Spy Eye and Carberp the new banker trojans offensive




The common way for a wanna-be hacker to fulfil his sick aspirations is to obtain a known trojan (there are plenty on the Internet; sometimes they are called RATs, Remote Administration Tools) and use a crypter on the trojan executable file in an attempt to deceive the antivirus scanning engines based on file signatures. In the same spirit of using the simplest approach that does not require too much programming work, the vast majority of crypters are coded in Visual Basic 6, the most accessible programming language ever. Still, they are very dangerous because of the features they have: injecting code into legitimate processes, bypassing firewalls by using reverse connections, decrypting and stealing browser-saved passwords, elevation of privileges; and these are only the minor league on the trojan scale. In the major league there are rootkits and banker (banking) trojans, the best known being Zeus (aliases Zbot, Wsnpoem, Gorhax) and the newest, Spy Eye and Carberp, used by hackers to steal hundreds of millions of dollars from the victims. According to the statistics, most banker trojans are created in the Russian space but are used by hackers from around the world without distinction.

Taking note of the astonishing complexity of such a trojan, we can guess they are not the creation of a single person; instead a group of developers is involved in its creation, aspiring to the high financial returns. This is my opinion, however, and I must mention here a story about a self-proclaimed Russian author of the Spy Eye bot trojan, Gribodemon. He said in an interview that he developed this trojan because he needs $50,000,000. Hmmm, childish; nobody knows for sure if he's the real author of the Spy Eye trojan or a spokesman for a group of developers.
In comparison with the old common trojans, which use a two-executable system (client and server), the banking trojans use a more sophisticated system with configuration files and PHP files able to handle a MySQL database for storing stolen information on the server or for other nefarious tasks. While the first versions of the Zeus trojan targeted email or social network account credentials, its creators quickly specialised it in stealing banking account information, and banks from around the globe were targeted immediately. Though it still wreaks havoc, Zeus is a well-known banking trojan and a case study for the security solution vendors; all of its versions and even the Command and Control servers are tracked by governmental agencies. But things are far from over: two new banking trojans showing at least the same complexity as Zeus have come onto the scene, Spy Eye and Carberp. It seems these trojans are even rivals, since there is an option in the Spy Eye builder panel to eliminate the Zeus trojan from the victim's computer. There is a rumour these days about a mixture of Zeus and Spy Eye resulting in a super-trojan, and a few screenshots of the Builder Control Panel of this super-trojan have appeared on a few websites. Well, I don't believe this rumour; it's rather a version of Spy Eye trying to imitate the Zeus interface. If I'm worried about something, that's the Carberp trojan; it seems to exceed the other two trojans in complexity. The most common method used to infect a computer with these trojans is an exploit kit installed on a malicious website, which can as well be a hacked legitimate website. The links to these websites are offered to an innocent user via instant messaging platforms, via emails as spam, or are simply posted on dubious websites.
For example, a lot of Live-Cam porn websites provide links targeting these malicious domains; once an unaware user reaches such a website, the exploit kit system will automatically decide what exploit can be applied depending on the computer system configuration. A successful exploit can give the hacker a back door into the infected machine, granting him unlimited capabilities to install whatever malware he wishes. Very quickly the infected machine will become a zombie or drone, a computer found totally at the hacker's disposal and very often used for other nefarious activities like sending spam or attacking other computers, all of this, bear in mind, without the user's knowledge. Another method of infection is using malicious JavaScript or iframes. And things can be much more complicated when the hackers are using Pay-Per-Install (PPI) affiliates.

We will study the particular case of the Spy Eye trojan. The most important features of this trojan are:
- Using rootkit methods, it can hide its files and registry entries (ring 3 rootkit);
- It can run without Administrator privileges, from a Limited account, and still do its job;
- It can hook the web browser process and inject code into it. The supported browsers are Internet Explorer, Firefox and Maxthon;
- It can hook the wininet.dll and nspr4.dll API calls, therefore intercepting and controlling the traffic at will;
- It can steal sensitive data in real time even from an HTTP Secure (HTTPS) connection session;
- Using webinjects, it can inject forms into legitimate bank web pages urging the user to fill them in (for example, a card PIN number) and steal this data as well; this way, other additional security mechanisms the banks may implement for online clients are bypassed;
- Keylogger activity: it steals sensitive data entered by the victim in the bank web page fields (forms), hence the name of the feature, FormGrabber;
- Encrypted connections with the Command & Control (C&C) server;
- Encrypted configuration file;
- It can automatically fill in the payment credit card fields via the Admin Control Panel for various hacker needs; the hacker only indicates what credit card info is to be used and the amount that must be charged. This task is performed via another infected computer from the BotNet, running Internet Explorer in invisible mode;
- It runs on all Windows versions, including Windows 7;
- It automatically sends another set of logs (back-up logs) to an email account.

I've tested the Spy Eye version 1.1.39 and 1.2.60 builders; they are not the newest, but that's what came into my hands. Here are the builder Control Panels:

(image: spy_eye_builder)

For an unknown reason, I was not able to build a working trojan server with this version, 1.2.60, so I've used v1.1.39 for the tests.

These trojans come as a kit; there is also a server side, a whole Admin Control Panel system with capabilities to use a MySQL database, configuration files and a lot of other PHP files needed to create and administer the botnet. This is the main logo of the Admin Panel. As you can see, there is an option Kill Zeus; if this is checked, the Spy Eye trojan will delete the Zeus banker trojan executable file on the infected computer. After building the trojan with version 1.1.39 of the builder, the result was an executable file named build.exe and a config.bin file with the following encrypted content (just an excerpt viewed in Notepad; I insert it as an image because this code corrupts the RSS feed):

(image: config_bin)

The actions performed on the system by the newly built trojan, build.exe, were logged by the Sandboxie add-on, BSA:

[ General information ]
* File name: g:\newegg\spyeye\spyeye\spyeye v1.1.39\build.exe
* File length: 115712 bytes
* File signature: Borland Delphi 3.0 (???)
* MD5 hash: b2ba487148172aa7763b9bad4673c023
* SHA1 hash: e62caab1bd8a67bbc7bc64adda38d7545b3ff2f0
* SHA256 hash: cb8365c56f03e4a8e5c1707dbdf37d158cf2d5e85b5db5c4d7aea011d69801cd
[ Changes to filesystem ]
* Creates file C:\cleansweep.exe\cleansweep.exe
* Creates file C:\cleansweep.exe\config.bin
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\a443_appcompat.txt
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Creates value cleansweep.exe=c:\cleansweep.exe\cleansweep.exe in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN
* Injects code into process.
* Creates process C:\cleansweep.exe\cleansweep.exe,(null),(null)) [g:\newegg\spyeye\spyeye\spyeye v1.1.39.
* Creates a mutex SPYNET.

Here is the virustotal.com report for the build.exe file; as you can see (35/43 (81.4%) detection rate), even if these Spy Eye versions are rather old, there still exists antivirus software that fails to detect it. However, a common antivirus software cannot assure 100% effective protection against this type of sophisticated trojan. A solution for safe browsing, and therefore a solution to prevent Spy Eye, Zeus or Carberp infection with zero-day versions, can be a sandboxed browser (using Sandboxie, for example); in this case an exploit kit has no effect against the computer operating system. Another solution can be Prevx SafeOnline, but as a complement to an up-to-date antivirus. Keep safe!

[EDIT] Here is another analysis of a Spy Eye banker trojan caught in the wild cyberzone. This analysis is much more descriptive than the previous one; it seems I've used a faulty Builder to build and test the trojan. However, the following analysis is for a working, in-the-wild Spy Eye trojan.
[ General information ]
* File name: c:\documents and settings\administrator\desktop\name\build who.exe
* File length: 241664 bytes
* File signature: UPX [com]
* MD5 hash: d7578e550c0a4d4aca0cfd01ae19a331
* SHA1 hash: c084e64c5cc19cb72b947ba205463051697aee9b
* SHA256 hash: 3d509341107a9577899918ef3b2b63ceda0fcbcd09976e79e94610a3cf674b8a
[ Changes to filesystem ]
* Creates file C:\mydnswatch\config.bin
* Creates file C:\mydnswatch\mydnswatch.exe
* Deletes file C:\Documents and Settings\Administrator\Desktop\name\build who.exe
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Empties value EnabledV8 in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter old value EnabledV8=00000001
* Empties value ShownServiceDownBalloon in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter old value ShownServiceDownBalloon=00000001
* Empties value WarnOnPost in key Settings old value WarnOnPost=01000000
* Modifies value SavedLegacySettings=46000000D0120000010000000000000000000000000000000000000000000000C0C2EB740031CB0101000000C0A80165000000000000000000000000 in key Settings\Connections old value SavedLegacySettings=460000CB120000010000000000000000000000000000000000000000000000C0C2EB740031CB0101000000C0A80165000000000000000000000000
Settings\Lockdown_Zones\1 old value 1406=00000001 Settings\Lockdown_Zones\3 Settings\Lockdown_Zones\4 Settings\Zones\0 Settings\Zones\0 Settings\Zones\1 Settings\Zones\1 Settings\Zones\1 old value 1406=00000001 Settings\Zones\2 Settings\Zones\2 Settings\Zones\2 Settings\Zones\3 Settings\Zones\3 Settings\Zones\3 Settings\Zones\4 Settings\Zones\4 Settings\Zones\4
* Creates value mydnswatch.exe=c:\mydnswatch\mydnswatch.exe in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox
[ Network services ]
* Looks for an Internet connection.
* Backdoor functionality on port 0.
* Connects to 127.0.0.1 on port 1527.
* Connects to 213.246.38.29 on port 7010.
* Connects to 91.200.240.7 on port 80.
[ Process/window information ]
* Creates a mutex gf4ggd4gdh5gdhg.
* Enumerates running processes.
* Creates process C:\mydnswatch\mydnswatch.exe,(null),(null).
* Injects code into process c:\documents and settings\administrator\desktop\name\build who.exe.
* Creates a mutex Local\_!MSFTHISTORY!_.
* Creates a mutex Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!.
* Creates a mutex Local\c:!documents and settings!administrator!cookies!.
* Creates a mutex Local\c:!documents and settings!administrator!local settings!history!history.ie5!.
* Creates a mutex RasPbFile.
* Lists all entry names in a remote access phone book.
* Opens a service named RASMAN.
* Opens a service named Sens.
* Creates a mutex Local\ZonesCounterMutex.
* Creates a mutex Local\!IETld!Mutex.
* Creates a mutex Local\c:!documents and settings!administrator!ietldcache!.
* Creates a mutex Local\ZoneAttributeCacheCounterMutex.
* Creates a mutex Local\ZonesCacheCounterMutex.
* Creates a mutex Local\ZonesLockedCacheCounterMutex.
* Opens a service named RemoteAccess.
* Opens a service named Router.
* Creates a mutex L6L6L6L6L6L6L6L6L6L6L6L6L6L6LLL.

The virustotal.com report does not look so good: only 19/43 (44.2%) detection rate, that's poor, even big names such as Kaspersky fail to detect it. 91.200.240.7 is the malware server IP (C&C) in this case.
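As an added example (my own code, not from the original post or from BSA), the following Python script parses a report excerpt in the BSA layout shown above, constructed from the entries of the second analysis, and pulls out what a responder needs from it: the Run-key persistence, the routable C&C peers (the loopback connection is the bot's own local proxy), the Internet Explorer PhishingFilter tampering, the bare mutex that marks an infected host, and the process injection. The function names and regexes are mine; the regexes follow the exact phrasing of the report lines reproduced in the post.

```python
import ipaddress
import re
# Constructed excerpt in the Buster Sandbox Analyzer (BSA) layout the post reproduces;
# the entries are copied from the post's second report (an in-the-wild Spy Eye build).
SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\mydnswatch\config.bin
* Creates file C:\mydnswatch\mydnswatch.exe
[ Changes to registry ]
* Empties value EnabledV8 in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter old value EnabledV8=00000001
* Creates value mydnswatch.exe=c:\mydnswatch\mydnswatch.exe in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN
[ Network services ]
* Connects to 127.0.0.1 on port 1527.
* Connects to 213.246.38.29 on port 7010.
* Connects to 91.200.240.7 on port 80.
[ Process/window information ]
* Creates a mutex gf4ggd4gdh5gdhg.
* Creates a mutex Local\ZonesCounterMutex.
* Injects code into process c:\documents and settings\administrator\desktop\name\build who.exe.
"""

# One regex per BSA line type of interest; BSA output is free text, so the
# patterns follow the exact phrasing shown in the post's reports.
LINE_PATTERNS = {
    "dropped_files": re.compile(r"^\* Creates file (.+)$"),
    "run_entries": re.compile(r"^\* Creates value (.+?)=(.+?) in key (.+\\CurrentVersion\\RUN)$", re.I),
    "weakened_settings": re.compile(r"^\* Empties value (\w+) in key (.+?) old value \1=(\w+)$"),
    "connections": re.compile(r"^\* Connects to (\d{1,3}(?:\.\d{1,3}){3}) on port (\d+)\.$"),
    "mutexes": re.compile(r"^\* Creates a mutex (.+?)\.?$"),
    "injections": re.compile(r"^\* Injects code into process (.+?)\.?$"),
}

def parse_bsa_report(text):
    """Group matching report lines by LINE_PATTERNS name (tuples for multi-group patterns)."""
    found = {name: [] for name in LINE_PATTERNS}
    for line in text.splitlines():
        for name, pattern in LINE_PATTERNS.items():
            m = pattern.match(line.strip())
            if m:
                found[name].append(m.groups() if m.re.groups > 1 else m.group(1))
                break
    return found

def triage(found):
    """Summarise the parsed report the way a responder reads it: persistence, routable
    peers (loopback is the bot's local proxy, not C&C), disabled browser protections,
    the bare mutex marking an infected host, and whether code injection was seen."""
    remote = [ip for ip, _port in found["connections"] if not ipaddress.ip_address(ip).is_loopback]
    return {
        "persistence": [f"{name} -> {path}" for name, path, _key in found["run_entries"]],
        "c2_candidates": sorted(remote),
        "phishing_filter_disabled": any("PhishingFilter" in key for _v, key, _o in found["weakened_settings"]),
        "mutex_markers": [m for m in found["mutexes"] if not m.startswith("Local\\")],
        "process_injection": bool(found["injections"]),
    }
```

Running `triage(parse_bsa_report(SAMPLE_REPORT))` yields the Run-key entry, the two routable peers, the PhishingFilter flag, the mutex gf4ggd4gdh5gdhg and the injection flag; the same Local\ mutex filter keeps the IE housekeeping mutexes from the full report out of the host marker list.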