Modern malware techniques for attacking RBS systems in Russia



  1. Modern malware techniques for attacking RBS systems in Russia. Aleksandr Matrosov, Eugene Rodionov
  2. Who are we? Malware researchers at ESET: complex threat analysis; development of cleaning tools; tracking new malware techniques; investigation of cybercrime groups.
  3. Agenda: cybercrime trends in RBS (remote banking systems); the most prevalent threats and incidents (Win32/Shiz, Win32/Hodprot, Win32/Sheldor, Win32/RDPdoor, Win32/Carberp); Carberp cybercrime group revenue.
  4. Overview. 2010/11: years of attacks on Russian banks. The number of incidents has more than doubled compared to 2010*, and over 92%* of incidents involve banking trojans. The malware is tailored to Russian banks and payment systems; however, it can be (and is) used in other countries as well. (*Research report "The Russian cybercrime market in 2010: status and trends".)
  5. Interesting facts about Russian bank fraud: these guys are still free!
  6. Evolution of RBS trojans. 2009-2010: Win32/Shiz (2009), Win32/Carberp, Win32/Hodprot, Win32/Sheldor, Win32/RDPdoor. 2011: multiple updates, growing incident numbers, ..., Win32/Carberp with bootkit.
  7. Cybercrime landscape (2010)
  8. Cybercrime landscape (2011)
  9. Cybercrime landscape (2011)
  10. Win32/Spy.Shiz
  11. Win32/Spy.Shiz detection statistics by month (cloud data from ESET Live Grid, August 2009 – November 2011)
  12. Win32/Spy.Shiz detection statistics by country (cloud data from ESET Live Grid)
  13. Win32/Spy.Shiz: stealing money
  14. Win32/Hodprot
  15. Win32/Hodprot detection statistics by month (cloud data from ESET Live Grid, July 2010 – November 2011)
  16. Win32/Hodprot detection statistics by country (cloud data from ESET Live Grid)
  17. Win32/Hodprot: antiforensics. Diagram labels (components of the infected image): main module, original sfcfiles.dll, kernel-driver image, loader code, C&C URLs.
  18. Win32/Hodprot: injecting payload. Diagram labels: user mode: Winlogon address space (sfcfiles.dll, setupapi.dll; assemble payload, inject payload, update payload), browser address space (payload), system registry; kernel mode: driver sfc.sys (install & load, assemble payload, inject payload).
  19. Win32/Hodprot: C&C protocol. The bot sends a request to the C&C server (bot ID, integer); the server replies with updated modules and an image to execute; the bot handles the reply by updating its modules and running the downloaded executable; the bot then sends status information.
  20. Win32/Sheldor & Win32/RDPdoor
  21. Win32/Sheldor and TeamViewer in action: 1. the infected computer requests a cloud ID from the TeamViewer cloud; 2. the TeamViewer cloud sets the cloud ID; 3. Win32/Sheldor sends the ID to the C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1; 4. a malicious connection is made through the TeamViewer cloud to the infected computer.
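The beacon on slide 21 is what a defender can hunt for: the victim's TeamViewer ID and session password leave the network in a plain GET. The following detection over proxy logs is an added example, not code from the presentation or from ESET. Only the request shape GET /getinfo.php?id=<TeamViewer ID>&pwd=<password>&stat=1 is taken from the slide; the log format, the hostnames and the sample lines are constructed.

```python
"""Flag Win32/Sheldor-style TeamViewer ID beacons in HTTP proxy logs.

Added example, not code from the presentation or from ESET. Only the beacon
shape GET /getinfo.php?id=<TeamViewer ID>&pwd=<password>&stat=1 comes from
the slide; the log format, hostnames and sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# TeamViewer IDs are displayed as three groups of three digits ("414 034 883");
# the beacon URL-encodes the spaces as %20, which parse_qs decodes for us.
TV_ID_RE = re.compile(r"^\d{3} \d{3} \d{3}$")


def parse_beacon(url):
    """Return the beacon fields if url matches the Sheldor /getinfo.php shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/getinfo.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "id" not in qs or "pwd" not in qs:
        return None
    tv_id = qs["id"][0]
    if not TV_ID_RE.match(tv_id):
        return None                      # e.g. an unrelated site's getinfo.php?id=12345
    return {
        "host": parts.hostname,          # the C&C: block it and pivot on other clients
        "tv_id": tv_id,                  # the victim's TeamViewer ID
        "pwd": qs["pwd"][0],             # session password handed to the attacker
        "stat": qs.get("stat", [""])[0],
    }


# Constructed log lines: "<timestamp> <client IP> <method> <URL>".
SAMPLE_LOG = """\
2011-11-18T09:14:02Z 10.0.0.17 GET http://www.example.com/index.html
2011-11-18T09:14:05Z 10.0.0.17 GET http://c2.example.net/getinfo.php?id=414%20034%20883&pwd=6655&stat=1
2011-11-18T09:15:11Z 10.0.0.23 GET http://shop.example.com/getinfo.php?id=12345&ref=home
2011-11-18T09:16:40Z 10.0.0.31 GET http://c2.example.net/getinfo.php?id=512%20118%20006&pwd=9012&stat=1
"""


def scan_log(text):
    """Return (timestamp, client, beacon) for every line carrying a Sheldor-shaped beacon."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(" ", 3)
        beacon = parse_beacon(url)
        if beacon:
            hits.append((ts, client, beacon))
    return hits


if __name__ == "__main__":
    for ts, client, b in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {b['host']}: TeamViewer ID {b['tv_id']} pwd {b['pwd']}")
```

A hit gives the incident responder three things at once: the C&C host to block, the client to isolate, and the TeamViewer ID and password the attacker now holds, which is why the TeamViewer installation on that host must be treated as attacker-controlled until it is removed.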
  22. Under the hood: DLL hooking. TeamViewer.exe → TV.dll (proxy DLL) → TS.dll (original TS.dll).
  23. Malicious DLL call graph
  24. Malicious DLL decompilation. Annotated: functions for calling from the original TS.dll; load original TS.dll; hook functions; C&C URL.
  25. Sheldor C&C panel
  26. Win32/RDPdoor installation: 1. the infected computer runs the dropper and sends system information to the C&C; 2. the bot authenticates on the C&C, which provides Thinsoft BeTwin for installation; 3. the bot sends status information.
  27. Stealing authentication data: 1. install a GINA extension DLL; 2. display a fake logon screen; 3. capture the user name & password; 4. send them to the C&C.
  28. Win32/Carberp
  29. Win32/Carberp detections over time in Russia (cloud data from ESET Live Grid, January 2010 – November 2011)
  30. Win32/Carberp detection statistics by country (cloud data from ESET Live Grid)
  31. Self-protecting functionality (technique: implementation)
      Bypassing AV emulators: many calls of rare WinAPI functions
      Code injection method: ZwQueueApcThread(), ZwResumeThread()
      Unhooking method: checking the first bytes of the API function body and deleting hooks
      Command and string encryption: custom encryption algorithm
      Bot authentication on C&C: file with authentication data stored on the infected PC
      Network communication encryption: base64(RC2(data))
      API function call obfuscation: custom hash algorithm
      Detection of AV hooks: comparison of the first original bytes
      Bypassing static AV signatures: appending random junk bytes to dropped files
      Hiding in the system: hooking system functions; bootkit infector (September 2011)
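Two rows of the table describe the same mechanism from the attacker's side: compare the first bytes of an API function in memory with the original bytes, and, if they differ, write the original bytes back over the detour. The same comparison is what an analyst or an EDR does to find hooks. The code below is an added example and not Carberp's own routine, which the slide does not show. The x86 prologue bytes, the fake export table and the addresses are constructed; on a real system the "original" bytes come from the DLL on disk with relocations applied.

```python
"""Inline-hook detection and removal by comparing a function's first bytes
with its original prologue.

Added example, not Carberp's code: the table names the technique (compare the
first original bytes of an API, delete the hook); the bytes below are
constructed 32-bit x86 and the "original" copy stands in for bytes read from
the DLL on disk (after applying relocations) on a real system.
"""
import struct

# Typical Win32 API prologue: mov edi,edi ; push ebp ; mov ebp,esp
ORIGINAL_PROLOGUE = bytes.fromhex("8BFF558BEC")


def classify_hook(live, original):
    """None if the function entry is intact, else a short name for the detour found."""
    if live[: len(original)] == original:
        return None
    if live[0] == 0xE9:
        return "jmp rel32"
    if live[0] == 0xEB:
        return "jmp rel8"
    if live[0] == 0x68 and len(live) > 5 and live[5] == 0xC3:
        return "push imm32 / ret"
    if live[:2] == b"\xff\x25":
        return "jmp dword ptr [abs32]"
    return "prologue modified"


def detour_target(live, va):
    """Destination of a 5-byte jmp rel32 or a push/ret placed at address va, or None."""
    if live[0] == 0xE9:
        rel = struct.unpack_from("<i", live, 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF          # rel32 is relative to the next instruction
    if live[0] == 0x68 and len(live) > 5 and live[5] == 0xC3:
        return struct.unpack_from("<I", live, 1)[0]
    return None


def unhook(live, original):
    """Write the original first bytes back over the detour (what 'deleting hooks' means)."""
    return original + live[len(original):]


# Constructed view of three exports as seen inside a process: name -> (VA, first 8 bytes).
HOOK_STUB_VA = 0x10001000                            # where a hooking DLL's trampoline would live
LIVE_EXPORTS = {
    "ZwQueueApcThread": (0x7C90D8F0, ORIGINAL_PROLOGUE + b"\x83\xec\x10"),
    "ZwResumeThread":   (0x7C90DB20, b"\xe9" + struct.pack("<i", HOOK_STUB_VA - (0x7C90DB20 + 5)) + b"\x83\xec\x10"),
    "CreateProcessW":   (0x7C802336, b"\x68" + struct.pack("<I", HOOK_STUB_VA) + b"\xc3\x90\x90"),
}


def find_hooks(live_exports, original=ORIGINAL_PROLOGUE):
    """Return {name: (kind, target)} for every export whose entry no longer matches the original bytes."""
    found = {}
    for name, (va, live) in live_exports.items():
        kind = classify_hook(live, original)
        if kind:
            found[name] = (kind, detour_target(live, va))
    return found


if __name__ == "__main__":
    for name, (kind, target) in find_hooks(LIVE_EXPORTS).items():
        print(f"{name}: {kind} -> {target:#010x}")
```

Two caveats follow directly from the code. A push/ret detour overwrites six bytes, so the original copy handed to unhook() must be at least as long as the longest detour the checker recognises, or the sixth byte stays corrupted. And matching on fixed byte patterns only catches detours at the function entry; a hook placed a few instructions in, or one that starts with a different instruction, needs a length disassembler or a full compare of the code section against the mapped file.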
  32. Carberp going deeper since September 2011
  33. Carberp going deeper since September 2011. Boot sequence: load MBR (real mode) → load VBR (real mode) → load bootstrap code → load bootmgr (real mode/protected mode) → load winload.exe or winresume.exe → load kernel and boot-start drivers. Target of Rovnix & Carberp: the bootstrap code.
  34. Carberp: infected partition layout. Carberp overwrites the bootstrap code of the active partition. The malicious driver is written either before the active partition, if there is enough space, or at the end of the hard drive otherwise. Before infection: MBR | VBR | bootstrap code | file system data. After infection: MBR | VBR | malicious bootstrap code | file system data, plus the compressed, unsigned malicious driver stored outside the file system (before the active partition or at the end of the drive). The NTFS bootstrap code occupies 15 sectors.
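The layout on slide 34 translates into two forensic checks on a raw disk image: hash the active partition's NTFS bootstrap code against a known-clean reference, and look for non-zero sectors in the unallocated space before the active partition and after the last one, where the slide says the driver is parked. The following is an added example, not code from the presentation. The 128-sector disk image is constructed in memory, and REFERENCE_HASH stands in for a hash taken from a clean install of the same Windows version (bootstrap code differs between versions, so the reference must match).

```python
"""Forensic check of a raw disk image for the infected layout on the slide:
modified NTFS bootstrap code in the active partition and data hidden in the
unallocated gap before it (or after the last partition).

Added example, not from the presentation. The 128-sector image is constructed
in memory; REFERENCE_HASH stands in for a hash of the bootstrap code taken
from a known-clean install of the same Windows version.
"""
import hashlib
import struct

SECTOR = 512
NTFS_BOOT_SECTORS = 16        # VBR plus the 15 sectors of bootstrap code ($Boot)
VBR_CODE_OFFSET = 0x54        # NTFS VBR: jump + OEM ID + BPB end here, boot code follows


def parse_mbr(img):
    """Primary partition entries from the MBR at sector 0."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    entries = []
    for i in range(4):
        e = img[446 + 16 * i: 446 + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", e, 8)
        if e[4] != 0:                                   # partition type 0 = unused entry
            entries.append({"active": e[0] == 0x80, "type": e[4], "lba": lba, "sectors": count})
    return entries


def active_partition(entries):
    return next((e for e in entries if e["active"]), None)


def sectors(img, lba, n):
    return img[lba * SECTOR:(lba + n) * SECTOR]


def bootstrap_hash(img, part):
    """SHA-256 of the VBR code and the following 15 sectors; the BPB (volume serial etc.) is skipped."""
    vbr = sectors(img, part["lba"], 1)
    rest = sectors(img, part["lba"] + 1, NTFS_BOOT_SECTORS - 1)
    return hashlib.sha256(vbr[VBR_CODE_OFFSET:510] + rest).hexdigest()


def nonzero_sectors(img, first, last):
    """Count sectors in [first, last) holding any non-zero byte: unallocated space should be zeros."""
    return sum(1 for lba in range(first, last) if any(sectors(img, lba, 1)))


def build_image(infected=False):
    """Constructed disk: MBR, 15 free sectors, one active NTFS partition at LBA 16 (96 sectors), 16 free tail sectors."""
    img = bytearray(128 * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 16, 96)
    img[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:11] = b"\xeb\x52\x90NTFS    "
    vbr[VBR_CODE_OFFSET:510] = bytes((i * 7) & 0xFF for i in range(510 - VBR_CODE_OFFSET))  # stand-in VBR code
    vbr[510:512] = b"\x55\xaa"
    img[16 * SECTOR:17 * SECTOR] = vbr
    img[17 * SECTOR:32 * SECTOR] = bytes((i * 13) & 0xFF for i in range(15 * SECTOR))     # stand-in $Boot code
    if infected:
        img[17 * SECTOR:19 * SECTOR] = b"\xcc" * (2 * SECTOR)   # malicious bootstrap code over the start of $Boot
        img[2 * SECTOR:7 * SECTOR] = b"\xc3" * (5 * SECTOR)     # compressed unsigned driver parked before the partition
    return bytes(img)


CLEAN = build_image()
REFERENCE_HASH = bootstrap_hash(CLEAN, active_partition(parse_mbr(CLEAN)))


def check_image(img, reference_hash=REFERENCE_HASH):
    """Report the three indicators for one image."""
    entries = parse_mbr(img)
    part = active_partition(entries)
    disk_end = len(img) // SECTOR
    last_used = max(e["lba"] + e["sectors"] for e in entries)
    return {
        "bootstrap_modified": bootstrap_hash(img, part) != reference_hash,
        "nonzero_sectors_before_active": nonzero_sectors(img, 1, part["lba"]),
        "nonzero_sectors_after_last": nonzero_sectors(img, last_used, disk_end),
    }


if __name__ == "__main__":
    print("clean:   ", check_image(CLEAN))
    print("infected:", check_image(build_image(infected=True)))
```

On a real image the gap before the first partition is 63 or 2048 sectors and legitimate boot managers also write there, so a non-zero count is a lead to carve and inspect, not proof of infection; the bootstrap hash mismatch is the stronger indicator, provided the reference comes from the same Windows build.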
  35. Interesting strings and investigation
  36. Win32/Carberp: money stealing methods (stealing technique: functionality)
      Web-injects/Autoloads (IE, FF, Chrome, Opera): inserting the specified JS code into the HTML returned by the online banking site
      Backconnect backdoor (RDP/VNC): loading on request a special binary module (RDPdoor, custom VNC client)
      Keylogger (based on WinAPI): recording keyboard events into a log file
      ScreenSpy (based on WinAPI): saving screenshots into a log file
      Grabbers (Form, FTP, Pass): loading on request a special binary module
      Custom plugins for RBS: binary modules for specific RBS (sber.plug)
  37. Win32/Carberp botnet control panel
  38. C&C with stolen data
  39. CAB files with stolen data
  40. Stolen data: BS-Client IB system
  41. Stolen data: CyberPlat payment system
  42. Stolen data: iBank IB system
  43. Stolen data: SberBank IB
  44. Stolen data: UkrSibBank IB
  45. References: "Cybercrime in Russia: Trends and issues"; "Evolution of Win32/Carberp: going deeper"; "Hodprot: Hot to Bot". Follow the ESET Threat Blog.
  46. Questions
  47. Thank you for your attention ;) Aleksandr Matrosov (@matrosov), Eugene Rodionov (@vxradius)