Your SlideShare is downloading. ×
  • Like
Reversing banking trojan: an in-depth look into Gataka
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Reversing banking trojan: an in-depth look into Gataka

  • 1,410 views
Published

Slides from my workshop @ ZeroNights 2012 in Moscow

Slides from my workshop @ ZeroNights 2012 in Moscow

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,410
On SlideShare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
36
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Reversing banking trojan: an in-depth look into Gataka Jean-Ian Boutin ESET
  • 2. Outline• Background• Architecture • Overview of plugins• Network Protocol• Webinject• Campaigns
  • 3. Background
  • 4. Origins• Aliases: Tatanga, Hermes• First publicly discussed in 2011 by S21Sec• Targets mostly European users
  • 5. What is it?• Banking trojan • Designed to steal all kind of sensitive information through Man- In-The-Browser scheme • Regionalized • Not very wide spread• Developped in C++• Modular architecture similar to SpyEye• Very verbose, a lot of debug information are sent to Command and Control Server.• Frequent update with new plugins and plugin versions.• Several advanced features
  • 6. Geographic distribution of detection
  • 7. Business model• This is not a do-it-yourself kit like SpyEye• It seems that this kit is private or sold only to selected groups• Infection vector • BlackHole • Malicious attachment
  • 8. Basics
  • 9. DEMO1
  • 10. Installation• Infection vector • BlackHole • Malicious attachment• Installation • Injection in all processes• Communications done through IE
  • 11. Persistence
  • 12. Architecture
  • 13. Modular Architecture• HermesCore • Communicate with C&C • Ability to launch downloaded executable
  • 14. DEMO2
  • 15. Interceptor
  • 16. Interceptor• Supported browsers • Firefox • Internet Explorer • Opera • Maxthon• Frequent update to support latest browser versions
  • 17. Communication can now be monitored• NextGenFixer • Install filters on particular URLs• Webinject • Inject html/javascript • Record videos/screenshots• HttpTrafficLogger • Log selected communications to/from specific websites• CoreDb • Stores information received from C&C
  • 18. DEMO3
  • 19. IEXPLORE – certificate patching
  • 20. Network Protocol
  • 21. TopologyCompromised hosts Proxy servers C&C
  • 22. Packet Decomposition TCP/IP HeaderPacket 1 Gataka Header Encrypted Data …Packet n Gataka Header Encrypted Data
  • 23. C++ Reversing• Some basic suff • This pointer usually passed in ecx • In object, vtable is at first offset
  • 24. DEMO4
  • 25. Gataka header 0-7 8-15 16-23 24-31 Magic Number NW Protocol Byte mask• When packets are Use xor key dword1 received from C&C, dword2 dword9 is optional Data size and Bot Id is absent Uncompressed Data Size XOR key dword6 dword7 checksum dword9 Bot Id (64 bytes)
  • 26. Send packet - log
  • 27. Plugins Storage
  • 28. Webinject
  • 29. CoreDb
  • 30. Webinject
  • 31. Self-contained webinjectWebinject contained in DBWebinject downloaded fromexternal server Injected content
  • 32. Webinject – Gataka platform communications
  • 33. DEMO5
  • 34. Campaigns
  • 35. Germany – statistics from one campaign 0,17% 1,51% 0,25% 0,05% Total Hits: 248,468• These statistics were obtained from a C&C • Almost 75% of 25,10% Germany Unresolved/Unknown compromised hosts in United States Germany Israel Sweden Canada 72,92%
  • 36. Germany – Two factor authentication bypass Image sources: wikipedia.org and postbank.de
  • 37. Netherlands
  • 38. Conclusion
  • 39. Thank You!Questions ?