Smartcard vulnerabilities in modern banking malware

Aleksandr Matrosov
Eugene Rodionov
Agenda

- Evolution of Carberp distribution scheme
  • drive by downloads
  • detection statistics
- Carberp modifications
  • the story of BK-LOADER
  • antiRE tricks
- Banks attacking algorithms
- Smartcard attacks
Evolution drive by downloads: Carberp case

Exploit kits used in distribution scheme

- Impact since 2010 (probivaites.in)
  • Java/Exploit.CVE-2010-0840
  • Java/Exploit.CVE-2010-0842
  • Java/TrojanDownloader.OpenConnection
- Blackhole since 2011 (lifenews-sport.org)
  • JS/Exploit.JavaDepKit (CVE-2010-0886)
  • Java/Exploit.CVE-2011-3544
  • Java/Exploit.CVE-2012-0507
  • Java/Agent
- Nuclear Pack since 2012 (nod32-matrosov-pideri.org)
  • Java/Exploit.CVE-2012-0507
Blackhole drive by download scheme

[Diagram: legitimate site -> search vuln (TRUE / FALSE) -> exploitation stage -> dropper execution]
  exploitation stage: /getJavaInfo.jar, /content/obe.jar, /content/rino.jar
  dropper execution: /w.php?f=17&e=2
Exploit kit migration reasons

1. • most popular = most detected
2. • frequently leaked exploit kit
   • most popular exploit kit for research
3. • auto detections by AV-crawlers
   • non-detection period is less than two hours
Blackhole migration to Nuclear Pack
Nuclear pack drive by download scheme

[Diagram: legitimate site -> check real user -> search vuln (TRUE / FALSE) -> exploitation stage -> dropper execution]
  exploitation stage: //images/274e0118278c38ab7f4ef5f98b71d9dc.jar
  dropper execution: /server_privileges.php?<gate_id>=<exp_id>
BlackSEO & Nuclear Pack
Carberp detection statistics
Carberp detection statistics by country
Cloud data from Live Grid

[Chart: share of Carberp detections by country; legend: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, Rest of the world]
Carberp detections over time in Russia
Cloud data from Live Grid

[Chart: Carberp detections over time in Russia; y-axis from 0 to 0.18]
Evolution of Carberp modifications

Different groups, different bots, different C&Cs

[Diagram: three Carberp groups, G***o, D*****v and Origami]
functionality                | Gizmo                | Dudorov                    | Origami
-----------------------------|----------------------|----------------------------|---------------------------
Dedicated dropper            | [mark]               | [mark]                     | Win32/Hodprot
Java patcher                 | [mark]               | [mark]                     | [mark]
Bootkit                      | [mark]               | [mark]                     | [mark] based on Rovnix
RDP backconnect              | [mark]               | Win32/RDPdoor              | Win32/RDPdoor
TV backconnect               | Win32/Sheldor        | Win32/Sheldor              | Win32/Sheldor
HTML injections              | IE, Firefox, Opera   | IE, Firefox, Opera, Chrome | IE, Firefox, Opera, Chrome
Autoloads                    | [mark]               | [mark]                     | [mark]
Unique plugins               | minav.plug,          | sbtest.plug,               | sber.plug,
                             | passw.plug,          | cyberplat.plug             | ddos.plug
                             | killav.plug          |                            |

[mark] = a yes/no symbol on the slide that did not survive text extraction.
Commands (the slide marks each command for Gizmo, Dudorov and Origami with a symbol that did not survive text extraction):

command      | Description
-------------|-----------------------------------------------
ddos         | download DDoS plugin and start attack
updatehosts  | modify hosts file on infected system
alert        | show message box on infected system
update       | download new version of Carberp
updateconfig | download new version of config file
download     | download and execute PE-file
loaddll      | download plugin and load into memory
bootkit      | download and install bootkit
grabber      | grab HTML form data and send to C&C
killos       | modify boot code and delete system files
killuser     | delete user Windows account
killbot      | delete all files and registry keys
updatepatch  | download and modify java runtime
deletepatch  | delete java runtime modifications
The Story of BK-LOADER: from Rovnix.A to Carberp

Interesting Carberp sample (October 2011)

Interesting strings inside Carberp with bootkit

Carberp bootkit functionality

[Diagram: Bootkit bootstrap code -> Load unsigned driver injector -> Inject user-mode payload]

Callgraph of bootkit installation routine
Rovnix kit hidden file systems comparison

functionality                    | Rovnix.A            | Carberp with bootkit | Rovnix.B
---------------------------------|---------------------|----------------------|---------------------
VBR modification                 | [mark]              | [mark]               | [mark]
polymorphic VBR                  | [mark]              | [mark]               | [mark]
Malware driver storage           | [mark]              | [mark]               | [mark]
Driver encryption algorithm      | custom (ROR + XOR)  | custom (ROR + XOR)   | custom (ROR + XOR)
Hidden file system               | [mark]              | FAT16 modification   | FAT16 modification
File system encryption algorithm | [mark]              | RC6 modification     | RC6 modification

[mark] = a yes/no symbol on the slide that did not survive text extraction.
Comparison of Carberp file system with Rovnix.B
AntiRE tricks
Removing AV hooks before installation
Calling WinAPI functions by hash
Plugin encryption algorithm
Communication protocol encryption algorithm
Banks attacking algorithms
Bank attacking algorithm            | Gizmo   | Dudorov | Origami
------------------------------------|---------|---------|------------
HTML injections                     | [mark]  | [mark]  | [mark]
autoload                            | 2010    | [mark]  | 2011 (Sep)
dedicated plugins for major banks   | [mark]  | [mark]  | [mark]
intercepting client-banks activity  | [mark]  | [mark]  | [mark]
patching java                       | [mark]  | [mark]  | [mark]
webmoney/cyberplat                  | [mark]  | [mark]  | [mark]
stealing money from private persons | [mark]  | [mark]  | [mark]

[mark] = a yes/no symbol on the slide that did not survive text extraction.
Smartcard attacks

Applications used by smartcards

[Diagram: Windows smartcard stack, top to bottom]
  User Application: User interface, Access provider
  Smartcard Subsystem: Smartcard resource manager -> Call reader device driver
  Specific reader device driver (one per reader, …)
  Hardware Support: Reader device (…), Smartcard (…)
Win32/Spy.Ranbyus
Win32/RDPdoor v4.x
References

- Exploit Kit plays with smart redirection
  http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
- Dr. Zeus: the Bot in the Hat
  http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
- Blackhole, CVE-2012-0507 and Carberp
  http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
- Evolution of Win32/Carberp: going deeper
  http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
- Hodprot: Hot to Bot
  http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
- Carberp Gang Evolution: CARO 2012 presentation
  http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012
Thank you for your attention!

Aleksandr Matrosov   matrosov@eset.sk   @matrosov   amatrosov.blogspot.com
Eugene Rodionov      rodionov@eset.sk   @vxradius
