Home /
Users' blogs / Tag: Trojan
Read more »
Rating:
+1
In this review we will consider recent trends in the attacks implementation on Internet banking users. We will revise the most popular forms of attacks and analyze the Trojan Banker which attacks iToken client. Trojan-Banker.Win32.Delf.bz suggests that the attackers apply social engineering techniques to steal confidential data and can gain an access to user’s bank account.necessarily offered to update iToken software at the same time it is required to enter customers authentication data, what is oddly enough, and moreover, one-time passwords from iToken at the end. Man-in-the-Browser (MitB ) attack ), but enjoy users’ confidence and complexity of two-factor authentication.Man-in-the-Middle (MitM) atack and involves infection of the browser or the whole system at a client side, where it is possible to modify the page, the content of bank transactions or add unauthorized user transaction. Thus, an attacker using a Trojan program can change the account number of the recipient and redirect the funds at attacker’s discretion. Furthermore, this transaction will be carried out under the user authentication in the same session and from the same computer, making it difficult to track this kind of bank transactions.verification of bank transactions is used by sending the user notification withdrawn from the account funds. However, using a browser that is running the Trojan does not guarantee the authenticity of such verification, as malware can change the displayed data. One of the methods is the verification of out-of-band (OOB ) , when a notice is sent via an alternative channel without using a browser or infected system as a whole. One way to verify the OOB is using SMS-banking and a mobile phone to receive notifications on transactions within the account. In this case, the probability of compromising both channels simultaneously is almost equal to zero.«Defense technology of online banking» . We recall only that iToken stick generates OTPs on a specific algorithm that is determined by the bank. To protect against theft or loss of token, many models generate next password only after PIN entering.Quote: For your safety iToken Itau is to be updated to version 2.5
"Design and Test Lab, Ltd." 2010
Rating:
0
This large analytical article narrates about rootkits and anti-rootkits. A number of existing tools that combat this class of Trojan programs is compared. 1.Anti-rootkits Below you can see comparative testing of advanced rootkits detection by some anti-rootkits. The automatic products of the following antivirus software vendors were tested. AVG Antirootkit Description: This program is designed for hidden files revelation and removal. Hidden files are revealed using high-level and low-level API output comparison. The program can analyze the structure of the registry and also has a driver-monitor that can reveal hidden processes. The tool runs automatically; the user needs to click on the button "Search for rootkits". The installation did not cause any difficulties. Avira Antirootkit Description: Program's functional is the same as in the previous, but one of the Avira products and run-time libraries of Microsoft Visual Studio 2008 are needed for running. It runs automatically when you click "Start Scan". Sophos Antirookit Description: Functions of the program are the same as in previous ones. It requires no additional installed components and runs automatically. Rootkit Unhooker Description: 2. Rootkits Rootkits that use advanced methods to hide their bodies on the hard disk and in the system are tested. Each rootkit uses unique technology of hiding that can be a basis for creating a class of such malicious programs. Also all selected rootkits were not detected by most antivirus software and for their detection and removal the individual solutions are required. Brief description of all rootkits is given below: Backdoor.Win32.TDSS.akv The rootkit creates its executable file under the following name: %System%\drivers\TDSSserv.sys The rootkit hides the files starting with the "TDSS". The IRP dispatch hooking is used to hide the files. Following handlers are hooked: IopfCallDriver This method allows filtering of IRP packets that enter to any loaded drivers in the system for any MajorFunction request processing. This method is very efficient in user mode and kernel mode, and provides a hide level up to the file system driver. Functional levels coverage: The rootkit masks its system registry key by means of NtEnumerateKey splicing. Rootkit.Win32.Agent.hki This rootkit is installed to the system by malware dropper. The executable file is located in the %Windows%\Drivers under a random name consisting of uppercase letters of the Latin alphabet and has ".sys" extension. The main functional of the rootkit is to hide its body and the related system objects, such as the registry keys, kernel modules and malicious code injecting in the user-mode processes. When this rootkit is installed it infects a system driver file. The rootkit uses a Native API functions interception to hide itself; it modifies the Native API function numbers in ntdll.dll system library, to incorrect ones and that renders an out of range error. The rootkit hooks "service call beyond the KiServiceLimit range" exception by changing the address part in the first call instruction in KiBBTUnexpectedRange function's body: Thus, the rootkit is able to hook any Native API functions in the system. In addition, the rootkit replaces the pointer to the KiServiceTable for each thread in the system by changing the ServiceTable value in the KTHREAD structure - descriptor of the thread object. The new pointer points to the table specially crafted by rootkit. The table sets any service call to a special handler within the rootkit that crashes the system when it is called, thus complicating the active infection cure. This method has low efficiency because it is unable to hook Native API calls directly in kernel mode and provides a hiding level partially at the Native API level and not at the level of requests to the drivers. It should be noted this sample is a modification of the Rootkit.Win32.Rustock family. Trojan.Win32.DNSChanger.imv This rootkit is installed in the system using dropper. The executable is located in the % System%\Drivers directory under the name msliksurserv.sys . The rootkit is designed to hidden files under the names starting with "msliksur" . This rootkit use legitimate hook technology to hide its files - it installs own filter-device on the top of the filesystem device stack: This method leaves no traces in the system providing full control over all file operations. The method involves hooking and filtering the IRP packets that come to the file systems drivers. This method is effective in user and kernel mode and provides a good level of hiding. Functional levels coverage as follows: The rootkit masks its system registry key by means of NtEnumerateKey interception realized by splicing. Rootkit's functional is the same as Backdoor.Win32.TDSS.akv. Backdoor.Win32.Sinowal.c Today it is the most interesting and one of the most advanced rootkits. These rootkits are called bootkit because of its loading. The rootkit has no files in the file system and saves its body in the physical sectors of hard disk outside the the accessible disk space. To launch its body this rootkit writers into the MBR (Master Boot Record) a special loader that is launched at an early stage of operating system boot up. This loader reads the 4 sectors contents at the end of the disk containing the rootkit boot code and transfers control to them. The second level loader reads and places in memory the main body of the rootkit with early boot files and transfers control to them. The rootkit installs hook before jump to the OS loading and makes the necessary changes for running the rootkit basic code at the later stages of loadingatapi.sys driver: Thus, the rootkit filters IRP packets that are sent to the most low-level hard disk driver. Below there is only direct work with the input/output ports of ATA controller and the level of electrical signals. Testing AVG Antirootkit It can detect the following rootkits in the system: • Rootkit.Win32.Agent.hki • Trojan.Win32.DNSChanger.imv It did not detect Backdoor.Win32.Sinowal.c because it has no means to find the hooks of MajorFunction handlers in the drivers' system structure-descriptors and does not have a sufficiently independent low-level driver to gain access to the hard disk that it could use for reading the physical sectors and the MBR data in particular. Avira Antirootkit It can detect the following rootkits in the system: • Rootkit.Win32.Agent.hki • Trojan.Win32.DNSChanger.imv This program also could detect most rootkits. But Backdoor.Win32.Sinowal.c was unable to detect for the same reasons as the previous one. Sophos Antirookit It was unable to detect none of the rootkits were tested. The following rootkits Trojan.Win32.DNSChanger.imv destroyed the program: The virtues of this program are ease installation and using, and the deficiencies are inability to combat the modern rootkit technologies. Rootkit Unhooker • Trojan.Win32.DNSChanger.imv It detected the splice hooks of Native API functions installed by the rootkit: But the file system analysis and hidden files search cause the program error: The tool detects the driver of malicious program and makes it possible to remove it. Conclusion: an experienced user can reveal and remove the rootkit using this tool. It could not detect modification of the kernel code of the rootkit, but the file system analysis allowed identification and removing the hidden file: Conclusion: an experienced user can reveal and remove the rootkit using this tool. It detected the splice hooks of Native API functions and replacement of IRP dispatch handlers: The program could not reveal a hidden file, but if you use the feature "Unhook selected" for IofCallDriver and IofCompleteRequest the file of malicious program will be revealed and it can be removed by common tools or antivirus. The only tool that allows detection of the rootkit presence. It could reveal the hidden threads in kernel mode in which the rootkit runs its self-restoring and malicious code downloading via the Internet: This tool can not remove this rootkit from the system, but if you see such suspicious changes you can conclude that the computer is infected. If you suspect signs of infection you must unmount the HDD from PC and check for viruses or analyze the system on another PC. Conclusions The results of test are the following: AVG Antirootkit is the most effective automatic program is designed for hidden files revelation and removal. It is recommended for most users. The Rootkit Unhooker tool is intended for experienced users and engineers engaged in antivirus research. It has a rich functional of system low-level analysis and enables to do a kernel memory dumps. Vitaly Kiktenko (Kick10), Alexander Adamov"Design and Test Lab" , Ltd. 2009www.av-school.com
Rating:
+2
The largest banks have millions of online banking customers. The number of such customers is constantly growing. Now it runs up to several hundreds million people (see article "Defense technology of online banking"). This service has become very popular because it helps to save the time and efforts. Online banking systems are widely used in economically developed countries. The Trojan-Banker and Trojan-Spy are the malicious programs that designed to steal the data from online banking customers. Analyzing the statistics of malicious programs' entry of this type in the "sandbox" I noticed that most Trojans are from Brazil. I decided to find out how difficult to steal confidential customers' data of the Brazil's bank. So I have analyzed the Trojan designed to steal the data from online banking customers of the largest banks in Brazil. This Trojan is detected by Kaspersky Anti-Virus as Trojan-Banker.Win32.Banker.etk. Installation Once launched, the Trojan copies its executable file to the Windows system directory under the name: %System%\avg.exe In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "(default)" ="%System%\avg.exe" Payload The Trojan also extracts a driver from its body and places it in the Windows system directory under the name: %System%\TS45.SYS This file is 7,168 bytes in size. It is detected by Kaspersky Anti-Virus as Rootkit.Win32.Banker.b. Then it creates a service under the same name "TS45" and launches the malicious driver for execution. The Trojan hooks the check of user accounts (UAC) and drops the following parameter in the system registry: [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system] "EnableLUA"="dword:00000000" The Trojan also creates the following keys in the system registry: [HKU\S-1-5-21-1060284298-1425521274-839522115-1004\avg] [HKLM\System\CurrentControlSet\Services\TS45] "Type"="dword:00000001" "Start"="dword:00000001" "ErrorControl"="dword:00000001" "ImagePath"="%System%\TS45.sys" "DisplayName"="Driver" [HKLM\System\CurrentControlSet\Services\TS45\Security] "Security"="hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02, 00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00, 00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00, 05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00, 20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00, 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01, 00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00" [HKLM\System\CurrentControlSet\Services\TS45\Enum] "0"="Root\\LEGACY_TS45\\0000" "Count"="dword:00000001" "NextInstance"="dword:00000001" The Trojan creates a file in the Windows directory under the name: %WinDir%\Future and saves the following strings in it: --------------------------------------------------- .::.FUTURO.::.BANKS.::.2009.::. --------------------------------------------------- Computador......: < computer_ name> MAC.............: <MAC_adress> --------------------------------------------------- Data.............: <date_ launch> Hora.............: <t³me_ launch> --------------------------------------------------- This Trojan-Spy is designed to steal confidential data from online banking customers. Lots of customers at Brazil’s biggest banks and some payment systems fall victim to this type of Trojan. The target of this malicious program is the customers of the following banks and payment systems: Unibanco Serasa Paypal Banrisul Banco do Brasil Bradesco Itau Santander CAIXA Banco Real Credicard Itau Personnalite The Trojan also steals accounts of users who are registered in the Internet community "ORKUT". It tracks the windows which have the headings and strings in the address string: http://www.bradesco.com.br https://www.paypal.com/br orkut - login - Microsoft Internet Explorer Serasa http://www.unibanco.com.br/vste/_exc/_hom/index.asp Portal Internet Banrisul http://www.banrisul.com.br/ http://www.credicard.com.br/BRGCB/JSO/signon/DisplayUsernameSignon.do https://inst.itaucard.com.br/portals/itaucard/home/home.htm https://inst.itaucard.com.br/portals/itaucard/cadastrese/login.jsp https://internetbanking.caixa.gov.br/SIIBC/index.processa Portal BANCO REAL Itau Personnalite https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim Banco Santander - Home Para Voce Banco Itau - Feito Para Voce http://www.itau.com.br/ and displays its own fake page where user can enter his/her account details. The Trojan saves stolen information in the file under the name: %System%\<computer_ name>.txt The Trojan then sends the harvested information in the POST request to the remote malicious users' servers: http://67.222.96.12/~enviador/enviador.php http://www.notreve.com.br/envia.php The request shown below: praquem=<hacker’s email>&titulo=<computer_ name>+.::T+G+S::.&texto=========== +<bank’s title>+============== <confidential data> ==========+<banks_data>+============== It is possible to suppose that the scripts send the information by email to the remote malicious user: tgs202@gmail.com 202tgs@gmail.com On some bank's website the Trojan displays an authorization fake form over form of the bank. During the registration a user enters confidential data into the Trojan's form and Trojan shows the fraud messages. It is possible to explore the example of stealing confidential information from customers of "Banrisul". It is the largest bank of southern Brazil. Opening the home page of the bank's website: At first sight everything is normal. In fact the Trojan is running and we can see its form if simply to modify the window's size. Now we can see the two forms of authorization: When the user enters him/her confidential data for authorization we can see the following message box (it seems from the technical staff of the bank). There is even data input from the virtual keyboard. Evidently all text on the page is drawn. Enter another digital secret password. Then we can see following form. The confidential letter chain should be entered into the next form. So, let us do it. Now all our confidential data is entered. The Trojan closes all its windows and removes the fake forms. And now we can see the original website's page but our confidential information has been sent to the remote malicious user. Look at another example when the Trojan replaced not only some forms on website but the whole page of the large bank "CAIXA". The program is used fake authorize the user. All the Trojan forms are displayed look like the original. You can see that a social engineering attacks are used for this bank. After the user enters his/her account details into a fake form they will be sent by e-mail to the cybercriminals. Many banks suggest that their online banking customers install the special software. It is one of the most effective and easy-to-use ways to counter such attacks. The application can be integrated into the browser as a BHO object and protects users. For additional security the application also installs the driver in the user's system. It protects the application and its modules as an operating system kernel driver. The GAS Tecnologia exploits a G-Buster Browser Defense utility. This security measure used by Banco do Brasil, Caixa Economica Federal, Banco Real ABN AMRO and other brazil's biggest banks to protect their customers. The security module loading from the bank's website shown below: This family of Trojans statistics (http://www.kaspersky.ru/viruswatchlite) shows that the peak of creating the Trojans had already passed. The situation is tense because cybercriminals are very interested in the creating such malicious programs. The Kaspersky Lab detects about a thousand Trojans this family monthly .Why the users enter their confidential data? Firstly the customers trust their bank and believe in the PC security that is why they automatically become the victims of social engineering. The second factor is inattention. In fact you can see that the page context is drawn. It is enough to select the text or make a try to open the links. You can also resize the browser window. The last factor is may be simple lack of knowledge. The users may do not know about such problems. The presence of virtual keyboards and code tables that allegedly ought to protect users from malicious keyloggers and other spyware lulls user's vigilance. Some of them shown below: Therefore as the saying goes: "Trust, but verify." If you visit the bank’s website and see that your account is lost, blocked or deleted and the logon procedure different than it used to be - better insure and make a request to the bank's technical support operators for explanation. Artem Shcherbina, Alexander Adamov "Design and Test Lab", Ltd. 2009 /specially for www.av-school.ru/
Rating:
+3
1
Total number of registered users:
4809
Online:
11
Newbe: sheashpek
Guests online:
11
Maximum online (10 May 2011 )
80
) 
