TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No...
Transcript of TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No...
![Page 1: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/1.jpg)
TrendMicro
![Page 2: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/2.jpg)
� Worked for one of big 4 banks in Australia for 6 years as malware security consultant.
� Developed banking malware detection system � Served at Sophos, Symantec, FireEye and
Kaspersky � Currently with TrendMicro
![Page 3: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/3.jpg)
� Identify the crux of the online banking war � Set the strategic defense framework � PoC design & implementation: MIPS
![Page 4: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/4.jpg)
Infection URL Malware
Drop Site
Dropper
C&C Site Spam Server
Campaign
![Page 5: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/5.jpg)
![Page 6: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/6.jpg)
![Page 7: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/7.jpg)
� Got a token for your corporate account? Do you still feel safe?
![Page 8: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/8.jpg)
� Now you are locked out while they buy enough time to transfer money
![Page 9: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/9.jpg)
� There is no such a thing as ‘Please Wait’ in the online banking page.
![Page 10: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/10.jpg)
� What’s happening while you are waiting…
![Page 11: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/11.jpg)
![Page 12: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/12.jpg)
� Even when there is no visual sign of infection, it can happen silently.
� C&C communication during Tx pages
![Page 13: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/13.jpg)
� What is the malware receiving? à Inject and Mule
Mule’s Account Information
Transfer Amount
![Page 14: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/14.jpg)
![Page 15: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/15.jpg)
$("#submit").on("click", function(){
var id = $("#signin-id").val();
var pw = $("#signin-password").val();
console.log(">> DOM Inject: "+id+“:"+pw);
});
![Page 16: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/16.jpg)
Online Banking
Web Browser
Inject
MIPS
Blacklist
Malware Intelligence
POST /mips MIPS_INTEL
![Page 17: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/17.jpg)
![Page 18: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/18.jpg)
� Malware inject removes itself, but it still remains in the memory
� Exploit memory leak patterns � Dangling references � Circular references � Closures
![Page 19: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/19.jpg)
var me = document.currentScript;
me.parentNode.removeChild(me);
script
onclick
DOM
body
script
button
![Page 20: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/20.jpg)
var refToDom = document.body;
document.body["refToScript"] = refToDom;
script
RefToSCript
DOM
body
RefToDom
![Page 21: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/21.jpg)
function AttachEvent(element) {
element.attachEvent("onclick", MyClickHandler);
function MyClickHandler() {
/* This closure references element*/}
}
script
onclick
DOM
body
button
![Page 22: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/22.jpg)
� Identify entry points (unload, click, timer) � Enumerate event handlers
element.onclick = handler Scan: element.onclick
element.addEventListener Scan: getEventListeners(element, “click”)
$(element).on(“click”, handler) Scan: $._data(element, "events" )
$(element).observe(“click”, handler) Scan: element.getStorage().
get('prototype_event_registry').get('click')
![Page 23: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/23.jpg)
button01
button01 button01
For $(‘#submit’),‘click‘, Event handler’s namespace property is missing
‘ ’
button01
button01 button01
Normal DOM Stealth
![Page 24: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/24.jpg)
� Enumerate user-defined functions � Object.keys(window).filter( !/\[native code\]/)
� Compare functions discovered in DOM against whitelist � Implementation challenges
� Check on server side or client side? � Reducing data size
Function
DOM User-defined Functions Function
Function
White list
Function Function
?
![Page 25: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/25.jpg)
![Page 26: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/26.jpg)
Online Banking
Web Browser
Inject
MIPS
POST/mips A,B,C
POST/mips A,B,C
…
POST/mips A,B,C,D
POST/mips A,B,C
![Page 27: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/27.jpg)
Online Banking
Web Browser
Inject
MIPS
POST/mips K,Y,Q
POST/mips T,X,A
…
POST/mips Z,B,K,T
� Original MIPS intel gets transformed differently each time using the random variable
![Page 28: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/28.jpg)
� Hook Salt() and modify hashes OR � Block MIPS & call MIPS functions as necessary
Web Browser
Inject
MIPS
Hash Salt DomScan Ajax
![Page 29: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/29.jpg)
var scripts = DomScan(mips_code);
scripts = Modify(scripts);
var hashes = Hash(scripts);
var salted_hashes = Salt(hashes);
var check = CheckIntegrity();
check = Modify(check)
Ajax(mips, salted_hashes, check);
� Insert or replace with bypass code within MIPS code
� Tamper with intermediate MIPS data
![Page 30: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/30.jpg)
var scripts = DomScan(mips_code);
var hashes = Hash(scripts);
var salted_hashes = Salt(hashes);
var check = CheckIntegrity();
Ajax(mips, salted_hashes, check);
Var hashes = clean_hash_set;
var salted_hashes = Salt(hashes);
Ajax(mips, salted_hashes, clean_integrity_check);
� Reverse engineer MIPS � Deactivate MIPS and Reconstruct MIPS code
![Page 31: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/31.jpg)
• What you are up against • Dynamic analysis
• Use static analysis tools (Google closure compiler, spider monkey, custom tools, etc)
• Understand program structure by setting breakpoints and evaluating expressions
• Bypass dead code • Monitor network traffic • Targeted reverse engineering by searching
keywords (i.e. ‘script’, ‘/mips’) • Activity monitoring
� Blind obfuscation is not resistant to targeted code inspection/modification
![Page 32: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/32.jpg)
Web Browser
� Malware has all info to simulate outcome � key, encryption algorithm
Online Banking
key
Ekey(Msg)
Inject
MIPS
![Page 33: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/33.jpg)
� Blind application of traditional metamorphic/polymorphic techniques without understanding the attack vector will fail � Dead code insertion � Polymorphic variable/function names � Control flow manipulation � Function restructuring � Opaque predicate � etc
![Page 34: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/34.jpg)
� Call stack context var Check = function(na, nb) {
var SecureCheck = function(na, nb) {
var callee = na ^ crc32(arguments.callee);
var caller = nb ^ crc32(arguments.callee.caller);
return callee ^ caller ^ DomCheck();
};
return SecureCheck(na, nb);
};
var na = 32053221, nb = 4321053;
result = Check(na, nb);
![Page 35: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/35.jpg)
MIPS
DOM Web App
Library (jQuery)
![Page 36: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/36.jpg)
� Problem with integrity check � Malware Regexes, modifies and reconstruct
MIPS � Malware simulates MIPS with bypass code
� Strategy � Polymorphism � Maintain a set of algorithmically
heterogeneous MIPS code � Fragmented random MIPS scripts with different
names
![Page 37: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/37.jpg)
� Chain of Randomisations starting with basic blocks (BBLs) of MIPS code
MIPS BBLs
BBL Connection
Connection Method
Metamorphism ::
![Page 38: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/38.jpg)
OpaquePredicate
No Yes
� Retrieve call context in deeply buried OP � Insert part of main logic within OP
GetCallContext() UpdateVerifyTable() Verify
Table
…
…
![Page 39: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/39.jpg)
![Page 40: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/40.jpg)
var original_func = document.getElementsByTagName;
document.getElementsByTagName = function () {
r = original_func.apply(document, arguments);
for(var i=0; i<r.length; i++) {
var inject_signature = ‘string_in_my_inject';
if(r[i].text.search(inject_signature) != -1) {
r[i].remove();
console.log('Injejct Rootkitted!');
break;
}
}
return r;
};
![Page 41: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/41.jpg)
� Hook critical MIPS functions � DomScan(), Hash(), Salt()
� Hook DOM/jQuery � document.getElementsByTagName(selector)
� Modify the returned HTMLCollection � jQuery.find(selector, doc, ret)
� Modify the returned array
� Hook system information � Object.keys() � Function.prototype.toString()
![Page 42: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/42.jpg)
• Collect signatures of chain of functions used by MIPS in multiple different ways.
� Online banking server detects any change
DOM
MIPS
DomScan
Hash
![Page 43: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/43.jpg)
var hooked = Function.prototype.toString; Function.prototype.toString = function() {
hooked.apply(this, arguments); } // DOM Rootkit var TriggerException = function(){ try { Function.prototype.toString.call('hooktest') } catch(err) { console.log(err.stack); } } TriggerException();
� Deliberately trigger exception à Call stack
![Page 44: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/44.jpg)
TypeError: Function.prototype.toString is not generic
at String.toString (native)
at String.Function.toString(/login?next=%2F:173:7)
at TriggerException (/login?next=%2F:177:29)
at https://mybank.org/login?next=%2F:183:1
� Is the red line present in a clean session?
![Page 45: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/45.jpg)
![Page 46: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/46.jpg)
Online Banking
Web Browser
Inject
MIPS
…
![Page 47: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/47.jpg)
� MISSING-MIPS Event should be implemented on the online banking server side if MIPS is not the integral part of online banking logic
� Method � Ensure MIPS intel is not cached by the proxy in-
between � Correlate web access log with MIPS log
![Page 48: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/48.jpg)
� Detect evolving injects � Effective on minor inject upgrade
� Methods � Locality sensitive hashing (i.e. TLSH)
![Page 49: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/49.jpg)
![Page 50: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/50.jpg)
Online Banking Web Browser
Ma == Mb?
Ma
salt, B
Ma
secret A
K
B secret
K
Mb
I, A
� Over-simplified Secure Remote Password
![Page 51: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/51.jpg)
� No secrets on the wire any more!
![Page 52: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/52.jpg)
� MITM attack � No shared secrets get transmitted on the wire
(password, OTP code) � Passive sniffing
� Force attackers to place injects (so we can detect it!)
� MIPS hardening � DOM function integrity data � MIPS integrity data � MIPS rootkit detection data � MIPS intelligence format
![Page 53: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/53.jpg)
� Diversity of implementation is the key for survival
� Be creative and out-smart the cybercriminals! � Perform application security check � Never explicitly block on the spot on
detection!
![Page 54: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/54.jpg)
MIPS
![Page 55: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/55.jpg)
� Majority of the attacks presented came from the observation in real online banking war
� DOM stealth, rootkit and MIPS infiltration are a natural evolution of the attack
� Online banking must respond with superior defense including at least code randomisation, MIPS integrity verification and rootkit detection
![Page 56: TrendMicro · 2018-05-11 · jQuery.find(selector, doc, ret) ! Modify the returned array ! ... No secrets on the wire any more! ! MITM attack ! No shared secrets get transmitted on](https://reader033.fdocuments.net/reader033/viewer/2022050314/5f76da1dd37c4430ab589281/html5/thumbnails/56.jpg)
TrendMicro