Posted on 29-Mar-2015

Advance of Bank Trojan

Nov 2005

2 – 2002 Symantec Corporation, All Rights Reserved

Current threat from Bank Trojans

Steals online banking information; typically usernames and passwords.

PWSteal.JGinko targets Japanese banks. (Trojan-Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend Micro])

These Trojans work closely and actively with Internet Explorer.


Submission increase

Symantec gets almost 2 million submissions per year.

The rate of submissions is increasing.

Are Bank Trojan submissions increasing?


PWSteal.Bancos submissions

Why have submissions decreased?


Bancos submissions vs. total Symantec submissions (chart; y-axis 0 to 3000 submissions)


How samples are collected

User submissions

Honey pot

Routine patrol of web sites (adware, spyware)

Brightmail

BBS


Japanese Banks vs. Bank Trojans

PWSteal.Bancos originally targeted Brazilian Banks.

Then, support was added for German and English Banks.

PWSteal.Jginko targets only Japanese Banks.

PWSteal.Jginko monitors 27 domains.

PWSteal.Bancos.T monitors 2746 domains.


PWSteal.Jginko domains

resonabank.anser.or.jp, btm.co.jp, ebank.co.jp

japannetbank.co.jp, smbc.co.jp, yu-cho.japanpost.jp

ufjbank.co.jp, mizuhobank.co.jp

shinseibank.co.jp, iy-bank.co.jp

shinkinbanking.com, shinkin-webfb-hokkaido.jp

shinkin-webfb.jp

And more, more, more


Other Bank Trojans also target regional banks

82bank.co.jp, akita-bank.co.jp

all.rokin.or.jp, toyotrustbank.co.jp

hyakugo.co.jp, chibabank.co.jp

fukuibank.co.jp, gunmabank.co.jp

hirogin.co.jp, hokugin.co.jp

joyobank.co.jp, nishigin.co.jp

And more, more, more


Security measures taken by Japanese Banks recently

Software Keyboard

Strong password requirements

Challenge and response with a one-time password

Phishing-mail countermeasures

Login restricted by IP address

SSL


Advantages of a Bank Trojan over a keylogger

These Trojans are not simple keyloggers (KeyLogger.Trojan).

Stealth techniques can be used

Intercepts transaction information

Silent download

Silent update


Bank Trojans are not KeyLogger.Trojan

Old keyloggers log keystrokes and send the logged data.

It is difficult to tell which application the user was typing into.

The log contains the user's typing errors (passeo[Back Space][Back Space]word).

It is difficult to tell when the user moved to a different input field.
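The two problems above (corrections in the log, and field changes the keylogger cannot see) are easy to show by replaying a keystroke log. The following is an added example, not code from the presentation; the token syntax ("[BS]", "[TAB]", "[ENTER]") and the two sample logs are constructed.

```python
"""Replay a raw keystroke log into per-field text.

Added example, not from the presentation. The token syntax ("[BS]",
"[TAB]", "[ENTER]") and the sample logs are constructed.
"""

BACKSPACE, TAB, ENTER = "[BS]", "[TAB]", "[ENTER]"


def tokenize(log: str) -> list:
    """Split a log into single characters and bracketed control keys."""
    tokens, i = [], 0
    while i < len(log):
        end = log.find("]", i) if log[i] == "[" else -1
        if end == -1:
            tokens.append(log[i])
            i += 1
        else:
            tokens.append(log[i:end + 1])
            i = end + 1
    return tokens


def replay(log: str) -> list:
    """Return the final text of each field, in the order the user moved
    through them: Backspace removes the last character of the current
    field, Tab starts a new field, Enter ends the form.

    Anything the keylogger cannot see (a mouse click into another field,
    a software keyboard, autofill) leaves no trace and is not modelled."""
    fields = [[]]
    for tok in tokenize(log):
        if tok == BACKSPACE:
            if fields[-1]:
                fields[-1].pop()
        elif tok == TAB:
            fields.append([])
        elif tok == ENTER:
            break
        else:
            fields[-1].append(tok)
    return ["".join(f) for f in fields]


# Constructed logs: the same login typed with Tab between the fields, and
# with a mouse click into the password field (invisible to the keylogger).
TYPED_WITH_TAB = "taro[TAB]passeo[BS][BS]word[ENTER]"
TYPED_WITH_MOUSE = "taropasseo[BS][BS]word[ENTER]"

if __name__ == "__main__":
    print(replay(TYPED_WITH_TAB))    # ['taro', 'password']
    print(replay(TYPED_WITH_MOUSE))  # ['taropassword']
```

The second log shows the attacker's problem: with a mouse click instead of Tab, user name and password run together and nothing in the log says where one ends. A form grabber inside the browser gets the final value of each named field at submit time and never has to guess.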


Stealth techniques used by Bank Trojans

Works with Internet Explorer.

A personal firewall does not block Internet Explorer's HTTP traffic, so code that runs inside IE (a BHO, an injected DLL, a layered service provider) inherits that permission.

Injects itself into another process.

A rootkit may hide the files or protect them from security software.

Hides its network traffic from the system to avoid detection.


Intercept transaction

These Trojans can hook specific procedure calls.

These Trojans can inject themselves into an application.

HTTPS does not help when the data is intercepted before it is encrypted (on the way out) or after it is decrypted (on the way in).


Silent download/ Silent update techniques

The Trojan may close the alerts from Windows Firewall.

Delete the Zone.Identifier setting (the stream that marks a file as downloaded from the Internet).

Add itself to the Authorized Applications list, bypassing the firewall.


Technique: Key Logging


Technique: Key Logging(2)


Technique: Inject

Task Manager can enumerate processes.

DLLs are never enumerated by Task Manager.

So what if IEXPLORE.EXE itself could be made to call LoadLibrary on the Trojan's DLL? The classic sequence, run from the Trojan's own process:

VirtualAllocEx: allocate a buffer inside the IE process for the DLL path

WriteProcessMemory: copy the path into that buffer

GetProcAddress: resolve LoadLibraryA in kernel32.dll (mapped at the same base in every process, so the address is valid inside IE too)

CreateRemoteThread: start a thread in IE with LoadLibraryA as its start routine and the buffer as its argument, so IE loads the DLL itself


Technique: BHO

A Browser Helper Object is an additional software component (a COM in-process DLL) that is loaded when Internet Explorer starts.

When a BHO sends data, it looks as if the data was sent by Internet Explorer.

The BHO cannot be seen with Task Manager: it is a DLL inside iexplore.exe, not a process of its own.


Loading BHO

How Internet Explorer loads and initializes helper objects.


Technique: BHO (2)


Technique: Intercept transaction


Secure Socket Layer is secure?

(diagram) Not secure: the data is picked up inside the browser. Secure: the data is encrypted, but only after that point.


Technique: Intercept transaction (2)


Technique: Intercept transaction (3)


Technique: Intercept transaction (4)


Technique: Intercept transaction (5)

The BHO sinks DWebBrowserEvents2 to learn when a page is ready, then reaches the page's forms through IHTMLDocument2 and attaches handlers to their events:

onmouseover

Whether the user pressed "A" or "A" was filled into the field (for example by a software keyboard), the value ends up in the field and can be read from there.

onsubmit: the field values are read when the form is submitted, before Internet Explorer encrypts them.


Technique: Silent download


Technique: Silent update


Technique: Silent update (2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Value: "<path to executable>:*:Enabled:<display name>", i.e. the skeleton ":*:Enabled:" with the program's path in front and a display name at the end
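Both persistence points on these slides, the registered BHOs (Technique: BHO) and the firewall's Authorized Applications list above, can be reviewed offline from a registry export. The following is an added example, not code from the presentation: it parses a .reg export, maps each BHO CLSID to the DLL its InprocServer32 key names, splits each AuthorizedApplications value into path, scope, state and name, and flags entries whose file lives in a user-writable directory. SAMPLE_REG is a constructed export (its CLSIDs and file names are made up), and the user-writable directory list is a triage heuristic chosen here, not a rule from the slides.

```python
"""Audit a .reg export for Browser Helper Objects and Windows Firewall
"authorized applications".

Added example, not from the presentation. SAMPLE_REG is a constructed
export: the CLSIDs and file names in it are made up.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Each value under FW_LIST_KEY is "<path>:<scope>:Enabled|Disabled:<name>".
# The path itself contains "C:", so the state keyword anchors the split.
FW_VALUE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)
# Triage heuristic (an assumption, not from the slides): code that a
# limited user could have dropped there deserves a second look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Reader\\ActiveX\\ReaderHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Documents and Settings\\taro\\Local Settings\\Temp\\ieupd.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\taro\\Application Data\\winupd.exe"="C:\\Documents and Settings\\taro\\Application Data\\winupd.exe:*:Enabled:Windows Update"
"""


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax used here: [key] headers, @="..."
    defaults, "name"="..." strings and "name"=dword:... values.
    Keys are lower-cased because the registry is case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def list_bhos(keys: dict) -> list:
    """Map each registered BHO CLSID to the DLL its InprocServer32 key names."""
    prefix = BHO_KEY.lower() + "\\"
    found = []
    for key in keys:
        if key.startswith(prefix):
            clsid = key[len(prefix):]
            server = keys.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {})
            found.append((clsid.upper(), server.get("@")))
    return found


def authorized_apps(keys: dict) -> list:
    """Split each AuthorizedApplications value into (path, scope, state, name)."""
    apps = []
    for value in keys.get(FW_LIST_KEY.lower(), {}).values():
        m = FW_VALUE.match(value)
        if m:
            apps.append((m["path"], m["scope"], m["state"].capitalize(), m["name"]))
    return apps


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def audit(text: str) -> dict:
    keys = parse_reg(text)
    bhos, apps = list_bhos(keys), authorized_apps(keys)
    flagged = [f"BHO {clsid} -> {dll}" for clsid, dll in bhos if dll and is_user_writable(dll)]
    flagged += [f"Firewall exception {path} ({name})" for path, _, state, name in apps
                if state == "Enabled" and is_user_writable(path)]
    return {"bho": bhos, "firewall": apps, "flagged": flagged}


if __name__ == "__main__":
    for line in audit(SAMPLE_REG)["flagged"]:
        print(line)
```

On a live machine the export comes from `reg export` of the two keys (plus HKEY_CLASSES_ROOT\CLSID for the lookups); the location heuristic is only a starting point, since a Trojan can just as well drop its DLL into system32, so the flagged DLLs still need a hash or signature check.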


Steal password


Challenge and response

User sends the user name; the Trojan relays it to the bank.

Bank answers with a random "Challenge".

User calculates the one-time password from the "Challenge" and sends it; the Trojan relays it.

Bank: accepted.

The Trojan answers the user with a fake error page and uses the authenticated session to transfer money.
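The exchange on this slide, and the reason the earlier "HTTPS is not secure if the data is intercepted before and after it is encrypted" point matters, as an added example that is not part of the presentation. The bank, its request format, the OTP scheme (HMAC-SHA256 over the challenge, six decimal digits), the account names and the Trojan's behaviour are all constructed; the transaction-bound OTP in the second run goes one step beyond the slide to show what does stop the rewrite.

```python
"""Challenge/response login against a man-in-the-browser Trojan.

Added example, not from the presentation. The bank, its HTTP-like
request format, the OTP scheme (HMAC-SHA256 over the challenge, six
decimal digits), the account names and the Trojan's behaviour are all
constructed to mirror the sequence on the slide.
"""
import hashlib
import hmac
import secrets


def compute_otp(secret: bytes, *parts: str) -> str:
    """One-time password: HMAC of the joined parts, reduced to 6 digits."""
    digest = hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Login with a random challenge, then transfers on the session.
    With sign_transactions=True a transfer also needs an OTP computed
    over the destination and amount (a transaction-bound OTP)."""

    def __init__(self, sign_transactions: bool = False):
        self.secrets = {"taro": b"constructed-token-seed"}
        self.balances = {"taro": 1000, "attacker": 0}
        self.challenges, self.sessions = {}, {}
        self.sign_transactions = sign_transactions

    def handle(self, req: dict) -> dict:
        path = req["path"]
        if path == "/login":                      # 1. user name -> random challenge
            self.challenges[req["user"]] = secrets.token_hex(8)
            return {"challenge": self.challenges[req["user"]]}
        if path == "/otp":                        # 2. one-time password -> accepted
            user = req["user"]
            expected = compute_otp(self.secrets[user], self.challenges.pop(user, ""))
            if not hmac.compare_digest(expected, req["otp"]):
                return {"status": "rejected"}
            token = secrets.token_hex(8)
            self.sessions[token] = user
            return {"status": "accepted", "session": token}
        if path == "/transfer":                   # 3. transfer on the logged-in session
            user = self.sessions.get(req.get("session"))
            if user is None or self.balances[user] < req["amount"]:
                return {"status": "rejected"}
            if self.sign_transactions:
                expected = compute_otp(self.secrets[user], req["to"], str(req["amount"]))
                if not hmac.compare_digest(expected, req.get("tan", "")):
                    return {"status": "rejected"}
            self.balances[user] -= req["amount"]
            self.balances[req["to"]] = self.balances.get(req["to"], 0) + req["amount"]
            return {"status": "ok"}
        return {"status": "rejected"}


class Trojan:
    """Sits inside the browser, between the user and the bank, after SSL.
    It relays the challenge/response untouched (it cannot compute the OTP
    without the user's secret) and rewrites the transfer that follows."""

    def __init__(self, bank: Bank):
        self.bank = bank

    def handle(self, req: dict) -> dict:
        if req["path"] == "/transfer":
            self.bank.handle(dict(req, to="attacker"))   # transfer money
            return {"status": "error", "page": "Service temporarily unavailable"}  # fake error page
        return self.bank.handle(req)


def user_session(server, user: str, secret: bytes, to: str, amount: int, tan=None) -> dict:
    """What the legitimate user does: answer the challenge, then transfer."""
    challenge = server.handle({"path": "/login", "user": user})["challenge"]
    login = server.handle({"path": "/otp", "user": user, "otp": compute_otp(secret, challenge)})
    if login["status"] != "accepted":
        raise RuntimeError("login failed")
    req = {"path": "/transfer", "session": login["session"], "to": to, "amount": amount}
    if tan is not None:
        req["tan"] = tan(to, amount)   # computed for the transfer the user intends
    return server.handle(req)


def demo(sign_transactions: bool = False):
    """Run the slide's scenario through the Trojan; return (what the user
    saw, final balances)."""
    bank = Bank(sign_transactions)
    secret = bank.secrets["taro"]
    tan = (lambda to, amount: compute_otp(secret, to, str(amount))) if sign_transactions else None
    resp = user_session(Trojan(bank), "taro", secret, to="landlord", amount=300, tan=tan)
    return resp["status"], dict(bank.balances)


if __name__ == "__main__":
    print(demo(False))  # ('error', {'taro': 700, 'attacker': 300})
    print(demo(True))   # ('error', {'taro': 1000, 'attacker': 0})
```

The first run is the slide: the challenge/response proves the user holds the secret, but it only authenticates the session, and the Trojan never needs the secret because it lets the user log in and then acts on the session. In the second run the OTP also covers the destination and amount, so the rewritten transfer fails; the user still sees the fake error page and the intended transfer never happens, but no money moves.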

Thank You!

Hiroshi Shinotsuka

Hiroshi_Shintosuka@symantec.com