The Threat of Banking Trojans:
Detection, Forensics, and Response
(Insights from a Bank CSIRT)
Marc Vilanova, e-la Caixa CSIRT
July 2nd, 2009
Agenda
• Who am I?
• What is a Banking Trojan?
• Sensitive Information Hijacking Attacks
• Incident Response life cycle
• Torpig: An example of HTML Injection Trojan
• Trojans’ detection parameters
• Conclusions
• Q&A
Who am I?
• My name is Marc Vilanova
• e-Crime Intelligence Analyst for e-la Caixa CSIRT
• Incident Response
– Phishing and its variants
– Banking Trojans
– 419 or Nigerian Scams
– Trade Mark Abuse
– Mobile Malware …
• Memberships
– FIRST (Forum of Incident Response and Security Teams)
– APWG (Anti-Phishing Working Group)
– Various Security Mailing Lists …
• You can reach me at [email protected]
What is a Banking Trojan?
“A piece of malware that sits waiting for the user to access their online bank account in order to steal their sensitive information, such as login credentials or debit/credit card numbers, or to modify their money transactions on-the-fly.”
Well-known banking Trojans:
– Anserin / Torpig / Sinowal / Mebroot
– WSNPoem / Zbot / ZeuS
– Bancos / Banker / Infostealer
– SilentBanker
Sensitive Information Hijacking Attacks
Keylogging
“Attack which intercepts the user's keystrokes when entering a password, credit card number, or other information that may be exploited.”
Not directly implemented on all banking Trojans.
Sensitive Information Hijacking Attacks
HTML Injection
“Attack where the Trojan uses HTML injection to add new form fields or entire Phishing websites in the users’ browser in order to convince them to provide personal information, additional user credentials or financial account information.”
Usually, the HTML code/templates are held on another server, distinct from the C&C.
Source: ThreatExpert
Sensitive Information Hijacking Attacks
Man-in-the-Browser
“An approach similar to MiTM where the Trojan has the ability to modify pages, transaction content or insert additional transactions on-the-fly, all in a completely covert fashion invisible to both the user and host application.”
• Common facilities provided to enhance browser capabilities are used, such as Browser Helper Objects (IE), Extensions (Firefox), API hooking (MiTM between the executable and its libraries) and UserScripts (JavaScript).
• It does not matter what mechanisms, such as SSL/PKI and/or two- or three-factor authentication solutions, are in place: none of them can defend the user.
• Attacks work at the transaction level, not at the authentication level.
Incident Response life cycle
Detection → Forensics → Response
Incident Response life-cycle
Detection
Bank
• 24/7 Customer Service
• Web Servers Logs
• Malware Laboratory
Third Party Companies
• Malware and Forensic Analysis
• Anti-Virus
Others
• Financial Institution, CERT/CSIRT, and Malware Research and Analysis Communities
Incident Response life-cycle
Forensics
Static
• Disassembler and analysis of assembly language code, packer detection, interesting strings, etc.
• Safer, but limited compared with dynamic analysis
Dynamic
• File system, the registry, other processes, and network monitoring
• C&C domain names and IP addresses
• Trojans’ detection parameters
Incident Response life-cycle
Response
Bank
• Timely alerts based on Trojans’ detection parameters
• Trojan-infected customer detection during the session process
Third Party Companies
• Domain name [black|sink]holing and IP egress-traffic blocking
• Anti-Virus signatures
Torpig: An example of HTML Injection Trojan
User visits the bank website
Torpig: An example of HTML Injection Trojan
Trojan contacts the HTML injection server
Torpig: An example of HTML Injection Trojan
The Injection server responds with the HTML Phishing content
Torpig: An example of HTML Injection Trojan
The Phishing content is injected into the user’s web browser
Torpig: An example of HTML Injection Trojan
The stolen information is sent to the C&C server
Note: new fields, “bonificpwdXX” and “ourpin”, are added to the content of the POST request.
Trojans’ detection parameters
Trojan Name                  Detection Parameters
Anserin/Torpig/Sinowal       &bonificpwd=  &ourpin=  &login=Login  &t=  &p=
ZeuS                         &p=  &u=  &non=  &notredirect=
SilentBanker                 &pin=
MiTB (Unknown name)          _holder
Others                       &fuck=  &npass=  &n_coordenade=  &y=
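The check the Torpig slides and this table point to, as an added example that is not part of the presentation: fields that a login POST carries beyond what the bank's own form sends are matched against the families above, so the server side can raise the timely alerts the talk describes. The legitimate field set, the sample POST bodies and the reading of “bonificpwdXX” as a numbered suffix are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Signature table transcribed from the talk's "Trojans' detection parameters" slide:
# (regex on the parameter name, regex on the value or None). The "bonificpwdXX" note
# on the Torpig slide is read as a numbered suffix (assumption).
SIGNATURES = {
    "Anserin/Torpig/Sinowal": [(r"^bonificpwd\d*$", None), (r"^ourpin$", None),
                               (r"^login$", r"^Login$"), (r"^t$", None), (r"^p$", None)],
    "ZeuS": [(r"^p$", None), (r"^u$", None), (r"^non$", None), (r"^notredirect$", None)],
    "SilentBanker": [(r"^pin$", None)],
    "MiTB (Unknown name)": [(r"_holder", None)],
    "Others": [(r"^fuck$", None), (r"^npass$", None), (r"^n_coordenade$", None), (r"^y$", None)],
}

# Constructed: the fields the bank's own login form really sends. Anything else in a
# login POST was added in the browser, which is what the Torpig slides show.
LEGIT_LOGIN_FIELDS = {"username", "password", "lang"}

def unexpected_fields(body, legitimate_fields):
    """(name, value) pairs in a POST body that the bank's form never emits."""
    return [(n, v) for n, v in parse_qsl(body, keep_blank_values=True)
            if n not in legitimate_fields]

def attribute(fields):
    """Map unexpected fields to the Trojan families whose indicators they match."""
    hits = {}
    for family, sigs in SIGNATURES.items():
        matched = {n for n, v in fields
                   if any(re.search(nr, n) and (vr is None or re.search(vr, v))
                          for nr, vr in sigs)}
        if matched:
            hits[family] = sorted(matched)
    return hits

def analyse(body, legitimate_fields=LEGIT_LOGIN_FIELDS):
    """Unexpected names, per-family matches and the family with the most hits.
    Generic names such as p or t sit in several rows, so one hit is weak evidence."""
    extra = unexpected_fields(body, legitimate_fields)
    families = attribute(extra)
    top = max(families, key=lambda f: len(families[f])) if families else None
    return {"unexpected": [n for n, _ in extra], "families": families, "top": top}

if __name__ == "__main__":  # constructed sample bodies: injected login, then a clean one
    for body in ("username=jdoe&password=s3cret&lang=es&bonificpwd01=1234&ourpin=9876&login=Login",
                 "username=jdoe&password=s3cret&lang=es"):
        print(analyse(body))
```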
Conclusions
• Even before 2005, banking Trojans have been generating fraud against financial institutions around the world through different kinds of attacks.
• The continuous evolution and development of the techniques and methodologies used by malware creators leaves the common detection and protection systems still one step behind.
• As long as gangs are able to operate on the Internet, hosting their creations, the “Whack-a-Mole” game will continue. More effort should be put into prosecuting them.
• Malware creators use additional parameters that allow financial institutions to recognize them and to create timely alerts about Trojan-infected customers.
• Taking advantage of these additional parameters could lead financial institutions to prevent potential losses generated by these kinds of threats.
Q & A
Thank you!
Thank you very much!