2. Glossary Banker Trojan
C2, CnC, C&C, C2C server
Drop server
Drive-by website
Exploit kit
Configuration file
Web inject
Dropper
Sinkhole
DGA
Money Mule
Rogue DNS
Sandbox
Cryptor
Payload
Hybrid attacks
PPI
Banker Trojans from a forensics perspective
6. Agenda
1.00 What?
2.00 How?
3.00 When?
4.00 Tools (free)
5.00 Case example: Carbanak & Dridex
6.00 CIRK (Commercial tool)
7.00 Real life examples
Banker Trojans from a forensics perspective
7. 1.00
What? – Let’s find the malware; it is most likely persistent
Banker Trojans from a forensics perspective
8.
What?
• Service creation
• Binary replacement
• Scheduled task
• Auto-start Registry keys
• Startup folders
• DLL search order hijacking
• Trojaned legitimate system libraries
• More advanced – local group policy, MS Office add-in, or BIOS flashing
Most malware has some kind of persistence
9.
What?
Malware: Carbanak
10.
What?
Malware: Sality
11.
What?
Malware: Rovnix (Gozi2)
12.
What?
Malware: Carbanak
13. 2.00
How? – Let’s see how the malware was installed
Banker Trojans from a forensics perspective
14.
How?
Drive-by:
• Temp files (jar, swf, exe, dll, tmp, etc.)
• Browser history
Spear phishing e-mail:
• Known e-mail extensions (msg, eml, etc.)
• Known e-mail attachments (pdf, js, scr, zip, etc.)
• Known e-mail file path (Content.Outlook)
Let’s go find that malware dropper
Malware: APT
15.
How?
Malware: CryptoWall 3.0
16.
How?
Malware: Dyreza
17.
How?
Malware: Dridex
18.
How?
Malware: Dridex
19. 3.00
When? – Let’s see when the malware was installed
Banker Trojans from a forensics perspective
20.
When?
Create a master timeline:
• Files
• Registry
• Browser history
• Event log
• Scheduled task
• PF files
• Etc.
File timestamps are easily manipulated, but registry entries seldom are
Malware: Carbanak
Timestamp: 2015-08-26T13:05:48+00:00
Artifact source: FILE Mactime Bodyfile
Data: C:/ProgramData/Mozilla/svchost.exe (deleted)
21.
When?
Malware: Dridex
Timestamp: 2015-08-25T14:00:08.396076+00:00
Artifact source: Registry hive
Data: [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Reading Locations\Document 6] C:\Users\morag\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZOZN2DEX\Inv_26949_from_I__SPI_Ltd_7888.doc
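The "How?" and "When?" slides above come down to one working step: merge file and registry artifacts into a single master timeline, look first at the dropper locations the deck names (Content.Outlook, Temp files, ProgramData), and trust registry timestamps over file timestamps. The script below is an added example, not code from the CSIS deck or from log2timeline; the artifact rows are constructed (the first two mirror the Carbanak and Dridex slide tables, the Run key and tmp7F3A.exe rows are invented) and the one-year age threshold is an assumed heuristic.

```python
from datetime import datetime, timezone
import re

# Constructed rows in the deck's (timestamp, source, data) layout; first two mirror the slides.
ARTIFACTS = [
    ("2015-08-26T13:05:48+00:00", "FILE Mactime Bodyfile",
     r"C:\ProgramData\Mozilla\svchost.exe (deleted)"),
    ("2015-08-25T14:00:08.396076+00:00", "Registry hive",
     r"[HKCU\Software\Microsoft\Office\15.0\Word\Reading Locations\Document 6] "
     r"C:\Users\morag\AppData\Local\Microsoft\Windows\Temporary Internet Files"
     r"\Content.Outlook\ZOZN2DEX\Inv_26949_from_I__SPI_Ltd_7888.doc"),
    ("2015-08-25T14:00:35+00:00", "Registry hive",
     r"[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Updater = "
     r"C:\Users\morag\AppData\Local\Temp\Low\tmp7F3A.exe"),
    ("2009-07-14T01:14:23+00:00", "FILE Mactime Bodyfile",
     r"C:\Users\morag\AppData\Local\Temp\Low\tmp7F3A.exe"),
]

# Dropper locations the deck says to check first: Outlook attachment cache,
# executables under Temp, binaries planted under ProgramData.
SUSPECT_PATH = re.compile(
    r"Content\.Outlook|\\Temp\\\S*\.(?:exe|dll|jar|swf|tmp|js)\b|\\ProgramData\\",
    re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\] .*? = (.+\.exe)", re.IGNORECASE)

def build_timeline(rows):
    """Sort all artifacts oldest-first; tag rows whose path looks dropper-like."""
    tl = [(datetime.fromisoformat(ts).astimezone(timezone.utc), src, data,
           bool(SUSPECT_PATH.search(data))) for ts, src, data in rows]
    return sorted(tl, key=lambda r: r[0])

def check_run_keys(timeline, max_age_days=365):
    """Trust the Run value's registry timestamp; a referenced file that is
    newer than the key, or far older, is a timestamp-manipulation candidate."""
    files = {data.lower().split(" (")[0]: ts
             for ts, src, data, _ in timeline if src.startswith("FILE")}
    findings = []
    for ts, src, data, _ in timeline:
        m = RUN_VALUE.search(data)
        if not m:
            continue
        target = m.group(1).strip().lower()
        fts = files.get(target)
        if fts is None:
            findings.append((target, "file missing from bodyfile"))
        elif fts > ts:
            findings.append((target, "file newer than Run key"))
        elif (ts - fts).days > max_age_days:
            findings.append((target, "file far older than Run key"))
    return findings
```

On the sample rows the Dridex document in Content.Outlook and the Temp executable are tagged, and the 2009 file timestamp behind a Run value written in 2015 is reported as a candidate for closer inspection.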
30.
Tools
• Data collector
• log2timeline
• rip.pl
• regdump.pl
• Maltego
• Virustotal
• Google
• Etc.
Tools (free)
Maltego
// Lots of possibilities, depending on the transforms.
// Example #1: toLocationCountry
31.
Tools (free)
Maltego
// Example #1: CSISCampaignNameFromIP
32.
Tools (free)
Maltego
// Example #1: CSISCampaignNameFromPhrase
54.
CIRK
Benefits
Find out
• What happened?
• When did it happen?
• How did it happen?
Unique forensic tool
• Works with both “malicious employee” and malware forensics
• Collect & analyze evidence quickly and securely
• Comply with legal authorities & regulations
• J-CAT integration
Managed cloud service
• Managed by specialists
• Analysis performed out-of-band
• Remote execution & no installation required
• SaaS: No hardware & software costs
55.
Learn more?
CSIS Academy: Fraud Analyst
Module 1: Threat assessment & landscape
• Full Circle Crime Model
• PC Malware
• Mobile Malware
• Introduction to Linux
Module 2: Fraud techniques & attacks
• Gathering intelligence
• “Lie to me”
• Hands-on exercises
Module 3: Fraud detection & prevention
• Spoofing techniques
• Fraud detection
• Forensics analysis
• Hands-on exercises
• Fraud prevention
56. Thank you
For more information, please contact
jka@csis.dk
www.csis.dk
REST ASSURED