Zarathustra: Extracting WebInject Signatures from Banking Trojans

Authors

Claudio Criscione, Fabio Bosatelli, Stefano Zanero, Federico Maggi

Venue

Proceedings of the 12th Annual International Conference on Privacy, Security and Trust (PST), July 2014

Abstract

Modern trojans are equipped with a functionality, called WebInject, that can be used to silently modify a web page on the infected end host. Given its flexibility, WebInject-based malware is becoming a popular information-stealing mechanism. In addition, the structured and well-organized malware-as-a-service model generates revenue from customization kits, which in turn leads to high volumes of binary variants. Analysis approaches based on memory carving to extract the decrypted webinject.txt and config.bin files at runtime rest on the strong assumption that the malware will never change the way such files are handled internally, and are therefore not future-proof by design. In addition, developers of sensitive web applications (e.g., online banking) have no tools with which they could even mitigate the effect of WebInjects.

BibTeX

@inproceedings{Criscione2014Zarathustra_Extracting,
  title     = {{Zarathustra: Extracting WebInject Signatures from Banking Trojans}},
  author    = {Criscione, Claudio and Bosatelli, Fabio and Zanero, Stefano and Maggi, Federico},
  booktitle = {Proceedings of the 12th Annual International Conference on Privacy, Security and Trust (PST)},
  month     = {July},
  year      = {2014},
  address   = {Toronto, Canada},
  isbn      = {978-1-4799-3502-4},
  pages     = {139--148},
  publisher = {IEEE Computer Society}
}