Advance of Bank Trojan
Nov 2005
2 – 2002 Symantec Corporation, All Rights Reserved
Current threat from Bank Trojans
Steals online banking information; typically usernames and passwords.
PWSteal.JGinko targets Japanese banks. (Trojan-Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend Micro])
These Trojans work closely and actively with Internet Explorer.
Submission increase
Symantec gets almost 2 million submissions per year.
The rate of submissions is increasing.
Are Bank Trojan submissions increasing?
PWSteal.Bancos submissions
Why have submissions decreased?
Bancos submissions vs Total Symantec submissions. (chart; vertical axis 0 to 3000 submissions)
How samples are collected
User submissions
Honey pot
Web site routine patrol (Adware, Spyware)
Brightmail
BBS
Japanese Banks vs Bank Trojan
PWSteal.Bancos originally targeted Brazilian Banks.
Then, support was added for German and English Banks.
PWSteal.Jginko targets only Japanese Banks.
PWSteal.Jginko monitors 27 domains.
PWSteal.Bancos.T monitors 2746 domains.
PWSteal.Jginko domains
resonabank.anser.or.jp, btm.co.jp, ebank.co.jp
japannetbank.co.jp, smbc.co.jp, yu-cho.japanpost.jp
ufjbank.co.jp, mizuhobank.co.jp
shinseibank.co.jp, iy-bank.co.jp
shinkinbanking.com, shinkin-webfb-hokkaido.jp
shinkin-webfb.jp
And many more.
Other Bank Trojans also target rural banks
82bank.co.jp, akita-bank.co.jp
all.rokin.or.jp, toyotrustbank.co.jp
hyakugo.co.jp, chibabank.co.jp
fukuibank.co.jp, gunmabank.co.jp
hirogin.co.jp, hokugin.co.jp
joyobank.co.jp, nishigin.co.jp
And many more.
Security measures taken by Japanese Banks recently
Software Keyboard
Strong password requirements
Challenge and response with one-time encryption key
Prevent phishing mail
Login restricted by IP address
SSL
Advantage of Trojan over KeyLogger
These Trojans are not KeyLogger.Trojan.
Stealth techniques can be used
Intercepts transaction information
Silent download
Silent update
Bank Trojans are not KeyLogger.Trojan
Old KeyLoggers log key strokes and send logged data.
Difficult to know which application the user was using.
Logs user errors (passeo[Back Space][Back Space]word).
Difficult to know when the user changes to a different input field.
Stealth techniques used by Bank Trojans
Works with Internet Explorer.
Firewall does not stop the HTTP transactions of Internet Explorer. (BHO, Inject, layered service provider)
Injects itself into other processes.
A rootkit may hide files or protect them from security applications.
Hides its packet traffic from the system to avoid detection.
Intercept transaction
These Trojans can hook specific procedure calls.
These Trojans can inject themselves into an application.
HTTPS is not secure if the data is intercepted before it is encrypted or after it is decrypted.
Silent download/ Silent update techniques
Trojans may close Alerts from Windows Firewall
Delete Zone.Identifier settings
Add itself to Authorized Applications list, bypassing the firewall
Technique: Key Logging
Technique: Key Logging (2)
Technique: Inject
Task Manager can enumerate processes.
DLLs are never enumerated by Task Manager.
What if IEXPLORE.EXE calls LoadLibrary?
VirtualAllocEx
WriteProcessMemory
GetProcAddress
CreateRemoteThread
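As an added defender's check (not code from the Symantec deck), this PowerShell lists the DLLs loaded inside each iexplore.exe process, which Task Manager's process list does not show, and reports any module that is unsigned or loaded from outside the Windows and Program Files directories. It assumes an elevated prompt on the inspected host and a PowerShell of the same bitness as the process; the function name Get-UntrustedModules is my own.

```powershell
# Added example, not code from the Symantec deck: Task Manager shows processes,
# not the DLLs inside them, so enumerate the modules of iexplore.exe directly
# and flag any that are unsigned or loaded from outside the usual system paths.
# Assumes an elevated prompt and a PowerShell of the same bitness as the process.
function Get-UntrustedModules {
    param([string]$ProcessName = 'iexplore')

    # Directories from which legitimate browser and system DLLs normally load.
    $trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($module in $proc.Modules) {
            $path = $module.FileName
            $inTrustedDir = [bool]($trustedDirs |
                Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
            $status = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
            # A validly signed module in a system directory is expected; skip it.
            if ($inTrustedDir -and $status -eq 'Valid') { continue }
            [pscustomobject]@{
                ProcessId  = $proc.Id
                Module     = $module.ModuleName
                Path       = $path
                Signature  = $status
                TrustedDir = $inTrustedDir
            }
        }
    }
}

Get-UntrustedModules | Format-Table -AutoSize
```

Catalog-signed system DLLs can show as NotSigned on older hosts; the TrustedDir column separates those from modules loaded out of user-writable paths, which are the ones worth a closer look.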
Technique: BHO
A Browser helper object is an additional software component that is loaded when Internet Explorer starts.
When a BHO sends data, it looks like the data is sent by Internet Explorer.
The BHO can't be seen with Task Manager.
Loading BHO
How Internet Explorer loads and initializes helper objects.
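Because a BHO is loaded from its registry registration every time Internet Explorer starts, the registration itself is the place to audit. This added PowerShell (my example, not the deck's code) enumerates the registered Browser Helper Objects, resolves each CLSID to the DLL that backs it and checks that DLL's signature; the function name Get-RegisteredBHO is my own.

```powershell
# Added example, not code from the Symantec deck: list the Browser Helper
# Objects Internet Explorer will load at start-up and resolve each CLSID to
# the DLL behind it, so an unexpected BHO can be spotted before IE loads it.
function Get-RegisteredBHO {
    # 64-bit and 32-bit (WOW64) registration points for BHOs and their COM servers.
    $roots = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root.Bho)) { continue }
        foreach ($entry in Get-ChildItem -Path $root.Bho) {
            $clsid  = $entry.PSChildName
            $server = "$($root.Clsid)\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path -Path $server) {
                # The (default) value of InprocServer32 is the DLL path; expand %SystemRoot% etc.
                $raw = [string](Get-ItemProperty -Path $server).'(default)'
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            }
            $status = if ($dll -and (Test-Path -Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'DllMissing' }
            [pscustomobject]@{
                CLSID     = $clsid
                DLL       = $dll
                Signature = $status
                Hive      = $root.Bho
            }
        }
    }
}

Get-RegisteredBHO | Format-Table -AutoSize
```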
Technique: BHO (2)
Technique: Intercept transaction
Secure Socket Layer is secure? (diagram)
Pickup data: Not Secure
Encrypt data: Secure
Technique: Intercept transaction (2)
Technique: Intercept transaction (3)
Technique: Intercept transaction (4)
Technique: Intercept transaction (5)
DWebBrowserEvents2, IHTMLDocument2
Onmouseover
User presses "A", or "A" is filled into the field.
Onsubmit
Technique: Silent download
Technique: Silent update
Technique: Silent update (2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value: ":*:Enabled:"
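The AuthorizedApplications\List key above is also where a defender can look: each value is named by the program path and holds a string of the form path:*:Enabled:label. This added PowerShell (my example, not the deck's code) parses every entry and flags enabled exceptions whose program is unsigned or lives outside the Windows and Program Files directories; the function name Get-FirewallAuthorizedApps is my own, and the regular expression for the value format is my assumption from that layout.

```powershell
# Added example, not code from the Symantec deck: audit the Windows Firewall
# AuthorizedApplications list the slide names. Each registry value is named
# by the program path and holds "path:*:Enabled:label" (or Disabled).
function Get-FirewallAuthorizedApps {
    param([string]$Profile = 'StandardProfile')   # or 'DomainProfile'
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$Profile\AuthorizedApplications\List"
    if (-not (Test-Path -Path $key)) { return }

    $trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    $item = Get-ItemProperty -Path $key

    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath and friends
        $data = [string]$prop.Value
        # Lazy path match lets the drive letter's colon through; state must follow scope.
        if ($data -notmatch '^(?<path>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<label>.*)$') { continue }
        $path  = [Environment]::ExpandEnvironmentVariables($Matches.path)
        $inTrustedDir = [bool]($trustedDirs |
            Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
        $status = if (Test-Path -Path $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Program    = $path
            Scope      = $Matches.scope
            State      = $Matches.state
            Label      = $Matches.label
            Signature  = $status
            TrustedDir = $inTrustedDir
            # An enabled exception for an unsigned or oddly placed program deserves a look.
            Suspicious = ($Matches.state -eq 'Enabled' -and (-not $inTrustedDir -or $status -ne 'Valid'))
        }
    }
}

Get-FirewallAuthorizedApps | Where-Object Suspicious | Format-Table -AutoSize
```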
Steal password
Challenge and response (sequence diagram; the Trojan sits between the user and the bank)
User -> Trojan: Send user name
Trojan -> Bank: Send user name
Bank -> Trojan: Answer random "Challenge"
Trojan -> User: Answer "Challenge"
User -> Trojan: Calculate one-time password by "Challenge" and send it
Trojan -> Bank: Send one-time password
Bank -> Trojan: Accepted
Trojan -> User: Answer fake error page
Trojan -> Bank: Transfer money