great.exe" will be available on Arbor Network's GitHub [14]. Debugging Citadel Pro Tips The following nice-to-knows were helpful in the course of this research: • Citadel has some basic anti-Virtual Machine functionality. Instructions on how to work around this constraint in VirtualBox can be found here [10]. • The persistent binary was stored in $USER\AppData\Roaming\[random characters]\[random characters].exe. Its size will be approximately 221 KB in size: 2 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 • Set a just-in-time debugger and make liberal use of 0xCC breakpoints. • Command and Control (C&C) communications happen from injected processes. The initial phone home usually comes from taskhost.exe. • To find the Citadel portion of memory in an injected process, use Process Hacker's memory tab, sort by "Protection". The permissions will be set to "RWX" and the size will be around 236 KB in size: • A research test-bed can be hacked together using MySQL, PHP, the server control panel from the Reddit leak at [11], a client's Login key, and its C&C RC4 key. • The Login key can be found by looking for a 32 character hexadecimal string that looks like a MD5 hash. An example is "F5F4D5EBD5855E904AB8DB757D320604". • The RC4 algorithm is slightly modified and the Login key is XOR'd in as well. To find the RC4 function in Citadel, trace Xrefs for the Login key string and use the pseudo-random generation algorithm (PRGA) description at [13] to identify the code. The following is the Hex-Rays decompiled function: © Copyright 2013 Arbor Networks, Inc. All rights reserved. 3
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 • There are two RC4 key states used. The first to decrypt the base, static configuration and the second for C&C communications. Set a breakpoint on the RC4 function. The second argument will be the key state and it will be 256 bytes in size. • Launch Firefox from a command shell. Set "MOZ_CRASHREPORTER_DISABLE=1" to get just-in- time debugging to work. Conventions The pseudo code used throughout this paper is a mixture of Python, C, and English. This seems the most natural approach to help explain things. Since Citadel is a fork of the Zeus trojan, and the latter's source code has since been leaked [6], the names used in the walk-through will match the source code as much as possible. Finding and Injecting into Firefox There are four methods that Citadel uses to find and inject itself into Firefox processes running on a target system: 1. CoreInject_injectToAll function 2. CoreHook_hookerNtCreateUserProcess function hook 3. CoreHook_hookerNtCreateThread function hook 4. CoreHook_hookerLdrLoadDll function hook 4 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 CoreInject_injectToAll Function (Mass Injection) During Citadel's start up, a call to CoreInject_injectToAll is made. To find, trace IDA Pro Xrefs for "CreateToolhelp32Snapshot". The call graph is: Core_entryPoint >> Core_runAsBot >> CoreInject_injectToAll As the name implies, it tries to inject itself into all permissible processes, Firefox included. The method used is a traditional process injection technique. The first step is process iteration: // take a snapshot of all processes procs = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, ...) // iterate through first process proc = Process32First(procs, &proc_struct) while proc: pid = proc_struct.th32ProcessID // permission checks CoreInject_injectMalwareToProcess(pid, ...) // iterate through next process proc = Process32Next(procs, &proc_struct) Next, CoreInject_injectMalwareToProcess does three things: allocates memory in the target process, copies Citadel's code to the allocated memory, and then spins up a new remote thread--starting execution at the injected code's entry point. Here is the outline of this function and Core_initNewModule: CoreInject_injectMalwareToProcess(pid, ...) // get handle to process proc_handle = OpenProcess(..., pid) // allocate memory and write Citadel to target process remote_mem = Core_initNewModule(proc_handle, ...) // calculate entry point ep = remote_mem + Core_injectEntryForThreadEntry - base_addr // start remote thread in target CreateRemoteThread(proc_handle, ..., ep, ...) Core_initNewModule(proc_handle, ...): // anti-virus detection PeImage_copyModuleToProcess(base_addr, proc_handle) © Copyright 2013 Arbor Networks, Inc. All rights reserved. 5
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // update some configuration pieces in the injected code Memory allocation and code injection actually happens in PeImage_copyModuleToProcess. The first argument to this function is the base address of the injecting process's main module--a Portable Executable (PE) file: PeImage_copyModuleToProcess(base_addr, proc_handle): // figure out PE DOS header offset pe_dos_header = base_addr // figure out PE NT headers offset pe_nt_headers = pe_dos_header + pe_dos_header->e_lfanew size = pe_nt_headers->OptionalHeader.SizeOfImage // allocate buffer in remote process. set read, write, execute // permissions remote_mem = VirtualAllocEx(proc_handle, NULL, size, RWX, ...) // rebase injected image WriteProcessMemory(proc_handle, remote_mem, size, ...) Here is a visual of Firefox injected with Citadel. On this run, the size was 0x3B000 (241,664) bytes and the starting address of the remote buffer was 0x22C0000: 6 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 Rebasing the injected code needs a quick review. A PE file can specify a preferred base address of where in memory it would like to be loaded. Using this base, addresses will be calculated in the executable. As an example, notice how the push instructions (opcode 0x68) references address 0x409284--using a common default preferred base address of 0x400000): If, on load, the preferred base address is already mapped (by a DLL for instance), the Windows loader, with the help of the executable's PE relocation section (.reloc), will choose another base address, recalculate any addresses and update the respective instructions. The "Base Relocations" section of [7] along with a visual PE editor, like CFF Explorer, provides additional insight into the rebasing process. Since Citadel doesn't have the luxury of using the Windows loader when it injects itself into a process, it has to do this rebasing process manually. © Copyright 2013 Arbor Networks, Inc. All rights reserved. 7
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 After process injection and back in CoreInject_injectMalwareToProcess, the entry point for the remote thread is calculated by taking the address of Core_injectEntryForThreadEntry, subtracting the injecting process's base address and then adding the start address of the remotely allocated buffer. This ends up being a wrapper of Core_defaultModuleEntry. CoreHook_hookerNtCreateUserProcess Function Hook The second injection method involves hooking NtCreateUserProcess--an undocumented, low-level function exported from ntdll.dll. The more familiar CreateProcess uses this function to create a new process. If Firefox were launched after the initial mass injection, its process will have been created by explorer.exe (user shell) or another one of its descendants injected with Citadel. The hooking method will be discussed later. For now, whenever explorer.exe (or any other Citadel infected process) calls NtCreateUserProcess, CoreHook_hookerNtCreateUserProcess is called instead. To find the function hook, trace IDA Pro Xrefs for "GetThreadContext": CoreHook_hookerNtCreateUserProcess(...): // call the real NtCreateUserProcess to create process NtCreateUserProcess(...) // allocate memory and write Citadel to target process remote_mem = Core_initNewModule(proc_handle, ...) // calculate entry point ep = remote_mem + Core_injectEntryForModuleEntry - base_addr // get thread context GetThreadContext(..., &thread_context) // check if EIP points to thread start routine if thread_context.Eip == RtlUserThreadStart: // see notes below thread_context.Eax = ep // reset thread context SetThreadContext(..., &thread_context) During initialization, Core_init saves function pointers to the real NtCreateUserProcess function (and others) for use in their respective hooks: Core_init(...): ... ntdll = GetModuleHandle("ntdll.dll") NtCreateThread = GetProcAddress(ntdll, "NtCreateThread") 8 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 NtCreateUserProcess = GetProcAddress(ntdll, ...) NtQueryInformationProcess = GetProcAddress(ntdll, ...) RtlUserThreadStart = GetProcAddress(ntdll, ...) LdrLoadDll = GetProcAddress(ntdll, ...) LdrGetDllHandle = GetProcAddress(ntdll, ...) On entry to the function hook, the real NtCreateUserProcess is called. After Citadel injects itself into the newly created process via the familiar Core_initNewModule, an entry point to Core_injectEntryForModuleEntry is calculated: Core_injectEntryForModuleEntry(): // Citadel initialization things Core_defaultModuleEntry() // get base address of original executing process // firefox.exe, for example base_addr = GetModuleHandle(NULL) // figure out PE DOS header offset pe_dos_hdr = base_addr // figure out PE NT headers offset pe_nt_hdrs = pe_dos_hdr + pe_dos_hdr->e_lfanew // get original entry point from PE headers // firefox.exe's entry point, for example oep = pe_nt_hdrs->OptionalHeader.AddressOfEntryPoint + base_addr // call original entry point, // i.e. continue launching firefox.exe return oep() Back in the hook, the main thread's context is retrieved from the newly created process via GetThreadContext. The instruction pointer is checked to see if it points to the thread initialization routine RtlUserThreadStart--an undocumented, low-level thread initialization function from ntdll.dll. The convention to change a thread's entry point on resume is to update its context's EAX register to point to the respective address. The context is reset via a SetThreadContext call. CoreHook_hookerNtCreateThread Function Hook If NtCreateUserProcess's address can't be resolved, NtCreateThread will be hooked instead. This is an undocumented, low-level function exported from ntdll.dll that the more familiar CreateThread calls to create new threads. The idea behind this hook is akin to the former except that it operates at the thread level. © Copyright 2013 Arbor Networks, Inc. All rights reserved. 9
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 It starts by determining whether the thread being created is the initial thread of the process and if so, injects itself in. To find the function hook, trace IDA Pro Xrefs for the "NtQueryInformationProcess" string and follow where it gets used: CoreHook_hookerNtCreateThread(...): // get process ID NtQueryInformationProcess(proc_handle, ..., pbi, ...) // get number of threads threads = Process_getCountOfThreadsByProcessId(pid) if threads == 0: // allocate memory and write Citadel to target process rem_mem = Core_initNewModule(proc_handle, ...) // calculate entry point ep = rem_mem + Core_injectEntryForModuleEntry - base_addr // set thread entry point thread_context->Eax = ep // call and return real NtCreateThread NtCreateThread(..., thread_context, ...) The rest of the code is very similar as before except the thread context with the Citadel entry point is passed to the real NtCreateThread function. The entry point is the same, Core_injectEntryForModuleEntry. CoreHook_hookerLdrLoadDll Function Hook The last injection technique isn't really an injection method, but it does offer another way for Citadel to hook Firefox with its MITB code. This technique relies on one of the previous methods to get Citadel into a process. Once it has been injected, it will hook the LdrLoadDll function--another undocumented, low-level function exported from ntdll.dll that the more familiar LoadLibrary function calls to load in libraries. If a Citadel infected process loads "nspr4.dll", CoreHook_hookerLdrLoadDll will be called instead. To find the function hook, trace IDA Pro Xrefs for the "chrome.dll" Unicode string: CoreHook_hookerLdrLoadDll(...) // call the real LdrLoadDll to load in the DLL handle = LdrLoadDll(..., ModuleFileName, ...) // check whether nspr4.dll is being loaded if ModuleFileName == "nspr4.dll": // check whether functions have already been hooked // hook Firefox functions 10 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 WinApiTables_setNspr4Hooks(ModuleHandle) else: // hook Google Chrome // not relevant for example, removed return handle Function Hooking Citadel uses a couple of different hooking methods depending on the particular function being hooked. It starts in WinApiTables_hookList, which handles some housekeeping. To find the hooking function, trace IDA Pro Xrefs for "VirtualAllocEx". WinApiTables_hookList then calls WaHook_hook to perform the actual hooking. For the Firefox MITB function hooks, the call graphs from the injection entry points are listed here: Core_injectEntryForThreadEntry or Core_injectEntryForModuleEntry >> Core_defaultModuleEntry >> Core_init >> Core_initHooks >> WinApiTables_setNspr4Hooks >> WinApiTables_hookList The call graph from the LdrLoadDll hook is this: CoreHook_hookerLdrLoadDll >> WinApiTables_setNspr4Hooks >> WinApiTables_hookList The WinApiTables_hookList function works on an array of 16 byte WinApiTables.HOOKWINAPI structures. The structure is defined as follows: typedef struct { void *functionForHook; void *hookerFunction; void *originalFunction; int originalFunctionSize; } HOOKWINAPI; An easy way to understand the process is to walk through hooking a single function, for example the Firefox PR_OpenTCPSocket function exported from nspr4.dll. As part of the injected Citadel data, there will be a HOOKWINAPI structure initialized like this: HOOKWINAPI nspr4Hooks[] = { {NULL, Nspr4Hook_hookerPrOpenTcpSocket, NULL, 0} }; © Copyright 2013 Arbor Networks, Inc. All rights reserved. 11
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 In WinApiTables_setNspr4Hooks, PR_OpenTCPSocket's address is resolved via GetProcAddress and assigned to the functionForHook member of its HOOKWINAPI structure. This is where the hook will be set. The array of structures is then sent to WinApiTables_hookList: WinApiTables._setNspr4Hooks(nspr4): // resolve address of real functions nspr4Hooks[0].functionForHook = GetProcAddress(nspr4, "PR_OpenTCPSocket") // hook functions WinApiTables_hookList(nspr4Hooks, number_of_hooks) // save function pointers to "original" functions for later use Nspr4Hook_updateAddresses(nspr4Hooks[0].originalFunction) WinApiTables_hookList in turn takes the array of functions to be hooked, allocates a buffer to hold instruction opcodes from the original functions and does some housekeeping. It then calls WaHook_hook for each. This is what the first few instructions of the original PR_OpenTCPSocket function look like: WaHook_hook is a bit confusing as there are a couple of different hooking methods implemented. There also seems to be some duplicated code that makes things a bit messy. The focus will be on the Firefox MITB hooking method: WaHook_hook(functionForHook, hookerFunction, opcodesBuf): // read first byte of function to hook ReadProcessMemory(..., functionForHook, buf, 1, ...) // jmp opcode == 0xE9 if first instruction is a jmp: 12 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // set jmp hook // not relevant for example, removed else: // check if at least 30 bytes of instruction are available WaHook_checkAvailableBytes(functionForHook) // change memory protections to read, write, execute VirtualProtectEx(..., functionForHook, 30, RWX) // allocate and set a local buf to 36 NOP instructions Mem_set(buf, 0x90, 36) // read in first 30 bytes of the original function ReadProcessMemory(..., functionForHook, buf, 30) // in the local buf, skip to at least the 6th byte // it will be the beginning of the push 1 instruction // in the PR_OpenTCPSocket reference above // write a new push (0x68) instruction to local buf // push offset will be to the real PR_OpenTCPSocket+6 // address // in the local buf, write a ret (0xC3) instruction // this is functionally equivalent to the original function // it is just broken into two pieces with a // push/ret combination to link the pieces together // write the local buf to opcodesBuf argument // size = 6 skipped bytes + 6 bytes for push and ret = 12 // see first diagram below WriteProcessMemory(..., opcodesBuf, buf, 12) // below task uses the same local buf, but is logically // separated from the above task // in the local buf, skip to first byte // beginning of mov instruction above © Copyright 2013 Arbor Networks, Inc. All rights reserved. 13
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // in the local buf, write a push (0x68) instruction // push offset will be to the function hook // address of Nspr4Hook_hookerPrOpenTcpSocket // in the local buf, write a ret (0xC3) instruction // see second diagram below for a visual // if needed, patch Citadel's import table // not relevant for example, removed WinApiTables_hotPatchCallback // write the first 6 bytes of local buf // over original function WriteProcessMemory(..., functionForHook, buf, 6) // see third diagram below to see what OpenTCPSocket // looks like now // function is hooked return 14 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 Back in WinApiTables_hookList, the originalFunction and originalFunctionSize members of the HOOKWINAPI structure are updated. The former will be a pointer to the opcodesBuf buffer shown in the first diagram above. The latter will be the number of instruction bytes stored there. A good way to think about what is happening is to imagine that the original PR_OpenTCPSocket function is split into two pieces. The first piece starts at originalFunction and contains 12 bytes of code: two original instructions from PR_OpenTCPSocket (mov and push) and then the push/ret combination that links to the second piece. The second piece starts in the original PR_OpenTCPSocket function, but 6 bytes in. The third instruction (push 1) is where execution in the second piece begins. Calling the code starting at opcodesBuf is functionally equivalent to calling the original PR_OpenTCPSocket function. Here's what the HOOKWINAPI structure looks like now: HOOKWINAPI nspr4Hooks[] = { {nspr4_PR_OpenTCPSocket, Nspr4Hook_hookerPrOpenTcpSocket, opcodesBuf, 12} }; To finish things up, WinApiTables_setNspr4Hooks calls Nspr4Hook_updateAddresses to set up a function pointer pointing to the HOOKWINAPI.originalFunction member, effectively to the original PR_OpenTCPSocket function. This will be used later in the function hook. Firefox Function Hooks Now that Citadel is injected inside of Firefox and its hooking mechanism has been analyzed, what functions are hooked and what are they coerced to do? The following table lists the functions of interest. They are all exported from the Netscape Portable Runtime library (nspr4.dll): © Copyright 2013 Arbor Networks, Inc. All rights reserved. 15
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 Function Description Function Hook PR_OpenTCPSocket Creates a new TCP socket Nspr4Hook_hookerPrOpenTcpSocket PR_Close Closes a file or socket Nspr4Hook_hookerPrClose PR_Read Reads bytes from a file or Nspr4Hook_hookerPrRead socket PR_Write Writes a buffer of data to a file Nspr4Hook_hookerPrWrite or socket Citadel keeps track of Firefox connections internally with its own connection management system. Active connections are maintained as an array of 56 byte Nspr4Hook.NSPR4CONNECTION structures: typedef struct { PRFILEDESC *fd; LPSTR url; DWORD writeBytesToSkip; HttpGrabber_INJECTFULLDATA *injects; DWORD injectsCount; LPBYTE response; DWORD responseSize; struct { void *buf; DWORD size; DWORD pos; DWORD realSize; } pendingRequest; struct { void *buf; DWORD size; DWORD pos; 16 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 } pendingResponse; } NSPR4CONNECTION The connection management functions are listed next: Function Description Nspr4Hook.connectionFind(pr_fd) Find an active connection, return its connection index Nspr4Hook.connectionAdd(pr_fd) Add a new connection Nspr4Hook.connectionRemove(index) Remove a connection Nspr4Hook_hookerPrOpenTcpSocket This function hook calls the real PR_OpenTCPSocket function to open a new socket and then initiates a new connection record via Nspr4Hook_connectionAdd. Nspr4Hook_hookerPrClose Nspr4Hook_hookerPrClose calls the real PR_Close to close out the socket and then uses Nspr4Hook_connectionFind and Nspr4Hook_connectionRemove to delete its corresponding connection record. Nspr4Hook_hookerPrWrite This is the first of two main Firefox MITB function hooks. Before getting into the details, a quick aside is needed to discuss the format of the "WebFilters" section of a Citadel configuration file. This section defines URLs of interest and what to do if a user visits them in their web browser. Here is an example: ... entry "WebFilters" "P*wellsfargo.com/*" "@*payment.com/*" "!http://*.com/*.jpg" end ... The first character of each filter (first two characters are possible for the screenshot option) indicates what to do if the filter is matched. Here are the possible options: © Copyright 2013 Arbor Networks, Inc. All rights reserved. 17
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 Filter Type Description default Log a report ! Don't log a report @ Take a screenshot @@ Take a full screen screenshot ^ Block access # Record video G Report GET requests only P Report POST requests only After the filter type is the URL to match on. Wildcards are supported with "*" indicating a multi-character wildcard and "#" indicating a single character. Since this code can be a bit confusing, a good way to understand the process is to walk through a single filter that encompasses the essence. The focus below will be on the "P*wellsfargo.com/*" filter and its code path. This rule will report on any HTTP POST requests to any wellsfargo.com site. The example URL will be "https://online.wellsfargo.com/das/cgi-bin/session.cgi?screenid=SIGNON": Nspr4Hook_hookerPrWrite(fd, buf, amount): // find associated connection con_idx = Nspr4Hook_connectionFind(fd) // deal with pending data from other PR_Writes // not relevant for example, removed // deal with skipped bytes // not relevant for example, removed // parse the HTTP request into a REQUESTDATA structure // see definition below Nspr4Hook_fillRequestData(request, fd, buf, ...) // analyze request analysis_flags = HttpGrabber_analizeRequestData(request) 18 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // analysis_flags are a bitmap and will be touched on later // 0x18 (0x8 and 0x10 bits set) for the example // test analysis_flags against some flags // not relevant for example, removed // housekeeping and clean up // pass on request to real PR_Write prWrite(fd, buf, amount) Nspr4Hook_fillRequestData parses the raw HTTP request from the incoming buffer into a HttpGrabber.REQUESTDATA structure. This 112-byte structure is defined like this: struct REQUESTDATA { int flags; void *handle; void *url; int urlSize; void *acceptLanguage; int acceptLanguageSize; void *acceptEncoding; int acceptEncodingSize; void *userAgent; int userAgentSize; void *cookie; int cookieSize; void *referer; int refererSize; int method; void *contentType; int contentTypeSize; void *postData; int postDataSize; authorizationData authorizationData; © Copyright 2013 Arbor Networks, Inc. All rights reserved. 19
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 int field_58; int field_5C; int field_60; int dynamicConfig; int field_68; int LocalConfig; }; struct authorizationData { void *userName; void *password; void *unknownType; }; The primary tasks of HttpGrabber_analizeRequestData (sic) are the following: 1. Parse any filters from Citadel's configuration 2. Match the request's URL to the filters 3. If there is a match, execute the specific filter action 4. If the particular filter action writes a report, send report to the botnet's C&C server HttpGrabber_analizeRequestData(request): // deal with URL blocking // not relevant for example, removed // get configuration. // configuration details are out of scope // get WebFilters section filters = BinStorage_getItemDataEx(config, CFGID_HTTP_FILTER) // loop through filters // current filter // "P*wellsfargo.com/*" // parse filter type, first character // filter type is "P" 20 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // match request URL against filters // taking into account wildcards // url filter is "*wellsfargo.com/*" // url is "https://online.wellsfargo.com/das/cgi-bin/..." HttpGrabber_matchUrlA(current_filter, url) // if URL matches // execute filter action // see filter type table above // write report // don't write report // take screen shot // take full screen screenshot // ... // in this example, the filter action // will be to write a report // don't report on // .swf urls // .flv urls // facebook.com urls // not relevant for example, removed // deal with HttpVipUrls rules in configuration // not relevant for example, removed // parse and set analysis flags // the relevant ones for this example: // check if Content-Type is "application/x-www-form-urlencoded" // POST data is urlencoded // analysis flag bit is 0x10 // write report flag // analysis flag bit is 0x8 // if write report flag © Copyright 2013 Arbor Networks, Inc. All rights reserved. 21
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // parse out various things for the report // write report // see diagram below // send report to C&C // details are outside of the scope // deal with URL injects // not relevant for example, removed // deal with POST replacement // not relevant for example, removed On the C&C side, the botmaster will have access to the report. Items of interest are the search feature, keyboard logging around the time of the request, and access to the stolen credentials even while the data was sent using SSL/TLS (HTTPS). 22 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 Nspr4Hook_hookerPrRead The second core MITB function is Nspr4Hook_hookerPrRead. This is where webinjects come into play. A webinject is basically a find and replace rule. Webinjects are defined in the Citadel configuration and can be dynamically updated via the C&C. For this example, a wellsfargo.com rule will be used: set_url https://www.wellsfargo.com/ GP data_before Username data_end data_inject ATM Pin: Password: © Copyright 2013 Arbor Networks, Inc. All rights reserved. 23
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 data_end data_after data_end Just a note: there was no intention to single out Wells Fargo, they just happened to be the target of the Citadel sample used in this analysis. Webinjects can be written for any web site. The "set_url" parameter specifies the URL and the type of HTTP requests to target. "data_before" defines the line of code on the target website after which the malicious code should be injected at. "data_after" defines the line of code on the target website before which the malicious code should be injected at. Everything between the two points will be overwritten with the contents of "data_inject". Here is the function hook: Nspr4Hook_hookerPrRead(fd, buf, amount): // find associated connection con_idx = Nspr4Hook_connectionFind(fd) // deal with pending data from previous PR_Reads // not relevant for example, removed // check if there are any webinjects // call real PR_Read prRead(fd, buf, amount) // remove any X-Frame-Options headers // not relevant for example, removed // parse the HTTP response into a HTTPREQUESTINFO structure Nspr4Hook_analizeHttpResponse(info, response, responseSize) // parse out the request content Nspr4Hook_analizeHttpResponseBody(info, response, responseSize, content, contentSize) // inject injects HttpGrabber_executeInjects(injectsCount, injects, url, content, contentSize) // if request was chunked, adjust 24 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 // else, adjust Content-Length value // update response buffer Nspr4Hook_analizeHttpResponse (sic) checks a few things like the HTTP version and return status code. It then starts filling a 16-byte Nspr4Hook_HTTPREQUESTINFO structure: typedef struct { int flags; int contentLength; int contentOffset; int contentEndOffset; } HTTPREQUESTINFO; If HTTP chunked encoding is used, "Transfer-Encoding" is set to "chunked" and a flag is set. If a "Content- Length" header is present, its length is noted in the structure and a flag is set. If either the "Connection" or "Proxy-Connection" headers close the connection, another flag is set. Lastly, the offset to the request content is calculated. Nspr4Hook_analizeHttpResponseBody (sic) completes the HTTPREQUESTINFO structure by determining the ending offset of the request content via whatever mechanism was flagged earlier. In this example, the Content-Length will be used. It then carves out the request content into the "content" buffer. Webinjects are parsed and applied in HttpGrabber_executeInjects. The "content" parameter passed to the function is a pointer to the HTML source code of the target website. There are two structures used in conjunction with webinjects. The first, HttpGrabber_INJECTFULLDATA, wraps up all the webinjects into a data structure: typedef struct { int flags; void *urlMask; void *fakeUrl; void *blockOnUrl; void *contextMask; INJECTBLOCK *injects; int injectsSize; } INJECTFULLDATA; The second, HttpInject.INJECTBLOCK, is a header used in front of the various webinject strings: "data_before", "data_after", etc. from above: © Copyright 2013 Arbor Networks, Inc. All rights reserved. 25
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 typedef struct short size; short flags; } INJECTBLOCK; Here is HttpGrabber_executeInjects: // deal with contextMask stuff // not relevant for example, removed // parse out blockPrefix // data_before // parse out blockPostfix // data_after // parse out blockNew // data_inject // match data_before against content // goal is to figure out the data_before offset in // the target website HttpGrabber_matchContextExA(blockPrefix, blockPrefixSize, offsetBegin, content, contentSize) // match data_after against content // goal is to figure out the data_after offset in // the target website HttpGrabber_matchContextExA(blockPostfix, blockPostfixSize, offsetEnd, content, contentSize) // deal with webinject macros // not relevant for example, removed // piece together a new target website // using the above offsets // deal with other flags // not relevant for example, removed 26 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 This is what takes place behind the scenes. The target website, prior to webinjects, looks like this: After the webinject, there is now a suspicious "ATM Pin" form field: © Copyright 2013 Arbor Networks, Inc. All rights reserved. 27
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 The formatting is a bit off, but that's because this webinject is a bit older and since its creation, Wells Fargo has updated their website code. That aside, the effects are evident. Conclusion The main intent of this paper was to walk through Citadel's Man-in-the-Browser implementation for the Firefox 21.0 web browser and to add another page to the collective body of Citadel malware analysis. Techniques like MITB are making "bankers" incredibly deft at their craft; infecting and affecting a large number of people and companies across the world. A secondary objective was to inspire further deep-dive walk-throughs of advanced malware topics. The more that these tactics are understood the better they can be protected against. Thanks Thanks much to the Arbor Networks' ASERT team, Paul Halliday (@01110000), Rudy Ristich (@rarsec), and Jeff Jarmoc (@jjarmoc) for reviewing and providing feedback! References [1] Malware Analysis: Citadel by AhnLab ASEC [2] Citadel Trojan Malware Analysis by Jason Milletary, Dell SecureWorks Counter Threat Unit 28 Proprietary and Confidential Information of Arbor Networks, Inc.
Arbor Security Report: ASERT Threat Intelligence Brief 2013-2 [3] Spread throughout the last 20 issues or so of Phrack Magazine by various authors [4] https://malwr.com/analysis/OTRlNDU5ZTk1NjdmNDBjOGJmMjk0MjI3NTYxY2JkYjc/ [5] http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465&start=50#p20004 [6] https://github.com/Visgean/Zeus [7] An In-Depth Look into the Win32 Portable Executable File Format, Part 2 by Matt Pietrek [8] http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465&start=50#p19616 [9] https://malwr.com/analysis/OTYzY2M3YWRmOTgyNDVmZjhhOTc5ZTIwYmI4MWE1MjU/ [10] http://www.kernelmode.info/forum/viewtopic.php?f=11&t=1911 [11] http://www.reddit.com/r/Malware/comments/1i0axa/citadel_1351_leaked_and_uncracked/ [12] http://en.wikipedia.org/wiki/Man-in-the-browser [13] http://en.wikipedia.org/wiki/RC4#The_pseudo-random_generation_algorithm_.28PRGA.29 [14] https://github.com/arbor About ASERT The Security Engineering & Response Team (ASERT) at Arbor Networks delivers world-class network security research and analysis for the benefit of today's enterprise and network operators. ASERT engineers and researchers represent the best in information security. They have vast experience working on vulnerability and exploit research and malicious code reverse engineering, as well as incident response and DDoS and botnet tracking and trending. ASERT monitors Internet threats around the clock and around the globe via an advanced malware analysis system and via ATLAS, Arbor's global network of sensors. http://atlas.arbor.net. To view the latest research, news, and trends from Arbor and the information security community at large, visit our Threat Portal at http://www.arbornetworks.com/threats/. © Copyright 2013 Arbor Networks, Inc. All rights reserved. 29
You can also read