Smartcard vulnerabilities in modern banking malware

The past few years have seen a rapid growth of threats targeting the Russian system of RBS (Shiz, Carberp, Hodprot, RDPdoor, Sheldor). Attackers can steal huge amounts of money, estimated at tens of millions monthly. The speaker will describe the study of the most common banking malware, as well as interesting vulnerabilities discovered in the use of two-factor authentication and smart cards. The report also discusses the techniques and tricks that attackers use for anti-forensics.

Smartcard vulnerabilities in modern banking malware Presentation Transcript

  • 1. Smartcard vulnerabilities in modern banking malware. Aleksandr Matrosov, Eugene Rodionov
  • 2. Agenda
    - Evolution of Carberp distribution scheme: drive-by downloads; detection statistics
    - Carberp modifications: the story of BK-LOADER; antiRE tricks
    - Banks attacking algorithms
    - Smartcard attacks
  • 3. Evolution drive by downloads: Carberp case
  • 4. Exploit kits used in distribution scheme
    - Impact, since 2010 (probivaites.in): Java/Exploit.CVE-2010-0840, Java/Exploit.CVE-2010-0842, Java/TrojanDownloader.OpenConnection
    - Blackhole, since 2011 (lifenews-sport.org): JS/Exploit.JavaDepKit (CVE-2010-0886), Java/Exploit.CVE-2011-3544, Java/Exploit.CVE-2012-0507, Java/Agent
    - Nuclear Pack, since 2012 (nod32-matrosov-pideri.org): Java/Exploit.CVE-2012-0507
  • 5. Blackhole drive-by download scheme (flowchart): legitimate site → search-referrer check (TRUE / FALSE) → vuln exploitation stage → dropper execution. URLs shown on the slide: /getJavaInfo.jar, /content/obe.jar, /w.php?f=17&e=2, /content/rino.jar
  • 9. Exploit kit migration reasons
    1. most popular = most detected
    2. frequently leaked exploit kit; most popular exploit kit for research
    3. auto detections by AV-crawlers; non-detection period is less than two hours
  • 10. Blackhole migration to Nuclear Pack
  • 11. Nuclear Pack drive-by download scheme (flowchart): legitimate site → check real user → search-referrer check (TRUE / FALSE) → vuln exploitation stage → dropper execution. URLs shown on the slide: /images/274e0118278c38ab7f4ef5f98b71d9dc.jar, /server_privileges.php?<gate_id>=<exp_id>
  • 17. BlackSEO & Nuclear Pack
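As an added example (not code from the talk or from ESET), a small Python check that scans constructed proxy log lines for the two drive-by chains shown on the Blackhole and Nuclear Pack slides: a search-engine referrer (the kits' TRUE/FALSE search check), then a Java exploit stage and a payload-gate request on the same host. The log format, client addresses and the `<gate_id>=<exp_id>` values are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Request shapes from the two drive-by chains on the slides: Blackhole's Java probe,
# /content/*.jar exploits and w.php gate; Nuclear Pack's md5-named /images/*.jar and
# server_privileges.php?<gate_id>=<exp_id> gate (gate/exp ids are placeholders here).
STAGE_PATTERNS = {
    "java_probe": re.compile(r"/getJavaInfo\.jar$"),
    "exploit_jar": re.compile(r"/content/[\w-]+\.jar$|/images/[0-9a-f]{32}\.jar$"),
    "payload_gate": re.compile(r"/w\.php\?f=\d+&e=\d+$|/server_privileges\.php\?[\w-]+=[\w-]+$"),
}
SEARCH_ENGINES = ("google.", "yandex.", "bing.", "yahoo.")

# Constructed proxy log lines (not from the talk): "<ts> <client> <referrer> <url>".
SAMPLE_LOG = """\
1 10.0.0.5 https://www.google.com/search?q=news http://lifenews-sport.org/
2 10.0.0.5 http://lifenews-sport.org/ http://lifenews-sport.org/getJavaInfo.jar
3 10.0.0.5 http://lifenews-sport.org/ http://lifenews-sport.org/content/obe.jar
4 10.0.0.5 - http://lifenews-sport.org/w.php?f=17&e=2
5 10.0.0.9 - http://intranet.example/content/report.jar
6 10.0.0.7 https://yandex.ru/ http://nod32-matrosov-pideri.org/
7 10.0.0.7 http://nod32-matrosov-pideri.org/ http://nod32-matrosov-pideri.org/images/274e0118278c38ab7f4ef5f98b71d9dc.jar
8 10.0.0.7 - http://nod32-matrosov-pideri.org/server_privileges.php?gate1=exp7
"""

def classify(url):
    """Name the drive-by stage a request looks like, or None."""
    parts = urlsplit(url)
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    for stage, rx in STAGE_PATTERNS.items():
        if rx.search(path_q):
            return stage
    return None

def find_driveby_chains(log_text):
    """Map (client, host) -> stages, keeping only hosts where a client arrived from
    a search engine (the kits' referrer check), then fetched an exploit .jar and a gate."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, referrer, url = line.split(None, 3)
        host = urlsplit(url).netloc
        if any(s in urlsplit(referrer).netloc for s in SEARCH_ENGINES):
            seen[(client, host)].append("search_referrer")
        stage = classify(url)
        if stage:
            seen[(client, host)].append(stage)
    return {key: stages for key, stages in seen.items()
            if {"search_referrer", "exploit_jar", "payload_gate"} <= set(stages)}
```

A single .jar download on its own (line 5 of the sample) is not flagged; only the full referrer-exploit-gate sequence is, which keeps the check quiet on ordinary Java applets.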
  • 19. Carberp detection statistics
  • 20. Carberp detection statistics by country (chart; cloud data from Live Grid): Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world
  • 21. Carberp detections over time in Russia (chart; cloud data from Live Grid)
  • 22. Evolution of Carberp modifications
  • 23. Different groups, different bots, different C&Cs: G***o, D*****v, Hodprot
  • 24. Functionality by group (cells that carried only a check mark on the slide are left blank)
    functionality | G***o | D*****v | Hodprot
    Dedicated dropper | | | Win32/Hodprot
    Java patcher | | |
    Bootkit | | | based on Rovnix
    RDP backconnect | | Win32/RDPdoor | Win32/RDPdoor
    TV backconnect | Win32/Sheldor | Win32/Sheldor | Win32/Sheldor
    HTML injections | IE, Firefox, Opera | IE, Firefox, Opera, Chrome | IE, Firefox, Opera, Chrome
    Autoloads | | |
    Unique plugins: minav.plug, sbtest.plug, sber.plug, passw.plug, cyberplat.plug, ddos.plug, killav.plug
  • 25. Commands (columns on the slide: G***o, D*****v, Hodprot, Description; the per-group check marks did not survive in the transcript)
    ddos: download DDoS plugin and start attack
    updatehosts: modify hosts file on infected system
    alert: show message box on infected system
    update: download new version of Carberp
    updateconfig: download new version of config file
    download: download and execute PE-file
    loaddll: download plugin and load into memory
    bootkit: download and install bootkit
    grabber: grab HTML form data and send to C&C
    killos: modify boot code and delete system files
    killuser: delete user Windows account
    killbot: delete all files and registry keys
    updatepatch: download and modify java runtime
    deletepatch: delete java runtime modifications
  • 26. The Story of BK-LOADER from Rovnix.A to Carberp
  • 27. Interesting Carberp sample (October 2011)
  • 29. Interesting strings inside Carberp with bootkit
  • 30. Carberp bootkit functionality (diagram): bootkit bootstrap code → load unsigned driver → driver injector → inject user-mode payload
  • 33. Callgraph of bootkit installation routine
  • 34. Rovnix kit hidden file systems comparison (cells that carried only a check mark on the slide are left blank)
    functionality | Rovnix.A | Carberp with bootkit | Rovnix.B
    VBR modification | | | polymorphic VBR
    Malware driver | | | storage
    Driver encryption algorithm | custom (ROR + XOR) | custom (ROR + XOR) | custom (ROR + XOR)
    Hidden file system | | FAT16 modification | FAT16 modification
    File system encryption algorithm | | RC6 modification | RC6 modification
  • 35. Comparison of Carberp file system with Rovnix.B
  • 37. AntiRE tricks
  • 38. Removing AV hooks before installation
  • 39. Calling WinAPI functions by hash
  • 40. Plugin encryption algorithm
  • 41. Communication protocol encryption algorithm
  • 42. Banks attacking algorithms
  • 43. Bank attacking algorithm (columns on the slide: Gizmo, Dudorov, Origami; check marks did not survive in the transcript)
    HTML injections
    autoload: 2010; 2011 (Sep)
    dedicated plugins for major banks
    intercepting client-banks activity
    patching java
    webmoney/cyberplat
    stealing money from private persons
  • 44. Smartcard attacks
  • 45. Applications used by smartcards (layered diagram of the smartcard stack)
    User Application: user interface, access provider
    Smartcard Subsystem: smartcard resource manager, which calls the reader device driver
    Specific reader device drivers (one per reader type)
    Reader devices
    Hardware Support: smartcards
  • 46. Win32/Spy.Ranbyus
  • 48. Win32/RDPdoor v4.x
  • 52. References
    - Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
    - Dr. Zeus: the Bot in the Hat: http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
    - Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
    - Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
    - Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
    - Carberp Gang Evolution: CARO 2012 presentation: http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012
  • 53. Thank you for your attention! Aleksandr Matrosov (matrosov@eset.sk, @matrosov), Eugene Rodionov (rodionov@eset.sk, @vxradius), amatrosov.blogspot.com