Advance of Bank Trojan
Nov 2005
Current threat from Bank Trojans
• Steals online banking information, typically user names and passwords.
• PWSteal.JGinko targets Japanese banks. (Trojan-Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend Micro])
• These Trojans are tightly coupled to Internet Explorer: they run inside the browser rather than beside it.
Submission increase
• Symantec receives almost 2 million sample submissions per year.
• The rate of submissions is increasing.
• Are Bank Trojan submissions increasing too?
PWSteal.Bancos submissions
• Why have submissions decreased?
How samples are collected
• User submissions
• Honeypots
• Routine patrol of web sites (adware, spyware)
• Brightmail
• BBS
Japanese banks vs. Bank Trojans
• PWSteal.Bancos originally targeted Brazilian banks.
• Support was then added for German and English banks.
• PWSteal.Jginko targets only Japanese banks.
• PWSteal.Jginko monitors 27 domains.
• PWSteal.Bancos.T monitors 2,746 domains.
PWSteal.Jginko domains
• resonabank.anser.or.jp, btm.co.jp, ebank.co.jp
• japannetbank.co.jp, smbc.co.jp, yu-cho.japanpost.jp
• ufjbank.co.jp, mizuhobank.co.jp
• shinseibank.co.jp, iy-bank.co.jp
• shinkinbanking.com, shinkin-webfb-hokkaido.jp
• shinkin-webfb.jp
• And more
Other Bank Trojans also target regional banks
• 82bank.co.jp, akita-bank.co.jp
• all.rokin.or.jp, toyotrustbank.co.jp
• hyakugo.co.jp, chibabank.co.jp
• fukuibank.co.jp, gunmabank.co.jp
• hirogin.co.jp, hokugin.co.jp
• joyobank.co.jp, nishigin.co.jp
• And more
Security measures taken by Japanese banks recently
• Software (on-screen) keyboard
• Strong password requirements
• Challenge and response with a one-time key
• Anti-phishing mail measures
• Login restricted by IP address
• SSL
Advantages of a Bank Trojan over a KeyLogger
• These Trojans are not KeyLogger.Trojans.
• Stealth techniques can be used.
• Intercepts transaction information.
• Silent download.
• Silent update.
Bank Trojans are not KeyLogger.Trojan
• Old KeyLoggers log keystrokes and send the logged data.
• It is difficult to know which application the user was using.
• The log contains the user's typing errors (passeo[Back Space][Back Space]word).
• It is difficult to know when the user moved to a different input field.
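To make the "passeo[Back Space][Back Space]word" problem concrete, here is a keystroke-log replayer of the kind an analyst writes to recover field contents from a KeyLogger.Trojan dump. It is an added example, not code from the Symantec presentation; the log format (plain characters, special keys in square brackets) and the sample log are constructed for illustration.

```python
import re
from typing import List

# Log format assumed for this example: plain characters as typed, special keys
# as bracketed names such as [Back Space], [Tab], [Enter].  Not any real logger's format.
TOKEN_RE = re.compile(r"\[([A-Za-z ]+)\]|(.)", re.DOTALL)

# Constructed sample: a user name, Tab to the password field, a typo corrected with
# two backspaces, then Enter.
SAMPLE_LOG = "user1[Tab]passeo[Back Space][Back Space]word[Enter]"


def replay_keystrokes(log: str) -> List[str]:
    """Replay a keystroke log into the final text of each input field.

    Plain characters append to the current field, [Back Space] deletes the last
    character, [Tab] starts a new field.  Other special keys are dropped.  A mouse
    click into another field leaves no trace in the log, so text typed after such a
    click is wrongly appended to the previous field: the logger cannot tell.
    """
    fields: List[List[str]] = [[]]
    for key, ch in TOKEN_RE.findall(log):
        if ch:
            fields[-1].append(ch)
        elif key == "Back Space":
            if fields[-1]:
                fields[-1].pop()
        elif key == "Tab":
            fields.append([])
    return ["".join(f) for f in fields]


if __name__ == "__main__":
    print(replay_keystrokes(SAMPLE_LOG))
```

The replay recovers "user1" and "password" from the sample, but only because the focus change was a Tab. The same user reaching the password field with the mouse produces a single field "user1password", which is the ambiguity the slide describes, and a DOM-reading Trojan never has this problem because it reads the finished field value.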
Stealth techniques used by Bank Trojans
• Works inside Internet Explorer.
• A personal firewall does not stop Internet Explorer's HTTP traffic, so code running in the IE process (BHO, injected DLL, layered service provider) is not stopped either.
• Injects itself into other processes.
• A rootkit component may hide files or protect them from security applications.
• Hides its network traffic from the system to avoid detection.
Intercept transaction
• These Trojans can hook specific procedure calls.
• These Trojans can inject themselves into an application.
• HTTPS does not help if the data is intercepted before it is encrypted or after it is decrypted.
Silent download / silent update techniques
• The Trojan may close the alerts raised by Windows Firewall.
• Deletes the Zone.Identifier stream, so the downloaded file is no longer marked as coming from the Internet and no warning is shown when it runs.
• Adds itself to the Authorized Applications list, bypassing the firewall.
Technique: Inject
• Task Manager can enumerate processes.
• Task Manager never enumerates the DLLs loaded inside a process.
• What if IEXPLORE.EXE could be made to call LoadLibrary on the Trojan's DLL?
• VirtualAllocEx: allocate memory in the IEXPLORE.EXE process for the DLL path.
• WriteProcessMemory: write the DLL path into that memory.
• GetProcAddress: find LoadLibrary in kernel32.dll, which on Windows XP is mapped at the same address in every process.
• CreateRemoteThread: start a thread in IEXPLORE.EXE at LoadLibrary with the path as its argument.
Technique: BHO
• A Browser Helper Object is an additional software component (a COM DLL) that is loaded when Internet Explorer starts.
• When a BHO sends data, it looks as if the data was sent by Internet Explorer.
• The BHO cannot be seen in Task Manager.
Loading BHO
• (diagram) How Internet Explorer loads and initializes helper objects.
Is Secure Sockets Layer secure?
• (diagram) The Trojan picks up the data before Internet Explorer encrypts it: the path up to "Pickup data" is labelled Not Secure, the path after "Encrypt data" is labelled Secure.
Technique: Intercept transaction
• DWebBrowserEvents2 (browser events), IHTMLDocument2 (the page's DOM)
• onmouseover
• Whether the user pressed "A" on the keyboard or "A" was filled into the field by a software keyboard, the value ends up in the DOM.
• onsubmit: the Trojan reads the field values when the form is submitted, before they are encrypted.
Technique: Silent update
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
• Value data: "<path to executable>:*:Enabled:<friendly name>" (scope "*" = any remote address, state Enabled, then the display name)
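The registry list above is also what a responder checks on a suspected machine. The following is an added example, not code from the Symantec presentation: it parses AuthorizedApplications entries in the "path:scope:state:name" format and flags ones that look self-registered. The sample entries are constructed, and the suspicion heuristics (empty friendly name, executable in a user-profile or temp directory) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Value data format of each entry under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
#   \StandardProfile\AuthorizedApplications\List   (Windows XP SP2):
#   "<path>:<scope>:<Enabled|Disabled>:<friendly name>"
# The path itself contains a drive-letter colon, so the path group is non-greedy and
# the match is pinned by the Enabled/Disabled keyword.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)


@dataclass
class FirewallEntry:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_entry(value_data: str) -> FirewallEntry:
    m = ENTRY_RE.match(value_data)
    if m is None:
        raise ValueError(f"unrecognised AuthorizedApplications entry: {value_data!r}")
    return FirewallEntry(m["path"], m["scope"], m["state"] == "Enabled", m["name"])


# Heuristics are this example's own: a Trojan that registers itself typically leaves the
# friendly name empty (as on the slide) and runs from a drop location it could write to.
DROP_DIRS = ("\\documents and settings\\", "\\temp\\")


def suspicious(entry: FirewallEntry) -> List[str]:
    reasons = []
    if entry.enabled and not entry.name:
        reasons.append("enabled entry with empty friendly name")
    if any(d in entry.path.lower() for d in DROP_DIRS):
        reasons.append("executable runs from a user-profile or temp directory")
    return reasons


def audit(list_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each value name (the executable path) to the reasons it looks suspicious."""
    findings = {}
    for value_name, data in list_values.items():
        reasons = suspicious(parse_entry(data))
        if reasons:
            findings[value_name] = reasons
    return findings


# Constructed sample of a List key from an infected machine; the two unnamed entries
# are the kind a Trojan writes for itself.
SAMPLE_LIST = {
    r"C:\Program Files\Internet Explorer\iexplore.exe":
        r"C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer",
    r"C:\WINDOWS\system32\iexplorer.exe":
        r"C:\WINDOWS\system32\iexplorer.exe:*:Enabled:",
    r"C:\Documents and Settings\user\Local Settings\Temp\update.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\update.exe:*:Enabled:",
}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_LIST).items():
        print(path, "->", "; ".join(reasons))
```

On a live machine the value name/data pairs come from exporting the List key with reg.exe or reading it with a registry API; the point of the check is that an entry with no friendly name and scope "*" is exactly what the slide's ":*:Enabled:" value looks like once a path is filled in.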
Challenge and response (User, Trojan, Bank)
• User sends the user name; the Trojan sends the user name on to the bank.
• Bank answers with a random "Challenge"; the Trojan passes the "Challenge" back to the user.
• User calculates a one-time password from the "Challenge" and sends it; the Trojan sends the one-time password to the bank.
• Bank: Accepted. The Trojan answers the user with a fake error page and uses the authenticated session to transfer money.
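The sequence above, simulated end to end as an added example (not code from the Symantec presentation). Bank, token and Trojan are in-process stand-ins; the HMAC-based one-time password is an assumed scheme chosen for illustration, not any bank's real one. The same simulation also shows the earlier SSL point: the Trojan sits in the browser, so it sees the challenge and the one-time password before encryption and can relay them untouched. A second mode binds the one-time password to the transfer details, which is what defeats the substitution.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def compute_otp(secret: bytes, *parts: str) -> str:
    """One-time password as both the user's token and the bank compute it:
    HMAC-SHA256 over the challenge (and, with transaction signing, the transfer
    details) truncated to 8 hex digits.  Assumed scheme for this example."""
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:8]


class Bank:
    """Stand-in for the bank back end.  sign_transactions=False is the scheme on the
    slide (challenge/response at login only); True also binds an OTP to each transfer."""

    def __init__(self, users: Dict[str, bytes], sign_transactions: bool = False):
        self.users = users                        # user name -> token secret
        self.sign_transactions = sign_transactions
        self.challenges: Dict[str, str] = {}      # user name -> outstanding challenge
        self.sessions: Dict[str, str] = {}        # session id -> user name
        self.transfers: List[Tuple[str, str, int]] = []

    def login(self, user: str) -> str:
        self.challenges[user] = secrets.token_hex(8)   # random "Challenge"
        return self.challenges[user]

    def authenticate(self, user: str, otp: str) -> Optional[str]:
        challenge = self.challenges.pop(user, None)    # single use, consumed on any attempt
        if challenge is None or not hmac.compare_digest(otp, compute_otp(self.users[user], challenge)):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid                                     # "Accepted"

    def transfer(self, sid: str, to: str, amount: int, tx_otp: str = "") -> bool:
        user = self.sessions[sid]
        if self.sign_transactions:
            # The OTP must cover the destination and amount the bank actually received.
            expected = compute_otp(self.users[user], "tx", to, str(amount))
            if not hmac.compare_digest(tx_otp, expected):
                return False
        self.transfers.append((user, to, amount))
        return True


def run_scenario(sign_transactions: bool) -> Tuple[bool, List[Tuple[str, str, int]]]:
    """Replay the slide's sequence with a man-in-the-browser Trojan between user and bank."""
    secret = b"constructed-token-seed"      # constructed shared secret of the user's token
    bank = Bank({"alice": secret}, sign_transactions)
    intended = ("landlord", 500)            # what the user meant to do
    mule = ("mule-account", 500)            # what the Trojan does instead

    # 1-2. User name goes to the bank and the challenge comes back; the Trojan sees
    #      both in the clear inside the browser and relays them unchanged.
    challenge = bank.login("alice")
    # 3.   The user's token answers the real challenge; the Trojan forwards the OTP as is.
    sid = bank.authenticate("alice", compute_otp(secret, challenge))
    if sid is None:
        raise RuntimeError("login should succeed: the Trojan did not touch the OTP")
    # 4.   Accepted.  The Trojan shows the user a fake error page and submits its own
    #      transfer on the authenticated session.  With transaction signing, the OTP the
    #      user computed covers the transfer they intended, not the Trojan's.
    tx_otp = compute_otp(secret, "tx", intended[0], str(intended[1])) if sign_transactions else ""
    accepted = bank.transfer(sid, mule[0], mule[1], tx_otp)
    return accepted, bank.transfers


if __name__ == "__main__":
    print("login-only challenge/response:", run_scenario(False))
    print("transaction signing:          ", run_scenario(True))
```

Login-time challenge/response authenticates the session, and the Trojan simply uses that session; the transfer only fails when the one-time password itself commits to the destination and amount. That still depends on the user entering the real details into the token: a Trojan that also rewrites what the page shows can only be beaten if the confirmation happens on a device it does not control.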
Thank You! Hiroshi Shinotsuka Hiroshi_Shintosuka@symantec.com