nullcon 2011 - zeus mitmo – a real case of banking fraud through mobile phones
DESCRIPTION
ZeuS MitMo – A real case of banking fraud through mobile phones, by Mikel Gastesi & Jose Miguel Esparza
TRANSCRIPT
![Page 1: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/1.jpg)
ZeuS MitMo
Mikel Gastesi, S21sec e-crime analyst, 2011-02-25
http://null.co.in/ http://nullcon.net/
![Page 2: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/2.jpg)
ZeuS MitMo
• Introduction
• Banking protections
• Banking trojans
  – ZeuS / Zbot
• ZeuS MitMo
• Conclusion
![Page 3: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/3.jpg)
Introduction
![Page 4: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/4.jpg)
Introduction
• Target – Why the user??
![Page 5: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/5.jpg)
Banking protections
• User / password
• User / password + extra password for transactions
• Code card
• OTP
  – mTAN = mobile Transaction Authentication Number
![Page 6: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/6.jpg)
Cat and mouse game
• User / password → Form grabbing
• User / password + extra password for transactions → Form grabbing
• Code card → HTML injection
• OTP
  – mTAN = mobile Transaction Authentication Number → Zitmo, MitB
  – Token?
![Page 7: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/7.jpg)
Attacking the user
• Phishing
• Trojans
  – One-shot trojans
  – Modifying the hosts file
  – Form grabbing
  – HTML injection
![Page 8: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/8.jpg)
Banking trojans
• ZeuS / Zbot
• SpyEye
• Bankpatch
• SilentBanker
• Sinowal
• Gozi
• Carberp
• …
![Page 9: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/9.jpg)
Zbot
• You can buy it for less than $600!
  – Easy to install
  – Easy to configure
  – Creates an easy-to-manage botnet
  – Very powerful
  – Add-ons
    • IM / Jabber
• Zitmo has been seen for sale!! ¿?¿?
![Page 10: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/10.jpg)
Zbot
Characteristics:
– Creates a botnet
– Configuration file update
– Binary file update
– /etc/hosts modification
– Socks proxy
– HTML injection
– HTML redirection
![Page 11: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/11.jpg)
Zbot
Characteristics:
– Screenshots
– Captures virtual keyboards
– Captures form data
– Steals certificates
– KillOS function!
– Encrypts configuration file and data
![Page 12: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/12.jpg)
Zbot
| Executable | Config & Data | Mutex / Pipe | Version |
|---|---|---|---|
| ntos.exe | \wsnpoem\video.dll, \wsnpoem\audio.dll | _SYSTEM_64AD0625_ | 1.0.x.x |
| oembios.exe | \sysproc64\sysproc86.sys, \sysproc64\sysproc32.sys | _SYSTEM_64AD0625_ | 1.1.x.x |
| twext.exe | \twain\local.ds, \twain\user.ds | _SYSTEM_64AD0625_ | 1.1.x.x |
| twex.exe | \twain\local.ds, \twain\user.ds | _H_64AD0625_ | 1.2.x.x |
| sdra64.exe, bootlist32.exe, userinit32.exe | \mac32\cbt.lc, \mac32\cc.lc; \lowsec\local.ds, \lowsec\user.ds; \zad32and\boot.pop, \yad32and\codec.dll | _AVIRA_2109_, _LILO_19099_ | 1.2.x.x |
| bootwindows.exe | \skype32\win32post.dll, \skype32\win64post.dll | _SOSI_19099_ | 1.3.x.x |
![Page 13: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/13.jpg)
Zbot

| Executable | Config & Data | Version |
|---|---|---|
| msxxx32.exe | | 1.3.x.x |
| host32.exe | \jh87uhnoe3\ewf32.nls, \jh87uhnoe3\ewfrvbb.nls | 1.3.7.0 |
| svchost32.exe | \efee3f32f\brrve.nls, \efee3f32f\wrfsf.nls | 1.4.1.3 |
| random | random | 2.x |
| Licat / Hydra? | | … |
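The two tables above are, in practice, a host-based fingerprint: the file names, config/data path tails and mutex names change from version to version, and 2.x dropped fixed names altogether. The following added example (not code from the talk or from S21sec) encodes those indicators and scores the artefacts observed on a host against them; the observed paths and mutex names are constructed sample data, and the indicator list is transcribed from the slides only. It also handles the ambiguous case the tables contain, where an indicator such as \twain\user.ds belongs to more than one version.

```python
"""ZeuS/Zbot version fingerprinting from host artefacts.

Added example, not code from the nullcon talk or from S21sec: it encodes the
executable / config-and-data / mutex table of slides 12-13 and matches the
artefacts observed on a host (file paths, mutex names) against it. The
observed artefacts below are constructed sample data; the version labels and
indicators are the ones printed on the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZbotProfile:
    version: str
    executables: frozenset   # dropper / binary file names
    data_paths: frozenset    # path tails of config and data files
    mutexes: frozenset       # mutex / pipe names (empty where the slide has none)


# Indicator table transcribed from slides 12-13. Version 2.x uses random names
# and therefore cannot be fingerprinted by file name at all.
PROFILES = (
    ZbotProfile("1.0.x.x", frozenset({"ntos.exe"}),
                frozenset({r"\wsnpoem\video.dll", r"\wsnpoem\audio.dll"}),
                frozenset({"_SYSTEM_64AD0625_"})),
    ZbotProfile("1.1.x.x", frozenset({"oembios.exe", "twext.exe"}),
                frozenset({r"\sysproc64\sysproc86.sys", r"\sysproc64\sysproc32.sys",
                           r"\twain\local.ds", r"\twain\user.ds"}),
                frozenset({"_SYSTEM_64AD0625_"})),
    ZbotProfile("1.2.x.x",
                frozenset({"twex.exe", "sdra64.exe", "bootlist32.exe", "userinit32.exe"}),
                frozenset({r"\twain\local.ds", r"\twain\user.ds",
                           r"\mac32\cbt.lc", r"\mac32\cc.lc",
                           r"\lowsec\local.ds", r"\lowsec\user.ds",
                           r"\zad32and\boot.pop", r"\yad32and\codec.dll"}),
                frozenset({"_H_64AD0625_", "_AVIRA_2109_", "_LILO_19099_"})),
    ZbotProfile("1.3.x.x", frozenset({"bootwindows.exe", "msxxx32.exe"}),
                frozenset({r"\skype32\win32post.dll", r"\skype32\win64post.dll"}),
                frozenset({"_SOSI_19099_"})),
    ZbotProfile("1.3.7.0", frozenset({"host32.exe"}),
                frozenset({r"\jh87uhnoe3\ewf32.nls", r"\jh87uhnoe3\ewfrvbb.nls"}),
                frozenset()),
    ZbotProfile("1.4.1.3", frozenset({"svchost32.exe"}),
                frozenset({r"\efee3f32f\brrve.nls", r"\efee3f32f\wrfsf.nls"}),
                frozenset()),
)


def score_host(file_paths, mutex_names):
    """Map each Zbot version to the sorted list of its indicators seen on the host."""
    paths = [p.lower() for p in file_paths]
    mutexes = set(mutex_names)
    hits = {}
    for profile in PROFILES:
        matched = set()
        for path in paths:
            base = path.rsplit("\\", 1)[-1]          # file name without directory
            if base in profile.executables:
                matched.add(base)
            # Config/data files are matched on their path tail, wherever the
            # system directory happens to be.
            matched.update(t for t in profile.data_paths if path.endswith(t.lower()))
        matched.update(mutexes & profile.mutexes)
        if matched:
            hits[profile.version] = sorted(matched)
    return hits


def likely_versions(file_paths, mutex_names):
    """Versions with the highest indicator count. More than one result means
    the observed artefacts are shared between versions (e.g. \\twain\\user.ds
    belongs to both 1.1.x.x and 1.2.x.x), so the host needs a closer look."""
    hits = score_host(file_paths, mutex_names)
    if not hits:
        return []
    best = max(len(indicators) for indicators in hits.values())
    return sorted(v for v, indicators in hits.items() if len(indicators) == best)


# Constructed sample observation from an infected workstation (not real data).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\WINDOWS\system32\calc.exe",
]
SAMPLE_MUTEXES = ["_AVIRA_2109_", "SampleAppMutex"]

if __name__ == "__main__":
    print(score_host(SAMPLE_FILES, SAMPLE_MUTEXES))
    print(likely_versions(SAMPLE_FILES, SAMPLE_MUTEXES))   # ['1.2.x.x']
```

The scoring is deliberately additive rather than first-match: a single shared indicator yields two candidates, while the constructed sample (dropper, both data files and one mutex) yields only 1.2.x.x. Feed it the file list and mutex list from a memory or disk triage and treat an empty result as "not one of the named-file generations", not as "clean", because 2.x and later use random names.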
![Page 14: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/14.jpg)
Zbot
• Why does it work so well?
  – Stealth
  – User doesn't see anything wrong: green lock + https = OK?? #FAIL
![Page 15: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/15.jpg)
Zbot
![Page 16: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/16.jpg)
Zbot
![Page 17: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/17.jpg)
Zbot
![Page 18: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/18.jpg)
Zbot
• Screen capture
![Page 19: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/19.jpg)
Zbot
• Redirection
![Page 20: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/20.jpg)
Zbot
![Page 21: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/21.jpg)
Jumping to the phone
(Slide diagram labels: ZEUS TROJAN on the PC, MITMO on the phone)
![Page 22: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/22.jpg)
Attacking phones
• Today – Why?
  – Stealing OTP
  – Hiding information messages (instead of SMS flooding)
    • Avoids detection of MitB
  – Blocking incoming calls
    • Prevents communicating with the bank
      – No mail
      – No SMS
      – No phone call
![Page 23: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/23.jpg)
Attacking phones
• Today and tomorrow – Why?
  – False security perception
  – 2 factors → 1 factor
  – Personal information
    • Passwords of a lot of services, social networks, etc.
    • Password reuse?
![Page 24: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/24.jpg)
Implementation
• OTP != mTAN
  – Hardware token
  – Ownable platform
• How do you configure your phone number?
![Page 25: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/25.jpg)
Zitmo
(Slide diagram: OTP 0023424 sent to the phone; CREDENTIALS captured by ZEUS on the PC; OTP 0023424 and COMMANDS exchanged with MITMO on the phone)
![Page 26: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/26.jpg)
Zitmo
• Zeus 2.0.8.9 with custom injection
![Page 27: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/27.jpg)
Zitmo
• Fake SMS to install the trojan (one-time URL)
![Page 28: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/28.jpg)
Zitmo
• Platforms
  – Symbian
  – BlackBerry
  – Windows Mobile
• Targets
  – Spanish banks in September (+1 German)
  – Polish banks this week (+ Portugal…)
  – ZitMo depends only on the PC ZeuS config
![Page 29: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/29.jpg)
Zitmo
• How does it work?
  – Preconfigured admin phone number
  – Hello message: “App installed OK”
  – Resends messages
  – Inspired by “SMS Monitor”
![Page 30: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/30.jpg)
Zitmo
• Commands:
  – Set admin
  – Sender add
  – Sender rem
  – Block on
  – Block off
  – Set sender
![Page 31: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/31.jpg)
Zitmo
Mikel, don’t forget the video!!!
![Page 32: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/32.jpg)
ZitMo reloaded
• ZeuS version 3.1.8 Fake?
![Page 33: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/33.jpg)
ZitMo reloaded
• New UNINSTALL 45930 command
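Slides 29, 30 and 33 together describe the observable behaviour of the phone component: a hello message to a preconfigured admin number, control commands arriving by SMS, and inbound messages being re-sent elsewhere. The added example below (not code from the talk, from S21sec or from the trojan) turns those three traits into detection rules run over a phone's message log. The log format, phone numbers and message texts are constructed for the example, and matching commands on their leading words (Set admin, Sender add, …, UNINSTALL) is an assumption about the syntax, since the slides list only the command names.

```python
"""Detecting Zitmo-style SMS relay behaviour in a phone's message log.

Added example, not code from the talk, from S21sec or from the trojan. It
applies three defender-side heuristics drawn from slides 29, 30 and 33:
  1. an outbound "App installed OK" hello message,
  2. inbound texts that start with one of the listed control commands,
  3. outbound texts that embed, verbatim, a text received from a different
     peer a few minutes earlier (an OTP/mTAN being forwarded).
Log format, numbers and message texts are constructed; matching commands on
their leading words is an assumption about the real syntax.
"""
from datetime import datetime, timedelta

# Command vocabulary as listed on slide 30, plus UNINSTALL from slide 33.
COMMANDS = ("set admin", "sender add", "sender rem", "block on", "block off",
            "set sender", "uninstall")
HELLO_TEXT = "app installed ok"
RELAY_WINDOW = timedelta(minutes=5)

# Constructed sample log, one message per line: timestamp|direction|peer|text
SAMPLE_LOG = """\
2011-02-25T10:00:01|OUT|+10000000001|App installed OK
2011-02-25T10:00:30|IN|+10000000001|Set admin +10000000002
2011-02-25T10:05:00|IN|BANK|Your mTAN for transfer 1250,00 EUR is 0023424
2011-02-25T10:05:02|OUT|+10000000002|BANK: Your mTAN for transfer 1250,00 EUR is 0023424
2011-02-25T10:06:00|IN|+10000000003|See you at 8?
2011-02-25T10:07:00|OUT|+10000000003|Sure, 8 is fine"""


def parse_log(text):
    """Parse the pipe-separated sample format into a list of message dicts."""
    rows = []
    for line in text.splitlines():
        ts, direction, peer, body = line.split("|", 3)
        rows.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                     "peer": peer, "text": body})
    return rows


def analyze(rows):
    """Return (row_index, rule_name) findings for every suspicious message."""
    findings = []
    for i, row in enumerate(rows):
        text = row["text"].strip().lower()
        if row["dir"] == "OUT" and text == HELLO_TEXT:
            findings.append((i, "hello_to_admin"))
        if row["dir"] == "IN" and text.startswith(COMMANDS):
            findings.append((i, "control_command"))
        if row["dir"] == "OUT":
            # Walk backwards through recent inbound messages; a verbatim copy of
            # a message from another peer is the relay pattern.
            for j in range(i - 1, -1, -1):
                prev = rows[j]
                if row["ts"] - prev["ts"] > RELAY_WINDOW:
                    break
                if (prev["dir"] == "IN" and prev["peer"] != row["peer"]
                        and prev["text"].strip().lower() in text):
                    findings.append((i, "relayed_inbound_sms"))
                    break
    return findings


if __name__ == "__main__":
    for idx, rule in analyze(parse_log(SAMPLE_LOG)):
        print(f"row {idx}: {rule}")
```

The relay rule is the one that matters for the mTAN scenario: the hello message and the command strings are version-specific and easily changed, whereas any trojan that forwards the bank's SMS to a collector number has to produce an outbound message containing the inbound one. A legitimate reply to the same peer (the last two sample rows) does not trigger it because the peers match.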
![Page 34: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/34.jpg)
ZitMo reloaded
• Set admin App installed ok
![Page 35: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/35.jpg)
ZitMo reloaded
• Android version??? FAKE?
![Page 36: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/36.jpg)
Conclusions
• Real threat, actively used
• Defeats OTP (mTAN)
• To think: 2-factor authentication is becoming single-factor authentication!
• Android > Symbian
  – Same scenario?
  – Installing from the web Android Market?
![Page 37: nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones](https://reader033.vdocuments.site/reader033/viewer/2022060110/5559ffd1d8b42aa8098b4dc8/html5/thumbnails/37.jpg)
Questions?