
Smartcard vulnerabilities in modern banking malware

The past few years have seen rapid growth of threats targeting the Russian RBS (remote banking) system: Shiz, Carberp, Hodprot, RDPdoor, Sheldor. Attackers steal huge amounts of money, estimated at tens of millions monthly. The talk describes the study of the most common banking malware and the discovery of interesting vulnerabilities in the use of two-factor authentication and smart cards. It also discusses the techniques and tricks that hackers use for anti-forensics.

Slides

1. Smartcard vulnerabilities in modern banking malware. Aleksandr Matrosov, Eugene Rodionov.

2. Agenda
   - Evolution of Carberp distribution scheme: drive-by downloads; detection statistics
   - Carberp modifications: the story of BK-LOADER; antiRE tricks
   - Banks attacking algorithms
   - Smartcard attacks

3. Evolution of drive-by downloads: the Carberp case

4. Exploit kits used in the distribution scheme
   Impact, since 2010 (probivaites.in):
   - Java/Exploit.CVE-2010-0840
   - Java/Exploit.CVE-2010-0842
   - Java/TrojanDownloader.OpenConnection
   Blackhole, since 2011 (lifenews-sport.org):
   - JS/Exploit.JavaDepKit (CVE-2010-0886)
   - Java/Exploit.CVE-2011-3544
   - Java/Exploit.CVE-2012-0507
   - Java/Agent
   Nuclear Pack, since 2012 (nod32-matrosov-pideri.org):
   - Java/Exploit.CVE-2012-0507

5-8. Blackhole drive-by download scheme (diagram, four build slides). Nodes: legitimate site; search; TRUE / FALSE branch; vuln exploitation stage; dropper execution. URL paths shown on the diagram: /getJavaInfo.jar, /content/obe.jar, /content/rino.jar, /w.php?f=17&e=2.

9. Exploit kit migration reasons
   1. most popular = most detected
   2. frequently leaked exploit kit; most popular exploit kit for research
   3. auto detections by AV-crawlers; non-detection period is less than two hours

10. Blackhole migration to Nuclear Pack

11-16. Nuclear Pack drive-by download scheme (diagram, six build slides). Nodes: legitimate site; check real user; TRUE / FALSE branch; search; vuln exploitation stage; dropper execution. URL paths shown on the diagram: /images/274e0118278c38ab7f4ef5f98b71d9dc.jar, /server_privileges.php?<gate_id>=<exp_id>.
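The URL paths on the Blackhole (slides 5-8) and Nuclear Pack (slides 11-16) diagrams are the kind of artefact a defender can hunt for in web proxy logs. The following Python is an added example, not code from the deck or from ESET: it turns those paths into patterns, runs them over a few constructed proxy log lines, and groups the hits per client so that a probe -> exploit JAR -> payload sequence stands out. The log line format, host names and client addresses are all constructed assumptions.

```python
"""Flag exploit-kit URLs from the Blackhole / Nuclear Pack diagrams in proxy logs.

Added example, not part of the presentation. Patterns are derived from the URL
paths the deck shows (getJavaInfo.jar, /content/<name>.jar, w.php?f=..&e=..,
/images/<32 hex>.jar, server_privileges.php?<gate_id>=<exp_id>). The log line
layout "<client> <method> <url> <status>" and all sample values are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# (rule name, pattern over "path[?query]") -- paths taken from the deck's diagrams
SIGNATURES = [
    ("blackhole-java-probe", re.compile(r"^/getJavaInfo\.jar$")),
    ("blackhole-exploit-jar", re.compile(r"^/content/[A-Za-z0-9_]+\.jar$")),
    ("blackhole-payload", re.compile(r"^/w\.php\?f=\d+&e=\d+$")),
    ("nuclear-exploit-jar", re.compile(r"^/images/[0-9a-f]{32}\.jar$")),
    ("nuclear-gate", re.compile(r"^/server_privileges\.php\?[^=&]+=[^&]+$")),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")  # assumed log layout


@dataclass
class Hit:
    client: str
    url: str
    rule: str


# Constructed sample: two clients, one going through a Blackhole-style chain,
# one through a Nuclear Pack-style chain, plus benign requests.
SAMPLE_LOG = """\
10.0.0.5 GET http://example-legit.test/news/index.html 200
10.0.0.5 GET http://ek-host.test/getJavaInfo.jar 200
10.0.0.5 GET http://ek-host.test/content/obe.jar 200
10.0.0.5 GET http://ek-host.test/w.php?f=17&e=2 200
10.0.0.7 GET http://cdn.example.test/images/logo.png 200
10.0.0.7 GET http://ek2-host.test/images/274e0118278c38ab7f4ef5f98b71d9dc.jar 200
10.0.0.7 GET http://ek2-host.test/server_privileges.php?abc=12 200
"""


def classify(url: str) -> Optional[str]:
    """Return the first matching rule name for a URL, or None."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    for rule, pattern in SIGNATURES:
        if pattern.match(target):
            return rule
    return None


def scan(log_text: str) -> List[Hit]:
    """Parse log lines and return every request that matches a signature."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        client, _method, url, _status = m.groups()
        rule = classify(url)
        if rule:
            hits.append(Hit(client, url, rule))
    return hits


def chains(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group matched rule names per client, in log order, to expose the infection chain."""
    by_client: Dict[str, List[str]] = {}
    for h in hits:
        by_client.setdefault(h.client, []).append(h.rule)
    return by_client


if __name__ == "__main__":
    for client, rules in chains(scan(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(rules))
```

The rules are deliberately tight (exact file names, a 32-hex-character JAR name, the f=/e= query shape), so a client that triggers two or more of them in sequence is a much stronger signal than any single match; in practice the sample log would be replaced by the proxy's own access log.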
17-18. BlackSEO & Nuclear Pack

19. Carberp detection statistics

20. Carberp detection statistics by country (chart; cloud data from Live Grid). Countries shown: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world.

21. Carberp detections over time in Russia (chart; cloud data from Live Grid; y-axis from 0 to 0.18).

22. Evolution of Carberp modifications

23. Different groups, different bots, different C&C's: G***o, D*****v, Hodprot

24. Functionality by group (table; columns G***o, D*****v, Hodprot)
   - Dedicated dropper: Win32/Hodprot
   - Java patcher
   - Bootkit: based on Rovnix
   - RDP backconnect: Win32/RDPdoor (two of the three groups)
   - TV backconnect: Win32/Sheldor (all three groups)
   - HTML injections: IE, Firefox, Opera / IE, Firefox, Opera, Chrome / IE, Firefox, Opera, Chrome
   - Autoloads
   - Unique plugins: minav.plug, sbtest.plug, sber.plug, passw.plug, cyberplat.plug, ddos.plug, killav.plug

25. Commands (table; columns G***o, D*****v, Hodprot, Description)
   - ddos: download DDoS plugin and start attack
   - updatehosts: modify hosts file on infected system
   - alert: show message box on infected system
   - update: download new version of Carberp
   - updateconfig: download new version of config file
   - download: download and execute PE-file
   - loaddll: download plugin and load into memory
   - bootkit: download and install bootkit
   - grabber: grab HTML form data and send to C&C
   - killos: modify boot code and delete system files
   - killuser: delete user Windows account
   - killbot: delete all files and registry keys
   - updatepatch: download and modify java runtime
   - deletepatch: delete java runtime modifications

26. The Story of BK-LOADER: from Rovnix.A to Carberp

27-28. Interesting Carberp sample (October 2011)

29. Interesting strings inside Carberp with bootkit

30-32. Carberp bootkit functionality (diagram, three build slides). Nodes: bootkit; bootstrap code; load unsigned driver; injector; inject user-mode payload.

33. Callgraph of bootkit installation routine

34. Rovnix kit hidden file systems comparison (table; columns Rovnix.A, Carberp with bootkit, Rovnix.B)
   - VBR modification: polymorphic VBR
   - Malware driver storage
   - Driver encryption algorithm: custom (ROR + XOR) in all three
   - Hidden file system: FAT16 modification (two of the three)
   - File system encryption algorithm: RC6 modification (two of the three)

35-36. Comparison of Carberp file system with Rovnix.B

37. AntiRE tricks

38. Removing AV hooks before installation

39. Calling WinAPI functions by hash
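Slide 39 lists calling WinAPI functions by hash among Carberp's anti-RE tricks: the sample carries numeric hashes instead of import names, so a disassembly shows only constants. The Python below is an added example, not code from the deck or from ESET, and shows the analyst's side of that trick: hash every known export name with the same routine and look the constants up. The deck does not state which hash Carberp uses, so a ROR-13 rolling hash is assumed here, and the export lists are a small constructed sample standing in for names dumped from the real DLLs.

```python
"""Resolve call-by-hash API references back to export names (analyst tooling).

Added example, not part of the presentation. The hash routine (ROR-13 over the
ASCII bytes of the export name) is an ASSUMPTION; Carberp's actual routine is
not given on the slides. SAMPLE_EXPORTS is a constructed subset of real DLL
exports, used so the script runs offline.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (as the x86 ROR instruction does)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Assumed hash: h = ror32(h, 13) + byte, over each ASCII byte of the name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed sample; a real run would enumerate the export tables of the DLLs
# the sample is expected to use.
SAMPLE_EXPORTS: Dict[str, Iterable[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateFileA", "WriteFile"],
    "ntdll.dll": ["NtQuerySystemInformation", "ZwUnmapViewOfSection"],
    "winscard.dll": ["SCardConnectA", "SCardTransmit"],
}


def build_hash_table(exports: Dict[str, Iterable[str]]) -> Dict[int, str]:
    """Precompute hash -> 'dll!Export' for every known export name."""
    table: Dict[int, str] = {}
    for dll, names in exports.items():
        for name in names:
            table[ror13_hash(name)] = f"{dll}!{name}"
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash constant found in a sample to a name, or None if unknown."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed stand-ins for constants an analyst would copy out of the disassembly.
    found = [ror13_hash("VirtualAlloc"), ror13_hash("SCardTransmit"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"0x{h:08x} -> {name or '<unknown>'}")
```

When the constants do not resolve, the assumed routine is wrong and the next step is to recover the real one from the sample's resolver loop; once it is known, only ror13_hash needs to change and the table rebuilds from the same export lists.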
40. Plugin encryption algorithm

41. Communication protocol encryption algorithm

42. Banks attacking algorithms

43. Bank attacking algorithm (table; columns Gizmo, Dudorov, Origami)
   - HTML injections
   - autoload: 2010, 2011 (Sep)
   - dedicated plugins for major banks
   - intercepting client-banks activity
   - patching java
   - webmoney/cyberplat
   - stealing money from private persons

44. Smartcard attacks

45. Applications used by smartcards (layer diagram, top to bottom)
   - User interface: user application
   - Access provider
   - Smartcard subsystem: smartcard resource manager (calls the reader device driver)
   - Specific reader device drivers (one per reader)
   - Hardware support: reader devices, smartcards

46-47. Win32/Spy.Ranbyus

48-51. Win32/RDPdoor v4.x

52. References
   - Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
   - Dr. Zeus: the Bot in the Hat: http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
   - Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
   - Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
   - Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
   - Carberp Gang Evolution: CARO 2012 presentation: http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012

53. Thank you for your attention! Aleksandr Matrosov (matrosov@eset.sk, @matrosov), Eugene Rodionov (rodionov@eset.sk, @vxradius), amatrosov.blogspot.com
