The Trojan Money Spinner
Mika Ståhlberg, F-Secure Corporation
VB2007 Conference, Vienna
What is a Banking Trojan?
• Targets bank account transactions and information (credentials etc.)
• “Phishing Trojans”
• Subcategory of Crimeware
Examples of banking trojan families:
• Banker
• Bzub (aka Metafisher)
• Bancos
• Snatch
• Haxdoor (aka A-311 Death)
• Sters (aka Briz aka VisualBreeze)
• Sinowal (aka Torpig aka Anserin)
• Gozi
• Nuklus (aka Apophis)
Friday, 21st September 2007, Page 2
Banking Trojan Problem
• The machine has been infected already
• Exploits
• Social engineering: Spam attachments
• User does not necessarily do anything wrong
• Trojan waits until the user goes to bank
• Can user education help?
Attacking the Session
• Spying of Credentials - Attacks Used
  • Key logging
  • Local content injection
  • Form grabbing
  • Screen capture
  • Video capture
  • Fake website (pharming)
  • Man-in-the-Middle (DNS changers)
  • Man-in-the-Browser
• Hijacking Sessions
  • Man-in-the-Middle (network, injection of data)
  • Man-in-the-Browser
Form Grabbing
• User submits data to a legitimate banking website using web forms
• Malware monitoring the web browser can grab that data
• Form grabbing is the method of choice for capturing banking data
  • All credentials typically end up in a web form
  • Keylogging would result in a lot of useless data
Example: Form Grabbing Using Inline Hooking
• Qhost.JE injects a DLL into Internet Explorer
• The DLL hooks HttpSendRequestA
• The hook grabs POST data and uploads it to an FTP server
Local Session Riding
• Browser is a trusted terminal of the online bank
  • Not maintained by the bank
• Many banks only check the credentials of the terminal on entry
• A MitB attack can hijack the authenticated session
• Transactions can be added or modified
[Figure: a transaction of “$100 to John Doe” is altered in the browser into “$20,000 to D.B. Cooper”, a money mule]
Pharming with Trojans
• Browser can be tricked into accessing a malicious web server
  • Hosts file poisoning
  • Hooking
• Browser will still display the correct URL
• SSL will not help
  • Malware can suppress dialogs
  • Import own root certificate
  • Hook, patch
  • User imitation
Filtering Data
• Banking trojans target data related to online banking
• Only a small fraction of web form data or typed data is relevant
  • Information glut ensues (low signal-to-noise ratio, S/N)
• Attackers are typically only interested in certain banks
  • Familiar, local banks (Brazil)
  • Lowest hanging fruit
  • Banks with a large customer base
Banking trojans are only interested in banking data, and only in a small portion of that data.
How do Banking Trojans Filter Data?
• Online banks are accessed using web browsers
• Trojan monitors browsing and activates when the browser is connected to a bank
  • Window title enumeration using FindWindow()
  • BHO or Firefox Browser Extension
  • LSP (Layered Service Provider)
  • DDE (Dynamic Data Exchange) using the WWW_GetWindowInfo topic
  • OLE (Object Linking and Embedding) using IWebBrowser2
  • Hooking (e.g. WinInet HttpSendRequest)
Example: Detecting the start of a banking session using DDE
Banker.CJM uses DdeConnect() with topic “WWW_GetWindowInfo” to query the current browser location from “iexplore”
  Topic: “WWW_GetWindowInfo”
  Service: “iexplore”
Analyzing Banking Trojans
1. Banking trojans filter out data
2. Trojans detect bank sites by URLs, window title strings and other “banking strings”
3. Strings are in the binary or downloaded from the web
4. The filter list is typically cleartext in memory
Banking trojans contain banking URLs in one form or another.
Analysis and categorization of banking trojans can be improved by looking for banking strings.
Mstrings
• F-Secure in-house lab tool for analyzing banking trojans
• Searches memory for known banking strings
• Features:
• Scans both user-mode and kernel memory
• Can automatically decrypt basic forms of encryption/obfuscation
• Has an updatable database with white listing
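An added example of the scanning approach described on the Analyzing Banking Trojans and Mstrings slides; this is not F-Secure's Mstrings code. It searches a memory buffer for a database of banking strings in plain, wide (UTF-16LE) and single-byte-XOR form by encoding each needle rather than decoding the buffer, and drops hits that sit inside a whitelisted benign context. The database entries, the whitelist entry and the memory region are all constructed for the example.

```python
from collections import namedtuple

# Constructed database: URL fragments and window titles of the kind a trojan's
# filter list carries (example values only, not real bank strings).
BANKING_STRINGS = [b"login.example-bank.test", b"Example Bank - Internet Banking",
                   b"www.example-bank.test"]
# Constructed whitelist: a benign context (public page found in any browser
# cache) in which a database string must not raise an alert.
WHITELIST = [b"www.example-bank.test/contact"]
Hit = namedtuple("Hit", "offset needle encoding")  # encoding: ascii, utf-16le, xor-0xNN

def _encoders():
    """Encode each needle every way the scanner understands and search the raw
    buffer for it (known-plaintext trick) instead of decoding the whole buffer."""
    yield "ascii", lambda s: s
    yield "utf-16le", lambda s: s.decode("ascii").encode("utf-16le")
    for key in range(1, 256):  # single-byte XOR, the commonest basic obfuscation
        yield f"xor-0x{key:02x}", (lambda s, k=key: bytes(b ^ k for b in s))

def _whitelisted(buf, pos, needle, enc, whitelist):
    """True if the bytes around the hit spell a whitelisted string (same encoding)."""
    for entry in whitelist:
        idx = entry.find(needle)
        if idx == -1:
            continue
        start = pos - len(enc(entry[:idx]))  # where the whitelist entry would begin
        if start >= 0 and buf[start:start + len(enc(entry))] == enc(entry):
            return True
    return False

def scan_memory(buf, strings=BANKING_STRINGS, whitelist=WHITELIST):
    """Scan a memory dump or process image for banking strings in all encodings."""
    hits = []
    for label, enc in _encoders():
        for needle in strings:
            pattern, pos = enc(needle), 0
            while (pos := buf.find(pattern, pos)) != -1:
                if not _whitelisted(buf, pos, needle, enc, whitelist):
                    hits.append(Hit(pos, needle.decode("ascii"), label))
                pos += 1
    return hits

# Constructed stand-in for a dumped trojan memory region: an XOR(0x5A)-obfuscated
# filter entry, a wide (UTF-16LE) window-title string and a benign whitelisted URL.
SAMPLE_MEMORY = (b"\x00" * 8 + bytes(b ^ 0x5A for b in b"https://login.example-bank.test/")
                 + b"\x00" * 8 + "Example Bank - Internet Banking".encode("utf-16le")
                 + b"\x00" * 8 + b"https://www.example-bank.test/contact")
```

Running scan_memory(SAMPLE_MEMORY) reports the XOR-obfuscated URL and the wide window title, while the plain contact-page URL is suppressed by the whitelist.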
Mstrings vs. Haxdoor.KI
Results from Analysis: Target?
• Test run had 5,244 samples
• 88 had banking strings
• Typically only a limited number of banks
• Typically targeted towards certain geographical areas
Results from Analysis: Geographical Spread
Targeted Countries: Australia, Austria, Brazil, Canada, France, Germany, Greece, Hong Kong, India, Ireland, Italy, Luxembourg, Netherlands, Philippines, Poland, Spain, Sweden, Turkey, UAE, United Kingdom, United States
Brazilian Banking Trojans Target Brazil
[Chart: Target distribution of the Banker family]
Target Distribution of Haxdoor Samples
[Chart: Number of Haxdoor detections added per month, 11/05-04/07]
The Brazilian Connection
• Brazilian Banking Trojans are local
  • Not really even targeting other South American countries
  • Made and distributed by local gangs
  • Distribution servers are typically not in Brazil
• There is a lot of Brazilian malware in general – not just Banking Trojans
  • Big population
  • A pioneer in online banking
  • A lot of new computer users coming online every day
Problems with the String Search Approach
• Filter Strings Downloaded from a Control Server
  • No filter string included
  • Control servers may already be down
• Strong Encryption
• Multipartite Malware
  • Plugin architecture; configuration needs to be correct
• Server Side Filtering
  • Roel’s last minute presentation
Summary
• Banking trojan phenomenon can be analyzed by looking at which banks are being targeted
• The problem is getting worse
  • Phishing has peaked already, banking trojans have not
  • Multifactor authentication → Local Session Riding
• Man-in-the-Browser attack problem will not be solved through user education
Thank you! Questions?