[cb16] background story of "operation neutralizing banking malware" and highly developed...
TRANSCRIPT
![Page 1: [CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada](https://reader035.vdocuments.site/reader035/viewer/2022062823/587756c21a28ab84388b776d/html5/thumbnails/1.jpg)
Copyright© 2016 SecureBrain Corporation, All rights reserved.
Behind “Operation Banking Malware Takedown” and the Progression of Malware Sophistication
CODE BLUE 2016, 2016.10.20-21
Kazuki Takada, SecureBrain Corporation
Profile
• Kazuki Takada
• SecureBrain Corporation
• Software Engineer. My regular work is software development. Sometimes security researcher (sometimes this is the main work…)
Background
Question
What’s this number?
3073000000
Answer
Amount of fraudulent Internet banking money transfers in Japan in 2015: ¥3,073,000,000 (about $30 million)
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
Internet Banking Fraud in Japan
(Chart: losses by year)
2013: $14 million
2014: $29 million
2015: $30 million
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
IPA Top Security Threat List
• Top 10 Security Threats for 2016.
Overview of “Operation Banking Malware Takedown”
Operation Banking Malware Takedown
http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm
Operation Banking Malware Takedown
(Diagram: the MPD uses the C&C server to distribute neutralization data to the victim PCs; the threat to the bank web server is disabled.)
MPD: Metropolitan Police Department
The target is “VAWTRAK” (other names: Neverquest, Snifula)
https://www.flickr.com/photos/arenamontanus/2125942630
VAWTRAK
What’s VAWTRAK
• VAWTRAK has been around in Japan since 2014.
• Rewrites communication content by MITB (Man In The Browser)
– Injects into the browser process (IE, Firefox, Chrome)
• Executes the following during Internet banking sessions
– Steals banking credential information
– Semi-automatic fraudulent money transfer
What’s MITB?
MITB: Man In The Browser
(Diagram: on the victim PC, VAWTRAK is injected into the browser and sits between the browser and the web server, where it rewrites HTML, shows dummy screens, etc.)
What’s happened?
(Diagram: VAWTRAK infects the user PC and keeps its configuration data in the registry; the configuration data comes from the C&C server. The other parties are the manipulation server and the bank web server.)
What’s happened?
(Diagram: the user PC requests the bank page; the bank web server returns the original content, `<html><head><title>Internet Banking</title>`…; VAWTRAK injects `<script src=“….”>` into it before the browser renders it. C&C server and manipulation server are present but not involved in this step.)
What’s happened?
(Diagram: because of the injected `<script src=“….”>` in `<html><head><title>Internet Banking</title>`, the browser on the user PC requests the malicious JavaScript from the manipulation server, then downloads and executes it.)
What’s happened?
(Diagram: the malicious JavaScript shows the user a form asking for the code number and user account information, with a “Send” (送信) button; the entered values, shown as `*******`, go to the manipulation server, not to the bank web server.)
Operation Banking Malware Takedown
A chance for collaboration
Semi-automatic remittance fraud
(Screenshot: a fake “ABC Direct main menu” (ABCダイレクト メインメニュー), footer “Copyright ABC Bank Co.,Ltd All Right Reserved”, asking for the customer number (お客様番号) and one-time password (ワンタイムパスワード).)
The fraudulent money transfer procedure is executed from the victim PC while the user waits for the progress bar to finish.
Request flow
(Diagram between the victim PC, the bank and the manipulation server; labels as on the slide:)
• Login → login process → login screen; login credential info. goes to the manipulation server.
• Account info screen; tap balance info → balance info. goes to the manipulation server.
• Money transfer info & amount of transfer come back from the manipulation server; the money transfer process runs against the bank while a progress bar is shown to the user.
• Display some input screen if necessary.
http://www.slideshare.net/MasataNishida/avtokyo2014-obsevation-of-vawtrakja
We tried sending the same request that the malicious JavaScript sends, and got back:
• Beneficiary information
• Amount of transfer (upper limit / lower limit)
Collaboration with Metropolitan Police Department (MPD)
• SecureBrain shared with the MPD the beneficiary account information it had collected by researching the manipulation server.
• The MPD used the beneficiary account information to prevent illegal money transfers.
The Metropolitan Police Department and SecureBrain made a cooperative agreement.
Collaboration with Metropolitan Police Department (MPD)
• The MPD holds the domain of a C&C server.
• The domain name was obtained through the regular procedure.
• They watched the communication between VAWTRAK and the C&C server.
• They identified 82,000 victim clients worldwide, with 44,000 clients located in Japan.
The MPD considered distributing new “Configuration data” for the takedown.
Technical overview
(Diagram: the MPD gets the C&C domain and puts it under control; SecureBrain provides the neutralization data generation tool; the C&C server distributes the data to the victim PCs, which are then no longer a threat to the bank web server.)
Who is in charge of each technology...
Metropolitan Police Department
• Obtain control of the C&C server and construct the data distribution server.
• Testing
SecureBrain
• Development of the “Command” and “Configuration data” generation tool. It relies on the decryption technique for VAWTRAK’s data format.
• Investigate the type of data required to neutralize VAWTRAK.
Development of neutralization technique
Features of the VAWTRAK bot that make a takedown possible
• The bot polls the C&C server every minute.
• While it has a working connection to one C&C server, it does not communicate with the other C&C servers.
Command
We identified 20 commands, including:
• Configure data
• Download and execute file
• Shutdown, reboot
• Steal Cookie
• Steal CertStore
• Start and Stop Socks server
• Start and Stop VNC server
• Update
• Registry operations
...etc...
Configuration data
Data that rewrites bank traffic so that the bot communicates with the manipulation server. The decrypted configuration data contains:
• Target URL
• Malicious code for injection
Components of Configuration data

| Name | Meaning |
|---|---|
| inject type | Type of injection |
| browser | Target browser |
| pattern match | Pattern type to match URL |
| URL | Target URL |
| string2 | Target string |
| string3 | Replace string |
| string4 | Insert string |
inject type
We identified 18 inject types, including:
• Close connection
• Screen capture
• Insert before
• Insert after
• Replace URL
• Replace host
• Replace string
...etc...
browser / pattern

browser

| Browser |
|---|
| Internet Explorer |
| Firefox |
| Chrome |

pattern

| Type | Meaning |
|---|---|
| strstr | strstr function (substring match) |
| strcmp | strcmp function (exact match) |
| regexp | Regular expression |
Let’s look at the “Configuration data” again.
Configuration data (example: insert before)

| Type | Meaning |
|---|---|
| inject type | insert before |
| browser | IE, Firefox, Chrome |
| URL | Target URL (regular expression) |
| string2 | Target string |
| string3 | - |
| string4 | JavaScript for injection |
Configuration data (example: replace URL)

| Type | Meaning |
|---|---|
| inject type | replace URL |
| browser | IE, Firefox, Chrome |
| URL | Target URL |
| string2 | Target string |
| string3 | URL to replace with |
| string4 | - |
About the generation tool
• Execution check environment: Linux OS, Python 2.7.x
• The tool generates the binary data that VAWTRAK reads as its Command and Configuration input.
• Because the output data is delivered by the C&C server and read by VAWTRAK, the bot’s configuration is replaced.
Generating flow of Configuration data
Raw configuration data (JSON format) → CRC32 computed from the raw configuration data → compression process (aPLib) → encryption process (XOR) → encrypted configuration data (binary)
Demo
• Control of VAWTRAK
Experiment sandbox environment
(Diagram: dummy C&C server and victim PC run as VMs under VMware on a Mac OS X host, with Internet access.)

| Component | Environment |
|---|---|
| Host machine | Mac OS X 10.10 (VMware) |
| Dummy C&C | Ruby 2.0 + Sinatra |
| Victim PC | Various Windows versions (XP and later) |
| Browser | Internet Explorer, Chrome, Firefox |
The body of neutralization data
Effect of the takedown operation
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
Discussion
• Damage by VAWTRAK increased from mid-2013 but decreased after the operation.
• Because the police carried out the operation, it may have had a psychological effect on the attacker in addition to the technical one.
• There are some problems. For example, the C&C domain has to be obtained beforehand.
The Progression of Malware Sophistication
Major malware in 2016
• ROVNIX (other name: Cidox)
• URLZONE (other names: Shiotob, Bebloh)
• VAWTRAK (New) (other names: Neverquest, Snifula)
• URSNIF (other name: Gozi)
(Diagram: two groups, each with its own malicious JavaScript. Group A: ROVNIX, 30 targets. Group B: URLZONE and VAWTRAK (New), 30 targets.)
The attack method of MITB is almost the same.
What changes ?
Point
• Prevents rewriting of the malware’s communication with the C&C server
– The secret key for “Serpent” is encrypted with RSA-2048 public-key encryption.
– ROVNIX signs the contents of its communication with RSA-2048.
• Malware is updated frequently
– Detection by pattern matching becomes more difficult.
– It can inject even into the latest browsers.
• Various communication methods
– Both HTTP and UDP P2P communication are used to get the configuration data.
• Sophistication of malicious JavaScript
Sophistication of malicious JavaScript (1)
Request flow
(Diagram between the victim PC, the bank and the manipulation server; labels as on the slide:)
• Login → login process → login screen; login credential info. goes to the manipulation server.
• Remittance process: request of settlement info. to the manipulation server; settlement info comes back.
• A dummy screen of security software is shown to the user meanwhile.
• Display some input screen as necessary.
Discussion
Prevent rewriting of communication. Multiplex the communication channels. Process the concealed information on the server.
→ Security for maintaining the attack activity is strengthened.
Conclusions
Conclusions
• It is very important that the police take the lead in a takedown operation.
• The attacker reacts very quickly. We always have to think about new prevention techniques.
• It is difficult to simply apply the methods of this operation to more sophisticated malware.
Effective takedown operation…
https://www.flickr.com/photos/hackaday/4658391708
It is essential for the government, the police, the judiciary, and companies to cooperate.