nullcon 2011 - ZeuS MitMo – A real case of banking fraud through mobile phones

ZeuS MitMo – A real case of banking fraud through mobile phones by Mikel Gastesi & Jose Miguel Esparz

  1. ZeuS MitMo
     Mikel Gastesi 2011-02-25
     S21sec e-crime analyst
     http://null.co.in/
     http://nullcon.net/
  2. ZeuS MitMo
     Introduction
     Banking protections
     Banking trojans
     ZeuS / Zbot
     ZeuS MitMo
     Conclusion
  3. Introduction
  4. Introduction
     Target
     Why the user??
  5. Banking protections
     User / password
     User / password + extra password for transactions
     Code card
     OTP
     mTAN = mobile Transaction authentication number
  6. Cat and mouse game (protection -> attack that defeats it)
     User / password -> Form grabbing
     User / password + extra password for transactions -> Form grabbing
     Code card -> HTML injection
     OTP / mTAN = mobile Transaction authentication number -> Zitmo, MITB
     Token?
  7. Attacking the user
     Phishing
     Trojans
     One-shot trojans
     Modifying host file
     Form grabbing
     HTML injection
  8. Banking trojans
     ZeuS / Zbot
     SpyEye
     Bankpatch
     SilentBanker
     Sinowal
     Gozi
     Carberp
     …
  9. Zbot
     You can buy it for less than 600$ !
     Easy to install
     Easy to configure
     Creates an easy-to-manage botnet
     Very powerful
     Add-ons
     IM / Jabber
     Zitmo has been seen for sale!! ¿?¿?
  10. Zbot
     Characteristics:
     Creates a botnet
     Configuration file update
     Binary file update
     /etc/hosts modification
     Socks proxy
     HTML injection
     HTML redirection
  11. Zbot
     Characteristics:
     Screenshots
     Captures virtual keyboards
     Captures form data
     Steals certificates
     Kill OS function!
     Encrypts configuration file and data
  12. Zbot
  13. Zbot
  14. Zbot
     Why does it work so good?
     Stealth
     User doesn't see anything wrong
     Green lock + https = OK?? #FAIL
  15. Zbot
  16. Zbot
  17. Zbot
  18. Zbot
     Screen capture
  19. Zbot
     Redirection
  20. Zbot
  21. Jumping to the phone
  22. Attacking phones
     Today - Why?
     Stealing OTP
     Hiding information messages (instead of SMS flooding)
     Avoid detection of MitB
     Blocking incoming calls
     Prevents communicating with bank
     No mail
     No SMS
     No phone call
  23. Attacking phones
     Today and Tomorrow – Why?
     False security perception
     2 factors -> 1 factor
     Personal information
     Passwords of a lot of services, social networks, etc.
     Password reuse?
  24. Implementation
     OTP != mTAN
     Hardware token
     Ownable platform
     How do you configure your phone number?
  25. Zitmo
     (Diagram; labels: CREDENTIALS, 0023424, 0023424 : OTP, COMMANDS)
  26. Zitmo
     Zeus 2.0.8.9 with custom injection
  27. Zitmo
     Fake SMS to install the trojan (one-time URL)
  28. Zitmo
     Platforms
     Symbian
     BlackBerry
     Windows Mobile
     Targets
     Spanish banks on September (+1 German)
     Polish banks this week (+ Portugal…)
     ZitMo depends only on the PC ZeuS config
  29. Zitmo
     How does it work?
     Preconfigured admin phone number
     Hello message: "App installed OK"
     Resend messages
     Inspired on "SMS Monitor"
  30. Zitmo
     Commands:
     Set admin
     Sender add
     Sender rem
     Block on
     Block off
     Set sender
  31. Zitmo
     Mikel, don't forget the video!!!
  32. ZitMo reloaded
     ZeuS version 3.1.8 -> Fake?
  33. ZitMo reloaded
     New UNINSTALL 45930 command
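Slides 29, 30 and 33 describe Zitmo's control channel: a preconfigured admin number, a hello message, re-sent SMS, and a small command set (plus UNINSTALL in the reloaded version). The detection check below, run over a constructed SMS log, is an added example written for this page and is not code from the talk or from S21sec; the assumption that a command word opens the SMS body, the 4-8 digit mTAN pattern and the "BANK-SMS" sender id are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Command words listed on the slides (Set admin, Sender add/rem, Block on/off, Set sender)
# plus the UNINSTALL command of the "reloaded" version. The slides give no wire syntax, so
# matching a command word at the start of the SMS body is an assumption of this example.
C2_COMMANDS = ("set admin", "sender add", "sender rem", "block on",
               "block off", "set sender", "uninstall")
HELLO_TEXT = "app installed ok"          # hello message quoted on the slides
CODE_RE = re.compile(r"\b\d{4,8}\b")     # assumption: an mTAN is a 4-8 digit code

@dataclass
class Sms:
    direction: str   # "in" (received by the phone) or "out" (sent by the phone)
    number: str      # remote party (sender id or phone number)
    body: str

def normalise(body):
    return " ".join(body.lower().split())

def is_c2_command(body):
    """True if the SMS body opens with one of the known command words."""
    return any(normalise(body).startswith(cmd) for cmd in C2_COMMANDS)

def find_suspicious(messages, bank_numbers):
    """Flag the behaviours the slides describe: an inbound command, the hello beacon sent
    to the admin number, and a bank mTAN re-sent to a non-bank number. Returns (index, reason)."""
    findings, last_code = [], None
    for i, m in enumerate(messages):
        if m.direction == "in" and is_c2_command(m.body):
            findings.append((i, "c2-command"))
        elif m.direction == "in" and m.number in bank_numbers:
            match = CODE_RE.search(m.body)          # remember the latest bank code
            last_code = match.group(0) if match else last_code
        elif m.direction == "out" and m.number not in bank_numbers:
            if normalise(m.body) == HELLO_TEXT:
                findings.append((i, "hello-beacon"))
            elif last_code and last_code in m.body:
                findings.append((i, "mtan-forwarded"))
    return findings

# Constructed sample log; the code 0023424 is the one shown on the Zitmo diagram slide.
BANK_NUMBERS = {"BANK-SMS"}
SAMPLE = [
    Sms("out", "+000000000002", "App installed OK"),
    Sms("in", "+000000000001", "Set admin +000000000002"),
    Sms("in", "BANK-SMS", "Your mTAN for transfer 1 is 0023424"),
    Sms("out", "+000000000002", "BANK-SMS: Your mTAN for transfer 1 is 0023424"),
    Sms("out", "+000000000003", "See you at 8"),
]
```

Running `find_suspicious(SAMPLE, BANK_NUMBERS)` flags the hello beacon, the inbound "Set admin" command and the forwarded mTAN, while the ordinary outgoing message is left alone.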
  34. ZitMo reloaded
     Set admin -> App installed ok
  35. ZitMo reloaded
     Android version??? -> FAKE?
  36. Conclusions
     Real threat, actively used
     Defeats OTP (mTAN)
     To think: 2 factor authentication is becoming single authentication!
     Android > Symbian
     Same scenario?
     Installing from the web Android Market?
  37. Questions?
  38. Thank you!!!
     Contact: mgastesi@s21sec.com