ZeuS MitMo Mikel Gastesi 2011-02-25 S21sec e-crime analyst http://null.co.in/ http://nullcon.net/


TRANSCRIPT

ZeuS MitMo

Mikel Gastesi, 2011-02-25, S21sec e-crime analyst

http://null.co.in/ http://nullcon.net/

ZeuS MitMo

• Introduction
• Banking protections
• Banking trojans
  – ZeuS / Zbot
• ZeuS MitMo
• Conclusion


Introduction

• Target – Why the user?


Banking protections

• User / password
• User / password + extra password for transactions
• Code card
• OTP
  – mTAN = mobile Transaction authentication number


Cat and mouse game

• User / password → Form grabbing
• User / password + extra password for transactions → Form grabbing
• Code card → HTML injection
• OTP
  – mTAN = mobile Transaction authentication number → Zitmo, MITB
  – Token?


Attacking the user

• Phishing
• Trojans
  – One-shot trojans
  – Modifying the hosts file
  – Form grabbing
  – HTML injection


Banking trojans

• ZeuS / Zbot
• SpyEye
• Bankpatch
• SilentBanker
• Sinowal
• Gozi
• Carberp
• …


Zbot

• You can buy it for less than 600$!
  – Easy to install
  – Easy to configure
  – Creates an easy-to-manage botnet
  – Very powerful
  – Add-ons
    • IM / Jabber
• Zitmo has been seen for sale!! ¿?¿?


Zbot

Characteristics:
  – Creates a botnet
  – Configuration file update
  – Binary file update
  – /etc/hosts modification
  – Socks proxy
  – HTML injection
  – HTML redirection
  – Screenshots
  – Captures virtual keyboards
  – Captures form data
  – Steals certificates
  – KillOS function!
  – Encrypts configuration file and data


Zbot

Executable | Config & Data | Mutex / Pipe | Version
ntos.exe | \wsnpoem\video.dll, \wsnpoem\audio.dll | _SYSTEM_64AD0625_ | 1.0.x.x
oembios.exe | \sysproc64\sysproc86.sys, \sysproc64\sysproc32.sys | _SYSTEM_64AD0625_ | 1.1.x.x
twext.exe | \twain\local.ds, \twain\user.ds | _SYSTEM_64AD0625_ | 1.1.x.x
twex.exe | \twain\local.ds, \twain\user.ds | _H_64AD0625_ | 1.2.x.x
sdra64.exe, bootlist32.exe, userinit32.exe | \mac32\cbt.lc, \mac32\cc.lc; \lowsec\local.ds, \lowsec\user.ds; \zad32and\boot.pop, \yad32and\codec.dll | _AVIRA_2109_, _LILO_19099_ | 1.2.x.x
bootwindows.exe | \skype32\win32post.dll, \skype32\win64post.dll | _SOSI_19099_ | 1.3.x.x
msxxx32.exe | – | – | 1.3.x.x
host32.exe | \jh87uhnoe3\ewf32.nls, \jh87uhnoe3\ewfrvbb.nls | – | 1.3.7.0
svchost32.exe | \efee3f32f\brrve.nls, \efee3f32f\wrfsf.nls | – | 1.4.1.3
random | random | – | 2.x
Licat / Hydra? | … | … | …
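To make the generation table usable in host triage, here is an added example (not from the talk or from S21sec) that matches artifacts observed on a machine against these ZeuS generations; it goes slightly beyond the slide by matching executables, data-file paths and mutex names together and flagging that the shared mutex alone cannot tell 1.0 from 1.1. The indicator values come from the table; the sample host artifacts and the names `match_zbot` and `best_version` are constructed for this example.

```python
# Added example: match host artifacts against the ZeuS/Zbot generation table
# above. Indicator values are copied from the slides' table; the sample host
# artifacts and the function names are constructed for this example.
from collections import defaultdict
# (version, executables, config/data path suffixes, mutex or pipe names)
ZBOT_GENERATIONS = [
    ("1.0.x.x", {"ntos.exe"},
     {r"\wsnpoem\video.dll", r"\wsnpoem\audio.dll"}, {"_SYSTEM_64AD0625_"}),
    ("1.1.x.x", {"oembios.exe", "twext.exe"},
     {r"\sysproc64\sysproc86.sys", r"\sysproc64\sysproc32.sys",
      r"\twain\local.ds", r"\twain\user.ds"}, {"_SYSTEM_64AD0625_"}),
    ("1.2.x.x", {"twex.exe", "sdra64.exe", "bootlist32.exe", "userinit32.exe"},
     {r"\twain\local.ds", r"\twain\user.ds", r"\mac32\cbt.lc", r"\mac32\cc.lc",
      r"\lowsec\local.ds", r"\lowsec\user.ds", r"\zad32and\boot.pop",
      r"\yad32and\codec.dll"}, {"_H_64AD0625_", "_AVIRA_2109_", "_LILO_19099_"}),
    ("1.3.x.x", {"bootwindows.exe", "msxxx32.exe"},
     {r"\skype32\win32post.dll", r"\skype32\win64post.dll"}, {"_SOSI_19099_"}),
    ("1.3.7.0", {"host32.exe"},
     {r"\jh87uhnoe3\ewf32.nls", r"\jh87uhnoe3\ewfrvbb.nls"}, set()),
    ("1.4.1.3", {"svchost32.exe"},
     {r"\efee3f32f\brrve.nls", r"\efee3f32f\wrfsf.nls"}, set()),
]

def match_zbot(files, mutexes):
    """files: full on-disk paths; mutexes: mutex/pipe names. -> {version: [indicators]}"""
    hits = defaultdict(set)
    for path in files:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]          # file name, case-insensitive
        for version, exes, data, _ in ZBOT_GENERATIONS:
            if base in exes:
                hits[version].add(base)
            for suffix in data:                 # match the tail of the path
                if low.endswith(suffix.lower()):
                    hits[version].add(suffix)
    for name in mutexes:
        for version, _, _, mtx in ZBOT_GENERATIONS:
            if name in mtx:
                hits[version].add(name)
    return {v: sorted(ind) for v, ind in hits.items()}

def best_version(files, mutexes):
    """Generation with the most distinct indicators, or None. A lone mutex is
    ambiguous (_SYSTEM_64AD0625_ spans 1.0 and 1.1); data paths break the tie."""
    hits = match_zbot(files, mutexes)
    return max(hits, key=lambda v: (len(hits[v]), v)) if hits else None

# Constructed sample host: the 1.0 dropper, its data files and the shared mutex.
SAMPLE_FILES = [r"C:\WINDOWS\system32\ntos.exe", r"C:\WINDOWS\system32\wsnpoem\video.dll",
                r"C:\WINDOWS\system32\wsnpoem\audio.dll"]
SAMPLE_MUTEXES = ["_SYSTEM_64AD0625_", "Global\\unrelated_app_mutex"]
```

On the constructed host the mutex alone lists both 1.0.x.x and 1.1.x.x, and only the ntos.exe and \wsnpoem paths settle it on 1.0.x.x.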

Zbot

• Why does it work so well?
  – Stealth
  – The user doesn’t see anything wrong
  – Green lock + https = OK?? #FAIL


Zbot

• Screen capture


• Redirection


Jumping to the phone

[diagram: ZEUS TROJAN – MITMO]

Attacking phones

• Today – Why?
  – Stealing the OTP
  – Hiding information messages (instead of SMS flooding)
    • Avoids detection of the MitB
  – Blocking incoming calls
    • Prevents communicating with the bank
  – No mail
  – No SMS
  – No phone call


Attacking phones

• Today and Tomorrow – Why?
  – False security perception
  – 2 factors → 1 factor
  – Personal information
    • Passwords of a lot of services, social networks, etc.
    • Password reuse?


Implementation

• OTP != mTAN
  – Hardware token
  – Ownable platform
• How do you configure your phone number?


Zitmo

[diagram: OTP 0023424 sent to the phone; CREDENTIALS and the OTP 0023424 go to ZEUS; COMMANDS go to MITMO]

Zitmo

• Zeus 2.0.8.9 with custom injection
• Fake SMS to install the trojan (one-time URL)
• Platforms
  – Symbian
  – BlackBerry
  – Windows Mobile
• Targets
  – Spanish banks in September (+1 German)
  – Polish banks this week (+ Portugal…)
  – ZitMo depends only on the PC ZeuS config

Zitmo

• How does it work?
  – Preconfigured admin phone number
  – Hello message: “App installed OK”
  – Resends messages
  – Inspired by “SMS Monitor”
• Commands:
  – Set admin
  – Sender add
  – Sender rem
  – Block on
  – Block off
  – Set sender

Zitmo

Mikel, don’t forget the video!!!


ZitMo reloaded

• ZeuS version 3.1.8 Fake?
• New UNINSTALL 45930 command
• Set admin – App installed ok
• Android version??? FAKE?

Conclusions

• Real threat, actively used
• Defeats OTP (mTAN)
• To think: 2 factor authentication is becoming single authentication!
• Android > Symbian
  – Same scenario?
  – Installing from the web Android Market?


Questions?


Thank you!!!

• Contact: [email protected]
