1. Smartcard vulnerabilities in modern banking malware. Aleksandr Matrosov, Eugene Rodionov

2. Agenda
   • Evolution of the Carberp distribution scheme: drive-by downloads, detection statistics
   • Carberp modifications: the story of BK-LOADER, anti-RE tricks
   • Bank attacking algorithms
   • Smartcard attacks

3. Evolution of drive-by downloads: the Carberp case

4. Exploit kits used in the distribution scheme
   • Impact, since 2010 (probivaites.in): Java/Exploit.CVE-2010-0840, Java/Exploit.CVE-2010-0842, Java/TrojanDownloader.OpenConnection
   • Blackhole, since 2011 (lifenews-sport.org): JS/Exploit.JavaDepKit (CVE-2010-0886), Java/Exploit.CVE-2011-3544, Java/Exploit.CVE-2012-0507, Java/Agent
   • Nuclear Pack, since 2012 (nod32-matrosov-pideri.org): Java/Exploit.CVE-2012-0507

5. Blackhole drive-by download scheme (flow diagram): legitimate site -> search check (TRUE / FALSE branches) -> vulnerability exploitation stage (/getJavaInfo.jar, /content/obe.jar, /content/rino.jar) -> dropper execution (/w.php?f=17&e=2)

6. Exploit kit migration reasons
   1. most popular = most detected
   2. frequently leaked exploit kit; most popular exploit kit for research
   3. automatic detections by AV crawlers; the non-detection period is less than two hours

7. Blackhole migration to Nuclear Pack

8. Nuclear Pack drive-by download scheme (flow diagram): legitimate site -> check for a real user -> search check (TRUE / FALSE branches) -> vulnerability exploitation stage (/images/274e0118278c38ab7f4ef5f98b71d9dc.jar) -> dropper execution (/server_privileges.php?<gate_id>=<exp_id>)

9. BlackSEO & Nuclear Pack

10. Carberp detection statistics

11. Carberp detection statistics by country (cloud data from ESET Live Grid; pie chart, values not recoverable). Legend: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world

12. Carberp detections over time in Russia (cloud data from ESET Live Grid; line chart, y-axis 0 to 0.18, values not recoverable)

13. Evolution of Carberp modifications

14. Different groups, different bots, different C&Cs: G***o, D*****v, Origami (the first two names are redacted on this slide; slides 15 and 16 call them Gizmo and Dudorov)

15. Functionality by group. Columns: Gizmo, Dudorov, Origami. The per-group check marks did not survive extraction; only the named values are listed here.
   • Dedicated dropper: Win32/Hodprot
   • Java patcher
   • Bootkit: based on Rovnix
   • RDP backconnect: Win32/RDPdoor (listed for two of the three groups)
   • TeamViewer (TV) backconnect: Win32/Sheldor (listed for all three groups)
   • HTML injections: IE, Firefox, Opera (one group); IE, Firefox, Opera, Chrome (two groups)
   • Autoloads
   • Unique plugins: minav.plug, sbtest.plug, sber.plug, passw.plug, cyberplat.plug, ddos.plug, killav.plug

16. Bot commands by group (columns Gizmo, Dudorov, Origami; the per-group check marks did not survive extraction)
   • ddos: download the DDoS plugin and start an attack
   • updatehosts: modify the hosts file on the infected system
   • alert: show a message box on the infected system
   • update: download a new version of Carberp
   • updateconfig: download a new version of the config file
   • download: download and execute a PE file
   • loaddll: download a plugin and load it into memory
   • bootkit: download and install the bootkit
   • grabber: grab HTML form data and send it to the C&C
   • killos: modify the boot code and delete system files
   • killuser: delete the user's Windows account
   • killbot: delete all files and registry keys
   • updatepatch: download and modify the Java runtime
   • deletepatch: remove the Java runtime modifications

17. The story of BK-LOADER: from Rovnix.A to Carberp

18. Interesting Carberp sample (October 2011)

19. Interesting strings inside Carberp with bootkit

20. Carberp bootkit functionality (diagram): bootkit bootstrap code -> load unsigned driver -> injector -> inject user-mode payload

21. Call graph of the bootkit installation routine

22. Rovnix kit hidden file systems comparison. Columns: Rovnix.A, Carberp with bootkit, Rovnix.B. Check marks did not survive extraction; where only two values appear, the Rovnix.A column has no entry on the slide.
   • VBR modification: all three; Rovnix.B uses a polymorphic VBR
   • Malware driver storage: (values not recoverable)
   • Driver encryption algorithm: custom (ROR + XOR) / custom (ROR + XOR) / custom (ROR + XOR)
   • Hidden file system: (no entry) / FAT16 modification / FAT16 modification
   • File system encryption algorithm: (no entry) / RC6 modification / RC6 modification
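The comparison above records the driver encryption as "custom (ROR + XOR)" for all three kits without giving the parameters. The following is an added example, not code from the deck, from Rovnix or from Carberp: it assumes a hypothetical byte-wise scheme (rotate each byte right by `rot` bits, then XOR with a single key byte `key`) and shows how an analyst recovers both parameters by brute force, using the PE header as known plaintext. The function names `encrypt`, `decrypt`, `recover_parameters` and `build_sample_driver` are illustrative, and the sample "driver" is a constructed fake PE prefix, not a real binary.

```python
"""
Added example (not from the ESET deck): recovering a byte-wise
"ROR + XOR" driver-encryption scheme by brute force.

Assumption (hypothetical, not stated on the slides): every byte is
rotated right by `rot` bits (0..7) and then XORed with one key byte
`key`. The real Rovnix/Carberp variant is not given here; the point is
that any scheme built only from rotate and XOR with a parameter space
this small falls to a known-plaintext search in milliseconds.
"""
from itertools import product


def ror8(b: int, n: int) -> int:
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def encrypt(data: bytes, rot: int, key: int) -> bytes:
    # Hypothetical scheme: rotate right, then XOR with a constant key byte.
    return bytes(ror8(b, rot) ^ key for b in data)


def decrypt(data: bytes, rot: int, key: int) -> bytes:
    # Inverse: undo the XOR, then rotate left by the same amount.
    return bytes(rol8(b ^ key, rot) for b in data)


# Known plaintext: a PE image starts with the DOS header magic "MZ" and
# normally carries the DOS stub message a few bytes further in.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode."


def recover_parameters(blob: bytes):
    """Return (rot, key) for the first parameter pair that yields a
    plausible PE, or None.

    The search space is 8 rotations x 256 keys = 2048 candidates. The
    "MZ" check gives two bytes of known plaintext, which already pins
    down `key` for a given `rot`; the DOS stub string is checked as well
    so a short input cannot produce a false positive.
    """
    for rot, key in product(range(8), range(256)):
        if decrypt(blob[:2], rot, key) != PE_MAGIC:
            continue
        if DOS_STUB in decrypt(blob, rot, key):
            return rot, key
    return None


def build_sample_driver(rot: int, key: int) -> bytes:
    # Constructed sample: a minimal fake PE prefix, not a real driver.
    image = PE_MAGIC + b"\x90" * 0x4C + DOS_STUB + b"\x00" * 16
    return encrypt(image, rot, key)


if __name__ == "__main__":
    blob = build_sample_driver(rot=3, key=0x5A)
    print(recover_parameters(blob))  # (3, 90)
```

The same search generalises to any rotate/XOR combination with a multi-byte key: the candidate count grows with the key length, but each extra known-plaintext byte (the PE signature at `e_lfanew`, section names, the DOS stub) rejects most candidates after a single comparison, so the cost stays linear in the key space rather than exponential in the blob size.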
23. Comparison of the Carberp file system with Rovnix.B

24. Anti-RE tricks

25. Removing AV hooks before installation

26. Calling WinAPI functions by hash
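Slide 26 names the technique but not the hash function Carberp uses. The following is an added example, not code from the deck or from Carberp: it uses the 32-bit ROR13 hash common in shellcode as a stand-in (an assumption; swap in the real function once it is recovered from the sample) and shows both sides of the trick. The malware side walks a module's export names comparing hashes so that no API name string appears in the binary; the analyst side precomputes a hash-to-name table from known exports so the constants found in a disassembly can be labelled. The export list is a constructed stand-in for kernel32's export directory and all function names are illustrative.

```python
"""
Added example (not from the ESET deck): resolving WinAPI functions by
hash, and the analyst-side lookup table that undoes it.

Assumption: the hash is the 32-bit ROR13 hash used by common shellcode
(h = ror32(h, 13) + byte, over the ASCII export name). Carberp's actual
hash function is not given on the slides; replace `api_hash` when known.
"""


def ror32(v: int, n: int) -> int:
    n &= 31
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """ROR13 hash over the ASCII export name (hypothetical stand-in)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for a module's export directory. On a live system
# the malware reads these names from the PE export table in memory.
KERNEL32_EXPORTS = [
    "CreateFileA", "CreateFileW", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "ExitProcess",
]


def resolve_by_hash(exports, wanted_hash: int):
    """Malware-side lookup: walk the export names and return the first
    whose hash matches. Only the 32-bit constant is stored in the binary,
    so string-based detection and API-name triage see nothing."""
    for name in exports:
        if api_hash(name) == wanted_hash:
            return name
    return None


def build_hash_table(exports):
    """Analyst-side: precompute hash -> name for every known export, once,
    so the immediates seen in a call-by-hash stub can be labelled."""
    return {api_hash(n): n for n in exports}


def label_constants(constants, table):
    """Map immediates pulled from a disassembly to API names. Unknown
    hashes are kept as hex so a wrong guess at the hash function, or a
    hash of an export from a module not yet tabled, stays visible."""
    return [table.get(c, f"unknown:{c:08x}") for c in constants]


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    # Constructed: immediates as they might appear in a call-by-hash stub.
    consts = [api_hash("VirtualAlloc"), api_hash("WriteProcessMemory"), 0xDEADBEEF]
    print(label_constants(consts, table))
```

In practice the table is built over the full export lists of the DLLs the sample touches (kernel32, ntdll, advapi32, wininet, winscard and so on), and a constant that stays unlabelled across all of them is the signal that the sample uses a different hash function or salts the module name into it.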
27. Plugin encryption algorithm

28. Communication protocol encryption algorithm

29. Bank attacking algorithms

30. Bank attacking algorithm by group. Columns: Gizmo, Dudorov, Origami. The per-group check marks did not survive extraction; only the named values are listed here.
   • HTML injections
   • Autoload: 2010 (one group), 2011 (September) (another group)
   • Dedicated plugins for major banks
   • Intercepting client-bank activity
   • Patching Java
   • WebMoney / CyberPlat
   • Stealing money from private persons

31. Smartcard attacks

32. Applications used by smartcards (Windows smartcard subsystem stack, top to bottom): user application (user interface) -> access provider -> smartcard resource manager -> smartcard subsystem call -> specific reader device drivers (one per reader) -> reader devices -> smartcards (hardware support)

33. Win32/Spy.Ranbyus

34. Win32/RDPdoor v4.x

35. References
   • Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
   • Dr. Zeus: the Bot in the Hat: http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
   • Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
   • Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
   • Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
   • Carberp Gang Evolution: CARO 2012 presentation: http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012

36. Thank you for your attention!
   Aleksandr Matrosov, matrosov@eset.sk, @matrosov, amatrosov.blogspot.com
   Eugene Rodionov, rodionov@eset.sk, @vxradius