Boy in the Browser – February 2011

February 14, 2010


Imperva's lab, the Application Defense Center (ADC), has recently uncovered a rush of malware with a common underlying technique. This technique, dubbed the “Boy in the Browser” (BitB), devolved from traditional key loggers and browser session records. Yet, a dumbed-down version of the sophisticated as a “Man in the Browser” (MitB) attack. In parallel to the growing popularity of MitB, a surge of BitB attacks are showing that this technique remains on the rise due to several factors:

  • Targets all sorts of online applications, not only banking applications
  • Elusiveness making the Trojan difficult to detect
  • Low-cost Trojan, as opposed to MitB. While a fully functional BitB is coded in a matter of hours, it takes months to create a new valuable MitB
  • Effective for a quick one-shot sting operation

How it works

Once executed on the victim's machine the exploit code makes persistent changes to the way traffic from that machine is routed to the target applications (usually through tampering with the mapping of hostname to network address mechanism). The exploit code is then removed from victim's machine.

Imperva was able to obtain the source code of some of these Trojans and has screenshots of infected machines. We've also witnessed different fraud scams utilizing these Trojans and can describe what we saw and what we learnt.

Why is this technique effective

  • BitB are very difficult to detect by consumers. The victim may have no feedback (whether visual, or as a flagged “suspicious” running process) that communication has been re-routed and is in effect under the control of malicious malware.
  • BitB are very difficult to mitigate using AV software. Due to the simplicity of code, variants are produced in a fast pace that does not allow AV signatures to be created in a timely manner. By the time AV signatures are available, exploit code is no longer residing on the infected machine.
  • Proxy Trojans are a rising trend of hackers, growing in sophistication. Although currently MitB appears in its most sophisticated form, we see that hackers are still using the dumbed-down versions in order to achieve the same effect.
  • The lower cost involved in running BitB operations allows the attacker to use them for a wider variety of targets. Rather than focusing exclusively on the high end banking applications, attacker can now extend the list of potential targets to less lucrative ones (which in terms extend the lifespan of an attack campaign)

What companies should do

While avoiding infection by Proxy Trojans is presumably the responsibility of consumers, these attacks are quickly becoming a concern of online service providers. The actual rate of infection and the proliferation of the many types of this class of malware suggests that providers must be able to serve (and protect) customers who might be infected with one type of malware or another. Just as the evolution of vehicle safety drove manufacturers to include device such as ABS, Air Bags and ESP, rather than rely on us to drive carefully, so will online service providers need to invest in mechanisms that allow them to conduct business with allegedly infected consumers. Among the technologies that should be implemented to deal with this ongoing threat are strong device identification, client profiling, fast security code evolution, session flow tracking and site-to-client authentication.


The BitB malware, once downloaded, tampers with the victim's hosts file. The malware adds entries to this file. This has the effect of re-mapping specific addresses to an attacker-controlled server. The attacker-controlled server could be a phishing site or a proxy to the legitimate destination. At any rate, the attacker has complete control to intercept and/ or modify communication. The victim, on her part, cannot detect this as the browser continues to show the original requested URL address.

We describe here a couple of scams of interest:

  1. Latin American Banks
  2. Ad Fraud

Latin American Banks
Nine Latin American banks were targeted. This provides an additional supporting evidence that BitB is in fact a lucrative scheme. As hackers gain from this sort of attack, they continue to target numerous banks.

Ad fraudIn this case, the BitB re-maps search engine addresses of various regions, for example, and to an attacker controlled server hosted in the UK.

When the victim attempts to access the regional search engine site, the request is in fact sent to the malicious server in the UK, unknowingly to the victim. This server intercepts the request and responds with its own search page as shown in Figure (1). As a result, any time the victim provides a search query, the request is re-directed to another attacker-controlled server, hosted too in the UK. The attacker at this point may commit ad-fraud. The ad fraud is performed by stealing the victim's persistent cookies or attributing ad clicks to the attacker-controlled server.

Boy in the browser

Figure 1: The attacker-controlled server's Web-search page


The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, for permission.