The main idea behind this talk is to introduce the audience of the Sthack conference to the current landscape of botnet threats. We'll begin by talking about the main types of malware botnets: Trojan Bankers, Point of Sale (POS) malware and Credential Stealers, but we will focus on how some of these botnets operate at a technical level, especially how the bots of Dyre, JackPoS and Pony are working nowadays in order to steal credit cards and banking credentials.
6. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Pre-attack
– The attacker looks for possible targets and obtains any information he needs.
– He also:
• Weaponizes an application or common software
• Weaponizes a website application
• Nowadays you can acquire a great variety of bundles or kits:
– Free kits like SET
– Paid kits like the Rock Phish kit, and others...
7. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Attackers working together to industrialize cybercrime:
– Use of forums and marketplaces to rent or sell services
– Service bundles
• Creation of different deployment and weaponization kits:
– Spam kits
– Phishing kits
8. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Attack
– The attacker launches a campaign to infect the victims:
• Via mail
• Contracting the services of other attackers
• Using deployment kits
9. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Commonly, the users are infected via a mailing campaign:
10. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Once the user takes the bait, the attacker uses a weaponized web application or file to infect the user's machine:
11. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• This web application or file might be the result of a popular exploit kit.
• Nuclear Pack
– Updated with the latest Flash vulnerability
• Black Hole, Armitage, CrimePack, Eleonore, Firepack…
12. root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Post-attack
– The malware communicates with the C&C to download the config file
– Begins the exfiltration of data to an exfiltration server.
14. root [~]# wall Botnet Overview
POS – I want to steal your credit cards
• Most Active POS:
– Dexter
– Jackpos
– Soraya
– Backoff
– BrutPos
– ChewBacca
– Decebal
– RawPOS
• Common Features:
– Very targeted to POS systems (searching for installed software and applications)
– Process memory scraping
• Credit card Track 1 and Track 2 detection
• Regex card detection
– Luhn validation
– Keylogger
– Exfiltration via FTP and HTTP
15. root [~]# wall Botnet Overview
POS – A glance at JackPOS
• JackPOS:
– Infection: installs at %APPDATA%, sets an autostart registry key and drops a watchdog.
– The watchdog checks if JackPOS is running on the system. If it isn't, it spawns a new JackPOS process.
– JackPOS spawns with names used by Java processes: jusched.exe, javaw.exe...
– Spawn JackPOS process, then begin memory scraping: using the CreateToolhelp32Snapshot method, JackPOS scrapes memory from the different processes.
– Search for CCs: JackPOS searches for credit cards using pattern matching methods, grabbing CCs only from specific issuers.
– Exfiltrate data.
16. root [~]# wall Botnet Overview
POS – A glance at JackPOS
• JackPOS Data Extraction (parameters sent to the C&C):
– mac: MAC address, used as a unique identifier
– &t1: base64-encoded Track 1 data
– &t2: base64-encoded Track 2 data
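Detection-side view of the exfiltration format above and of the Track 1/Track 2 regex plus Luhn validation listed on slide 14, as an added example written for this page (not code from the talk or from JackPOS): a scanner over constructed proxy-log lines that looks for POST bodies carrying the mac/t1/t2 parameter set, base64-decodes the track fields, and only raises an alert when the decoded bytes contain a track layout whose PAN passes the Luhn check. The tab-separated log layout, the C&C URL (a documentation-range address) and the card number (the 4111... test PAN) are all constructed assumptions; the slide does not specify the HTTP layout.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Constructed test card data (the 4111... PAN is the standard Visa test number).
_T1 = b"%B4111111111111111^DOE/JOHN^2512101000000000000?"
_T2 = b";4111111111111111=25121010000000000000?"

# Constructed proxy-log lines (not real traffic): method, URL and POST body,
# tab-separated. The second line mimics the mac/t1/t2 parameter set; the C&C
# URL is a placeholder in the documentation address range.
SAMPLE_PROXY_LOG = [
    "POST\thttp://intranet.example/login\tuser=alice&pass=REDACTED",
    "POST\thttp://198.51.100.7/gw\t" + urlencode({
        "mac": "00:11:22:33:44:55",
        "t1": base64.b64encode(_T1).decode(),
        "t2": base64.b64encode(_T2).decode(),
    }),
]

# Track 1: %B<PAN>^<name>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_pans(blob: bytes) -> list:
    """Return every PAN that sits inside a Track 1 or Track 2 layout."""
    pans = [m.group(1).decode() for m in TRACK1_RE.finditer(blob)]
    pans += [m.group(1).decode() for m in TRACK2_RE.finditer(blob)]
    return pans


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so the alert never stores a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_proxy_log(lines) -> list:
    """Flag POSTs whose mac/t1/t2 fields decode to Luhn-valid track data."""
    alerts = []
    for line in lines:
        method, url, body = line.split("\t", 2)
        if method != "POST":
            continue
        params = parse_qs(body)
        if not {"mac", "t1", "t2"} <= set(params):
            continue
        found = set()
        for key in ("t1", "t2"):
            try:
                decoded = base64.b64decode(params[key][0], validate=True)
            except (ValueError, binascii.Error):
                continue  # not base64: leave it for a human, not a crash
            found.update(p for p in extract_pans(decoded) if luhn_valid(p))
        if found:
            alerts.append({
                "url": url,
                "mac": params["mac"][0],
                "pans": sorted(mask_pan(p) for p in found),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

The Luhn step matters on both sides: the malware uses it to avoid shipping junk, and a detector that skips it would fire on any 16-digit string in a base64 blob. Masking the PAN in the alert keeps the SIEM itself out of PCI scope.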
17. root [~]# wall Botnet Overview
POS – I want to steal your credit cards
• The C&C:
18. root [~]# wall Botnet Overview
Trojan Bankers – I want to steal your money
• Common Features
– Steal Cookies, Certs and Passwords
• Keylogger
• Form HTTP/S grabbing
• Screenshots
– Search for local files
– Inject into system process
– Man In The Browser
• HTTP / Socks Proxy
• WebInjects
• Automatic Transfer Systems (ATS)
– DGA
• Most Active Bankers:
– Zeus
– Citadel
– Shylock
– Gozi
– Cridex / Feodo / Dridex
– Sinowal / Torpig
– Dyre
19. root [~]# wall Botnet Overview
Trojan Bankers – I want to steal your money
• What is a DGA?
• Domain Generation Algorithm: instead of contacting a fixed C&C address, the bot computes a list of pseudo-random domains and tries them until one resolves.
• Many samples are using it: Zeus P2P, Dyre, Shylock, …
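The DGA point above, taken from the defender's side as an added example (not code from the talk): a lexical scorer over constructed DNS log lines that flags query names which look machine-generated (long, vowel-poor, high-entropy labels with digits or long consonant runs) and groups them by client, since a DGA bot typically queries many such names in a burst. The log format, the five scoring rules, the threshold and the domain names are all constructed assumptions (blueliv.com is the only name taken from the page); this is a generic heuristic, not the reversed algorithm of any family named on the slide.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed DNS query log: "<timestamp> <client IP> <query name>" (not real data).
SAMPLE_DNS_LOG = [
    "2015-05-29T10:00:01 10.0.0.5 google.com",
    "2015-05-29T10:00:02 10.0.0.5 wikipedia.org",
    "2015-05-29T10:00:03 10.0.0.9 blueliv.com",
    "2015-05-29T10:00:04 10.0.0.7 microsoftonline.com",
    "2015-05-29T10:00:05 10.0.0.7 xkq7vz3rlpw9tyfb.net",
    "2015-05-29T10:00:06 10.0.0.7 qwmznrtpxclvb.com",
]

DGA_THRESHOLD = 3  # constructed: three of the five rules must fire


def second_level_label(domain: str) -> str:
    """'xkq7vz3rlpw9tyfb.net' -> 'xkq7vz3rlpw9tyfb' (naive: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(domain: str) -> int:
    """Count how many 'looks generated' rules the second-level label trips."""
    label = second_level_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    score = 0
    if len(label) >= 12:
        score += 1  # unusually long label
    if vowel_ratio < 0.25:
        score += 1  # human-chosen names are pronounceable
    if letters and any(c.isdigit() for c in label):
        score += 1  # digits mixed into letters
    if shannon_entropy(label) >= 3.5:
        score += 1  # nearly every character distinct
    if longest_consonant_run(label) >= 5:
        score += 1
    return score


def scan_dns_log(lines) -> dict:
    """Map client IP -> list of query names scoring at or above the threshold."""
    flagged = {}
    for line in lines:
        _ts, client, qname = line.split()
        if dga_score(qname) >= DGA_THRESHOLD:
            flagged.setdefault(client, []).append(qname)
    return flagged


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, names)
```

In practice the per-client grouping is the useful signal: one odd name is noise, but a host that resolves dozens of them (most answering NXDOMAIN) within a minute is what a DGA looks like on the wire.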
20. root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre:
– Malicious installer, then persistence
– Basic sysinfo exfiltration, then configuration download
– Browser injection, then wait for a bank connection
– MiTM
– Bank info exfiltration and redirection to the real bank website
– Spam victim
– Dyre infects the victims and injects itself into different processes.
21. root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
22. root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
23. root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre – Data Exfiltration:
Request to the C&C
24. root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre – Decrypting C&C communications:
25. root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre Configs (snipped):
– Trigger URLs
– “Auth Key” for the redirect
26. root [~]# wall Botnet Overview
Credential Stealers – I want your passwords
• Most Active Stealers:
– Pony
– Carbon Grabber
– Betabot
• Common Features:
– Keylogger
– Targets software (FTP, SSH, Telnet clients, etc.) in order to steal its credential vaults
– Targets browsers' vaults
– HTTP/S interception
27. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• Infection: Pony obtains the list of users in the system and tries to log in with a dictionary attack.
• Am I SYSTEM?
– Yes: proceed to steal credentials.
– No: proceed to steal the current user's credentials, then try to log in with another user.
• Post credentials to C&C.
28. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY – C&C Communication:
29. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY – C&C Communication:
DATA
30. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY – C&C Communication:
31. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY Control Panel:
• gate.php
• PHP script to process all incoming traffic from bots: decryption and unpacking of HTTP POSTs.
• includes/password_modules.php
• Contains an array of all the software it tries to steal credentials for
• The malware can crack or decrypt quite complex passwords stored in various forms
• includes/database.php
• Contains the DB schema and accessors
32. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY Control Panel – Password Modules:
33. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY Control Panel:
34. root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY Control Panel:
37. root [~]# wall Fighting back the current threats
• Traditional solutions aren’t enough anymore
• Organizations need to combine their internal knowledge with external intelligence
(Diagram: Internal knowledge + External intelligence = Protection)
38. root [~]# wall Fighting back the current threats
• Information that can be gathered in the wild:
– C&C servers
– Exfiltration servers
– Bot IPs
– Domain reputation
– Malware sample information
– And a lot more
• How can we gather all that data?
39. root [~]# wall Fighting back the current threats
• The most effective technique is analysing samples:
40. root [~]# wall Fighting back the current threats
• Once you have harvested data from the samples, you can feed it to a SIEM
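Slides 38 to 40 describe harvesting C&C servers, exfiltration servers, bot IPs and domains from samples and feeding them to a SIEM. As an added example (not code from the talk or from Blueliv), here is a minimal matcher that applies such an indicator set to constructed firewall/proxy log lines and emits each hit as a CEF event, the ArcSight-style "CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension" line that most SIEMs ingest. The indicator values (documentation-range addresses and made-up names), the log layout, the rule names, severities and the vendor string are all constructed assumptions.

```python
import ipaddress

# Constructed indicator set, as it might be harvested from sample analysis.
# All values are documentation-range addresses and made-up names, not real IoCs.
INDICATORS = {
    "c2_ips": {"198.51.100.23", "203.0.113.77"},
    "exfil_hosts": {"upload.exfil-placeholder.test"},
    "c2_domains": {"qwmznrtpxclvb.com"},
    "bot_networks": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed log lines: "<timestamp> <src> <dst> <dport> <host or ->".
SAMPLE_LOG = [
    "2015-05-29T10:00:01Z 10.0.0.5 203.0.113.50 443 www.example.com",
    "2015-05-29T10:00:02Z 10.0.0.7 198.51.100.23 443 -",
    "2015-05-29T10:00:03Z 10.0.0.7 203.0.113.5 80 upload.exfil-placeholder.test",
    "2015-05-29T10:00:04Z 192.0.2.45 10.0.0.20 22 -",
    "2015-05-29T10:00:05Z 10.0.0.9 203.0.113.9 80 qwmznrtpxclvb.com",
]

# rule id -> (human-readable name, CEF severity 0-10); constructed values
RULES = {
    "c2-ip": ("Connection to known C&C IP", 9),
    "exfil-host": ("Connection to known exfiltration server", 9),
    "bot-source": ("Traffic from address range with known bots", 6),
    "c2-domain": ("Lookup/connection to C&C domain", 8),
}


def parse_line(line: str) -> dict:
    ts, src, dst, dport, host = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "host": None if host == "-" else host.lower()}


def match_event(ev: dict, ind: dict) -> list:
    """Return the rule ids that fire for one parsed event, in RULES order."""
    hits = []
    if ev["dst"] in ind["c2_ips"]:
        hits.append("c2-ip")
    if ev["host"] in ind["exfil_hosts"]:
        hits.append("exfil-host")
    if any(ipaddress.ip_address(ev["src"]) in net for net in ind["bot_networks"]):
        hits.append("bot-source")
    if ev["host"] in ind["c2_domains"]:
        hits.append("c2-domain")
    return hits


def match_log(lines, ind=INDICATORS) -> list:
    """One alert record per (event, rule) pair."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for rule in match_event(ev, ind):
            alerts.append({"rule": rule, **ev})
    return alerts


def _cef_escape(value, header=False) -> str:
    # Header fields escape '|' and '\'; extension values escape '=' and '\'.
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(alert: dict, vendor="ExampleVendor", product="ioc-matcher", version="1.0") -> str:
    """Render an alert as a CEF line for SIEM ingestion."""
    name, severity = RULES[alert["rule"]]
    header = "|".join(_cef_escape(v, header=True)
                      for v in (vendor, product, version, alert["rule"], name, severity))
    ext = {"rt": alert["ts"], "src": alert["src"], "dst": alert["dst"],
           "dpt": alert["dport"], "dhost": alert["host"] or ""}
    return "CEF:0|" + header + "|" + " ".join(f"{k}={_cef_escape(v)}" for k, v in ext.items())


if __name__ == "__main__":
    for alert in match_log(SAMPLE_LOG):
        print(to_cef(alert))
```

Keeping the indicator types separate (IP, host, domain, network) is what lets the SIEM rank hits: a direct connection to a C&C IP harvested from a sample deserves a higher severity than traffic merely originating from a range where other bots were seen.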
41. root [~]# wall Kicking bad guys' asses
• Cyber threats are very much like an organism, mutating and
improving with time
• And so, we must evolve with them. We think that the future
is to build collaborative models
– Sharing information is the key
– The cybercriminals build communities where they share information,
and so must we
– Only by collaborating will we be able to keep up with the new threats
42. root [~]# wall Kicking bad guys' asses
• At Blueliv, we’re providing a free API with information about malicious servers:
https://map.blueliv.com
43. Demo: Free Tracker API
https://map.blueliv.com
https://github.com/BluelivSecurity