Banking malware: ZeuS zombies are used in online banking theft

Post on 16-Jul-2015


TRANSCRIPT

Nahidul Kibria

Co-Leader, OWASP Bangladesh Chapter,Principal Software Engineer, Orbitax Bangladesh Ltd.

Writing code for fun and food. Security enthusiastic.

Twitter:@nahidupa

About OWASP

OWASP’s mission is “to make application security visible, so that people and organizations can make informed decisions about true application”

Attackers do not use black art to exploit your application.

www.owasp.org | Bangladesh Chapter

Financial Malware: ZeuS zombies are used in online banking theft.

The process of logging in to your banking account is getting more and more complicated.


Extra pin code


Show picture in login window


All of this is to save you …


ZeuS and SpyEye


ZeuS modifies the bank financial statement shown to the victim.

Zombies

In computer science, a zombie is a computer connected to the Internet that has been compromised.

Zombies are part of a botnet.

What Is a Botnet?


What Does a Botnet Do?


• First Generation: Internet Relay Chat (IRC) Protocol

• Second Generation: Peer-to-Peer (P2P) Protocol

• Third Generation: Hyper Text Transfer Protocol (HTTP)

• Hybrid: Mix of characteristics of different generations of botnets

Botnet evolution


So how does ZeuS bypass the security mechanisms you have in place?


Classical defense does not work

How does financial malware bypass anti-virus?

Let’s look at how most anti-virus products work.


Match the signature


ZeuS variant


It takes time to analyze a new binary.
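To make the last three slides concrete, here is an added example (my code, not from the talk) of what “match the signature” means and why a rebuilt variant slips past it. The three byte blobs are constructed stand-ins, not real ZeuS bytes: an original sample, the same code rebuilt with different offsets, and a rewritten routine. An exact SHA-256 rule catches only the file analysts have already seen; a YARA-style byte pattern with wildcards survives the rebuild; a rewritten routine defeats both until someone analyzes the new binary and ships a new rule, which is the delay the slide refers to.

```python
"""Hash signature vs. wildcard byte pattern on constructed binary stand-ins.

Added example; the blobs below are constructed and are not real malware.
"""
import hashlib
import re

# Constructed stand-ins for three binaries (a fake MZ header plus a few bytes).
HEADER = b"MZ\x90\x00" + b"\x00" * 8
# Original sample: call rel32 (E8 ..) followed by mov eax,[ebp+8] (8B 45 08).
ORIGINAL = HEADER + b"\xe8\x10\x00\x00\x00\x8b\x45\x08" + b"wininet.dll\x00"
# Same code rebuilt: the call displacement and stack offset have changed.
VARIANT = HEADER + b"\xe8\x20\x00\x00\x00\x8b\x45\x0c" + b"wininet.dll\x00"
# Rewritten routine: the direct call is gone (FF 15 = call [mem]), so the
# byte pattern no longer applies either.
REWRITTEN = HEADER + b"\xff\x15\x00\x10\x40\x00\x8b\x45\x0c" + b"wininet.dll\x00"


def sha256_signature(sample: bytes) -> str:
    """Exact-file signature: any single-byte change produces a new hash."""
    return hashlib.sha256(sample).hexdigest()


# Hash rule set: only files analysts have already processed are listed.
HASH_RULES = {sha256_signature(ORIGINAL): "ZeuS.sample.A"}

# Pattern rule, YARA-style "E8 ?? ?? ?? ?? 8B 45 ??" expressed as a bytes regex.
# The wildcards absorb the displacement and offset that change between builds.
PATTERN_RULES = {
    "ZeuS.pattern.call_mov": re.compile(rb"\xe8.{4}\x8b\x45.", re.DOTALL),
}


def match_hash(sample: bytes):
    """Return the hash rule name that matches, or None."""
    return HASH_RULES.get(sha256_signature(sample))


def match_pattern(sample: bytes):
    """Return the first byte-pattern rule that matches, or None."""
    for name, pattern in PATTERN_RULES.items():
        if pattern.search(sample):
            return name
    return None


def scan(sample: bytes) -> dict:
    """Run both rule types over one sample and report what fired."""
    return {"hash": match_hash(sample), "pattern": match_pattern(sample)}


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT), ("rewritten", REWRITTEN)):
        print(f"{label:10s} {scan(blob)}")
```

Running it shows the original hitting both rules, the variant hitting only the pattern rule, and the rewritten routine hitting neither; the pattern rule buys coverage across rebuilds, but every rule still has to be written after a sample has been analyzed.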


Two-factor authentication


We moved to PIN code generator devices.


Bypasses two-factor authentication


Evil vs. Good

Bot Spreading Mechanisms

• Browser Exploit Packs

• Drive-by-Download frameworks

• Spreaders

• USB Spreading

• Install-by-Install


Top 10 Web Threats: Prevalence Chart, Q3 2012

Propagation tactics

Facebook update scam leading to Zeus Trojan

Bogus SEO result for ‘MailMarshal’

Exploiting Web Hosting

• Several websites are hosted on a single server sharing one IP address

– DNS names are mapped virtually to the same IP


Exploitation


Exploiting Browsers/HTTP

– Man in the Browser

– Form grabbing

– Web Injects
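A web inject is the piece of the man-in-the-browser tactic that the earlier “extra PIN code” slides set up: the victim is used to banks asking for more, so a login form that suddenly wants a token PIN or card number looks normal. The added example below (my code, not from the talk) models that with two constructed HTML forms and a small integrity check that compares the fields actually present against the bank’s expected field list and form action. In a real deployment the server never sees the injected DOM; a check like this would have to run in the client (for example as an integrity script) or in a test harness that renders the page, and the expected field list is an assumption for the example.

```python
"""Flag form fields and actions a genuine login page should not contain.

Added example with constructed HTML; it is not code from the presentation.
"""
from html.parser import HTMLParser

# Constructed: the bank's genuine login form.
GENUINE_LOGIN = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed: the same form as a web inject would render it, with extra
# fields asking for the one-time PIN and card number.
INJECTED_LOGIN = """
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="otp" type="text" placeholder="Enter the PIN from your token">
  <input name="card_number" type="text">
  <input type="submit" value="Sign in">
</form>
"""

# Assumed baseline for the check: what the genuine page is known to contain.
EXPECTED_FIELDS = ("username", "password")
EXPECTED_ACTION = "/auth"


class FormFieldCollector(HTMLParser):
    """Collect named input fields and form actions from a page."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "form":
            self.actions.append(attributes.get("action", ""))
        elif tag in ("input", "select", "textarea") and attributes.get("name"):
            self.fields.append(attributes["name"])


def collect_form(html: str) -> FormFieldCollector:
    """Parse the page once and return the collected fields and actions."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser


def detect_inject(html: str, expected_fields=EXPECTED_FIELDS, expected_action=EXPECTED_ACTION) -> dict:
    """Compare the rendered form against the expected schema.

    Extra fields point to an inject harvesting more than the bank asks for;
    a foreign action points to a form being posted somewhere else.
    """
    parsed = collect_form(html)
    present = set(parsed.fields)
    return {
        "extra_fields": sorted(present - set(expected_fields)),
        "missing_fields": sorted(set(expected_fields) - present),
        "foreign_actions": [a for a in parsed.actions if a != expected_action],
    }


def is_suspicious(html: str) -> bool:
    """True when any deviation from the expected form schema is found."""
    return any(detect_inject(html).values())


if __name__ == "__main__":
    print("genuine :", detect_inject(GENUINE_LOGIN))
    print("injected:", detect_inject(INJECTED_LOGIN))
```

The genuine form produces empty lists; the injected form reports `otp` and `card_number` as extra fields. The same comparison would also catch a form whose action was redirected, since the action list is checked against the expected endpoint.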


Exploit Kit(s)

Lifecycle of a vulnerability

Symantec's chart shows a distribution of zero-day exploits based on how long they persist before being discovered. The average is close to 10 months.

Persistence and hiding activity

• Files and Directories

• Processes

• Registry Keys

• Services

• TCP/UDP ports

• Communication hiding (Covert Channels)

The technical name for this is a rootkit.


File hiding


Hiding the network traffic

• Cryptography - make the message unreadable

• Steganography - hide the message in another message

• Metaferography - hide the message in the carrier

Easy to design, hard to detect.

Covert Channels

• Clever use of network protocols

• Nearly undetectable

“They’ll never see me coming!”


So malware can become FUD (Fully Undetected).


Now you may think!!!


Mule Recruiting

• “Work From Home” scam

• Person is told they are working in a customer service or billing position

• Person uses their personal checking account to receive funds

• And after they do the wire transfer and are burned…

• …their identity is sold on the black market and they get burned a second time


I’m copying images from Google search.

Thanks all.


Subscribe to the mailing list: https://www.owasp.org/index.php/Bangladesh

https://www.facebook.com/OWASP.Bangladesh

Keep up to date!

Twitter: @nahidupa

Twitter: @owaspbangladesh
