Rise of the Banking Trojans - it-secx - it-security … · 2014-11-10

RISE OF THE BANKING TROJANS

Subtitle Redacted



Z...

Whatever

Alternative Talk Title

ZEUS IS NOT DEAD YET

Actual Talk Title

\m/-.-\m/

http://www.sodahead.com/

Marion Marschalek

@pinkflawd

[email protected]

http://hqwallbase.com/28103-lego-stormtroopers-wallpaper-2560x1600

What is ZEUS?

Old.

Banking Trojan.

Data Stealer.

Open Source :)

2007

2010

2011

Source: http://securityblog.s21sec.com

ZEUS old but gold

Zeus

Citadel

SpyEye

ZitMo

ZeusVM/KINS

Zberp

http://forum.fr.grepolis.com/

ZEUS mode of operation

1. Drop executable in users %APP% folder

2. Create and execute a batch file to delete dropper

3. Maintain registry key for persistence

4. Inject payload to system processes

5. Download customized configuration

Registry Key

Infector

Decrypt & load DLL

Inject DLL

ZEUS mode of operation

Hell is infected with some

dark bastard of zeus hail

satan!!

E(DDIE)VASION TECHNIQUES

Weapons of match destruction!

Weapons of MATCH destruction!

ZEUS E(DDIE)VASION

%APP%\Uwirpa 10.12.2013 23:50

%APP%\Woyxhi 10.12.2013 23:50

%APP%\Hibyo 19.12.2013 00:10

%APP%\Nezah 19.12.2013 00:10

%APP%\Afqag 19.12.2013 23:29

%APP%\Zasi 19.12.2013 23:29

%APP%\Eqzauf 20.12.2013 22:23

%APP%\Ubapo 20.12.2013 22:23

%APP%\Ydgowa 20.12.2013 22:23

%APP%\Olosu 20.12.2013 23:03

%APP%\Taal 20.12.2013 23:03

%APP%\Taosep 20.12.2013 23:03

%APP%\Wokyco 16.01.2014 13:22

%APP%\Semi 17.01.2014 16:34

%APP%\Uheh 17.01.2014 16:34

E(DDIE)VASION on the system level

OpenProcess

Check AccessToken

WriteProcessMemory

CreateRemoteThread

Boom.

Domain Generation Algorithms

http://blog.malwaremustdie.org/

E(DDIE)VASION on the perimeter

E(DDIE)VASION on the binary level

Eddie In

The Browser

USER | BROWSER | BANK.COM

inject web content + grab user input

• Update URL & Config Backup URL

• Upload URL

• Injection Information

• URL Masks:

• For identifying websites to log

• For identifying websites to screenshot

• URL Mappings for Redirection

• IP/URL Mappings to insert to host file to override DNS lookups

CONFIGURATION

SUMMING IT UP

DROPPER kilf.exe

C&C SERVER

control communication and updates

DELETE SCRIPT KUQ9491.bat

ZBOT vogiap.exe

CONFIGURATION ehri.ofu

drop Zbot files

delete dropper

PROCESS explorer.exe

inject code

ZitMo Zeus in the Mobile

Zeus Infection

Installation of ZitMo

Social Engineering

Spying of Online-Banking credentials

Capture mTAN

Do Transaction

ZeusVM / KINS

Born December 2011

Sold as a kit since 2013

Heavily based on Zeus source code

http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/

Zeus VIRTUAL MACHINE

1. Grab next opcode

2. Call opcode handler

INVISIBLE PERSISTENCE

thread for managing autorun key

...

CONFIGURATION hiding in plain sight

http://blog.malwarebytes.org

Carberp

There is no honour among thieves:

“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory”

1.9GB Sources: http://krebsonsecurity.com/

ZBERP

+ =2

ZBERP?

ZBERP ..?

Infection Routine

Anti-Disassembly

Invisible Persistence

Graphical Configuration

Virtual Machine Execution

Encrypted C&C communication

Suspend-Thread Code Injection

Hooking Technique

ZEUS KINS

CARBERP

BRAVE NEW WORLD

NOW WHAT ABOUT DETECTIONS?

HUNTING ZEUS

1. Drive-by infections

2. Anomalies in network traffic

3. Threat intelligence feeds to follow C&Cs

4. File system & registry key changes

5. Watch your data
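Item 4 above, applied to the %APP% directory listing shown earlier in the deck, as an added example that is not part of the talk: a small Python heuristic that groups freshly created, letters-only directories under %APP% by creation minute and flags bursts of two or more, which is the pattern the listing shows. The function names, the KNOWN_GOOD allowlist and the two benign entries (Mozilla, Adobe) mixed into the sample are assumptions made for the example.

```python
"""Flag bursts of freshly created, randomly named directories under %APP%.
Heuristic rather than signature: a ZeuS-style dropper creates its payload
directory (often plus a second one) under a pseudo-random name, within a minute."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: entries from the talk's listing plus two benign
# directories (Mozilla, Adobe) added to show the allowlist at work.
SAMPLE_LISTING = """\
%APP%\\Uwirpa 10.12.2013 23:50
%APP%\\Woyxhi 10.12.2013 23:50
%APP%\\Mozilla 10.12.2013 23:50
%APP%\\Hibyo 19.12.2013 00:10
%APP%\\Nezah 19.12.2013 00:10
%APP%\\Adobe 15.01.2014 09:12
%APP%\\Wokyco 16.01.2014 13:22
%APP%\\Semi 17.01.2014 16:34
%APP%\\Uheh 17.01.2014 16:34
"""

LINE_RE = re.compile(r"^%APP%\\(?P<name>\S+) (?P<ts>\d\d\.\d\d\.\d{4} \d\d:\d\d)$")

# Assumed allowlist of directories expected under %APP%; tune per environment.
KNOWN_GOOD = {"mozilla", "adobe", "microsoft", "google"}

def parse_listing(text):
    """Return (name, created) tuples for every well-formed listing line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip headers and malformed lines
            created = datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M")
            entries.append((m.group("name"), created))
    return entries

def looks_generated(name):
    """Crude test for ZeuS-style names: short, letters only, not allowlisted."""
    return name.isalpha() and 4 <= len(name) <= 7 and name.lower() not in KNOWN_GOOD

def find_bursts(text, min_size=2):
    """Group suspicious directories by creation minute and return the
    bursts as {created: [names]} holding at least `min_size` entries."""
    by_minute = defaultdict(list)
    for name, created in parse_listing(text):
        if looks_generated(name):
            by_minute[created].append(name)
    return {ts: names for ts, names in by_minute.items() if len(names) >= min_size}
```

Calling find_bursts(SAMPLE_LISTING) returns the three minute-bursts from the sample (the lone Wokyco entry is not reported); on a real host, feed it a listing of the user's application data folder exported in the same name/timestamp format.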

Malware Kill Chain

Awareness | Behavior | Correlation | Intelligence | Encryption

LURE

EXPLOIT

INFECT

CALL HOME

STEAL DATA

RESOURCES

• Eddie Sources:

• http://www.guitarworld.com/photo-gallery-many-faces-iron-maidens-eddie

• http://maiden-world.com/articles/history-of-eddie.html

• http://ultimateclassicrock.com/iron-maiden-eddie-album-covers-retrospective/

• http://www.cyactive.com/zberp-baby-super-trojan/

• https://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

• http://www.fortiguard.com/legacy/analysis/zeusanalysis.html

• http://www.symantec.com/connect/blogs/brief-look-zeuszbot-20

• http://www.reuters.com/article/2007/07/17/us-internet-attack-idUSN1638118020070717

https://sunchaser.info/fun/ed-force-one.html

Thank you

[email protected]

@pinkflawd