Anton Cherepanov - Hesperbot
ZeroNights 2013
The Discovery…
• Early testing variants: Turkey – April 2013
(Malware operators probably active even earlier)
• Peak activity in Turkey: July – September 2013
• Czech spreading campaigns: since August 8, 2013
The beginning of Czech campaign
Targeted Countries
• tr-botnet
• cz-botnet
• pt-botnet
• uk-botnet
+ few other test botnets
(Chart: share of infections by country; legend labels recovered from the slide: Thailand, United Kingdom, Portugal, rest of the world)
Win32/Spy.Hesperbot Architecture
Downloadable Modules
• x86 & x64 versions
Win32/Spy.Hesperbot Dropper
Injects core into explorer.exe
I. Spawn new explorer.exe, patch NtGetContextThread
II. “PowerLoader trick”: Shell_TrayWnd / SetWindowLong / SendNotifyMessage
III. Common CreateRemoteThread method
Win32/Spy.Hesperbot Core
• C&C communication (Hard-coded domain + DGA)
• Enumerating SmartCards
• Launch plug-in modules: socks, keylog, hvnc, sch, nethk, httphk, httpi
Network Traffic Interception
Intercepting HTTP and HTTPS:
• Form-grabbing
• Web-injects
The following browsers are affected:
• Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari, Yandex Browser, SeaMonkey, K-Meleon, Maxthon, Avant Browser, Sleipnir, Deepnet Explorer
Network Traffic Interception
1. Creates local proxy
2. Hooks mswsock.dll functions
Embedded Certs for HTTPS:
• self-signed certificate
Certificate Pinning
Bypassing Certificate Verification
Browser process                              Hooked functions
iexplore.exe, maxthon.exe, avant.exe,        CertVerifyCertificateChainPolicy and
sleipnir.exe, webkit2webprocess.exe,         CertGetCertificateChain in crypt32.dll
browser.exe, chrome.exe, deepnet.exe
firefox.exe, seamonkey.exe, k-meleon.exe     CERT_VerifyCertificate, CERT_VerifyCert,
                                             CERT_VerifyCertificateNow, CERT_VerifyCertNow and
                                             CERT_VerifyCertName in nss3.dll
opera.exe                                    Function in opera.dll
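The interception described on the two slides above (a local proxy presenting a self-signed certificate, with the browsers' chain-verification calls in crypt32.dll and nss3.dll hooked to accept it) is what an application-side pin check is meant to catch. The following is an added defender's example, not code from the talk, ESET or the malware: the certificate names and DER blobs are constructed placeholders, and the hooked library is modelled simply as a verdict that is always "valid".

```python
"""Application-side certificate pin check (added illustration code).

A hooked chain-verification API returns success for the proxy's self-signed
leaf. A pin compares the raw certificate bytes to a value the application
ships, so it does not depend on that library verdict. The DER blobs and
names below are constructed placeholders in the layout Python's
ssl.getpeercert(binary_form=True) / ssl.getpeercert() would return.
"""
import hashlib

# Constructed stand-ins for the genuine bank leaf and for the proxy's leaf.
GENUINE_DER = b"\x30\x82" + b"genuine leaf issued by a public CA (constructed)"
GENUINE_INFO = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}
PROXY_DER = b"\x30\x82" + b"self-signed leaf from the local proxy (constructed)"
PROXY_INFO = {
    "subject": ((("commonName", "online.bank.example"),),),
    "issuer": ((("commonName", "online.bank.example"),),),  # issuer == subject
}

# The pin set an application would ship: SHA-256 over the expected leaf DER.
PINNED_SHA256 = {hashlib.sha256(GENUINE_DER).hexdigest()}


def is_self_signed(info: dict) -> bool:
    """A leaf whose issuer equals its subject was not issued by any CA."""
    return info["subject"] == info["issuer"]


def check_peer(der: bytes, info: dict, library_verdict: bool) -> list:
    """Return findings for a presented certificate; [] means it passes.

    library_verdict is what the platform chain check returned. With the
    hooks on the slides it is always True, so it is recorded but never
    allowed to override the pin comparison."""
    findings = []
    if not library_verdict:
        findings.append("platform chain verification failed")
    if hashlib.sha256(der).hexdigest() not in PINNED_SHA256:
        findings.append("leaf fingerprint not in pin set")
    if is_self_signed(info):
        findings.append("leaf is self-signed")
    return findings


if __name__ == "__main__":
    print("genuine:", check_peer(GENUINE_DER, GENUINE_INFO, True))
    print("proxy  :", check_peer(PROXY_DER, PROXY_INFO, True))
```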
Example Configuration Files
Mobile component
• Android
• BlackBerry
• Symbian
Comparison with Gataka
                      Gataka                                Hesperbot
Web-injects           ✔                                     ✔
Supported browsers    IE, Firefox, Chrome, Opera, Safari + some less known ones
Form-grabbing         via web-injects                       through local proxy
Video capturing       ✔                                     ✔
Keylogger                                                   ✔
Modular architecture  ✔                                     ✔
Configuration format  database                              file
C&C communication     XOR encrypted                         HTTPS
Remote access         VNC                                   VNC
Mobile component      ?                                     ✔
Price                 ~3300 EUR (Zutick)                    ?
Most targeted         Germany, Netherlands, Scandinavia     Turkey, Czech Republic, Portugal
Conclusion
• New code written from scratch
• Real money stolen
• On-going investigation
• Similar / Reusable web-inject format
• Monitoring botnet activity, tracking new versions…
• Strictly localized campaigns