Online fraud report_0611[1]


In May, Kaspersky Lab detected the first banking rootkit created to infect 64-bit systems. It was detected after an attack carried out by Brazilian cybercriminals. See the RSA report on the subject.


FRAUD REPORT
SOPHISTICATED LOCAL PHARMING TROJAN TARGETS BRAZILIAN BANKS
June 2011

RSA recently analyzed a local pharming Trojan which we found to be a highly sophisticated piece of malware that goes as far as installing a driver to achieve its intended goal of stealing information. This is the first local pharming Trojan observed by RSA to have a driver at all.

A typical local pharming Trojan consists of standard malware strains that modify a victim's hosts file or intercept a machine's IP-resolution process. By changing the hosts file of a computer, specifically the IP address associated with a website, the victim is redirected to a phishing website set up to capture specific information, such as online banking credentials, which are then sent to the criminal.

The Trojan has been widely reported to be the first rootkit ever designed specifically to infect 64-bit operating systems. However, the Trojan does not in fact install a rootkit; rather, it installs a plainly visible malicious driver. Since rootkits by definition hide their very existence from the user, this driver cannot be classified as such. Any victim infected with this Trojan, dubbed Rootkit.Win32.Banker.dy (on 32-bit systems) or Rootkit.Win64.Banker.a (on 64-bit systems), will be able to see it in plain view in the list of currently loaded drivers.

This particular Trojan was targeted at online banking consumers in Brazil, as it changes the hosts file entries for a handful of Brazilian banks. Following is an overview of the Trojan's main functionalities based on analysis by RSA.

Modifies User Account Control
In order to gain administrator privileges, this local pharming Trojan tricks the User Account Control (UAC) mechanism (UAC exists on both 64-bit and 32-bit systems, including Windows Vista and Windows 7), which enables the Trojan to silently install its driver at a later stage of its execution. When running under an account with admin-level privileges on a system with UAC enabled, every attempt to modify the computer's settings results in a warning dialog box requesting the user's permission to perform the change. By disabling UAC, the Trojan removes this prompt.

When running under an account with only user-level privileges, every attempt to modify the computer's settings results in a dialog box requiring the user to authenticate as a user with administrative privileges. Disabling UAC does not change this behavior.

Disabling UAC only takes effect after a reboot, so the infected computer must be restarted. After the system reboots, the Trojan registers a batch file named aaa.bat. This batch file installs the malicious drivers and registers them to load on every system boot, all without intervention from the UAC mechanism.

Registers Fake Certification Authority
A certificate authority (CA) vouches for the identity of a website by signing its HTTPS certificate, and a browser trusts any certificate that chains to a CA in the machine's trusted root store. A fake CA planted in that store is therefore a deceptive mediator that can claim a site is trustworthy when it is not. In this Trojan's case, the fake CA has signed the HTTPS certificate presented by the phishing pages, so the victim's infected machine accepts it and the phishing website displays the padlock icon normally associated with trusted HTTPS connections. Under normal circumstances the icon is reserved for sites whose certificates were issued by a genuine CA. The Trojan's authors went to the length of registering a fake CA in the Windows Registry (the machine's certificate stores live under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates) to lend credibility to the phishing pages presented by the malware. The practical consequence is that neither the address bar nor the padlock can be relied on by a victim of this Trojan: the hosts file sends the browser to the criminals' server under the bank's real hostname, and the planted root makes the connection look secure.

Installs 32-bit or 64-bit Driver
As mentioned above, an interesting aspect of this Trojan, which we have yet to see in other advanced Trojans such as Zeus and SpyEye, is its ability to install a driver specifically tailored to run on 64-bit systems. Depending on the infected system, the Trojan installs either a 32-bit or a 64-bit driver. The driver's main objectives are to alter the hosts file and register a fake certificate authority on the infected computer. Note that 64-bit Windows (Vista onward) loads only signed kernel-mode drivers, a hurdle that the analysis above does not address.

Changes Hosts File
On Windows, and by default on most other operating systems, the hosts file takes priority over DNS resolution: if a given host name is listed in the hosts file, no DNS query is performed, and the IP address given there is used instead. (DNS is comparable to a phone directory in which website names are associated with IP addresses; a hosts file has the same use, but it resides on the machine itself rather than on a third-party server.) Consequently, by changing the IP address associated with the host names of targeted banks, the malware redirects victims to phishing sites instead of the user's intended destination.

Disables Security Plug-Ins
Customers of Brazilian banks are required to install security applications, such as GAS Technology, as one means of protecting online banking transactions. The Trojan's driver has been found to disable files that make up a mandatory security plug-in used by Brazilian banks; in one case, a DLL-based plug-in that functions as a browser helper object (BHO).

While protecting login is critical, fraudsters have developed technology capable of manipulating transactions after login has occurred. Transaction protection refers to an organization's ability to monitor and identify suspicious post-login activities, a capability most often provided by a risk-based fraud monitoring solution. Transactions typically require more scrutiny and pose more risk than the act of logging in to an account. For example, an unauthorized user might secure login access to an account, but the most risk is posed once a transaction is attempted, such as transferring money out of the account. A transaction protection solution will alert fraud investigation teams or challenge the user appropriately in these instances.
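The two artifacts this Trojan leaves behind that a responder can check offline are the hosts-file entries (Changes Hosts File above) and the planted root CA (Registers Fake Certification Authority above). The following Python script is an added example written for this page, not code from RSA or from the report, and it runs entirely on constructed samples embedded below. The bank hostnames in BANK_DOMAINS are hypothetical (the report names no domains), the 203.0.113.0/24 addresses are documentation space standing in for a phishing server, and the layout of a `certutil -store root` export is assumed from that tool's usual output.

```python
"""Offline triage for two local-pharming artifacts: bank hostnames pinned in the
Windows hosts file, and a root CA the machine's owner never installed."""
import ipaddress
import re

# Hypothetical watchlist; the report names no bank domains.
BANK_DOMAINS = {
    "bancoexemplo.com.br",
    "www.bancoexemplo.com.br",
    "internetbanking.exemplo.com.br",
}

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also treat the
# documentation block 203.0.113.0/24 (our stand-in phishing server) as private.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local_address(addr):
    """True for loopback, unspecified (0.0.0.0 blocklist style), link-local and RFC 1918."""
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return True
    return addr.version == 4 and any(addr in net for net in _RFC1918)


def parse_hosts(text):
    """(ip, hostname) pairs from hosts-file text; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        # one line may map several hostnames to the same address
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def suspicious_hosts_entries(text, watchlist=BANK_DOMAINS):
    """Flag hosts entries a pharming Trojan would add, as (ip, host, severity, reason).
    A watched bank hostname is reported whatever the address, because the hosts file wins
    over DNS; any other hostname pinned to an external address is reported at lower severity."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "high", "unparseable address"))
            continue
        if name in watchlist:
            findings.append((ip, name, "high", "bank hostname pinned in hosts file"))
        elif not is_local_address(addr):
            findings.append((ip, name, "medium", "hostname pinned to external address"))
    return findings


_SUBJECT_RE = re.compile(r"^Subject:\s*(.+)$")
_SHA1_RE = re.compile(r"^Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)$")


def parse_root_store(text):
    """(sha1_thumbprint, subject) pairs from `certutil -store root` style output (layout assumed)."""
    certs, subject = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SUBJECT_RE.match(line)
        if m:
            subject = m.group(1)
            continue
        m = _SHA1_RE.match(line)
        if m:
            certs.append((m.group(1).replace(" ", "").lower(), subject))
            subject = None
    return certs


def unexpected_roots(store_text, baseline_thumbprints):
    """Roots in the export whose thumbprint is not in the known-good baseline."""
    return [(t, s) for t, s in parse_root_store(store_text) if t not in baseline_thumbprints]


# Constructed hosts file; 203.0.113.45 stands in for the criminals' server.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net         # ad-blocker entry, benign
192.168.1.20    nas.lan
203.0.113.45    www.bancoexemplo.com.br bancoexemplo.com.br
203.0.113.45    internetbanking.exemplo.com.br
203.0.113.45    update.example.org      # not a bank, still pinned externally
"""

# Constructed certutil-style export: one known root and one that was never approved.
ROOT_STORE_SAMPLE = """\
================ Certificate 0 ================
Issuer: CN=Example Trusted Root CA, O=Example Trust Inc
Subject: CN=Example Trusted Root CA, O=Example Trust Inc
Cert Hash(sha1): 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44
================ Certificate 1 ================
Issuer: CN=Internet Banking Root, O=Constructed Sample
Subject: CN=Internet Banking Root, O=Constructed Sample
Cert Hash(sha1): de ad be ef de ad be ef de ad be ef de ad be ef de ad be ef
"""
KNOWN_ROOTS = {"112233445566778899aabbccddeeff0011223344"}
```

Calling suspicious_hosts_entries(HOSTS_SAMPLE) reports the three bank hostnames at high severity and update.example.org at medium, while the loopback, 0.0.0.0 and LAN entries pass; unexpected_roots(ROOT_STORE_SAMPLE, KNOWN_ROOTS) returns only the planted "Internet Banking Root". Comparing thumbprints rather than subject names matters because a rogue root is free to mimic a genuine CA's name. In an investigation, feed the functions the contents of %SystemRoot%\System32\drivers\etc\hosts and the output of certutil -store root.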
Phishing Attacks per Month
May 2011 marked a surprising 33 percent increase in the number of global phishing attacks identified by RSA, and a record for the most unique attacks identified in a single month. About four out of five phishing attacks in May were launched using hijacked websites.

[Figure: Phishing Attacks per Month, May 2010 to May 2011. Source: RSA Anti-Fraud Command Center. May 2011: 23,097 attacks, up from 17,376 in April 2011.]

Number of Brands Attacked
The increase in the number of phishing attacks was not the only substantial change observed in May. RSA witnessed a 25 percent increase in the number of attacked brands, suggesting criminals went after a wider variety of brands rather than consistently attacking the same brands. When compared year-over-year (May 2010), there was a 69 percent increase in the number of attacked brands.

[Figure: Number of Brands Attacked per Month, May 2010 to May 2011. Source: RSA Anti-Fraud Command Center. May 2011: 376 brands, up from 301 in April 2011 and 223 in May 2010.]

Segmentation of Financial Institutions Attacked Within the U.S.
Nationwide banks in the U.S. accounted for 3 out of 4 phishing attacks in May. The portion of phishing attacks targeting U.S. credit unions dropped three percentage points, and the portion of attacks against regional U.S. banks fell from 22 percent in April to just 12 percent in May.

Share of U.S. phishing attacks by type of institution (source: RSA Anti-Fraud Command Center):

Month     Nationwide banks   Regional banks   Credit unions
May 10    65%                29%              6%
Jun 10    68%                30%              6%
Jul 10    64%                32%              6%
Aug 10    65%                32%              3%
Sep 10    64%                30%              6%
Oct 10    65%                25%              10%
Nov 10    71%                19%              10%
Dec 10    74%                18%              8%
Jan 11    74%                15%              11%
Feb 11    76%                15%              9%
Mar 11    71%                18%              11%
Apr 11    63%                22%              15%
May 11    76%                12%              12%
Top Ten Hosting Countries
Since January 2010, the U.S. has been the top hosting country for phishing attacks, hosting 66 percent of all phishing attacks in May. In the last year, the countries that have consistently hosted the highest portion of phishing attacks have been the U.S., UK, Canada, Germany, France, Russia, and South Korea.

[Figure: share of phishing attacks hosted, May 2011: U.S. 66%, Canada 6.5%, United Kingdom 6%, Germany 5%, France 4%, Australia 4%, Russia 2.5%, South Korea 2%, Italy 2%, Colombia 2%.]

Top Ten Countries by Attack Volume
The U.S., UK, South Africa and India remained the top four countries targeted with the highest volume of phishing attacks in May. Malaysia, which appeared on the chart in April, was replaced by Colombia in May. In the last year, the U.S., UK, South Africa, Canada, the Netherlands, and Italy are the countries that have consistently endured the highest volume of phishing attacks.

[Figure: share of phishing attack volume by targeted country, May 2011: U.S. 50%, United Kingdom 28%, India 4.5%, South Africa 3.5%, Spain 3%, Canada 3%, Italy 2.5%, Netherlands 2.5%, Australia 1.5%, Colombia 1%.]

Top Ten Countries by Attacked Brands
The main change in May was Ireland being replaced by Brazil in the top ten countries whose brands were most targeted by phishing. Brands in the U.S., UK, India, and Australia continue to endure the majority of targeted phishing attacks.

[Figure: share of attacked brands by country, May 2011: U.S. 47.5%, United Kingdom 14.5%, India 7.5%, Canada 6%, Australia 5.5%, Italy 4.5%, Brazil 4%, United Arab Emirates 4%, France 3.5%, Colombia 3%.]
©2011 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their holders. JUNE RPT 0611