Smartcard vulnerabilities in modern banking malware
DESCRIPTION
The past few years have seen rapid growth in threats targeting Russian remote banking systems (RBS): Shiz, Carberp, Hodprot, RDPdoor, Sheldor. Attackers steal huge sums, estimated at tens of millions monthly. The speakers describe their study of the most common banking malware and the vulnerabilities they found in the way two-factor authentication and smart cards are used. The talk also covers the techniques and tricks the attackers use for anti-forensics.
TRANSCRIPT
![Page 1: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/1.jpg)
Smartcard vulnerabilities in
modern banking malware
Aleksandr Matrosov
Eugene Rodionov
![Page 2: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/2.jpg)
Agenda
Evolution of Carberp distribution scheme
drive by downloads
detection statistics
Carberp modifications
the story of BK-LOADER
antiRE tricks
Banks attacking algorithms
Smartcard attacks
![Page 3: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/3.jpg)
Evolution of drive-by downloads: the Carberp case
![Page 4: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/4.jpg)
Exploit kits used in the distribution scheme
Impact, since 2010 (probivaites.in):
• Java/Exploit.CVE-2010-0840
• Java/Exploit.CVE-2010-0842
• Java/TrojanDownloader.OpenConnection
Blackhole, since 2011 (lifenews-sport.org):
• JS/Exploit.JavaDepKit (CVE-2010-0886)
• Java/Exploit.CVE-2011-3544
• Java/Exploit.CVE-2012-0507
• Java/Agent
Nuclear Pack, since 2012 (nod32-matrosov-pideri.org):
• Java/Exploit.CVE-2012-0507
![Page 5: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/5.jpg)
Blackhole drive-by download scheme
legitimate site → search vuln (TRUE / FALSE) → exploitation stage: /getJavaInfo.jar, /content/obe.jar, /content/rino.jar → dropper execution: /w.php?f=17&e=2
![Page 9: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/9.jpg)
Exploit kit migration reasons
1. most popular = most detected
2. frequently leaked exploit kit; most popular exploit kit for research
3. auto detections by AV-crawlers; non-detection period is less than two hours
![Page 10: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/10.jpg)
Blackhole migration to Nuclear Pack
![Page 11: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/11.jpg)
Nuclear Pack drive-by download scheme
legitimate site → check real user → search vuln (TRUE / FALSE) → exploitation stage: //images/274e0118278c38ab7f4ef5f98b71d9dc.jar → dropper execution: /server_privileges.php?<gate_id>=<exp_id>
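The two infection chains above (Blackhole: /getJavaInfo.jar, /content/*.jar, /w.php?f=N&e=N; Nuclear Pack: /images/<32 hex>.jar, /server_privileges.php?<gate_id>=<exp_id>) leave a recognisable sequence in web proxy logs. The following is an added example, not code from the talk or from ESET: it classifies proxy log lines by kit and stage and reports clients that fetched an exploit jar and then received a dropper. The log format, hostnames and log lines are constructed for the demonstration; the URL patterns are the ones on the slides.

```python
import re
from urllib.parse import urlsplit

# (kit, stage, pattern over "path?query"); patterns taken from the slide diagrams
RULES = [
    ("Blackhole", "java-fingerprint", re.compile(r"/getJavaInfo\.jar$")),
    ("Blackhole", "exploit", re.compile(r"/content/[A-Za-z0-9_]+\.jar$")),
    ("Blackhole", "dropper", re.compile(r"/w\.php\?f=\d+&e=\d+$")),
    ("Nuclear Pack", "exploit", re.compile(r"/images/[0-9a-f]{32}\.jar$")),
    ("Nuclear Pack", "dropper", re.compile(r"/server_privileges\.php\?[^=&]+=[^=&]+$")),
]

# constructed proxy log format: "<iso timestamp> <client ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return (kit, stage) when the URL matches a known exploit-kit stage, else None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for kit, stage, rx in RULES:
        if rx.search(target):
            return kit, stage
    return None


def scan_log(lines):
    """Parse log lines and keep only those that hit an exploit-kit rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict is None:
            continue
        hits.append({
            "ts": m["ts"], "client": m["client"], "status": int(m["status"]),
            "host": urlsplit(m["url"]).hostname, "kit": verdict[0], "stage": verdict[1],
        })
    return hits


def likely_infected(hits):
    """Clients that reached an exploit stage and then got a dropper (HTTP 200) from the same kit.
    A dropper request that was refused (the kit's gate returned FALSE, or a 404) is not counted."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(h)
    infected = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])       # ISO timestamps sort lexicographically
        seen_exploit = set()
        for e in events:
            if e["stage"] in ("exploit", "java-fingerprint"):
                seen_exploit.add(e["kit"])
            elif e["stage"] == "dropper" and e["status"] == 200 and e["kit"] in seen_exploit:
                infected[client] = (e["kit"], e["host"])
    return infected


# constructed sample log: one full Blackhole chain, one Nuclear Pack chain whose dropper
# request failed, and a benign jar under /images/ that must not match
SAMPLE_LOG = """\
2012-04-05T10:00:01 10.1.2.3 GET http://legit-news.example/index.html 200
2012-04-05T10:00:02 10.1.2.3 GET http://ek1.example/getJavaInfo.jar 200
2012-04-05T10:00:03 10.1.2.3 GET http://ek1.example/content/obe.jar 200
2012-04-05T10:00:05 10.1.2.3 GET http://ek1.example/w.php?f=17&e=2 200
2012-04-05T10:01:00 10.1.2.4 GET http://ek2.example/images/274e0118278c38ab7f4ef5f98b71d9dc.jar 200
2012-04-05T10:01:01 10.1.2.4 GET http://ek2.example/server_privileges.php?a1=3 404
2012-04-05T10:02:00 10.1.2.5 GET http://cdn.example/images/logo.jar 200
""".splitlines()

if __name__ == "__main__":
    for client, (kit, host) in likely_infected(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: dropper from {kit} at {host}")
```

The chain logic matters more than the individual patterns: a single matching URL is weak evidence (kit paths change with every leak), but fingerprint, exploit and dropper from one host within seconds is the sequence both diagrams describe.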
![Page 17: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/17.jpg)
BlackSEO & Nuclear Pack
![Page 18: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/18.jpg)
![Page 19: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/19.jpg)
Carberp detection statistics
![Page 20: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/20.jpg)
Carberp detection statistics by country (cloud data from ESET Live Grid; pie chart): Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world
![Page 21: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/21.jpg)
Carberp detections over time in Russia (cloud data from ESET Live Grid; chart of detection share, y-axis 0 to 0.18)
![Page 22: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/22.jpg)
Evolution of Carberp modifications
![Page 23: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/23.jpg)
Different groups, different bots, different C&C’s
Hodprot
D*****v
G***o
![Page 24: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/24.jpg)
Functionality by group (G***o, D*****v, Hodprot):
Dedicated dropper: Win32/Hodprot (Hodprot group)
Java patcher
Bootkit based on Rovnix
RDP backconnect: Win32/RDPdoor (two of the three groups)
TV (TeamViewer) backconnect: Win32/Sheldor (all three groups)
HTML injections: IE, Firefox, Opera (G***o); IE, Firefox, Opera, Chrome (D*****v, Hodprot)
Autoloads
Unique plugins: minav.plug, sbtest.plug, sber.plug (G***o); passw.plug, cyberplat.plug, ddos.plug (D*****v); killav.plug (Hodprot)
![Page 25: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/25.jpg)
Bot commands (G***o, D*****v and Hodprot bots):
ddos: download DDoS plugin and start attack
updatehosts: modify hosts file on infected system
alert: show message box on infected system
update: download new version of Carberp
updateconfig: download new version of config file
download: download and execute PE file
loaddll: download plugin and load into memory
bootkit: download and install bootkit
grabber: grab HTML form data and send to C&C
killos: modify boot code and delete system files
killuser: delete user Windows account
killbot: delete all files and registry keys
updatepatch: download and modify Java runtime
deletepatch: delete Java runtime modifications
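The updatehosts command is the one in this list a responder can check for without a sample: a hosts file rewritten by the bot either pins a bank's domain to an attacker-controlled address, so the client-bank URL resolves to a fake site, or sinkholes a security vendor's update domain to loopback. The following is an added example, not code from the talk: it parses a Windows hosts file and flags both kinds of entry. The hosts content is constructed, and the watched bank and vendor domains are assumptions a deployment would replace with its own list.

```python
import ipaddress

# constructed hosts file: two bank names pinned to one address, one vendor domain sinkholed
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
192.0.2.10      online.bank.example
192.0.2.10      www.bank.example        # added by the bot
127.0.0.1       update.av-vendor.example
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line number, ip, hostname) for every mapping; comments and junk lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address, so not a mapping line
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def suspicious_entries(entries, bank_domains, vendor_domains):
    """A bank domain pinned to any address is suspicious (it must resolve through DNS);
    a vendor domain pinned to a loopback or unspecified address is a sinkhole."""
    findings = []
    for lineno, ip, name in entries:
        if any(in_domain(name, d) for d in bank_domains):
            findings.append((lineno, name, str(ip), "bank domain pinned in hosts file"))
        elif (ip.is_loopback or ip.is_unspecified) and name not in LOOPBACK_NAMES \
                and any(in_domain(name, d) for d in vendor_domains):
            findings.append((lineno, name, str(ip), "update domain sinkholed"))
    return findings


if __name__ == "__main__":
    # on a live system read r"C:\Windows\System32\drivers\etc\hosts" instead of the sample
    for lineno, name, ip, reason in suspicious_entries(
            parse_hosts(SAMPLE_HOSTS), {"bank.example"}, {"av-vendor.example"}):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

The bank check deliberately fires on any address, including a correct one: a legitimate hosts file never needs to name a bank, so the presence of the entry is the indicator, not the value.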
![Page 26: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/26.jpg)
The Story of BK-LOADER from Rovnix.A to Carberp
![Page 27: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/27.jpg)
![Page 28: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/28.jpg)
![Page 29: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/29.jpg)
![Page 30: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/30.jpg)
![Page 31: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/31.jpg)
Interesting Carberp sample (October 2011)
![Page 32: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/32.jpg)
![Page 33: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/33.jpg)
Interesting strings inside Carberp with bootkit
![Page 34: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/34.jpg)
Carberp bootkit functionality
Bootkit bootstrap code
Inject user-mode payload
Load unsigned driver injector
![Page 37: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/37.jpg)
Callgraph of bootkit installation routine
![Page 38: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/38.jpg)
Rovnix kit hidden file systems comparison (Rovnix.A, Carberp with bootkit, Rovnix.B):
VBR modification
Polymorphic VBR
Malware driver storage
Driver encryption algorithm: custom (ROR + XOR) in all three
Hidden file system: FAT16 modification (Carberp with bootkit, Rovnix.B)
File system encryption algorithm: RC6 modification (Carberp with bootkit, Rovnix.B)
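Both the bootkit functionality slide and the comparison above come down to one persistent change on disk: the NTFS volume boot record's bootstrap code is replaced, and in the polymorphic variant every infected machine carries different bytes, so a blacklist of known-bad VBR hashes misses it. What still works is a whitelist: compare the bootstrap region of the dumped sector with a baseline from a clean copy of the same volume. The following is an added example, not code from the talk or from ESET. The VBR it builds is synthetic (offsets follow the NTFS BPB layout, the boot code bytes are constructed and are not Windows' own), and the baseline is assumed to come from a trusted clean image.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_OFF = 0x54   # NTFS bootstrap code starts after the extended BPB
SIG_OFF = 0x1FE       # 0x55AA boot signature


def build_ntfs_vbr(bootcode, hidden_sectors=2048, total_sectors=1_000_000):
    """Assemble a synthetic NTFS VBR for the demonstration (constructed, not a real dump)."""
    if len(bootcode) > SIG_OFF - BOOTCODE_OFF:
        raise ValueError("bootcode does not fit before the signature")
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                          # jmp over the BPB
    vbr[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<HBH", vbr, 0x0B, 512, 8, 0)      # bytes/sector, sectors/cluster, reserved
    struct.pack_into("<I", vbr, 0x1C, hidden_sectors)   # sectors before the partition
    struct.pack_into("<Q", vbr, 0x28, total_sectors)
    vbr[BOOTCODE_OFF:BOOTCODE_OFF + len(bootcode)] = bootcode
    vbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(vbr)


def bootcode_hash(vbr):
    """SHA-256 over the bootstrap region only; BPB fields legitimately differ per volume."""
    return hashlib.sha256(vbr[BOOTCODE_OFF:SIG_OFF]).hexdigest()


def check_vbr(vbr, baseline_hash):
    """Return a list of findings; an empty list means the sector matches the clean baseline."""
    if len(vbr) != SECTOR:
        return ["not a 512-byte sector"]
    findings = []
    if vbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA signature")
    if vbr[3:11] != b"NTFS    ":
        findings.append("OEM ID is not NTFS")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    if bps != 512 or spc == 0 or spc & (spc - 1):
        findings.append("implausible BPB geometry")
    if bootcode_hash(vbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    return findings


# constructed "clean" boot code, and a constructed infection that diverts its first bytes
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 40
INFECTED_CODE = b"\xE9\x20\x00" + CLEAN_CODE[3:]    # jmp into a bootkit stub first


def demo():
    """Check a clean and an infected synthetic VBR against the clean baseline."""
    clean = build_ntfs_vbr(CLEAN_CODE)
    baseline = bootcode_hash(clean)        # in practice: recorded from a trusted image
    infected = build_ntfs_vbr(INFECTED_CODE)
    return check_vbr(clean, baseline), check_vbr(infected, baseline)


if __name__ == "__main__":
    # on a live system: open(r"\\.\C:", "rb").read(512) with administrator rights
    print(demo())
```

Reading the sector through the running OS can be lied to by the bootkit's driver, which is why the driver storage and hidden file system in the table matter: take the dump from a boot of clean media, or from an offline image, and compare against the baseline there.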
![Page 39: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/39.jpg)
Comparison of Carberp file system with Rovnix.B
![Page 40: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/40.jpg)
![Page 41: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/41.jpg)
AntiRE tricks
![Page 42: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/42.jpg)
Removing AV hooks before installation
![Page 43: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/43.jpg)
Calling WinAPI functions by hash
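Calling WinAPI functions by hash means the sample carries no API names: the bot walks a DLL's export table at run time, hashes each export name and compares it with a constant. For analysis the process is reversed, hashing every export of the DLLs of interest once and looking the sample's constants up in that table. The following is an added example, not code from the talk or from Carberp. The hash function is the ROR-13 accumulate used by widely published shellcode and is an assumption for illustration only; the slides do not give Carberp's algorithm, and the export lists are constructed rather than dumped from real DLLs.

```python
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name, rounds=13):
    """ROR-13 accumulate over the ASCII bytes of an export name (assumed scheme, not Carberp's)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, rounds) + byte) & MASK32
    return h


def build_lookup(exports_by_dll):
    """Map hash -> ['dll!Export', ...]; collisions are kept as a list so none are silently lost."""
    table = {}
    for dll, names in exports_by_dll.items():
        for name in names:
            table.setdefault(api_hash(name), []).append(f"{dll}!{name}")
    return table


def resolve(constants, table):
    """Annotate hash constants pulled from a sample (typically the immediate pushed before
    the resolver call) with the export names they stand for."""
    return {h: table.get(h, ["<unresolved>"]) for h in constants}


# constructed export lists; a real run reads them from each PE's export directory
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                     "WriteProcessMemory", "CreateRemoteThread", "OpenProcess"],
    "ntdll.dll": ["NtQuerySystemInformation", "ZwWriteVirtualMemory", "NtProtectVirtualMemory"],
}

if __name__ == "__main__":
    table = build_lookup(EXPORTS)
    sample_constants = [api_hash("VirtualProtect"), api_hash("NtProtectVirtualMemory"), 0xDEADBEEF]
    for h, names in resolve(sample_constants, table).items():
        print(f"{h:08x} -> {', '.join(names)}")
```

When a family's constants do not resolve, the hash function is the variable, not the table: identify the loop in the resolver stub (rotate amount, whether names are upper-cased, whether the module name is folded in) and re-run the table build with that function.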
![Page 44: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/44.jpg)
Plugin encryption algorithm
![Page 45: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/45.jpg)
Communication protocol encryption algorithm
![Page 46: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/46.jpg)
Banks attacking algorithms
![Page 47: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/47.jpg)
Bank attacking algorithm (Gizmo, Dudorov, Origami groups):
HTML injections
autoload (2010; 2011 (Sep))
dedicated plugins for major banks
intercepting client-bank activity
patching Java
WebMoney/CyberPlat
stealing money from private persons
![Page 48: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/48.jpg)
![Page 49: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/49.jpg)
![Page 50: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/50.jpg)
![Page 51: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/51.jpg)
![Page 52: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/52.jpg)
![Page 53: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/53.jpg)
Smartcard attacks
![Page 54: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/54.jpg)
Applications used by smartcards (Windows smart card architecture, top to bottom):
User application: user interface, access provider
Smartcard subsystem: smartcard resource manager, which calls the reader device driver
Hardware support: specific reader device driver → reader device → smartcard (one chain per reader)
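The stack above is the whole point of the smartcard attacks that follow: every process in the user's session reaches the card through the same resource manager, so once the user has presented the PIN, a bot in that session (or an operator on an RDPdoor backconnect) can have the card sign whatever it likes. The following is an added simulation, not code from the talk and not a model of any specific bank's card: a card that signs after a host-side PIN verify, a bank that only checks the signature, and two callers sharing the card. The signature is stood in for by HMAC over a key that never leaves the "card"; the PIN policy and retry counter are assumptions.

```python
import hashlib
import hmac


class SimulatedCard:
    """Card with host-side PIN verification: after one successful VERIFY it signs
    anything sent to it until it is reset (application closed) or removed."""

    def __init__(self, pin, key, max_tries=3):
        self._pin = pin.encode()
        self._key = key             # private key material; never leaves the card
        self._max_tries = max_tries
        self._tries = max_tries
        self.verified = False

    def verify_pin(self, pin):
        if self._tries == 0:
            raise RuntimeError("PIN blocked")
        if hmac.compare_digest(pin.encode(), self._pin):
            self.verified = True
            self._tries = self._max_tries
            return True
        self._tries -= 1
        return False

    def sign(self, payment):
        if not self.verified:
            raise PermissionError("VERIFY required before signing")
        return hmac.new(self._key, payment.encode(), hashlib.sha256).hexdigest()

    def reset(self):
        self.verified = False


def bank_accepts(key, payment, signature):
    """Bank side: a valid signature is all it can check; it cannot tell who drove the card."""
    expected = hmac.new(key, payment.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def session(card, key, pin, keylogged_pin=None):
    """One user session on an infected host. Returns the payments the bank accepted,
    tagged with which process on the host submitted them."""
    accepted = []
    # legitimate client-bank application: the user types the PIN and signs a real payment
    if not card.verify_pin(pin):
        raise RuntimeError("user typed the wrong PIN")
    legit = "pay 100.00 to Alice, acct 1234"
    if bank_accepts(key, legit, card.sign(legit)):
        accepted.append(("user", legit))
    # bot in the same session talks to the same card through the resource manager
    rogue = "pay 50000.00 to mule, acct 9999"
    if bank_accepts(key, rogue, card.sign(rogue)):
        accepted.append(("bot", rogue))
    # the user closes the application; the verified state is gone...
    card.reset()
    # ...but a keylogged PIN lets the bot verify again at any time the card is inserted
    if keylogged_pin is not None and card.verify_pin(keylogged_pin):
        later = "pay 20000.00 to mule, acct 9999"
        if bank_accepts(key, later, card.sign(later)):
            accepted.append(("bot-after-reset", later))
    return accepted


KEY = b"constructed-card-key-never-exported"

if __name__ == "__main__":
    for who, payment in session(SimulatedCard("1234", KEY), KEY, "1234", keylogged_pin="1234"):
        print(f"{who:16s} {payment}")
```

The key never leaves the card and the bank's check is correct, yet every payment the bot submits is accepted: the card authenticates a PIN, not a transaction. The fix is architectural rather than cryptographic, a reader with its own PIN pad and display (PIN entry and the amount shown to the user both outside the infected host), plus per-transaction confirmation, which is exactly what the host-side stack above does not give.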
![Page 55: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/55.jpg)
Win32/Spy.Ranbyus
![Page 56: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/56.jpg)
![Page 57: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/57.jpg)
Win32/RDPdoor v4.x
![Page 58: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/58.jpg)
![Page 59: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/59.jpg)
![Page 60: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/60.jpg)
![Page 61: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/61.jpg)
![Page 62: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/62.jpg)
References
Blackhole Exploit Kit plays with smart redirection - http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
Dr. Zeus: the Bot in the Hat - http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
Blackhole, CVE-2012-0507 and Carberp - http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
Evolution of Win32/Carberp: going deeper - http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
Hodprot: Hot to Bot (white paper) - http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
Carberp Gang Evolution (CARO 2012 presentation) - http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012
![Page 63: Smartcard vulnerabilities in modern banking malware](https://reader033.vdocuments.us/reader033/viewer/2022052903/55757908d8b42adb7e8b4a5e/html5/thumbnails/63.jpg)
Thank you for your attention!
Aleksandr Matrosov, @matrosov, amatrosov.blogspot.com
Eugene Rodionov, @vxradius