ZeuS MitMo


Presentation Transcript


  1. ZeuS MitMo Mikel Gastesi 2011-02-25 S21sec e-crime analyst http://nullcon.net/

  2. ZeuS MitMo • Introduction • Banking protections • Banking trojans • ZeuS / Zbot • ZeuS MitMo • Conclusion

  3. Introduction

  4. Introduction • Target • Why the user??

  5. Banking protections • User / password • User / password + extra password for transactions • Code card • OTP • mTAN = mobile Transaction authentication number

  6. Cat and mouse game • User / password → Form grabbing • User / password + extra password for transactions → Form grabbing • Code card → HTML injection • OTP • mTAN = mobile Transaction authentication number → Zitmo, MitB • Token?

  7. Attacking the user • Phishing • Trojans • One shot trojans • Modifying host file • Form grabbing • HTML injection

  8. Banking trojans ZeuS / Zbot, SpyEye, Bankpatch, SilentBanker, Sinowal, Gozi, Carberp, …

  9. Zbot • You can buy it for less than 600$! • Easy to install • Easy to configure • Creates an easy-to-manage botnet • Very powerful • Add-ons • IM / Jabber • Zitmo has been seen for sale!! ¿?¿?

  10. Zbot Characteristics: • Creates a botnet • Configuration file update • Binary file update • /etc/hosts modification • Socks proxy • HTML injection • HTML redirection
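The "/etc/hosts modification" characteristic above is the one a defender can verify directly on a host: a trojan that pins the bank's hostname in the hosts file sends the browser to an address of its choosing without any DNS lookup. The following is an added example, not code from the slides or from S21sec, that parses a hosts file and flags any monitored bank domain (or subdomain) pinned to any address as a high-severity finding, and any other non-default entry for review. The watch-list domains, the addresses and the sample hosts file are constructed placeholders.

```python
"""Added example (not from the nullcon slides): a defensive check for the
"/etc/hosts modification" technique on the Zbot characteristics slide.
It parses hosts-file syntax and reports (a) any entry naming a monitored
bank domain, whatever the address, and (b) any entry beyond the default
loopback names, for review. All names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed watch list: names that must never be pinned in a hosts file.
WATCHED_DOMAINS: Tuple[str, ...] = ("bank.example", "onlinebanking.example")

# Names distributions ship in hosts by default; they are not findings.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    name: str


@dataclass(frozen=True)
class Finding:
    lineno: int
    name: str
    address: str
    severity: str   # "high" for a watched domain, "review" for other non-default pins
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<address> <name> [alias ...]' lines; '#' starts a comment."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # not a valid address field; the resolver ignores it too
        for name in fields[1:]:
            entries.append(HostsEntry(lineno, address, name.lower().rstrip(".")))
    return entries


def is_watched(name: str, watched=WATCHED_DOMAINS) -> bool:
    """True for a watched domain itself or any subdomain of it (www.bank.example)."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(text: str, watched=WATCHED_DOMAINS) -> List[Finding]:
    findings: List[Finding] = []
    for e in parse_hosts(text):
        if is_watched(e.name, watched):
            findings.append(Finding(e.lineno, e.name, str(e.address), "high",
                                    "monitored bank domain pinned in hosts file"))
        elif e.name not in LOCAL_NAMES:
            findings.append(Finding(e.lineno, e.name, str(e.address), "review",
                                    "non-default hosts entry"))
    return findings


# Constructed sample, not a real hosts file (192.0.2.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    printer.corp.example          # legitimate LAN entry
192.0.2.10      www.bank.example bank.example # what a Zbot-style pin looks like
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.severity:6} {f.name} -> {f.address} ({f.reason})")
```

On the constructed sample the check reports the LAN printer for review and both bank names on line 5 as high, regardless of where they point; a loopback pin of a bank name (blackholing the real site) is caught the same way.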

  11. Zbot Characteristics: • Screenshots • Captures virtual keyboards • Captures form data • Steals certificates • KillOS function! • Encrypts configuration file and data

  12. Zbot

  13. Zbot

  14. Zbot • Why does it work so well? • Stealth • User doesn’t see anything wrong • Green lock + https = OK?? #FAIL

  15. Zbot

  16. Zbot

  17. Zbot

  18. Zbot Screen capture

  19. Zbot Redirection

  20. Zbot

  21. Jumping to the phone

  22. Attacking phones • Today - Why? • Stealing OTP • Hiding information messages (instead of SMS flooding) • Avoid detection of MitB • Blocking incoming calls • Prevents communicating with bank • No mail • No SMS • No phone call

  23. Attacking phones • Today and Tomorrow – Why? • False security perception • 2 factors → 1 factor • Personal information • Passwords of a lot of services, social networks, etc. • Password reuse?

  24. Implementation • OTP != mTAN • Hardware token • Ownable platform • How do you configure your phone number?

  25. Zitmo (diagram: CREDENTIALS · 0023424 : OTP · COMMANDS)

  26. Zitmo Zeus 2.0.8.9 with custom injection

  27. Zitmo Fake SMS to install the trojan (one-time URL)

  28. Zitmo • Platforms • Symbian • BlackBerry • Windows Mobile • Targets • Spanish banks on September (+1 German) • Polish banks this week (+ Portugal…) • ZitMo depends only on the PC ZeuS config

  29. Zitmo • How does it work? • Preconfigured admin phone number • Hello message: “App installed OK” • Resend messages • Inspired by “SMS Monitor”

  30. Zitmo • Commands: • Set admin • Sender add • Sender rem • Block on • Block off • Set sender
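Slides 29 and 30 give a defender everything needed to recognise this traffic in a handset's SMS log: a hello message sent to a preconfigured admin number, plain-text commands arriving from a controller, and incoming bank messages being re-sent to a third number. The following is an added example, not code from the slides or from S21sec, that walks a chronological SMS log and raises an indicator for each of those three behaviours (it also includes the UNINSTALL 45930 command from the later "ZitMo reloaded" slide). The log layout, the phone numbers, the bank sender id and the message texts are constructed; the 555-01xx numbers are a range reserved for fiction.

```python
"""Added example (not from the nullcon slides): triage of a handset SMS log
for the Zitmo behaviour the slides list: a preconfigured admin number, an
"App installed OK" hello message, text commands (Set admin, Sender add,
Sender rem, Block on, Block off, Set sender, UNINSTALL 45930) and re-sending
of incoming messages, which is how the mTAN leaves the phone.
The log layout, numbers and message texts are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Command vocabulary from the slides; matched case-insensitively at the start of the text.
COMMAND_PATTERNS = {
    "set_admin":  re.compile(r"^\s*set\s+admin\b", re.I),
    "set_sender": re.compile(r"^\s*set\s+sender\b", re.I),
    "sender_add": re.compile(r"^\s*sender\s+add\b", re.I),
    "sender_rem": re.compile(r"^\s*sender\s+rem\b", re.I),
    "block_on":   re.compile(r"^\s*block\s+on\b", re.I),
    "block_off":  re.compile(r"^\s*block\s+off\b", re.I),
    "uninstall":  re.compile(r"^\s*uninstall\s+45930\b", re.I),
}
HELLO_PATTERN = re.compile(r"^\s*app\s+installed\s+ok\s*$", re.I)
CODE_PATTERN = re.compile(r"\b\d{4,8}\b")   # a bank message carrying an mTAN-like code


@dataclass(frozen=True)
class Sms:
    direction: str   # "in" (received) or "out" (sent)
    peer: str        # the other party's number or alphanumeric sender id
    text: str


@dataclass(frozen=True)
class Indicator:
    kind: str        # control_command | install_beacon | forwarded_mtan
    detail: str
    message: Sms


def classify_command(text: str) -> Optional[str]:
    """Name of the Zitmo command the text matches, or None."""
    for name, pattern in COMMAND_PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def triage(messages: Iterable[Sms], bank_senders: Set[str]) -> List[Indicator]:
    """Walk a chronological log and collect Zitmo-style indicators.

    bank_senders are the sender ids the bank legitimately uses for mTANs."""
    indicators: List[Indicator] = []
    bank_codes: Dict[str, str] = {}    # inbound bank text -> sender id
    for m in messages:
        if m.direction == "in":
            cmd = classify_command(m.text)
            if cmd is not None:
                indicators.append(Indicator("control_command", cmd, m))
            elif m.peer in bank_senders and CODE_PATTERN.search(m.text):
                bank_codes[m.text.strip()] = m.peer
            continue
        # outbound
        if HELLO_PATTERN.match(m.text):
            indicators.append(Indicator("install_beacon", m.peer, m))
            continue
        if m.peer in bank_senders:
            continue
        # an outbound copy of a bank code message to a third number is a forwarded mTAN
        for bank_text, sender in bank_codes.items():
            if bank_text in m.text:
                indicators.append(Indicator("forwarded_mtan", f"{sender} -> {m.peer}", m))
                break
    return indicators


def suspected_control_numbers(indicators: Iterable[Indicator]) -> Set[str]:
    """Numbers that issued commands or received the beacon/forwards: block-list candidates."""
    return {i.message.peer for i in indicators}


# Constructed log; 555-01xx numbers are reserved for fiction.
SAMPLE_LOG = [
    Sms("in",  "+15550100", "Set admin +15550199"),
    Sms("out", "+15550199", "App installed OK"),
    Sms("in",  "MYBANK",    "Your mTAN for transfer 250.00 EUR is 0023424"),
    Sms("out", "+15550199", "MYBANK: Your mTAN for transfer 250.00 EUR is 0023424"),
    Sms("in",  "+15550123", "see you at 8"),
    Sms("out", "+15550123", "ok, 8 it is"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG, {"MYBANK"})
    for ind in found:
        print(f"{ind.kind:16} {ind.detail:22} {ind.message.direction}:{ind.message.peer} {ind.message.text!r}")
    print("block-list candidates:", sorted(suspected_control_numbers(found)))
```

The forwarded-mTAN rule matches the bank's text verbatim inside an outbound message because the trojan re-sends what it received; a handset log that only keeps outbound traffic would need the beacon and command rules alone. The two constructed "see you at 8" messages show that ordinary chat with a number that carries a digit does not trigger anything.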

  31. Zitmo Mikel, don’t forget the video!!!

  32. ZitMo reloaded ZeuS version 3.1.8 → Fake?

  33. ZitMo reloaded New UNINSTALL 45930 command

  34. ZitMo reloaded Set admin App installed ok

  35. ZitMo reloaded Android version??? → FAKE?

  36. Conclusions • Real threat, actively used • Defeats OTP (mTAN) • To think: 2 factor authentication is becoming single authentication! • Android > Symbian • Same scenario? • Installing from the web android market?

  37. Questions?

  38. Thank you!!! Contact: mgastesi@s21sec.com
