Apollo: eliciting and analyzing advanced WebInject-based malware

RODI, SAMUELE
2015/2016

Abstract

Financial trojans, a particular kind of information-stealing malware, are among the most prevalent Internet threats. Their purpose is to automatically commit fraudulent transactions by silently stealing the bank-account credentials of users on infected machines. Their level of sophistication has grown steadily in the last few years, keeping pace with the reinforced security measures introduced by financial institutions. The attack scheme is devious: in many cases it leaves no trace of the attack, so the victim often remains unaware of the fraud for a long period. These attacks leverage API hooking techniques to install a malicious payload in the victim's browser, either to steal user credentials or to modify web pages by inserting new content (so-called web injection). We propose an automated system, Apollo, capable of extracting web-injection signatures from financial trojans by analyzing two versions of the same visited web page, before and after the malicious injections, and identifying the portions of the original page source that trigger the malicious behavior of the malware under analysis. The system is able to elicit the malware's behavior on specified web pages as well as to extract the web-injection targets through dynamic memory inspection. We evaluated Apollo against a dataset of working financial trojan samples, showing that our method successfully extracts correct web-injection signatures together with the corresponding URL targets.
CONTINELLA, ANDREA
ZANERO, STEFANO
ING - Scuola di Ingegneria Industriale e dell'Informazione
27-Jul-2016
Master's thesis (Tesi di laurea Magistrale)
Attached files

File: Samuele Rodi - Master Thesis v2.0.pdf
Description: Master Thesis v2.0
Size: 2.87 MB
Format: Adobe PDF
Access: openly accessible on the Internet

Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10589/122746