Transcript of "Modern malware techniques for attacking RBS systems in Russia"
Modern malware techniques for attacking RBS systems in Russia
Aleksandr Matrosov, Eugene Rodionov
Who we are?
Malware researchers at ESET
- complex threats analysis
- development of cleaning tools
- tracking new malware techniques
- investigation of cybercrime groups
http://www.joineset.com/
Agenda
- Cybercrime trends in RBS
- Most prevalent threats and incidents: Win32/Shiz, Win32/Hodprot, Win32/Sheldor, Win32/RDPdoor, Win32/Carberp
- Carberp cybercrime group revenue
Overview
2010/11: years of attacks on Russian banks
- number of incidents has more than doubled compared to 2010*
- over 92%* of incidents involve banking trojans
- malware tailored to Russian banks and payment systems
However!
- can be (and IS) used in other countries as well
* research report "The Russian cybercrime market in 2010: status and trends", http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
Interesting facts about Russian bank fraud
These guys are still free!
Win32/Hodprot: C&C protocol
Exchange between the bot and the C&C server:
1. Bot -> C&C server: send request (bot ID, integer)
2. C&C server -> bot: reply with updated modules and image to execute
3. Bot: handle the request, update the bot's modules, run the downloaded executable
4. Bot -> C&C server: send status information
Win32/RDPdoor installation
Exchange between the infected computer and the C&C:
1. Run dropper and send system information to the C&C
2. Authenticate on the C&C; the C&C provides Thinsoft BeTwin for installation
3. Send status information to the C&C
Stealing authentication data
1. Install GINA extension DLL
2. Display fake logon screen
3. Capture user name & password
4. Send to C&C
Win32/Carberp detections over time in Russia
[Chart: cloud data from Live Grid, January 2010 – November 2011]
Win32/Carberp detection statistics by country
[Chart: cloud data from Live Grid]
Self-protecting functionality (functionality: technique)
- Bypassing AV emulators: many calls of rare WinAPI functions
- Code injection method: ZwQueueApcThread(), ZwResumeThread()
- Unhooking method: checking the first bytes of the API function body and deleting hooks
- Command and string encryption: custom encryption algorithm
- Bot authentication on C&C: file with authentication data stored on the infected PC
- Network communication encryption: base64(RC2(data))
- API function call obfuscation: custom hash algorithm
- Detection of AV hooks: comparison of the first original bytes
- Bypassing static AV signatures: appending random junk bytes to dropped files
- Hiding in the system: hooking system functions; bootkit infector (September 2011)
Carberp going deeper since September 2011
Boot sequence:
1. Load MBR (real mode)
2. Load VBR (real mode)
3. Load bootstrap code (real mode / protected mode)
4. Load bootmgr (real mode / protected mode)
5. Load winload.exe or winresume.exe (real mode / protected mode)
6. Load kernel and boot start drivers
Target of Rovnix & Carberp: the bootstrap code of the active partition (see the infected partition layout below)
Carberp: infected partition layout
- Carberp overwrites the bootstrap code of the active partition
- The malicious driver is written either before the active partition, in case there is enough space, or otherwise at the end of the hard drive
Before infecting: MBR | VBR | bootstrap code | file system data
After infecting: MBR | VBR | malicious bootstrap code | file system data, plus the compressed malicious unsigned driver stored in one of the two locations above
NTFS bootstrap code: 15 sectors
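The layout above suggests two checks an incident responder can run against a raw disk image: hash the active partition's VBR plus the 15 NTFS bootstrap sectors and compare against a baseline taken from a known-clean machine, and look for non-zero data in the unpartitioned regions (the gap before the active partition and the tail of the disk) where the slide says the driver is stored. The following Python is an added example written for this page, not ESET's tooling or anything from the Carberp presentation. It assumes a classic MBR-partitioned disk, a baseline digest recorded beforehand, and 512-byte sectors; the "disk image" and the "infection" are constructed in-memory filler bytes, not real boot code or a real driver, and the check works for any MBR layout, not only the one drawn on the slide.

```python
"""Baseline-and-compare check of an MBR disk image's active-partition boot code
and of its unpartitioned gaps.  Added example for this page (not ESET code)."""
import hashlib
import struct

SECTOR = 512
MBR_PART_TABLE_OFF = 446          # start of the four 16-byte partition entries
NTFS_BOOTSTRAP_SECTORS = 15       # from the slide: NTFS bootstrap code is 15 sectors
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_partitions(image: bytes):
    """Return the non-empty MBR partition entries as dicts."""
    parts = []
    for i in range(4):
        off = MBR_PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(image, off)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba": lba, "count": count})
    return parts


def active_partition(image: bytes):
    act = [p for p in parse_partitions(image) if p["active"]]
    if len(act) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(act))
    return act[0]


def sectors(image: bytes, lba: int, n: int) -> bytes:
    return image[lba * SECTOR:(lba + n) * SECTOR]


def boot_code_digest(image: bytes) -> str:
    """SHA-256 of the VBR plus the 15 bootstrap sectors of the active partition."""
    p = active_partition(image)
    return hashlib.sha256(sectors(image, p["lba"], 1 + NTFS_BOOTSTRAP_SECTORS)).hexdigest()


def nonzero_gap_sectors(image: bytes):
    """LBAs that belong to no partition (and are not the MBR) yet hold non-zero data.
    These gaps are normally zero; the slide says Carberp drops its driver either
    before the active partition or at the end of the disk."""
    total = len(image) // SECTOR
    covered = bytearray(total)
    covered[0] = 1                              # the MBR sector itself
    for p in parse_partitions(image):
        for lba in range(p["lba"], min(p["lba"] + p["count"], total)):
            covered[lba] = 1
    return [lba for lba in range(total)
            if not covered[lba] and any(sectors(image, lba, 1))]


def check_disk(image: bytes, baseline_digest: str):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if boot_code_digest(image) != baseline_digest:
        findings.append("active-partition boot code differs from baseline")
    gaps = nonzero_gap_sectors(image)
    if gaps:
        findings.append("non-zero data in unpartitioned sectors: %s" % gaps)
    return findings


def build_clean_image(total_sectors=64, part_lba=8, part_count=40) -> bytes:
    """Constructed test disk: MBR plus one active NTFS partition, everything else zero."""
    img = bytearray(total_sectors * SECTOR)
    entry = PART_ENTRY.pack(0x80, b"\0\0\0", 0x07, b"\0\0\0", part_lba, part_count)
    img[MBR_PART_TABLE_OFF:MBR_PART_TABLE_OFF + 16] = entry
    img[510:512] = b"\x55\xAA"                  # MBR boot signature
    # stand-in VBR + bootstrap code: constructed filler, not real boot code
    code_len = (1 + NTFS_BOOTSTRAP_SECTORS) * SECTOR
    img[part_lba * SECTOR:part_lba * SECTOR + code_len] = b"\x90" * code_len
    return bytes(img)


def simulate_infection(image: bytes) -> bytes:
    """Constructed mutation mimicking the slide's layout change: the bootstrap
    sectors are replaced and filler 'driver' bytes land in the gap before the
    active partition.  Filler only; no real boot code or driver is involved."""
    img = bytearray(image)
    p = active_partition(image)
    start = (p["lba"] + 1) * SECTOR
    img[start:start + NTFS_BOOTSTRAP_SECTORS * SECTOR] = b"\xCC" * (NTFS_BOOTSTRAP_SECTORS * SECTOR)
    img[2 * SECTOR:6 * SECTOR] = b"\x41" * (4 * SECTOR)   # LBAs 2..5, before the partition
    return bytes(img)


if __name__ == "__main__":
    clean = build_clean_image()
    baseline = boot_code_digest(clean)          # record this from a known-clean machine
    print("clean image:   ", check_disk(clean, baseline))
    print("infected image:", check_disk(simulate_infection(clean), baseline))
```

On a real system the image would be read with a raw block-device reader from a trusted boot medium rather than through the possibly hooked running OS, and the baseline digest must come from a machine of the same Windows build, since legitimate boot code differs between versions.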
Win32/Carberp: money stealing methods (stealing technique: functionality)
- Web-injects / Autoloads (IE, FF, Chrome, Opera): inserting the specified JS code into the HTML returned by the online banking site
- Backconnect backdoor (RDP/VNC): loading on request a special binary module (RDPdoor, custom VNC client)
- Keylogger (based on WinAPI): recording keyboard events into a logfile
- ScreenSpy (based on WinAPI): saving screenshots into a logfile
- Grabbers (Form, FTP, Pass): loading on request a special binary module
- Custom plugins for RBS: binary modules for specified RBS (sber.plug)
References
- "Cybercrime in Russia: Trends and issues", http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
- "Evolution of Win32/Carberp: going deeper", http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
- "Hodprot: Hot to Bot", http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
Follow the ESET Threat Blog: http://blog.eset.com