Smartcard Vulnerabilities In Modern Banking Malware
Published in: Technology
Transcript

  • 1. Smartcard vulnerabilities in modern banking malware. Aleksandr Matrosov, Eugene Rodionov
  • 2. Agenda
      • Evolution of Carberp distribution scheme: drive-by downloads; detection statistics
      • Carberp modifications: the story of BK-LOADER; anti-RE tricks
      • Banks attacking algorithms
      • Smartcard attacks
  • 3. Evolution of drive-by downloads: Carberp case
  • 4. Exploit kits used in distribution scheme
      • Impact, since 2010 (probivaites.in): Java/Exploit.CVE-2010-0840, Java/Exploit.CVE-2010-0842, Java/TrojanDownloader.OpenConnection
      • Blackhole, since 2011 (lifenews-sport.org): JS/Exploit.JavaDepKit (CVE-2010-0886), Java/Exploit.CVE-2011-3544, Java/Exploit.CVE-2012-0507, Java/Agent
      • Nuclear Pack, since 2012 (nod32-matrosov-pideri.org): Java/Exploit.CVE-2012-0507
  • 5. Blackhole drive-by download scheme: legitimate site → search check (TRUE / FALSE) → vuln exploitation stage (/getJavaInfo.jar, /content/obe.jar, /content/rino.jar) → dropper execution (/w.php?f=17&e=2)
  • 6. Exploit kit migration reasons
      1. most popular = most detected
      2. frequently leaked exploit kit; most popular exploit kit for research
      3. auto detections by AV-crawlers; non-detection period is less than two hours
  • 7. Blackhole migration to Nuclear Pack
  • 8. Nuclear Pack drive-by download scheme: legitimate site → check real user (TRUE / FALSE) → search → vuln exploitation stage (/images/274e0118278c38ab7f4ef5f98b71d9dc.jar) → dropper execution (/server_privileges.php?<gate_id>=<exp_id>)
  • 9. BlackSEO & Nuclear Pack
  • 10. Carberp detection statistics
  • 11. Carberp detection statistics by country (cloud data from Live Grid). Countries shown: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world
  • 12. Carberp detections over time in Russia (cloud data from Live Grid; chart)
  • 13. Evolution of Carberp modifications
  • 14. Different groups, different bots, different C&C's: G***o, D*****v, Origami
  • 15. Functionality comparison (columns: functionality | Gizmo | Dudorov | Origami)
      Dedicated dropper:   Win32/Hodprot
      Java patcher:   
      Bootkit:    based on Rovnix
      RDP backconnect:  Win32/RDPdoor Win32/RDPdoor
      TV backconnect: Win32/Sheldor Win32/Sheldor Win32/Sheldor
      HTML injections: IE, Firefox, Opera | IE, Firefox, Opera, Chrome | IE, Firefox, Opera, Chrome
      Autoloads:   
      Unique plugins: minav.plug sbtest.plug sber.plug passw.plug cyberplat.plug ddos.plug killav.plug
  • 16. Commands (columns: command | Gizmo | Dudorov | Origami | description)
      ddos:    download DDoS plugin and start attack
      updatehosts:    modify hosts file on infected system
      alert:    show message box on infected system
      update:    download new version of Carberp
      updateconfig:    download new version of config file
      download:    download and execute PE-file
      loaddll:    download plugin and load into memory
      bootkit:    download and install bootkit
      grabber:    grab HTML form data and send to C&C
      killos:    modify boot code and delete system files
      killuser:    delete user Windows account
      killbot:    delete all files and registry keys
      updatepatch:    download and modify java runtime
      deletepatch:    delete java runtime modifications
  • 17. The Story of BK-LOADER from Rovnix.A to Carberp
  • 18. Interesting Carberp sample (October 2011)
  • 19. Interesting strings inside Carberp with bootkit
  • 20. Carberp bootkit functionality Inject user-mode payload Bootkit Load unsigned bootstrap code driver injector
  • 21. Callgraph of bootkit installation routine
  • 22. Rovnix kit hidden file systems comparison (columns: functionality | Rovnix.A | Carberp with bootkit | Rovnix.B)
      VBR modification:   polymorphic VBR
      Malware driver:   storage
      Driver encryption algorithm: custom (ROR + XOR) | custom (ROR + XOR) | custom (ROR + XOR)
      Hidden file system:  | FAT16 modification | FAT16 modification
      File system encryption algorithm:  | RC6 modification | RC6 modification
  • 23. Comparison of Carberp file system with Rovnix.B
  • 24. AntiRE tricks
  • 25. Removing AV hooks before installation
  • 26. Calling WinAPI functions by hash
  • 27. Plugin encryption algorithm
  • 28. Communication protocol encryption algorithm
  • 29. Banks attacking algorithms
  • 30. Bank attacking algorithm (columns: Gizmo | Dudorov | Origami)
      HTML injections:   
      autoload: 2010 |  | 2011 (Sep)
      dedicated plugins for major banks:   
      intercepting client-banks activity:   
      patching java:   
      webmoney/cyberplat:   
      stealing money from private persons:   
  • 31. Smartcard attacks
  • 32. Applications used by smartcards (layered stack, top to bottom)
      • User interface: User Application
      • Smartcard Subsystem: Access provider → Smartcard resource manager → call to the specific reader device driver (one driver per reader)
      • Hardware Support: reader devices → smartcards
  • 33. Win32/Spy.Ranbyus
  • 34. Win32/RDPdoor v4.x
  • 35. References
      • Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
      • Dr. Zeus: the Bot in the Hat: http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
      • Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
      • Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
      • Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
      • Carberp Gang Evolution: CARO 2012 presentation: http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012
  • 36. Thank you for your attention! Aleksandr Matrosov (matrosov@eset.sk, @matrosov), Eugene Rodionov (rodionov@eset.sk, @vxradius), amatrosov.blogspot.com
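The drive-by download chains sketched on slides 5 (Blackhole) and 8 (Nuclear Pack) leave a two-step footprint in web proxy logs: a Java exploit stage (a .jar) served from a landing host, followed within seconds by a dropper request to the same host. The Python below is an added example, not code from the deck or from ESET; it correlates those two steps per client and host using only the URL shapes the two slides show. The log line format, the hostnames, the client addresses and the five-minute correlation window are constructed assumptions for this example.

```python
"""Correlate drive-by download stages in web proxy logs.

Added example: URL shapes come from the deck's Blackhole (slide 5) and
Nuclear Pack (slide 8) diagrams. The log line format, hostnames, client
addresses and timing window are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Stage 1: Java exploit delivery. Patterns are the paths shown on the slides.
EXPLOIT_STAGE = [
    ("Blackhole", re.compile(r"^/getJavaInfo\.jar$")),
    ("Blackhole", re.compile(r"^/content/[a-z]+\.jar$")),          # obe.jar, rino.jar
    ("Nuclear Pack", re.compile(r"^/images/[0-9a-f]{32}\.jar$")),  # 274e0118...d9dc.jar
]
# Stage 2: dropper request / gate. Slide 8 writes the Nuclear Pack
# parameters as <gate_id>=<exp_id>, so only the shape is matched here.
DROPPER_STAGE = [
    ("Blackhole", re.compile(r"^/w\.php\?f=\d+&e=\d+$")),
    ("Nuclear Pack", re.compile(r"^/server_privileges\.php\?\w+=\w+$")),
]
WINDOW = timedelta(minutes=5)  # assumption: both stages land within minutes

# Constructed proxy log format: "<date> <time> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{d['date']} {d['time']}", "%Y-%m-%d %H:%M:%S")
    return d

def classify(url):
    """Map a URL to (stage, kit) by its path+query, or None if nothing matches."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    for kit, rx in EXPLOIT_STAGE:
        if rx.match(target):
            return ("exploit", kit)
    for kit, rx in DROPPER_STAGE:
        if rx.match(target):
            return ("dropper", kit)
    return None

def find_chains(lines, window=WINDOW):
    """Alert on (client, host) pairs where an exploit-stage .jar fetch is
    followed within `window` by a dropper request attributed to the same kit."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    pending = defaultdict(list)   # (client, host) -> [(ts, kit, url)]
    alerts = []
    for e in events:
        tag = classify(e["url"])
        if tag is None:
            continue
        stage, kit = tag
        key = (e["client"], urlsplit(e["url"]).hostname)
        if stage == "exploit":
            pending[key].append((e["ts"], kit, e["url"]))
            continue
        for ts, ekit, eurl in pending[key]:
            if ekit == kit and timedelta(0) <= e["ts"] - ts <= window:
                alerts.append({
                    "client": e["client"], "host": key[1], "kit": kit,
                    "exploit_url": eurl, "dropper_url": e["url"],
                    "seconds_apart": int((e["ts"] - ts).total_seconds()),
                })
                break
    return alerts

# Constructed sample: one Blackhole chain, one Nuclear Pack chain, and a lone
# dropper-shaped request with no preceding exploit stage (must not alert).
SAMPLE_LOG = """\
2012-04-05 10:00:01 10.0.0.7 GET http://news.example.test/ 200
2012-04-05 10:00:03 10.0.0.7 GET http://lp.example.test/getJavaInfo.jar 200
2012-04-05 10:00:05 10.0.0.7 GET http://lp.example.test/content/obe.jar 200
2012-04-05 10:00:09 10.0.0.7 GET http://lp.example.test/w.php?f=17&e=2 200
2012-04-05 10:02:00 10.0.0.9 GET http://cdn.example.test/images/logo.jpg 200
2012-04-05 10:03:11 10.0.0.9 GET http://np.example.test/images/274e0118278c38ab7f4ef5f98b71d9dc.jar 200
2012-04-05 10:03:14 10.0.0.9 GET http://np.example.test/server_privileges.php?a1b2=7 200
2012-04-05 10:10:00 10.0.0.12 GET http://other.example.test/w.php?f=1&e=1 404
"""

if __name__ == "__main__":
    for a in find_chains(SAMPLE_LOG.splitlines()):
        print(f"{a['kit']}: {a['client']} -> {a['host']} "
              f"({a['exploit_url']} then {a['dropper_url']}, {a['seconds_apart']}s apart)")
```

The correlation keys on the chain rather than on any single URL: the last sample line has the dropper shape but no preceding exploit stage from that host, so it produces no alert, while the two real chains do. Slide 6's observation that the kits' non-detection period is under two hours is the reason to favour this kind of behavioural correlation over per-URL or per-sample signatures.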
