Reversing banking trojan: an in-depth look              into Gataka               Jean-Ian Boutin                   ESET
Outline• Background• Architecture  • Overview of plugins• Network Protocol• Webinject• Campaigns
Background
Origins• Aliases: Tatanga, Hermes• First publicly discussed in 2011 by S21Sec• Targets mostly European users
What is it?• Banking trojan   • Designed to steal all kind of sensitive information through Man-     In-The-Browser scheme...
Geographic distribution of detection
Business model• This is not a do-it-yourself kit like   SpyEye• It seems that this kit is private or sold   only to select...
Basics
DEMO1
Installation• Infection vector    • BlackHole    • Malicious attachment• Installation    • Injection in all processes• Com...
Persistence
Architecture
Modular Architecture• HermesCore    • Communicate with C&C    • Ability to launch downloaded      executable
DEMO2
Interceptor
Interceptor• Supported browsers    • Firefox    • Internet Explorer    • Opera    • Maxthon• Frequent update to  support l...
Communication can now be monitored• NextGenFixer    • Install filters on particular      URLs• Webinject    • Inject html/...
DEMO3
IEXPLORE – certificate patching
Network Protocol
TopologyCompromised hosts   Proxy servers   C&C
Packet Decomposition                 TCP/IP HeaderPacket 1                 Gataka Header                 Encrypted Data   ...
C++ Reversing• Some basic suff   • This pointer usually passed in ecx   • In object, vtable is at first offset
DEMO4
Gataka header                             0-7            8-15          16-23            24-31                             ...
Send packet - log
Plugins Storage
Webinject
CoreDb
Webinject
Self-contained webinjectWebinject contained in DBWebinject downloaded fromexternal server                                 ...
Webinject – Gataka platform communications
DEMO5
Campaigns
Germany – statistics from one campaign                                                        0,17%                       ...
Germany – Two factor authentication bypass                                         Image sources: wikipedia.org and postba...
Netherlands
Conclusion
Thank You!Questions ?
Upcoming SlideShare
Loading in...5
×

Reversing banking trojan: an in-depth look into Gataka

1,515

Published on

Slides from my workshop @ ZeroNights 2012 in Moscow

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,515
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
37
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Reversing banking trojan: an in-depth look into Gataka

  1. 1. Reversing banking trojan: an in-depth look into Gataka Jean-Ian Boutin ESET
  2. 2. Outline• Background• Architecture • Overview of plugins• Network Protocol• Webinject• Campaigns
  3. 3. Background
  4. 4. Origins• Aliases: Tatanga, Hermes• First publicly discussed in 2011 by S21Sec• Targets mostly European users
  5. 5. What is it?• Banking trojan • Designed to steal all kind of sensitive information through Man- In-The-Browser scheme • Regionalized • Not very wide spread• Developped in C++• Modular architecture similar to SpyEye• Very verbose, a lot of debug information are sent to Command and Control Server.• Frequent update with new plugins and plugin versions.• Several advanced features
  6. 6. Geographic distribution of detection
  7. 7. Business model• This is not a do-it-yourself kit like SpyEye• It seems that this kit is private or sold only to selected groups• Infection vector • BlackHole • Malicious attachment
  8. 8. Basics
  9. 9. DEMO1
  10. 10. Installation• Infection vector • BlackHole • Malicious attachment• Installation • Injection in all processes• Communications done through IE
  11. 11. Persistence
  12. 12. Architecture
  13. 13. Modular Architecture• HermesCore • Communicate with C&C • Ability to launch downloaded executable
  14. 14. DEMO2
  15. 15. Interceptor
  16. 16. Interceptor• Supported browsers • Firefox • Internet Explorer • Opera • Maxthon• Frequent update to support latest browser versions
  17. 17. Communication can now be monitored• NextGenFixer • Install filters on particular URLs• Webinject • Inject html/javascript • Record videos/screenshots• HttpTrafficLogger • Log selected communications to/from specific websites• CoreDb • Stores information received from C&C
  18. 18. DEMO3
  19. 19. IEXPLORE – certificate patching
  20. 20. Network Protocol
  21. 21. TopologyCompromised hosts Proxy servers C&C
  22. 22. Packet Decomposition TCP/IP HeaderPacket 1 Gataka Header Encrypted Data …Packet n Gataka Header Encrypted Data
  23. 23. C++ Reversing• Some basic suff • This pointer usually passed in ecx • In object, vtable is at first offset
  24. 24. DEMO4
  25. 25. Gataka header 0-7 8-15 16-23 24-31 Magic Number NW Protocol Byte mask• When packets are Use xor key dword1 received from C&C, dword2 dword9 is optional Data size and Bot Id is absent Uncompressed Data Size XOR key dword6 dword7 checksum dword9 Bot Id (64 bytes)
  26. 26. Send packet - log
  27. 27. Plugins Storage
  28. 28. Webinject
  29. 29. CoreDb
  30. 30. Webinject
  31. 31. Self-contained webinjectWebinject contained in DBWebinject downloaded fromexternal server Injected content
  32. 32. Webinject – Gataka platform communications
  33. 33. DEMO5
  34. 34. Campaigns
  35. 35. Germany – statistics from one campaign 0,17% 1,51% 0,25% 0,05% Total Hits: 248,468• These statistics were obtained from a C&C • Almost 75% of 25,10% Germany Unresolved/Unknown compromised hosts in United States Germany Israel Sweden Canada 72,92%
  36. 36. Germany – Two factor authentication bypass Image sources: wikipedia.org and postbank.de
  37. 37. Netherlands
  38. 38. Conclusion
  39. 39. Thank You!Questions ?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×