The evolution of webinjects

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

The evolution of webinjects
Botnet ZeuS, SpyEye
Malware
Botnet/malware group
Exploit kits
Services
Feature Webinject
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2014 / 2014-09-24
Editor/Conference Virus Bulletin
Link https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Boutin.pdf (Archive copy)
Author Jean-Ian Boutin
Type Conference paper or presentation

Abstract

Webinject fi les are now ubiquitous in the banking trojan world as a means to aid fi nancial fraud. What started as private and malware-family-dependent code has blossomed into a full ecosystem where independent coders are selling their services to botnet herders. This specialization phenomenon can be observed in underground forums, where we see a growing number of offers of comprehensive webinject packages providing all the functionalities required to bypass the latest security measures implemented by financial institutions.

Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, having started with simple phishing-like functionalities and now offering automatic transfer systems (ATS) and two-factor authentication bypass, along with mobile components and fully fl edged web control panels to manage money exfiltration through fraudulent transfers. Nowadays, a piece of malware that can inject arbitrary HTML content into a browser is all that a resourceful botmaster needs, as he can outsource virtually every other step in the process of performing a successful fraudulent financial transfer.

This has been confi rmed by our recent observation of several malware families using the same webinject kits. Our research attempts to answer the question: will we see a consolidation phase, leading to the emergence of a few omnipresent webinject kits, similar to what we have seen in the web exploit kit scene?

Bibtex

 @misc{Boutin2014BFR4748,
   editor = {Virus Bulletin},
   author = {Jean-Ian Boutin},
   title = {The evolution of webinjects},
   date = {24},
   month = Sep,
   year = {2014},
   howpublished = {\url{https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Boutin.pdf}},
 }