Advanced Banking Malware Via Tor (slide transcript)
Source: courses.ece.ubc.ca/cpen442/previous_years/2015/sessions/...
© Copyright Fortinet Inc. All rights reserved.
Advanced Banking Malware Via Tor
October 29, 2015 - UBC
Raul Alvarez
About Me
• Senior Security Researcher @ Fortinet
• 21 published articles in Virus Bulletin
• Regular contributor to our company blog
Confidential
Tools
Tools for Malware Analysis (Initial Look)
• Sysinternals (https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx): Process Explorer, Process Monitor, etc.
• For rootkits: GMER (http://www.gmer.net/), IceSword
• PEStudio (http://www.winitor.com/), v8.46
Tools for Malware Analysis (Deeper View)
• OllyDbg (http://www.ollydbg.de/) by Oleh Yuschuk; 64-bit build (05-Feb-2014)
• Immunity Debugger (http://debugger.immunityinc.com/)
• x64_dbg (http://x64dbg.com/): open source x64/x32 debugger; latest version 30 December 2014
• IDA Pro (https://www.hex-rays.com/products/ida/support/download_freeware.shtml): v5.0 is FREE
• volatility (http://www.volatilityfoundation.org/): memory forensics
Different Types Of Malware
• Viruses (file infectors)
• Trojans
• Botnet
• Ransomware
• POS Malware
• Banking Malware
Agenda
• Vawtrak
  - Different features
  - Different layers
  - Multiple armoring strategies within the layers
  - Domain Name Generator (DGA) for its C&Cs
  - Use of Tor2web
• Tor
  - Hidden Services + .onion addresses
  - Tor installation
  - Creating your own hidden service
  - Personalizing your own .onion address
• Can Vawtrak really use DGA to create randomized Tor C&Cs?
Banking Malware
Banking Malware and C&C
• Binary updates/enhancements
• Operational commands
• Storage of stolen banking credentials
• Latest configuration
Banking Malware Protection Strategy
• Binary armoring to avoid detection
• Continuous monitoring of AV detection
• Using DGA to minimize takedowns
• Hiding its C&C via Tor
Vawtrak
What is Vawtrak?
• Also known as Neverquest
• A banking trojan
• Uses layering techniques similar to a Matryoshka doll
• Uses multiple armoring strategies
• Uses DGA
• Uses Tor2web
Layers Of Vawtrak
Armoring Strategies Within The Layers
• Anti-Emulator
• Anti-Debugger
• Anti-Analysis
• Encryption/Decryption
• Code injection
• Compression/Decompression
• Garbage Collection
• Hashing
Layers of Vawtrak
[Diagram: the layer map of Vawtrak, reconstructed from the slide text]
Layer 1: Anti-Emulator, Anti-Debugger, Anti-Analysis; decryption -> Layer 2 (encrypted); decryption -> decoy (overlay)
Layer 2: decryption, garbage collection -> Layer 3 (decrypted + compressed); Decompression (RtlDecompressBuffer) -> Layer 3 (decompressed); Self-code Injection
Layer 3: resource section, Anti-Antimalware, hashing for validity; decryption -> Layer 4
Layer 1
[Diagram: layer map of Vawtrak, with Layer 1 highlighted]
• Anti-Emulator: uses hundreds of instruction 0x00 (ADD BYTE PTR DS:[eax],al)
• Anti-Debugger: parses the PEB (Process Environment Block) to check the BeingDebugged flag
• Anti-Analysis: uses the RETN instruction to call the API; pushes all parameters onto the stack, including the API address (to hide the actual API call)
• Encryption/Decryption: decrypts the encrypted 2nd layer; decrypts the decoy file
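An added example, not from the talk or from Fortinet: a static heuristic that flags the Layer 1 anti-emulator padding described above. Every 0x00 0x00 byte pair decodes on x86 as ADD BYTE PTR DS:[eax],al, so a long run of 0x00 in a code section is hundreds of do-nothing instructions an emulator has to step through before reaching real code. The sample "code section", the run-length threshold and the function names are constructed for the illustration; the scanner works on any byte string you read from a section.

```python
# Added example (not from the talk): flag long runs of 0x00 bytes, which
# decode as ADD BYTE PTR DS:[eax],al, in a code section.
from typing import List, Tuple

# Minimum run length worth flagging. Constructed threshold: real code does
# contain short zero runs (alignment padding, zeroed immediates), so keep it high.
DEFAULT_MIN_RUN = 64


def zero_runs(code: bytes, min_run: int = DEFAULT_MIN_RUN) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of 0x00 bytes at least min_run long."""
    runs = []
    start = None
    for i, b in enumerate(code):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(code) - start >= min_run:   # run reaches the end
        runs.append((start, len(code) - start))
    return runs


def instructions_in_run(length: int) -> int:
    """Each ADD BYTE PTR [eax],al is two bytes (00 00), so a run of n zero
    bytes is n // 2 such instructions; an odd trailing byte joins the next opcode."""
    return length // 2


def flags_zero_padding(code: bytes, min_run: int = DEFAULT_MIN_RUN) -> bool:
    """True when the section contains at least one suspicious zero run."""
    return bool(zero_runs(code, min_run))


# Constructed sample "code section": a plausible prologue, then a long zero run
# standing in for the anti-emulator padding, then a short normal tail.
PROLOGUE = bytes.fromhex("5589e583ec10")      # push ebp; mov ebp,esp; sub esp,0x10
PADDING = b"\x00" * 300                       # 150 x ADD BYTE PTR [eax],al
TAIL = bytes.fromhex("31c0c9c3")              # xor eax,eax; leave; ret
SAMPLE_SECTION = PROLOGUE + PADDING + TAIL

# A benign section whose only zeros are the 4-byte immediate of mov eax,0.
BENIGN_SECTION = PROLOGUE + bytes.fromhex("b800000000") + TAIL


if __name__ == "__main__":
    for off, length in zero_runs(SAMPLE_SECTION):
        print(f"zero run at 0x{off:x}: {length} bytes "
              f"(~{instructions_in_run(length)} ADD BYTE PTR [eax],al)")
    print("sample flagged:", flags_zero_padding(SAMPLE_SECTION))
    print("benign flagged:", flags_zero_padding(BENIGN_SECTION))
```

The threshold is the whole design question: the benign section above has a four-byte zero run from a zeroed immediate, which is why the default asks for dozens of bytes before reporting, and why in practice you would restrict the scan to the bytes at and after the entry point rather than an entire image.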
Decoy File
[Screenshot: the decoy file]
Layer 2
[Diagram: layer map of Vawtrak, with Layer 2 highlighted]
• Encryption/Decryption: decrypts the encrypted, compressed 3rd layer; the decryption algorithm is embedded in the garbage code
• Garbage Collection: contains instructions/code that are not relevant to the malware
• Compression/Decompression: uses the RtlDecompressBuffer API to decompress the 3rd layer
• Self-Code Injection: injects the decompressed 3rd layer at the location of the 2nd layer
Layer 3
[Diagram: layer map of Vawtrak, with Layer 3 highlighted]
• Anti-antimalware: disables the installed antimalware/antivirus/security applications on the system
• Hashing: checks the hash of the encrypted layer 4
• Encryption/Decryption: decrypts the 4th layer; the 4th layer is the payload executable
DGA – Hiding is not enough
DGA
• DGA – Domain name Generation Algorithm
• Also called PrDGA (Pseudo-random DGA)
• Generates a binary seed
  - Can be a constant value
  - Can be generated from the current time and date
• Generates a string of random alphanumeric characters
• Adds a variation of TLDs, such as com, org, info
DGA
• Normal domains: yahoo.com, google.com, youtube.com
• DGA domains: zxrryy1223.ru, stslkflkjf.com, oiojlkmkdlkjklj.org
How DGA works
• Client-side and server-side use the same algorithm
• The server-side registers one or more of the generated domain names
• The client-side tries all possible combinations of generated domain names
• The client-side establishes a connection to the server-side
• The server-side un-registers the registered domain to avoid detection
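An added example, not from the talk and not Vawtrak's algorithm: a generic pseudo-random DGA of the shape the two DGA slides describe (date-derived seed, alphanumeric label, a handful of TLDs), plus the toy lexical check a defender would run over the "normal vs DGA" domains listed above. The seed derivation, alphabet, label lengths, TLD list and the heuristic thresholds are all constructed choices for the illustration. The point it makes is the one on the slide: because client and server run the same deterministic algorithm, anyone who recovers it can precompute the day's candidate list and block or sinkhole it ahead of time.

```python
# Added example (not from the talk): a generic PrDGA and a toy DGA-likeness
# heuristic. Constructed parameters, not Vawtrak's.
import datetime as dt
import hashlib
import re
from typing import List

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ["com", "org", "info"]          # "a variation of TLDs" from the slide
DOMAIN_RE = re.compile(r"^[a-z0-9]{8,15}\.(com|org|info)$")


def parse_day(iso: str) -> dt.date:
    """Helper so callers can pass '2015-10-29' instead of a date object."""
    return dt.date.fromisoformat(iso)


def daily_seed(day: dt.date) -> bytes:
    """Binary seed derived from the date (one of the two options on the slide;
    the other is a constant baked into the binary)."""
    return hashlib.sha256(day.isoformat().encode()).digest()


def generate(seed: bytes, count: int) -> List[str]:
    """Expand the seed into `count` domains. Each step hashes seed||counter,
    uses the first byte to pick a length, the following bytes to pick
    characters, and the last byte to pick a TLD."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        length = 8 + digest[0] % 8                      # 8..15 characters
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def candidates_for(day: dt.date, count: int = 50) -> List[str]:
    """The full candidate list a client would try on `day`. The server side
    registers one or more of these; a defender can block or sinkhole the same
    list in advance, because both sides derive it from the same seed."""
    return generate(daily_seed(day), count)


VOWELS = set("aeiou")


def longest_nonvowel_run(label: str) -> int:
    """Length of the longest run of consonants/digits in a label."""
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_like(domain: str) -> bool:
    """Toy lexical heuristic (constructed thresholds): DGA labels such as
    'stslkflkjf' have almost no vowels or very long consonant/digit runs,
    while human-chosen names like 'yahoo' do not. Not a production classifier."""
    label = domain.split(".")[0]
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return vowel_ratio < 0.2 or longest_nonvowel_run(label) >= 5


if __name__ == "__main__":
    today = parse_day("2015-10-29")   # the date of the talk, used as the seed
    for d in candidates_for(today, 5):
        print(d)
    for d in ["yahoo.com", "google.com", "youtube.com",
              "zxrryy1223.ru", "stslkflkjf.com", "oiojlkmkdlkjklj.org"]:
        print(f"{d:25s} dga_like={dga_like(d)}")
```

Two properties matter for defenders and fall straight out of the code: the same date always yields the same list (so a sinkhole list can be generated before the bots ask), and a different date yields a disjoint list (so the list has to be regenerated every day). The lexical check is deliberately crude; real classifiers add n-gram statistics and NXDOMAIN volume per client.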
C&C
• Not a fixed string
• Derived from a DWORD value
• Controlled by a 40-byte XOR key
• Different variants, different domains
Vawtrak’s DGA
[Diagram: seed, alphanumeric generator, byte generator]
Different variants, different domains
[Screenshots: generated domains for sample #1, sample #2, sample #3 and sample #4]
Tor2Web C&C
[Screenshot: Vawtrak’s DGA]
[Screenshots: Tor2Web C&C for sample #2 and sample #4]
Can Vawtrak really use DGA to create randomized Tor C&Cs?
How Tor Works
[Three diagrams; images taken from torproject.org]
Tor and Hidden Services
Hidden service examples (screenshots): Deep Web Radio, Electronic Store, Online News, Free Email, File Storage, Tor Supermarket, Chat Rooms, The Hidden Wiki
And so much more …
• Email/Messaging
• Books
• Financial
• Audio/Music
• Domain/Hosting
• Security
• Blogs
• Social networks
• Forums
• And so much more …
Creating Your Own Tor Hidden Service
Warning! (image: http://weknowmemes.com/wp-content/uploads/2011/12/dont-try-what-youre-about-to-see-at-home-mythbusters.jpg)
Tor Setup
• Download Tor from the official website
• Tor browser
Hidden Service
• Install Apache HTTP Server
• Create a simple html file
.onion Address
• .onion is a pseudo-TLD (top-level domain)
• 16-character hashes consisting of letters and numbers
Personalized .onion address
• Install Shallot
Tor2Web
• Browsing hidden services via a normal web browser
• Header page (screenshot)
Can Vawtrak really use DGA to create randomized Tor C&Cs?
Tor2Web C&C
• Pre-set .onion domains
• Pseudorandom DGA will not work
• Tor2Web C&C not so random
[Screenshots: Tor2Web C&C for sample #2 and sample #4]
.onion addresses as shown in the slides: otsxxxxgxbcwvrqs, 4bpxxxxz4e7n6gnb, bc3xxxxf4m3lnw4o
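An added example, not from the talk, serving both the ".onion Address" slide and the "Tor2Web C&C" conclusion above. It shows where the 16-character address comes from (for the v2 hidden services of the time: base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key), why that defeats a pseudo-random DGA (an address is only reachable if the server holds the key that hashes to it, so the client cannot "generate" one the way it generates a .com), and how a Tor2Web gateway hostname embeds the .onion label so a proxy log can be checked for it. The key bytes, the gateway suffix list, the log lines and the function names are constructed for the illustration.

```python
# Added example (not from the talk): v2 .onion derivation and Tor2Web
# gateway detection over constructed proxy log lines.
import base64
import hashlib
import re
from typing import List, Optional, Tuple

ONION_RE = re.compile(r"^[a-z2-7]{16}$")   # base32 alphabet, 16 chars = 80 bits

# Illustrative gateway suffixes (assumption: not exhaustive; gateways come and go).
TOR2WEB_SUFFIXES = (".onion.to", ".tor2web.org", ".onion.cab", ".onion.link")


def onion_v2_address(rsa_public_key_der: bytes) -> str:
    """v2 onion address: base32 of the first 80 bits (10 bytes) of SHA-1 over
    the DER-encoded RSAPublicKey, lower-cased, 16 characters."""
    digest = hashlib.sha1(rsa_public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def is_valid_v2_onion(address: str) -> bool:
    """Syntactic check only: 16 base32 characters (a-z and digits 2-7)."""
    return bool(ONION_RE.match(address))


def address_belongs_to_key(address: str, rsa_public_key_der: bytes) -> bool:
    """An address is 'owned' only by a key that hashes to it. This is why a
    personalised address (Shallot) is a brute-force search over keys, and why
    a DGA without the key has nothing it can register."""
    return onion_v2_address(rsa_public_key_der) == address.lower()


def onion_from_tor2web_host(host: str) -> Optional[str]:
    """If `host` is <onion-label>.<gateway>, return '<onion-label>.onion', else None."""
    host = host.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith(suffix):
            label = host[: -len(suffix)].split(".")[-1]
            if is_valid_v2_onion(label):
                return label + ".onion"
    return None


# Constructed proxy log lines (not real traffic): timestamp, client, host.
SAMPLE_LOG = """\
2015-10-29T10:00:01 10.0.0.5 www.example.com
2015-10-29T10:00:02 10.0.0.5 abcdefghijklmnop.onion.to
2015-10-29T10:00:03 10.0.0.7 update.example.org
2015-10-29T10:00:04 10.0.0.9 4bpxxxxz4e7n6gnb.tor2web.org
"""


def find_tor2web_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, onion) for every log line whose host is a Tor2Web gateway."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        onion = onion_from_tor2web_host(parts[2])
        if onion:
            hits.append((parts[1], onion))
    return hits


# Placeholder standing in for a DER-encoded RSAPublicKey (constructed bytes,
# not a real key; a real v2 service key is a 1024-bit RSA key).
FAKE_KEY_DER = b"\x30\x81\x89\x02\x81\x81\x00" + bytes(range(128)) + b"\x02\x03\x01\x00\x01"


if __name__ == "__main__":
    addr = onion_v2_address(FAKE_KEY_DER)
    print("derived address:", addr + ".onion", "valid:", is_valid_v2_onion(addr))
    for client, onion in find_tor2web_hits(SAMPLE_LOG):
        print(f"{client} reached hidden service {onion} via a Tor2Web gateway")
```

The detection side is the useful part for a SOC: a host of the form <16 base32 chars>.onion.to in ordinary HTTP(S) proxy logs is Tor2Web traffic from a machine that has no Tor client installed, which is exactly how the slides describe Vawtrak reaching its hidden-service C&C. The derivation side is why the talk's answer is "no": the candidate list a DGA produces is only useful if someone can register it, and for .onion that means holding the matching key. Newer v3 onion addresses are 56 characters and derived from an Ed25519 key rather than SHA-1 over RSA, so the regex above would need to be widened for current traffic.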