Smartcard vulnerabilities in modern banking malware
TRANSCRIPT
![Page 1: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/1.jpg)
Smartcard vulnerabilities in modern banking malware
Aleksandr Matrosov, Eugene Rodionov
![Page 2: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/2.jpg)
Agenda
• Evolution of the Carberp distribution scheme: drive-by downloads; detection statistics
• Carberp modifications: the story of BK-LOADER; anti-RE tricks
• Banks attacking algorithms
• Smartcard attacks
![Page 3: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/3.jpg)
Evolution of drive-by downloads: the Carberp case
![Page 4: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/4.jpg)
Exploit kits used in the distribution scheme
Impact, since 2010 (probivaites.in):
• Java/Exploit.CVE-2010-0840
• Java/Exploit.CVE-2010-0842
• Java/TrojanDownloader.OpenConnection
Blackhole, since 2011 (lifenews-sport.org):
• JS/Exploit.JavaDepKit (CVE-2010-0886)
• Java/Exploit.CVE-2011-3544
• Java/Exploit.CVE-2012-0507
• Java/Agent
Nuclear Pack, since 2012 (nod32-matrosov-pideri.org):
• Java/Exploit.CVE-2012-0507
![Page 5: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/5.jpg)
Blackhole drive-by download scheme
legitimate site → search vuln (TRUE / FALSE)
TRUE → exploitation stage: /getJavaInfo.jar, /content/obe.jar, /content/rino.jar
→ dropper execution: /w.php?f=17&e=2
![Page 6: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/6.jpg)
Exploit kit migration reasons
1. most popular = most detected
2. frequently leaked exploit kit; most popular exploit kit for research
3. auto detections by AV-crawlers; non-detection period is less than two hours
![Page 7: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/7.jpg)
Blackhole migration to Nuclear Pack
![Page 8: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/8.jpg)
Nuclear Pack drive-by download scheme
legitimate site → search vuln (TRUE / FALSE)
TRUE → exploitation stage: /images/274e0118278c38ab7f4ef5f98b71d9dc.jar
→ dropper execution: /server_privileges.php?<gate_id>=<exp_id>
additional stage: check real user
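The two schemes above expose their stages through distinctive URL paths: Blackhole's exploitation JARs and its `w.php` dropper gate, Nuclear Pack's 32-hex-character JAR name and its `server_privileges.php` gate. A proxy-log scan for those paths, and for a client that reached both an exploitation and a dropper stage of the same kit, is a practical defender's check. The following is an added example, not code from the slides or from ESET: the path regexes are derived from the URLs shown on the two scheme slides, the log format and all log lines are constructed, and the Nuclear Pack gate matcher only requires one `key=value` pair because the slide gives the query as placeholders.

```python
"""Flag proxy log entries matching the Blackhole / Nuclear Pack drive-by stages
(added example; URL patterns taken from the two scheme slides, log data constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    kit: str
    stage: str
    path: re.Pattern          # anchored match on the URL path
    query: Optional[re.Pattern] = None  # anchored match on the query string, if the stage has one


RULES = [
    Rule("Blackhole", "exploitation",
         re.compile(r"^/(?:getJavaInfo|content/(?:obe|rino))\.jar$")),
    Rule("Blackhole", "dropper",
         re.compile(r"^/w\.php$"), re.compile(r"^f=\d+&e=\d+$")),
    Rule("Nuclear Pack", "exploitation",
         re.compile(r"^/images/[0-9a-f]{32}\.jar$")),
    # Slide shows "?<gate_id>=<exp_id>": assumption - any single key=value pair.
    Rule("Nuclear Pack", "dropper",
         re.compile(r"^/server_privileges\.php$"), re.compile(r"^\w+=\w+$")),
]


def classify_url(url: str) -> Optional[tuple[str, str]]:
    """Return (kit, stage) for a URL that matches a known stage, else None."""
    parts = urlsplit(url)
    for rule in RULES:
        if not rule.path.match(parts.path):
            continue
        if rule.query is not None and not rule.query.match(parts.query):
            continue
        return (rule.kit, rule.stage)
    return None


# Constructed sample log (squid-like): timestamp client method url status.
SAMPLE_LOG = """\
1333627201.101 10.0.0.15 GET http://www.example-legit.test/index.html 200
1333627203.411 10.0.0.15 GET http://cdn.example-kit.test/getJavaInfo.jar 200
1333627204.002 10.0.0.15 GET http://cdn.example-kit.test/content/rino.jar 200
1333627205.377 10.0.0.15 GET http://cdn.example-kit.test/w.php?f=17&e=2 200
1333627290.900 10.0.0.22 GET http://img.example-kit2.test/images/274e0118278c38ab7f4ef5f98b71d9dc.jar 200
1333627292.118 10.0.0.22 GET http://img.example-kit2.test/server_privileges.php?a1b2=7 200
1333627300.000 10.0.0.31 GET http://www.example-legit.test/images/logo.jar 404
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(text: str) -> list[dict]:
    """Return one hit record per log line whose URL matches a stage rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        verdict = classify_url(m["url"])
        if verdict:
            hits.append({"client": m["client"], "kit": verdict[0],
                         "stage": verdict[1], "url": m["url"]})
    return hits


def infection_chains(hits: list[dict]) -> list[tuple[str, str]]:
    """(client, kit) pairs that reached both the exploitation and the dropper stage:
    a full chain, which is a much stronger signal than a single JAR fetch."""
    stages: dict[tuple[str, str], set[str]] = {}
    for h in hits:
        stages.setdefault((h["client"], h["kit"]), set()).add(h["stage"])
    return sorted(k for k, s in stages.items() if {"exploitation", "dropper"} <= s)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("full chains:", infection_chains(scan_log(SAMPLE_LOG)))
```

The paths are historical indicators from the slides and will not match current kits; the value of the check is the two-stage correlation, which carries over to any kit whose landing, exploitation and gate URLs can be told apart.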
![Page 9: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/9.jpg)
BlackSEO & Nuclear Pack
![Page 10: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/10.jpg)
Carberp detection statistics
![Page 11: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/11.jpg)
Carberp detection statistics by country (cloud data from Live Grid)
Countries shown: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world
![Page 12: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/12.jpg)
Carberp detections over time in Russia (cloud data from Live Grid)
[Chart: monthly Carberp detections in Russia, Jan-10 to Apr-12; y-axis 0 to 0.18]
![Page 13: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/13.jpg)
Evolution of Carberp modifications
![Page 14: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/14.jpg)
Different groups, different bots, different C&C's
• Origami
• D*****v
• G***o
![Page 15: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/15.jpg)
Functionality | Gizmo | Dudorov | Origami (cells listed in row order)
Dedicated dropper: Win32/Hodprot
Java patcher
Bootkit based on Rovnix
RDP backconnect: Win32/RDPdoor / Win32/RDPdoor
TV backconnect: Win32/Sheldor / Win32/Sheldor / Win32/Sheldor
HTML injections: IE, Firefox, Opera / IE, Firefox, Opera, Chrome / IE, Firefox, Opera, Chrome
Autoloads
Unique plugins: minav.plug, passw.plug, killav.plug, sbtest.plug, cyberplat.plug, sber.plug, ddos.plug
![Page 16: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/16.jpg)
Commands | Gizmo | Dudorov | Origami | Description
ddos: download DDoS plugin and start attack
updatehosts: modify hosts file on infected system
alert: show message box on infected system
update: download new version of Carberp
updateconfig: download new version of config file
download: download and execute PE file
loaddll: download plugin and load into memory
bootkit: download and install bootkit
grabber: grab HTML form data and send to C&C
killos: modify boot code and delete system files
killuser: delete user Windows account
killbot: delete all files and registry keys
updatepatch: download and modify Java runtime
deletepatch: delete Java runtime modifications
![Page 17: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/17.jpg)
The Story of BK-LOADER: from Rovnix.A to Carberp
![Page 18: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/18.jpg)
![Page 19: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/19.jpg)
Interesting Carberp sample (October 2011)
≈3000 tested bots
![Page 20: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/20.jpg)
Interesting strings inside Carberp with bootkit
![Page 21: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/21.jpg)
Carberp bootkit functionality
• Bootkit bootstrap code
• Inject user-mode payload
• Load unsigned driver injector
![Page 22: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/22.jpg)
Callgraph of bootkit installation routine
![Page 23: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/23.jpg)
Rovnix kit hidden file systems comparison
Functionality | Rovnix.A | Carberp with bootkit | Rovnix.B (cells listed in row order)
VBR modification: polymorphic VBR
Malware driver storage
Driver encryption algorithm: custom (ROR + XOR) / custom (ROR + XOR) / custom (ROR + XOR)
Hidden file system: FAT16 modification / FAT16 modification
File system encryption algorithm: RC6 modification / RC6 modification
![Page 24: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/24.jpg)
Comparison of Carberp file system with Rovnix.B
![Page 25: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/25.jpg)
Anti-RE tricks
![Page 26: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/26.jpg)
Removing AV hooks before installation
![Page 27: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/27.jpg)
Calling WinAPI functions by hash
![Page 28: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/28.jpg)
Plugin encryption algorithm
![Page 29: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/29.jpg)
Communication protocol encryption algorithm
![Page 30: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/30.jpg)
Banks attacking algorithms
![Page 31: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/31.jpg)
Bank attacking algorithm | Gizmo | Dudorov | Origami (cells listed in row order)
HTML injections / autoload: 2010 / 2011 (Sep)
Dedicated plugins for major banks
Intercepting client-bank activity: patching Java / WebMoney, CyberPlat
Stealing money from private persons
![Page 32: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/32.jpg)
![Page 33: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/33.jpg)
![Page 34: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/34.jpg)
Smartcard attacks
![Page 35: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/35.jpg)
Applications used by smartcards (layered diagram)
User Application: user interface → access provider
Smartcard Subsystem: smartcard resource manager → call reader device driver → specific reader device driver (one per reader, …)
Hardware Support: reader device → smartcard (one pair per reader, …)
![Page 36: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/36.jpg)
Win32/Spy.Ranbyus
![Page 37: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/37.jpg)
Win32/RDPdoor v4.x
Device record format: <VendorId>:<ProductId>:<Revision>:<InfoRetreivedFromDevice>:<DeviceNameOrDescription>
FabulaTech USB for Remote Desktop Server
![Page 38: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/38.jpg)
http://crackme.esetnod32.ru
![Page 39: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/39.jpg)
References
• Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
• Dr. Zeus: the Bot in the Hat: http://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat
• Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
• Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
• Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
• Carberp Gang Evolution: CARO 2012 presentation: http://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012
![Page 40: Smartcard Vulnerabilities In Modern Banking Malware](https://reader034.vdocuments.us/reader034/viewer/2022052322/5575badcd8b42a312a8b45ac/html5/thumbnails/40.jpg)
Thank you for your attention!
Aleksandr Matrosov, [email protected], @matrosov, amatrosov.blogspot.com
Eugene Rodionov, [email protected], @vxradius