Banking Targeted Attack Techniques
Case I: Limbo 1.5
Limbo 1.5
Helper.XML
• Configuration file that contains the HTML code to inject.
• Defines one HTML injection per targeted institution.
• Optional parameters per injection (block, check, quan, content).
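The per-institution injection that Helper.XML drives, as an added example written for this page (not Limbo's code and not a reconstruction of the real Helper.XML): a small XML configuration keyed by bank URL is parsed, the configured HTML is spliced into a login form the victim is viewing, and a fingerprint check shows how a bank can tell the rendered page apart from the one it served. The XML schema, the marker attribute, the sample bank URLs and the login page are all constructed for illustration; the meaning of the block/check/quan parameters is not documented on the page and is not modelled.

```python
"""Added example (not code from the original deck): a minimal model of a
Limbo-style HTML injection driven by a per-institution XML configuration,
plus the check a bank can run against the result.

The schema (one <inject> per institution with a url prefix, an insertion
marker and CDATA content) is an assumption made for this example; the real
Helper.XML layout and the meaning of its block/check/quan parameters are not
documented on the page."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configuration. The marker attribute holds "</form>",
# escaped because a raw '<' is not allowed inside an XML attribute value.
CONFIG_XML = """<?xml version="1.0"?>
<helper>
  <inject url="https://login.examplebank.test/" marker="&lt;/form&gt;">
    <content><![CDATA[<label>ATM PIN</label><input name="pin" type="password">]]></content>
  </inject>
  <inject url="https://secure.otherbank.test/login" marker="&lt;/form&gt;">
    <content><![CDATA[<input name="maiden" placeholder="Mother's maiden name">]]></content>
  </inject>
</helper>
"""


def load_injects(xml_text):
    """Parse the configuration into (url_prefix, marker, html) rules."""
    rules = []
    for node in ET.fromstring(xml_text).findall("inject"):
        content = node.find("content")
        rules.append((node.get("url"), node.get("marker"), content.text or ""))
    return rules


def apply_injects(url, html, rules):
    """Return the page as the victim sees it: for the first rule whose URL
    prefix matches, splice the configured HTML in before the marker."""
    for url_prefix, marker, content in rules:
        if url.startswith(url_prefix) and marker in html:
            return html.replace(marker, content + marker, 1)
    return html  # no rule for this institution: page untouched


def page_fingerprint(html):
    """SHA-256 of the page text: what a bank-side script could report so the
    server can compare the rendered form against what it actually served."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed login page standing in for a real bank's form.
SAMPLE_PAGE = (
    "<html><body><form action='/login' method='post'>"
    "<input name='user'><input name='pass' type='password'>"
    "</form></body></html>"
)

if __name__ == "__main__":
    rules = load_injects(CONFIG_XML)
    seen = apply_injects("https://login.examplebank.test/", SAMPLE_PAGE, rules)
    print(seen)
    print("tampered:", page_fingerprint(seen) != page_fingerprint(SAMPLE_PAGE))
```

The injected field lands inside the bank's own form, so whatever the victim types into it is posted along with the real credentials; that is why a server-side comparison of fingerprints (or of the field list it receives) is the check worth running, not a signature on the Trojan.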
Helper.DLL
Keylogger Functionality
• Reads Windows Protected Storage (saved passwords).
• Deletes cookies.
• Drops the captured information into a text file.
• The format of the dump differs between variants.
Helper.DLL Variants
• New variants are released daily to evade signature detection by AV engines.
• Seeing 6 different variants in a single day is normal.
• The variants differ only slightly, as the Win32 API calls they make show.
• Point-and-click utility to create variants.
Helper.DLL
• Each infected PC is identified by a UID, which it uses to communicate with the Control Server and to receive commands from it.
Remote Control Panel
• Filter by COUNTRY, IP or UID.
• View captured logs, delete logs, execute commands, …
• Command execution and monitoring.
• Commands are queued in case the client is not connected.
Command executed on 12/3/2007 instructing the infected PCs to download “downloader”, which in turn downloads Trj/Spammer.ZO and Adware/Bravesentry.
• Infection logs and statistics.
• Approximately 2000 newly infected PCs per day.
• The Trojan is sold as a customized “kit”. We found several servers using this kit.
• Hidden password functionality.
• Utility to create and print credit cards.
• Stolen credit card data.
Case II: Sinowal
Sinowal
Custom-made Runtime Packer
• Not detected by our internal tools or by competing AVs.
• Unpacking utilities could not unpack it.
• While investigating manually, we found the typical packer OEP.
• Manually unpacking it reveals new control and communication servers.
• A few days later, a brand new and unknown packing algorithm appeared.
Remote “JIT” Monitoring Functionality
• Most Trojans embed the bank addresses to monitor and the HTML code to
inject within their binary. Sinowal instead asks its server for the injection at the moment the page is visited.
• How it works
1. Upon infection, inserts a “Shell” value into HKLM\...\Run pointing at
%ProgramFilesRoot%\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
2. Drops IBM00002.DLL and IBM00003.DLL into the same directory;
both are injected into the Explorer.exe process.
3. The infected client sends each visited URL, encrypted, to the malicious server.
4. The malicious server only responds to requests carrying a specific “User-Agent” string.
5. The malicious server responds with the HTML code to inject.
6. The unsuspecting user sees a modified bank login page.
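The six steps above as an added, offline simulation written for this page (not Sinowal's code and not the deck's): both sides of the exchange are plain functions, so the User-Agent gate and the URL-keyed response can be exercised without a network, and a small check over constructed Run-key values shows how steps 1 and 2 surface on an infected host. The User-Agent string, the URL encryption (a toy XOR), the monitored bank URL, the login page and the registry values are all assumptions made for the example; only the shape of the exchange follows the deck.

```python
"""Added example (not code from the original deck): a stand-in for the
Sinowal "JIT" exchange described in the six steps above, modelled offline.

Assumptions, labelled as such: the User-Agent string the server keys on, the
encryption of the visited URL (a toy XOR here), the monitored bank URL and
the registry sample are made up for illustration."""
import base64
import re

BOT_UA = "Mozilla/4.0 (compatible; ibm00003)"  # hypothetical gate string
XOR_KEY = b"\x5a\xa5\x3c"                        # toy key, not Sinowal's

# Constructed server-side table: monitored login URL -> HTML to inject.
INJECT_TABLE = {
    "https://online.examplebank.test/login":
        '<input name="card_pin" type="password" placeholder="Card PIN">',
}


def xor_encrypt(data, key):
    """Toy symmetric cipher; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def client_build_request(visited_url, user_agent=BOT_UA):
    """Step 3: the infected host reports the visited URL, encrypted, to the
    malicious server. Modelled as a dict of HTTP header/body fields."""
    body = base64.b64encode(xor_encrypt(visited_url.encode(), XOR_KEY)).decode()
    return {"headers": {"User-Agent": user_agent}, "body": body}


def server_handle(request):
    """Steps 4-5: answer only the expected User-Agent; for a monitored URL
    return the HTML to inject, otherwise an empty body."""
    if request["headers"].get("User-Agent") != BOT_UA:
        return 404, ""  # looks dead to a normal browser or a crawler
    url = xor_encrypt(base64.b64decode(request["body"]), XOR_KEY).decode()
    return 200, INJECT_TABLE.get(url, "")


def client_render(page_html, inject_html):
    """Step 6: splice the returned HTML into the login form before </form>."""
    if inject_html and "</form>" in page_html:
        return page_html.replace("</form>", inject_html + "</form>", 1)
    return page_html


# Steps 1-2 as the artifacts an investigator would look for on a host.
WEB_FOLDERS_DIR = "\\common files\\microsoft shared\\web folders\\"
IBM_NAME = re.compile(r"ibm0000\d\.(exe|dll)$", re.IGNORECASE)


def suspicious_run_entries(run_values):
    """Flag Run values whose command points at an ibm0000N binary under the
    Web Folders directory named in the deck. Input is a constructed
    {value_name: command} mapping, not a live registry read."""
    hits = []
    for name, cmd in run_values.items():
        path = cmd.strip('"').lower()
        if WEB_FOLDERS_DIR in path and IBM_NAME.search(path):
            hits.append(name)
    return hits


# Constructed sample of HKLM\...\Run values: one Sinowal-style, one benign.
SAMPLE_RUN = {
    "Shell": r'"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN))
    login = "<form action='/login'><input name='user'><input name='pass'></form>"
    req = client_build_request("https://online.examplebank.test/login")
    status, inject = server_handle(req)
    print(status, client_render(login, inject))
    # The same report with a browser User-Agent gets nothing back.
    print(server_handle(client_build_request("https://online.examplebank.test/login", "Mozilla/5.0")))
```

The User-Agent gate is the practical lesson: fetching the control server with a browser or a generic crawler returns nothing, so the list of monitored banks and the injected HTML can only be recovered by replaying the client's own request format, which is why unpacking the binary (to learn the server, the cipher and the header) came first in the investigation.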
Pedro Bustamante
Sr. Research Advisor
Thanks!!
Panda Research Blog:
http://research.pandasoftware.com