malware's most wanted-zberp-the_financial_trojan
DESCRIPTION
Zbot + Carberp = Zberp, an online banking trojan that is reported to have impacted 450 financial institutions around the world in the first month since discovery. In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus, also known as Zbot, and Carberp. Add in the ‘invisible persistence’ feature and you have one nasty piece of malware.TRANSCRIPT
ZBERPInside a Financial Trojan
Your speakers today
Marion MarschalekSecurity Research Expert
Shelendra SharmaProduct Marketing Director
Agenda
o What is ZBERPo Dissecting the malwareo Wrap-up and Q&A
Cyph
ort L
abs
T-sh
irt
Threat Monitoring & Research team
________
24X7 monitoring for malware events
________
Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the security ecosystem
________
Contribute to and learn from malware KB
________
Best of 3rd Party threat data
Banking Trojans
How Malware Became Greedy
ZeusCitadelSpyEyeZitMoZeusVM/KINSCarberp... Zberp!
Source: https://www.mobigyaan.com
ZeusCitadelSpyEyeZitMoZeusVM/KINSCarberp... Zberp!
Source: https://www.mobigyaan.com
Source: https://zeustracker.abuse.ch/
ZeusVM / KINS
o Born December 2011o Sold as a kit since 2013o Heavily based on Zeus code
http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/
There Is No Honor Among Thieves
KINS + Carberp = Zberp?
Code injection
Hooking technique
Infection routine
VM code
Steganografic configuration
ZBERP
How Zeus and Kins and Carberp Merged
What Makes ZBERP
o Steganography o Invisible persistenceo SSL CnC Communication o VMProtect Featureo New Hooking implementation
System Infiltration
1. Drop executable in users %APP% folder
2. Create and execute a batch file to delete dropper
3. Maintain registry key for persistence
4. Inject payload to system processes
5. Download customized configuration
System Infiltration
1. Drop executable in users %APP% folder
2. Create and execute a batch file to delete dropper
3. Maintain registry key for persistence
4. Inject payload to system processes
5. Download customized configuration
ZEUS
1. Grab next opcode
2. Call opcode handler
Virtual Machine Code Execution
1. Grab next opcode2. Call opcode handler
Virtual Machine Code Execution
KINS
Steganographic Configuration
Steganographic Configuration
Steganographic Configuration
KINS
Invisible Persistence
Thread for managing autorun key
...
Invisible Persistence
Thread for managing autorun key
...KINS
Code Injection Technique
Suspend – Inject – ResumeExecutable injection
Code Injection Technique
Suspend – Inject – ResumeExecutable injection
CARBERP
„Man-in-the-browser“
ZBERP
„Man-in-the-browser“
Key Take-awaysHow to Stay Safe
Critical Questions
Zeus first appeared in 2007 – why are its derivates still so successful?
What is compromised on an infected machine?
How can mitigation be achieved?
Zeus‘ Success
Modularity.
Flexibility.
Persistence.
Potential Data Loss
Digital Identities
Critical Browser Data
Media
Sensitive Documents
Anything the botnet operator desires!
Conclusions
o Don’t underestimate Zeus and its descendants.
o Check for presence of unfamiliar network callbacks.
o Use a professional grade APT solution to detect these Trojans.
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!
