Banking malware: ZeuS zombies are used in online banking theft
Nahidul Kibria
Co-Leader, OWASP Bangladesh Chapter; Principal Software Engineer, Orbitax Bangladesh Ltd.
Writing code for fun and food. Security enthusiastic.
Twitter:@nahidupa
About OWASP
OWASP’s mission is “to make application security visible, so that people and organizations can make informed decisions about true application”
Attackers do not use black art to exploit your application.
www.owasp.org
Bangladesh Chapter
Financial Malware: ZeuS zombies are used in online banking theft.
The process of logging in to your banking account is getting more and more complicated.
Extra pin code
Show picture in login window
All of this is to save you …
ZeuS and Spy Eye
ZeuS modifies bank financial statements
Zombies
In computer science, a zombie is a computer connected to the Internet that has been compromised.
Zombies are part of a botnet.
What Is a Botnet?
What Does a Botnet Do?
First Generation
Internet Relay Chat (IRC) Protocol
Second Generation
Peer-to-Peer (P2P) Protocol
Third Generation
Hyper Text Transfer Protocol (HTTP)
Hybrid
Mix of characteristics of different generations of botnets
Botnet evolution
So how does ZeuS bypass the security mechanisms you have in place?
Classical defense does not work
How does financial malware bypass anti-virus?
Let’s look at how most anti-virus products work.
Match the signature
ZeuS variant
It takes time to analyze a new binary
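To make the point of these slides concrete, here is a toy signature scanner, added as an example and not part of the original talk. The "sample" is a constructed byte string, not real malware, and the signature names (fakebot.a, fakebot.gen) are invented. It shows why a vendor's signature for one known binary does not carry over to a variant: the hash signature misses as soon as any byte changes, a byte-pattern signature survives a configuration change but not a repacked build, and in both cases an analyst has to look at the new binary before a fresh signature can ship.

```python
"""Toy signature scanner: why a new variant of a known sample slips past
hash- and byte-pattern signatures until analysts write a new one.
Added example with constructed samples; nothing here is real malware."""
import hashlib
import re

# Constructed stand-in for an analysed sample: a fake header plus a config blob.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"FAKE-BOT-CONFIG:c2=example.invalid;" + b"\x00" * 32

# Signature database a vendor might ship after analysing KNOWN_SAMPLE:
# an exact-file hash and a looser byte pattern over the config block.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "fakebot.a"}
BYTE_SIGNATURES = {re.compile(rb"FAKE-BOT-CONFIG:c2=[^;]+;"): "fakebot.gen"}


def scan(blob: bytes) -> list:
    """Return the signature names that match `blob` (empty list means 'clean')."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())
    if name:
        hits.append(name)
    for pattern, sig_name in BYTE_SIGNATURES.items():
        if pattern.search(blob):
            hits.append(sig_name)
    return hits


def make_variant(sample: bytes, new_c2: bytes) -> bytes:
    """Constructed 'variant': identical code, different config value."""
    return sample.replace(b"c2=example.invalid", b"c2=" + new_c2)


def xor_pack(sample: bytes, key: int) -> bytes:
    """Constructed 'packed' build: the same bytes under a single-byte XOR.
    A real packer would prepend an unpacking stub; the point here is only
    that the bytes on disk no longer resemble the analysed sample."""
    return bytes(b ^ key for b in sample)


if __name__ == "__main__":
    print("known sample  :", scan(KNOWN_SAMPLE))
    print("config variant:", scan(make_variant(KNOWN_SAMPLE, b"other.invalid")))
    print("packed build  :", scan(xor_pack(KNOWN_SAMPLE, 0x5A)))
```

The config variant still trips the byte pattern because the analysts wrote it over bytes the variant left alone; the packed build trips nothing, which is the gap the talk describes between a new binary appearing and a signature for it existing.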
Two-factor authentication
We moved to PIN code generator devices
Bypasses two-factor authentication
Evil vs. Good
Bot Spreading Mechanisms
• Browser Exploit Packs
• Drive-by-Download frameworks
• Spreaders
• USB Spreading
• Install-by-Install
Top 10 Web Threats
Prevalence Chart Q3 2012
Propagation tactics
Facebook update scam leading to Zeus Trojan
Bogus SEO result for ‘MailMarshal’
Exploiting Web Hosting
Several websites are hosted on a single server sharing one IP address
– DNS names are mapped virtually to the same IP
Exploitation
Exploiting Browsers/HTTP
– Man in the Browser
– Form grabbing
– Web Injects
Exploit Kit(s)
Lifecycle of a vulnerability
Symantec's chart shows the distribution of zero-day exploits by how long they persist before being discovered. The average is close to 10 months.
Persistence and hiding activity
Files and Directories
Processes
Registry Keys
Services
TCP/UDP ports
Communication hiding (covert channels)
The technical name for this is a rootkit.
File hiding
Hiding the network traffic
Cryptography - Make the message unreadable
Steganography - Hide the message in another message
Metaferography - Hide the message in the carrier
Easy to design, hard to detect
Covert Channels
• Clever use of network protocols
• Nearly undetectable
“They’ll never see me coming!”
So malware can become FUD (fully undetected)
Now you may think!!!
Mule Recruiting
• “Work From Home” scam
• Person is told they are working in a customer service or billing position
• Person uses their personal checking account to receive funds
• And after they do the wire transfer and are burned…
• …their identity is sold on the black market and they get burned a second time
I’m copying images from Google search; thanks all.
Subscribe to the mailing list: https://www.owasp.org/index.php/Bangladesh
https://www.facebook.com/OWASP.Bangladesh
Keep up to date! Twitter: @nahidupa
Twitter: @owaspbangladesh