[cb16] background story of "operation neutralizing banking malware" and highly developed...
Post on 12-Jan-2017
Copyright© 2016 SecureBrain Corporation, All rights reserved.
Behind “Operation Banking Malware Takedown” and the Progression of Malware Sophistication
CODE BLUE 2016, 2016.10.20 - 21
Kazuki Takada, SecureBrain Corporation
http://www.securebrain.co.jp
Profile
• Kazuki Takada
• SecureBrain Corporation
• Software Engineer. My regular work is software development. Sometimes I work as a security researcher (sometimes that is the main work…).
Background
Question
What’s this number?
3073000000
Answer
Amount of fraudulent Internet banking money transfers in Japan in 2015:
¥3,073,000,000 (about $30 million)
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
Internet Banking Fraud in Japan
2013: $14 million
2014: $29 million
2015: $30 million
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
IPA Top Security Threat List
• Top 10 Security Threats for 2016.
Overview of “Operation Banking Malware Takedown”
Operation Banking Malware Takedown
http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm
Operation Banking Malware Takedown
[Diagram labels: Victim PC, C&C Server, MPD, Distribution, Bank web server, Threat Disabled]
MPD : Metropolitan Police Department
The target is “VAWTRAK”
*Other names: Neverquest, Snifula
(image: https://www.flickr.com/photos/arenamontanus/2125942630)
VAWTRAK
What’s VAWTRAK
• VAWTRAK has been around in Japan since 2014.
• Rewrites MITB communication content
– Browser injection process (IE, Firefox, Chrome)
• Executes the following during Internet Banking
– Falsifies banking credential information
– Semi-automatic fraudulent money transfer
What’s MITB?
MITB = Man In The Browser
[Diagram labels: Victim PC, Browser, VAWTRAK, Injection, Rewrite HTML, Dummy Screen…etc., Web server]
What’s happened? (1)
[Diagram labels: User PC, VAWTRAK infection, Configuration data stored in the Registry, C&C server, Manipulation server, Bank Web server]
What’s happened? (2)
[Diagram labels: User PC, VAWTRAK, Request, C&C server, Manipulation server, Bank Web server]
Original content:
<html><head>
<title>Internet Banking</title>
Injection: <script src=“….”>
What’s happened? (3)
[Diagram labels: User PC, VAWTRAK, C&C server, Manipulation server, Bank Web server]
User PC requests the malicious JavaScript from the Manipulation server, then downloads and executes it.
Page content after injection:
<html><head>
<title>Internet Banking</title><script src=“….”>
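The symptom of the injection shown above is a `<script src>` tag in the bank's page that loads from a host the bank never uses. The following is an added example (not code from the talk or from SecureBrain) of the check an analyst or a bank's page-integrity monitoring would run over a captured page: it resolves every script src against the page URL and reports the ones whose host is neither the bank's own nor on an allow-list. The sample pages and the host names (`bank.example`, `injected.example`) are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages, not captured from any real bank.
CLEAN_PAGE = """<html><head>
<title>Internet Banking</title>
<script src="/static/app.js"></script>
</head><body>...</body></html>"""

INJECTED_PAGE = """<html><head>
<title>Internet Banking</title>
<script src="/static/app.js"></script>
<script src="https://injected.example/inj.js"></script>
</head><body>...</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def foreign_scripts(page_html, page_url, allowed_hosts=()):
    """Return the script src values that load from a host the page should not use.

    page_url is the URL the HTML was served from; relative and protocol-relative
    src values are resolved against it before the host is compared, so an
    injected "//other.host/x.js" is not mistaken for a same-origin script.
    """
    own_host = urlsplit(page_url).netloc.lower()
    allowed = {own_host} | {h.lower() for h in allowed_hosts}
    parser = ScriptSrcCollector()
    parser.feed(page_html)
    parser.close()
    suspicious = []
    for src in parser.srcs:
        host = urlsplit(urljoin(page_url, src)).netloc.lower()
        if host not in allowed:
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    url = "https://bank.example/ib/login"
    print("clean   :", foreign_scripts(CLEAN_PAGE, url))
    print("injected:", foreign_scripts(INJECTED_PAGE, url))
```

The check only sees what reaches the DOM, so it must run on a capture taken from the infected browser (or be shipped by the bank as part of the page); the page as served by the bank's web server is unchanged, which is the whole point of MITB.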
What’s happened? (4)
[Diagram labels: User PC, VAWTRAK, C&C server, Manipulation server, Bank Web server]
Injected screen asks for: Code number, User account information (*******), “Send” button
Operation Banking Malware Takedown
A chance for collaboration
Semi-automatic remittance fraud
[Screenshot of a dummy bank screen: “ABC Direct main menu”, “Customer number”, “One-time password”, Copyright ABC Bank Co.,Ltd All Right Reserved]
The fraudulent money transfer procedure is executed from the victim PC while the user is waiting for a progress bar to finish.
Request flow
[Sequence diagram; participants: Victim PC, Bank, Manipulation server. Steps in order: Login; Login screen / Login process; Login credential info. (sent to the Manipulation server); Account info screen; Tap balance info / Balance info.; Money transfer info & amount of transfer; Money transfer process; Progress bar shown to the user; display some input screen if necessary]
http://www.slideshare.net/MasataNishida/avtokyo2014-obsevation-of-vawtrakja
Tried to send the same request as the malicious JavaScript
[Screenshot labels: Beneficiary Information, Amount of Transfer (upper limit / lower limit)]
Collaboration with Metropolitan Police Department (MPD)
• Shared with the Metropolitan Police Department (MPD) the beneficiary account information that SecureBrain collected by researching the Manipulation server.
• MPD prevented illegal money transfers by utilizing the beneficiary account information.
Metropolitan Police Dept. and SecureBrain made a cooperative agreement
Collaboration with Metropolitan Police Department (MPD)
• MPD holds the domain of the C&C server.
• The domain name was obtained using regular procedure.
• They watched the communication between VAWTRAK and the C&C server.
• They identified 82,000 victim clients worldwide, with 44,000 clients located in Japan.
MPD considered distributing new “Configuration data” for the takedown.
Technical overview
[Diagram labels: Victim PC, C&C Server, MPD, Distribution, Bank Web server, No longer under threat]
• MPD: get the domain and put it under control
• SecureBrain: provide the neutralization data generation tool
Who is in charge of each technology...
Metropolitan Police Department
• Obtain control of the C&C server and construct the data distribution server.
• Testing
SecureBrain
• Development of the “Command” and “Configuration data” generation tool. It uses a decryption technique for VAWTRAK.
• Investigate the type of data required to neutralize VAWTRAK.
Development of neutralization technique
Feature available for a takedown of VAWTRAK (bot)
[Diagram labels: C&C Server, Victim PC]
• The bot polls the C&C server every minute.
• While it has an effective (working) connection, it does not communicate with other C&C servers.
Command
Identified 20 commands, including:
• Configure data
• Download and execute file
• Shutdown, reboot
• Steal Cookie
• Steal CertStore
• Start and Stop Socks server
• Start and Stop VNC server
• Update
• Registry operations
...etc...
Configuration data
[Diagram: Decrypted Configuration data contains replace data for communicating with the manipulation server, the Target URL, and the malicious code for injection]
Component of Configuration data
Name: Meaning
inject type: Type of injection
browser: Target browser
pattern match: Pattern type to match URL
URL: Target URL
string2: Target string
string3: Replace string
string4: Insert string
inject type
Identified 18 inject types, including:
• Close connection
• Screen capture
• Insert before
• Insert after
• Replace URL
• Replace host
• Replace string
...etc...
browser / pattern
browser
• Internet Explorer
• Firefox
• Chrome
pattern
Type: Meaning
strstr: strstr function (substring match)
strcmp: strcmp function (exact match)
regexp: Regular expression
Let’s check the “Configuration data” again.
Configuration data (example 1)
Type: Meaning
inject type: insert before
browser: IE, Firefox, Chrome
URL: Target URL (Regular expression)
string2: Target string
string3: -
string4: JavaScript for Injection
Configuration data (example 2)
Type: Meaning
inject type: replace URL
browser: IE, Firefox, Chrome
URL: Target URL
string2: Target string
string3: URL for replace
string4: -
About generation tool
• Execution check environment
– Linux OS
– Python 2.7.x
• The tool generates the binary data which VAWTRAK reads as input for Command and Configuration data.
• Because the output data is delivered by the C&C server and read by VAWTRAK, the bot’s configuration is renewed.
Generating flow of Configuration data
1. Raw configuration data (JSON format)
2. CRC32 computed from the raw configuration data
3. Compression process (aPLib)
4. Encryption process (XOR)
5. Encrypted configuration data (binary)
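The flow above (raw JSON, CRC32 over it, compression, XOR) is a generic checked envelope, and the same steps in reverse are what an analyst's unpacker does before the configuration can be read. The following is an added example, not the talk's generation tool and not SecureBrain's code, that carries the flow through in both directions. Three things are labelled assumptions because the slide does not give them: the header layout (a 4-byte little-endian CRC32 in front of the compressed body), zlib standing in for aPLib (aPLib is not in the Python standard library), and the XOR key, which is a constructed value. The unpacker rejects a blob when the CRC32 does not match the decompressed payload, which is what makes a corrupted or wrongly keyed blob fail loudly instead of yielding a garbage configuration.

```python
import json
import struct
import zlib

# Constructed example key (assumption; not VAWTRAK's key).
XOR_KEY = b"\x5a\xa5\x0f\xf0"

# Constructed raw configuration in the JSON shape the slides describe.
RAW_CONFIG = json.dumps([
    {"inject type": "replace URL", "browser": ["IE"], "pattern match": "strstr",
     "URL": "bank.example/login", "string2": "/static/app.js",
     "string3": "", "string4": ""},
]).encode()


def xor_bytes(data, key=XOR_KEY):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_config(raw, key=XOR_KEY):
    """raw JSON -> CRC32 header + compressed body -> XOR -> binary blob.

    Assumed layout: 4-byte little-endian CRC32 of the raw data, then the
    compressed body. zlib is used where the talk names aPLib.
    """
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    body = zlib.compress(raw)
    return xor_bytes(struct.pack("<I", crc) + body, key)


def unpack_config(blob, key=XOR_KEY):
    """Reverse pack_config, rejecting blobs whose CRC32 does not match the payload."""
    if len(blob) < 4:
        raise ValueError("blob too short for a CRC32 header")
    plain = xor_bytes(blob, key)
    (expected_crc,) = struct.unpack("<I", plain[:4])
    try:
        raw = zlib.decompress(plain[4:])
    except zlib.error as exc:
        # Wrong key or corrupted body: the decompressor cannot parse the stream.
        raise ValueError("decompression failed: %s" % exc) from exc
    if zlib.crc32(raw) & 0xFFFFFFFF != expected_crc:
        raise ValueError("CRC32 mismatch: payload corrupted or wrong key")
    return raw


if __name__ == "__main__":
    blob = pack_config(RAW_CONFIG)
    print("blob bytes:", len(blob))
    print("round trip:", json.loads(unpack_config(blob))[0]["inject type"])
```

When unpacking a real sample the three assumptions have to be replaced by what the binary actually does (header layout, the compressor, and the key it derives), which is exactly the decryption technique the talk says the generation tool relies on.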
Demo
• Control of VAWTRAK
Experiment sandbox environment
[Diagram labels: Dummy C&C Server, Mac OSX, VMware, Victim PC, Internet]
Host machine: Mac OSX 10.10
Dummy C&C: Ruby 2.0 + Sinatra
Victim PC: Various Windows (XP and later)
Browser: Internet Explorer, Chrome, Firefox
The body of neutralization data
Effect of the takedown operation
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
Discussion
• Damage by VAWTRAK increased from mid-2013, but decreased after the operation.
• Because the police carried out the operation, it may have had a psychological effect on the attacker as well as a technical one.
• There are some problems. For example, the domain has to be obtained beforehand.
The Progression of Malware Sophistication
Major malware in 2016
ROVNIX (other name: Cidox)
URLZONE (other names: Shiotob, Bebloh)
VAWTRAK (New) (other names: Neverquest, Snifula)
URSNIF (other name: Gozi)
[Diagram: Group A: ROVNIX, target 30 (= Malicious JavaScript); Group B: URLZONE, VAWTRAK (New), target 30 (= Malicious JavaScript)]
The attack method of MITB is almost the same.
What changes?
Point
• Prevent rewriting of the malware’s communication with the C&C server
– The private key for “Serpent” is encrypted with the public key encryption system RSA-2048.
– ROVNIX signs the contents of the communication with RSA-2048.
• Malware is updated frequently
– Detection by pattern matching becomes more difficult
– It can inject even into the latest browsers.
• Various communication methods
– Both HTTP and UDP P2P communications are used to get Configuration data.
• Sophistication of malicious JavaScript
Sophistication of malicious JavaScript (1)
Request flow
[Sequence diagram; participants: Victim PC, Bank, Manipulation server. Steps in order: Login; Login credential info. (sent to the Manipulation server); Login process / Login screen; Remittance process; Request of settlement info.; Dummy screen of security software shown to the user; Settlement info; display some input screen as necessary]
Discussion
• Prevents rewriting of its communication.
• Multiplexes the communication channel.
• Concealed information is processed on the server.
Security for maintaining the attack activity is strengthened.
Conclusions
Conclusions
• It is very important that the police take the lead in a takedown operation.
• The reaction of the attacker is very quick. We always have to think about new prevention techniques.
• It is difficult to simply apply the methods of this operation to sophisticated malware.
Effective takedown operation…
(image: https://www.flickr.com/photos/hackaday/4658391708)
It is essential for the government, the police, the judiciary, and the company to cooperate together.