RISE OF THE BANKING TROJANS - IT-SECX – IT-Security … · 2014-11-10 · RISE OF THE BANKING...
Marion Marschalek
@pinkflawd
ZEUS mode of operation
1. Drop executable in the user's %APP% folder
2. Create and execute a batch file to delete dropper
3. Maintain registry key for persistence
4. Inject payload to system processes
5. Download customized configuration
ZEUS E(DDIE)VASION
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
E(DDIE)VASION on the system level
OpenProcess
Check AccessToken
WriteProcessMemory
CreateRemoteThread
Boom.
CONFIGURATION
• Update URL & Config Backup URL
• Upload URL
• Injection Information
• URL Masks:
  • For identifying websites to log
  • For identifying websites to screenshot
• URL Mappings for Redirection
• IP/URL Mappings to insert into the hosts file to override DNS lookups
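The last configuration item, IP/URL mappings written into the hosts file, is one of the few parts of a Zeus config that leaves a plain-text trace on disk. The audit below is an added example, not code from the talk: it parses hosts-file text and flags every hostname mapped to a non-loopback address, marking the ones that fall under a watched set of domains (here a constructed bank domain; the 198.51.100.23 address is RFC 5737 documentation space and the whole SAMPLE_HOSTS text is constructed for the example).

```python
"""Audit a Windows/Unix hosts file for DNS-override entries of the kind a
Zeus configuration can push (slide: "IP/URL Mappings to insert into the
hosts file to override DNS lookups"). Added example, not from the talk."""
import ipaddress

# Constructed sample: two stock loopback lines, two override lines that mimic
# a banking-domain redirect, and one malformed line to show error handling.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-bank.test
198.51.100.23   online.example-bank.test   # trailing comment is ignored
not-an-ip       garbage.test
"""


def parse_hosts(text):
    """Return (ip_string, hostname) pairs; comments and blank lines are skipped.

    One hosts line may carry several hostnames; each becomes its own pair."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name))
    return entries


def audit_hosts(text, watch_domains):
    """Flag every mapping to a routable address.

    Loopback and unspecified (0.0.0.0) targets are normal: the default
    localhost lines and ad-blocking sinkholes look like that. Anything else
    is reported; 'watched' is True when the hostname is, or is under, one of
    the domains the defender cares about (e.g. the bank's own domains)."""
    watch = {d.lower() for d in watch_domains}
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: not a valid hosts entry, nothing resolves
        if addr.is_loopback or addr.is_unspecified:
            continue
        lname = name.lower()
        watched = any(lname == d or lname.endswith("." + d) for d in watch)
        flagged.append({"ip": ip, "host": name, "watched": watched})
    return flagged


if __name__ == "__main__":
    for hit in audit_hosts(SAMPLE_HOSTS, {"example-bank.test"}):
        print(hit)
```

On a live system the text would come from %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts); any watched hit is worth correlating with the file's modification time and the process that last wrote it.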
SUMMING IT UP
DROPPER kilf.exe
  -> drop Zbot files
  -> delete dropper (DELETE SCRIPT KUQ9491.bat)
ZBOT vogiap.exe + CONFIGURATION ehri.ofu
  -> inject code into PROCESS explorer.exe
  <-> C&C SERVER: control communication and updates
ZitMo: Zeus in the Mobile
1. Zeus Infection
2. Installation of ZitMo
3. Social Engineering
4. Spying of Online-Banking credentials
5. Capture mTAN
6. Do Transaction
ZeusVM / KINS
Born December 2011
Sold as a kit since 2013
Heavily based on Zeus source code
http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/
Carberp
There is no honour among thieves:
“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory”
1.9GB sources: http://krebsonsecurity.com/
ZBERP ..?
Features compared for ZEUS | KINS | CARBERP:
Infection Routine
Anti-Disassembly
Invisible Persistence
Graphical Configuration
Virtual Machine Execution
Encrypted C&C communication
Suspend-Thread Code Injection
Hooking Technique
HUNTING ZEUS
1. Drive-by infections
2. Anomalies in network traffic
3. Threat intelligence feeds to follow C&Cs
4. File system & registry key changes
5. Watch your data
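Points 4 and 5 of the hunting list map directly onto the mode of operation and the injection sequence shown earlier: random-named drop folders under %APP%, a batch file that removes the dropper, a Run key for persistence, and a remote thread into explorer.exe. The rules below are an added example, not code from the talk: they run over a handful of constructed, simplified Sysmon-style event dicts (file creation, registry value set, remote-thread creation) and reuse the file and folder names from the slides (Eqzauf, Ubapo, vogiap.exe, ehri.ofu, KUQ9491.bat). The vendor-folder allowlist, the event shape and the pseudo-random-name heuristic are assumptions made for the example.

```python
"""Hunting rules for the Zeus behaviour pattern described in the slides.
Added example; event records are constructed, not real telemetry."""
import re
from collections import defaultdict

# Pseudo-random 4-7 letter folder directly under Roaming (cf. %APP%\Uwirpa,
# %APP%\Hibyo on the slides). A few well-known vendor folders are allowlisted;
# the allowlist is an assumption for the example, not a complete list.
RANDOM_DIR = re.compile(r"\\AppData\\Roaming\\([A-Za-z]{4,7})\\[^\\]+$")
KNOWN_VENDOR_DIRS = {"Adobe", "Google", "Mozilla", "Skype"}

EVENTS = [  # constructed sample events, timestamps in the slides' dd.mm.yyyy hh:mm form
    {"type": "file_create", "time": "20.12.2013 22:23", "pid": 1234,
     "path": r"C:\Users\u\AppData\Roaming\Eqzauf\vogiap.exe"},
    {"type": "file_create", "time": "20.12.2013 22:23", "pid": 1234,
     "path": r"C:\Users\u\AppData\Roaming\Ubapo\ehri.ofu"},
    {"type": "file_create", "time": "20.12.2013 22:23", "pid": 1234,
     "path": r"C:\Users\u\AppData\Local\Temp\KUQ9491.bat"},
    {"type": "reg_set", "time": "20.12.2013 22:23", "pid": 1234,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Eqzauf",
     "value": r"C:\Users\u\AppData\Roaming\Eqzauf\vogiap.exe"},
    {"type": "remote_thread", "time": "20.12.2013 22:24", "pid": 5678,
     "source_image": r"C:\Users\u\AppData\Roaming\Eqzauf\vogiap.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    # benign noise that must not fire
    {"type": "file_create", "time": "20.12.2013 22:25", "pid": 4321,
     "path": r"C:\Users\u\AppData\Roaming\Adobe\prefs.dat"},
    {"type": "reg_set", "time": "20.12.2013 22:26", "pid": 4321,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def random_appdata_dir(path):
    """Return the folder name when path is ...\\AppData\\Roaming\\<random>\\<file>
    and <random> is not an allowlisted vendor folder; otherwise None."""
    m = RANDOM_DIR.search(path)
    if m and m.group(1) not in KNOWN_VENDOR_DIRS:
        return m.group(1)
    return None


def hunt(events):
    """Apply four rules and return a list of (rule, pid, detail) findings.

    Two rules fire per event (Run key into a random folder; remote thread from
    a random folder into explorer.exe). Two correlate per process: an executable
    or config dropped into two or more random folders, and a dropper that also
    writes a .bat file (the self-delete step from the mode of operation)."""
    findings = []
    drops = defaultdict(list)    # pid -> file creations inside random folders
    batches = defaultdict(list)  # pid -> .bat file creations
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            if random_appdata_dir(ev["path"]):
                drops[ev["pid"]].append(ev)
            elif ev["path"].lower().endswith(".bat"):
                batches[ev["pid"]].append(ev)
        elif kind == "reg_set":
            if "\\currentversion\\run\\" in ev["key"].lower() and random_appdata_dir(ev["value"]):
                findings.append(("run-key-to-random-appdata", ev["pid"], ev["value"]))
        elif kind == "remote_thread":
            if random_appdata_dir(ev["source_image"]) and \
                    ev["target_image"].lower().endswith("\\explorer.exe"):
                findings.append(("remote-thread-into-explorer", ev["pid"], ev["source_image"]))
    for pid, files in drops.items():
        if len({random_appdata_dir(f["path"]) for f in files}) >= 2:
            findings.append(("paired-random-appdata-drops", pid, [f["path"] for f in files]))
        if batches.get(pid):
            findings.append(("dropper-plus-batch-file", pid, batches[pid][0]["path"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Each rule on its own is noisy (legitimate installers also write Run keys into AppData); the value of the correlation is that one process id ties the drop, the batch file and the persistence key together, which is exactly the sequence the mode-of-operation slide lists.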
MALWARE KILL CHAIN
Awareness | Behavior | Correlation | Intelligence | Encryption
LURE -> EXPLOIT -> INFECT -> CALL HOME -> STEAL DATA
RESOURCES
• Eddie Sources:
  • http://www.guitarworld.com/photo-gallery-many-faces-iron-maidens-eddie
  • http://maiden-world.com/articles/history-of-eddie.html
  • http://ultimateclassicrock.com/iron-maiden-eddie-album-covers-retrospective/
• http://www.cyactive.com/zberp-baby-super-trojan/
• https://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
• http://www.fortiguard.com/legacy/analysis/zeusanalysis.html
• http://www.symantec.com/connect/blogs/brief-look-zeuszbot-20
• http://www.reuters.com/article/2007/07/17/us-internet-attack-idUSN1638118020070717