Monday, November 2, 2015

Detecting bank trojans with snort and the (fake)User-Agent

Some years ago I wrote a research paper for SANS  'Monitoring Network Traffic for Android Devices' in which I described the process to monitor the traffic produced by Android smartphones in a corporate environment. Moreover, I created some PoC and tests with some real malware in order to detect it through this proposed architecture. This research was used as part of other investigations projects to detect malware. Related to this, and while working on my current malware project I mentioned in previous post, I've analysing the traffic produced by several banking trojans and I have found that they fake the User-Agent in the HTTP header. Even, in some cases the tag 'User-Agent' is not correct (eg:  User-agent instead of User-Agent like the screenshot below). For example for, emmental it is:
  • User-agent: Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
And for Innus it is:
  • User-Agent: yasuo21

In some other cases the HTTP request is sent without a User-Agent.

As I know which it is the default User-Agent of my device where I run the malware, any other different User-Agent seen in the traffic is suspicious to me. To monitor that, I have created a simple Snort rule like this:

alert tcp any any -> any 80 (msg:"Detect Invalid User-Agent Android ----"; pcre:"/User-Agent:.*/i"; content:!"User-Agent: Mozilla/5.0 (Linux\; Android 5.1.1\; Nexus 5 Build/LMY48I"; sid:2222222; rev:2;)

With this rule I check the existence of any User-Agent which doesn't match the correct User-Agent of my device.

$ tail -f /var/log/snort/alert
***A**** Seq: 0x7B8CD7D9  Ack: 0x209D1779  Win: 0x559  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1371638 1012941375

[**] [1:2222222:2] Detect Invalid User-Agent Android ---- [**]
[Priority: 0]
09/05-18:54:39.433538 ->
TCP TTL:64 TOS:0x0 ID:22830 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x7B8CDD81  Ack: 0x209D1779  Win: 0x559  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1371638 1012941376