Difference between revisions of "OWASP Anti-Malware Project - Awareness Program"

From OWASP
Jump to: navigation, search
(Banking Malware Attack Process)
(Infection of User clients and pcs)
Line 11: Line 11:
 
This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.
 
This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.
  
==== Infection of User clients and pcs ====
+
==== Infection of clients and pcs ====
 
* Exploitation of client side vulnerabilities (during internet browsing)
 
* Exploitation of client side vulnerabilities (during internet browsing)
 
* Spam (Infection delivered via Email)
 
* Spam (Infection delivered via Email)
  
Hiding The Infection and creating the Permanent threat
+
==== Hiding The Infection and creating the Permanent threat ====
Packers
+
* Packers
Modded Builds
+
* Modded Builds
Rootkit (and Bootkit)
+
* Rootkit (and Bootkit)
  
Stealing of Auth credentials
+
==== Stealing of Auth credentials ====
KeyLogging and Form Grabbing
+
* KeyLogging and Form Grabbing
Video Grabbing
+
* Video Grabbing
WebInjects
+
* WebInjects
  
Storing of Auth credentials
+
==== Storing of Auth credentials ====
Standard Dropzone
+
* Standard Dropzone
Fast Flux Based Server
+
* Fast Flux Based
Instant Messaging and P2P network
+
* Instant Messaging and P2P network
  
Hiding The Operations
+
==== Hiding The Operations ====
Data Tunnelling
+
* Data Tunnelling
Modification of Contact Details
+
* Modification of Contact Details
User Interface Restoring
+
* User Interface Restoring
  
Cashing Out
+
==== Cashing Out ====
Money Transfer
+
* Money Transfer
Mobile Phone Charge
+
* Mobile Phone Charge
Pump and Dump
+
* Pump and Dump
  
 
== Countermeasures ==
 
== Countermeasures ==

Revision as of 11:40, 3 January 2012

Contents

Introduction

What is Banking Malware

How Banking malware deals with Web Application Security

Banking Malware Attack Process

The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

From user infection to cash out

(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

Infection of clients and pcs

  • Exploitation of client side vulnerabilities (during internet browsing)
  • Spam (Infection delivered via Email)

Hiding The Infection and creating the Permanent threat

  • Packers
  • Modded Builds
  • Rootkit (and Bootkit)

Stealing of Auth credentials

  • KeyLogging and Form Grabbing
  • Video Grabbing
  • WebInjects

Storing of Auth credentials

  • Standard Dropzone
  • Fast Flux Based
  • Instant Messaging and P2P network

Hiding The Operations

  • Data Tunnelling
  • Modification of Contact Details
  • User Interface Restoring

Cashing Out

  • Money Transfer
  • Mobile Phone Charge
  • Pump and Dump

Countermeasures

General strategy

Narrowing the attack surface Identification Blocking Recovering

Actions to take for mitigating the Malware Attack Process

Containing the number of infected customers Awareness (e.g. Remember to the users about Antivirus programs) Check for software updates and potentially exposed customers Monitoring for Anomalies

Unhide the Infection Tell to your customers about the infections Use systems for detecting compromised clients Have in place a security response process to assist customers

Counterfeat the Stealing of Auth credentials Resilient Authentication Inform the user about their own operations Multi factor and Multi channel

Against the Remote Storaging of Auth Credentials Identification and Alerting about Dropzones Dropzone security response Browser Sand boxing

Against Cashing Out Mule accounts monitoring Monitor money transfer sources Monitor and correlate sources for any disposal operation

Evaluate your organization