OWASP Anti-Malware - Knowledge Base
- 1 Introduction
- 2 Protecting Banking Resources
- 3 Appendix A: Security Considerations about Authentication Solutions and Malware
- 4 Appendix B: Banking Malware Families (Active in 2012)
- 5 Appendix C: Server Side Security Solutions
- 6 Appendix D: Client Side Security Solutions
- 7 References
A Technical Knowledge Base for Banking Malware Threats
Protecting Banking Resources
Are your resources protected?
Enumerate the interesting targets
Define the path to the targets (Transition graphs)
Apply trust boundaries (security measures)
Define the weaknesses of the security measures adopted
Appendix A: Security Considerations about Authentication Solutions and Malware
Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.
For more information:
TextField Static Password
Vulnerable to vast majority of all Banking Malware families in their default configuration
A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.
How gets defeated
Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. KeePassX ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”. Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.
Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.
How gets defeated
Behavior Based Authentication
TAN (Gridcard, Scratch Card)
OTP (Time Based, Click Based)
Risk Evaluation: Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
- Tokens are valid for a very short period of time. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window . This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
- This authentication measure may need UI redressing or automation to be bypassed, introducing important anomalies that can be detected.
A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks. Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).
How gets defeated
Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages. As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.
CAP (Random Nonce, Challenge Response)
MSISDN (Caller-ID Authentication)
Appendix B: Banking Malware Families (Active in 2012)
Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.
Schema summarizes every banking trojan by giving the following informations:
- Attack Capabilities
Attack Capabilites describes the features of the involved trojan, and immediately below the technique used to implement the given feature.
- HTTP Injection
- Browse Redirect
- Form Grabbing
- Stored Password Theft
- Keystroke Logging
- Bypass MFA
- ScreenCapture / VideoCapture
- Certificate Theft
- Install Backdoor
- Instant Message
Type field describes what kind how the malware operates:
SpyEye is considered the successor of ZeuS and globally considered as the most advanced Banking Malware kit actually used.
This kit was conceived as botnet easy to manage via a web based control panel.
SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish its task, it provides a custom Encrypted Configuration File where there are:
- Web Injection Code
- Collectors List- where stolen data is sent
SpyEye is capable of HTML code injection in the following browsers:
- Internet Explorer
List of commonly used Plugins:
- ccgrabber - used to collect Credit Card numbers by analyzing POST requests.
- ffcertgrabber - used to steal Firefox stored Certificates.
- ftpbc - used to reverse ftp connections to the bot.
- socks5 - allows reverse connections via a proxy server.
- billinghammer - charges Credit Cards by using stolen card data.
- ddos - plugin used to ddos a specified target.
- bugreport - send crash reports to the bot master.
- SpySpread - capability to spread via USB, IM Messages
- rdp - Remote Desktop capability
SpyEye kit, actually reached version 1.3.48
In the second half of 2011 appeared a mobile edition of SpyEye, called SpitMo specifically designed to steal mTAN (mobile TAN) authentication systems. SpitMo
Recently (Jenuary 2012) appeared a SpyEye Campaign able to Hide its Fraud Footprint also called Post-Transaction Attack
- A Guide to SpyEye C&C Messages
- New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3
- DDOS plugin for SpyEye
- SpyEye steals your data. Even in a limited account
- The SpyEye Interface, Part 1: CN 1
- The SpyEye Interface Part 2: SYN 1
- SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)
- SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)
- SpyEye being kicked to the curb by its customers?
ZeuS is a Banking Trojan identified for the first time in 2007, designed as HTTP Based Botnet specifically crafted to steal Online Banking Credentials.
Despite the fact that ZeuS Kit is no longer developed, infection statistics that can be checked here ZeuS Statistics clearly demonstrates that this Trojan has a remarkable diffusion.
The ZeuS Kit functionality is based on MiTB attacks, an encrypted configuration file contains URL Triggers and HTML Code to be Injected.
In the past year appeared also a ZeuS for mobile called ZitMo, developed to bypass mTAN authentication system, more information can be reached here:
- The ZitMo Trojan Bypasses Online Banking Security
- Zitmo Trojan for Android defeats two-factor authentication
2011 was also the year of ZeuS Source Code leak, this essentially lead to a number of new ZeuS Variants, here the most significant:
- ICE IX
- ZeuS P2P Edition
The most interesting variant is the P2P one, where ZeuS gained P2P Botnet and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able to interact with other victims (nodes) and get Updated Binaries and Configurations.
Citadel is a variant appeared in January 2012 that supports grabbing on Google Chrome Browser.
GameOver variant starts a DDoS Attack against the target bank at the same time it commits fraud operation to distract bank's attention.
ZeuS P2P References:
- ZeuS Gets More Sophisticated Using P2P Techniques
- ZeuS – P2P+DGA variant – mapping out and understanding the threat
- ZeuS Tracker
- Ice IX – Or Just ZeuS?
- JaZeus: when Zeus meets Java
- Zeus Malware Analysis by SophosLabs
- ZeuS Banking Trojan Report
- Abstract Memory Analysis: Zeus Encryption Keys
- Zeus: King of the bots
- Web Injections Zeus/Spyeye
ZeuS Mitmo (Man in the Mobile) is smartphone version of Zeus. Zeus Mitmo combines SMS and the Web attack vector to attack online banks via smartphone. Many banks are using SMS as second authentication. ZeuS Mitmo is designed to steal mTANs, and computers infected with a ZeuS Mitmo trojan will inject a "security notification" into the Web banking process, attempting to lure the user into providing their phone number. If a phone number is provided, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.
- Financial malware attacks on smartphones, European Network and information security agency
- S21Sec report on Zeus Mitmo
- zitmo: two factor authentication defeated
After ZeuS and SpyEye the third advanced Malware Banking Trojan is Carberp, that during its evolution reached a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser Code Injection online Banking Credentials.
Synthesis of Carberp Functionalities :
- Ability to run as non-administrator
- Ability to infect Windows XP , Windows Vista and Windows 7
- Will not make any changes to the registry (only in memory modifications)
- Browser Hooking
- Stolen data is transmitted in real-time to C&C server
- Kill AntiVirus Software
- Screenshot Ability
- Form Grabber
Carberp makes use of encrypted Configuration Files that contains plugins and web injection code
- miniav.psd - Kill Competitors Botnets (SpyEye. ZeuS)
- vnc.psd - Remote VNC Session Capability
- passw.psd - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords
- Carberp + BlackHole growing fraud incidents
- Bootkit Evolution of Win32Carberp: going deeper
- Decrypting Carberp C&C communication
- Facebook New Trends in Carberp Activity
Clampi (also known as Ligats, Ilomo or Rscan) is a Trojan designed to steal credentials from infected systems. Its main purpose is to steal online banking credentials to conduct the unauthorized transfer of funds from hacked accounts to groups likely in Eastern Europe or Russia.
It has seven modules:
- SOCKS—A socks proxy.
- PROT—Steals PSTORE credentials, which typically contains credentials saved when using a Web browser.
- LOGGER—Steals online credentials.
- LOGGEREXT—Aids in stealing online credentials for Web sites with enhanced security.
- SPREAD—Spreads Clampi to machines in the network with open network shares.
- ACCOUNTS—Steals locally saved credentials for a variety of applications such as Instant Messaging and FTP clients.
- INFO—Gathers and sends general system information.
Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof (Post Transaction Attack) the real balance of the victim.
Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and web injection code.
Additionally Tatanga is able to:
- Grab E-Mail addresses
- Remove Competitors Botnets
- File Infector to increase malware spread
- Kill Antivirus Software
Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.
To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers
- Internet Explorer 6,7,8
- Finjan CyberIntel Report September 2009
- Banking Trojan steals money from under your nose
- The case of the fake money-mules: Inside the URLZone Trojan network
- RSA banking Trojan research underscores problem tracking cybercriminals
Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.
- Steals SSL Data
- Steals Static Information from Banking Website
- Steals Dynamic Password Schemes like Two Factor Authentication and OTP
- KeyLogging Capabilities
- SSL Encrypted Communication with the C&C Server
- AntiVirus Bypassing Capabilities
SSL Stealing Technique is described here Gozi Trojan Steals SSL Encrypted Data for Fun and Profit
Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.
- Gathering system information on compromised system and sends it to dropzone
- Downloading configuration that will be used from defined domain
- Injects malicious code into browser's code
- Hides using rootkit functionality
- Intercepts network traffic and attempts to add malicious code to network trafic
Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.
- Browser Code Injection
- KeyStroke Logger
- Screenshotting Capabilities
- Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks
- Good AntiVirus Bypassing Capabilities
Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.
Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.
Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.
Will follow a quick summary of the Trojan Functionalities:
- Intercepts GET and POST requests
- HTML Code Injection via MiTB Approach
- Session Hijacking
Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.
Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.
Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.
List of Features:
- MiTB Capabilities
- Backdoor Capabilities
- File Infector Office Files, Windows Executables
- SSL Secured C&C Communication
- AntiVirus bypassing Capabilities
- Cookie Grabber
Trojan Cridex became a well spreaded threat for Home Banking activities in the first period of 2012. The malware is usually delivered via malicious e-mails that contains shortened links to BlackHole Exploit Kit websites.
Here a quick summary of Cridex's features
- Download and Execute Files
- Upload and Search Files
- Steal local Certificates
- Configuration driven MiTB Capabilities that targets Banking Users
Man in The Browser performed by Cridex targets the following browsers:
- Internet Explorer
The malware communicates with C&C Servers via SSL in order to upload stolen credentials and receive commands or configuration updates. Cridex also has a modular structure, this mean that C&C Server could upload additional functionalities to the running bots.
One of the most interesting components is the Spamming/Propagation module, that's able to create new email accounts that will be used to spread Cridex itself.
Creating new e-mail accounts now implies also the necessity to solve CAPTCHAs, and one of the most interesting features of Cridex is the ability to integrate itself with a CAPTCHA Breaking Server.
- Trojan caught on camera shows CAPTCHA is still a security issue
- The Cridex Trojan Targets 137 Financial Organizations in One Go
- Cridex Analysis using Volatility
Tinba stands for TinyBanker, definition derives from the reduced dimensions, approximately 20KB, of the binary. Tinba relies upon the MiTB (Man in The Browser) attack and has important level of invisibility to AntiVirus technology.
The malware injects itself in the following system processes:
After the injection, Tinba looks for the execution of processes related to most widely used browser, such as InternetExplorer and Firefox. The infrastructure Tinba is typical of a classical HTTP botnet. The binary has a list of four malicious servers used to upload stolen credentials, communication is encrypted with RC4 algorithm.
The configuration management system relies upin two files:
The syntax of the configuration is identical to the ZeuS one. It 's also interesting to note that Tinba can modify the HTTP response header X-FrameOptions in order to introduce elements dangerous such as external links Supported by HTTPS.
- Say hello to Tinba: World’s smallest trojan-banker
- Tiny New Tinba Banker Trojan Found Stealing Financial Data
- Small banking Trojan poses major risk
Gataka is a banking trojan with an architecture similar to SpyEye emerged in the first part of July 2012. The binary file is equipped with an encrypted configuration file which contains the HTML/JS code to be injected in the target bank, additionally the configuration contains a modular plugin-based system that implements a wide range of malicious features.
The trojan injects itself into the system process Explorer.exe and then activates the persistence on the system by inserting adding a registry key entry.
From an architectural point of view, like SpyEye, plugins are downloaded from the C&C server and are inivocally identified by an ID. Follows a summary of identified plugin (information is taken from ESET article - check references for additional details):
- HermesCore: This plugin is automatically included in all versions of Gataka and has a fundamental function, it's responsible of communication activities. The addresses of the servers are encoded in Base64. HermesCore can finally run arbitrary executables sent by the botmaster.
- Interceptor: As the name suggests, this plugin takes care of the interception of traffic network by hooking API connect() getpeername() closesocket(). The plugin acts essentially as proxy that monitors inbound/outbound traffic, and in case of encrypted communications (HTTPS) Interceptor is able to use a fake certificates to perform a MiTM attack. It's also important to highlight the fact that
Interceptor is able to change at run-time the certificate control functions of several browser in such a way to make the entire process even more invisible to the victim.
- NextGenFixer: This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
- WebInject: This plugin takes care of injecting malicious HTML/JS code into the target page, as well able to make a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.
- HttpTrafficLogger: Make a log of browsing the victim.
- SocksTunnel: Implements a SOCKS server such a way to exploit the infected machine for anonymous browsing activities.
- TrafficGrabber: Network traffic sniffer, with functionality of packet dumper.
- CoreDb: Contains the configuration encrypted with 3DES algorithm.