[CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada

Copyright© 2016 SecureBrain Corporation, All rights reserved.Copyright© 2016 SecureBrain Corporation, All rights reserved.
Behind “Operation Banking Malware Takedown”
and the Progression of Malware Sophistication
2016.10.20 - 21
CODE BLUE 2016
SecureBrain Corporation
Kazuki Takada

http://www.securebrain.co.jpCopyright© 2016 SecureBrain Corporation, All rights reserved. http://www.securebrain.co.jpCopyright© 2016 SecureBrain Corporation, All rights reserved.
Profile
• Kazuki Takada
• SecureBrain Corporation
• Software Engineer
 My regular work is software development.
 Sometimes security researcher (sometime this is
main work…)
1

Background
2

Question
3
What’s this number?
3073000000

Answer
4
Amount of fraudulent Internet banking
money transfer in Japan for 2015
3,073,000,000
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
$30 million

Internet Banking Fraud in Japan
5
2013年 2014年 2015年
$29 million
$30 million
$14 million

IPA Top Security Threat List
• Top 10 Security Threats for 2016.
6

Overview of “Operation Banking Malware Takedown”
7

Operation Banking Malware Takedown
8
http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm

9
Victim PC
C&C Server
MPD
Distribution
Bank web serverThreat Disabled
MPD : Metropolitan Police Department

The target is
“VAWTRAK”
10
https://www.flickr.com/photos/arenamontanus/2125942630
*Other name Neverquest, Snifula

VAWTRAK
11

What’s VAWTRAK
• VAWTRAK has been around in Japan since 2014.
• Rewrites MITB communication content
– Browser injection process. (IE, Firefox, Chrome)
• Executes the following during Internet Banking
– Falsifies banking credential information
– Semi-automatic fraudulent money transfer
12

What’s MITB ?
MITB
Man In The Browser
Browser
VAWTRAK
Victim PC
Injection
Rewrite HTML
Dummy Screen…etc.
Web server

What’s happened?
14
VAWTRAK
User PC
Registry
infection
Configuration data
C&C server Manipulation
server
Bank
Web server

What’s happened?
15
15
VAWTRAK
User PC
<html>
<head>
<title>Internet Banking</title>
Request
Injection
<script src=“….”>
Original content
server
Bank
Web server

What’s happened?
16
VAWTRAK
User PC Request malicious JavaScript
Download and execute
malicious JavaScript
<html>
<head>
<title>Internet Banking</title>
<script src=“….”>
server
Bank
Web server

What’s happened?
17
17
VAWTRAK
User PC
Code number
送信
User accounting
information
*******
server
Bank
Web server

18

http://www.securebrain.co.jpCopyright© 2016 SecureBrain Corporation, All rights reserved. http://www.securebrain.co.jpCopyright© 2016 SecureBrain Corporation, All rights reserved. 19
A chance for collaboration

Semi-automatic remittance fraud
20
ABCダイレクト
メインメニュー
Copyright ABC Bank Co.,Ltd All Right Reserved
お客様番号
ワンタイムパスワード
Fraudulent money transfer procedure is executed from victim PC
while users are waiting for progress bar to finish.

Request flow
21
Victim PC
Login
Bank Manipulation server
Login credential info.
Login process
Login screen
Account info screen
Tap balance info Balance info.
Money transfer info & amount of transfer
Money Transfer process
ProgressBar
Display
some input
screen if
necessary
http://www.slideshare.net/MasataNishida/avtokyo2014-obsevation-of-vawtrakja

Tried to send to the same request as malicious JavaScript
22
Beneficiary Information
Amount of Transfer
(Upper limit / lower limit)

Collaboration with Metropolitan Police Department (MPD)
• Share beneficiary account information with the
Metropolitan Police Department (MPD), which
SecureBrain collected by researching the Manipulation
server
• MPD prevented illegal money transfer by utilizing
beneficiary account information.
23
Metropolitan Police Dept. and SecureBrain
made a cooperative agreement

Collaboration with Metropolitan Police Department (MPD)
• MPD has a domain of C&C server.
• The domain name was obtained using regular procedure.
• They watched the communication between VAWTRAK and
the C&C server.
• They identified 82,000 victim clients worldwide, with 44,000
clients located in Japan.
24
MPD considered distributing a new
“Configuration data” for the takedown.

Technical overview
25
Victim PC
C&C Server
MPD
Distribution
Bank
Web server
No longer under threat
Provide neutralization data
generation tool.
Get domain
and
put under control

Who is in charge of each technology...
Metropolitan Police Department
• Obtain control of the C&C server and construct data
distribution server.
• Testing
SecureBrain
• Development of “Command” and “Configuration data”
generation tool. It uses a decryption technique for
VAWTRAK.
• Investigate the type of data required to neutralize
VAWTRAK.
26

Development of neutralization technique
27

Feature available for a takedown of VAWTRAK(BOT)
28
C&C Server
Victim PC
Poll the server
every minute
When there is an effective
communication, it does not
communicate with other
C&C servers

Command
Identify the 20 commands.
• Configure data
• Download and execute file
• Shutdown, reboot
• Steal Cookie
• Steal CertStore
• Start and Stop Socks server
• Start and Stop VNC server
• Update
• Registry operations ...etc...
29

Configuration data
30
Replace data for communicate
manipulation server
Decrypted Configuration data
Target URL
Malicious code for injection

Component of Configuration data
31
Name Meaning
inject type Type of injection
browser Target browser
pattern match Pattern type to match URL
URL Target URL
string2 Target string
string3 Replace string
string4 Insert string

inject type
Identify the 18 commands.
• Close connection
• Screen capture
• Insert before
• Insert after
• Replace URL
• Replace host
• Replace string...etc...
32

browser / pattern
Browser
Internet Explorer
Firefox
Chrome
33
browser
Type Meaning
strstr strstr function
strcmp strcmp function
regexp Regular expression
pattern

Try to check the “Configuration data“ again.

Configuration data
35
Type Meaning
inject type insert before
browser IE, Firefox, chrome
URL Target URL(Regular expression)
string3 -
string4 JavaScript for Injection

Configuration data
36
種別意味
inject type replace URL
browser IE, Firefox, chrome
URL Target URL
string3 URL for replace
string4 -

About generation tool
• Execution check environment
– Linux OS
– Python 2.7.x
• Tool generates the binary data which VAWTRAK can read
as input in Command and Configuration
• Because the output data is delivered by the C&C server
and read by VAWTRAK, its configuration is renewed.
37

Generating flow of Configuration data
38
Encryption process (XOR)
Raw configure data (JSON format)
CRC32 from raw configure data
Compression process (aPLib)
Encrypted configure data (Binary)

Demo
• Control of VAWTRAK
39

Experiment sandbox environment
40
Dummy
C&C Server
Mac OSX
VM Ware
Victim PC
Internet
Host machine Mac OSX 10.10
Dummy C&C Ruby 2.0 + Sinatra
Victim PC Various Windows
(After XP)
Browser Internet Explorer
Chrome
Firefox

The body of neutralization data
41

Effect of the takedown operation
42

Discussion
• Damage by VAWTRAK increased from mid-2013, but
decreased after the operation.
• Because the police carried out the operation, it might have
had a psychological effect to technically influence the
attacker.
• There are some problems. For example, there is the need
to obtain the domain beforehand.
43

The Progression of Malware Sophistication
44

Major malware in 2016
45
ROVNIX
URLZONE
VAWTRAK (New)
URSNIF
Other name Cidox
Other name Shiotob, Beblohbd
Other name Neverquest ,Snifula
Other name Gozi

=
Malicious JavaScript
ROVNIX
target 30
Group A Group B
=
Malicious JavaScript
URLZONE
VAWTRAK(New)
target 30

The attack method of MITB
is almost the same.

What changes ?

Point
• Prevent rewriting malware communication with C&C
server
– Private key for “Serpent” is encrypted by public key encryption
system RSA-2048.
– RONIX sign contents of communication by RSA-2048.
• Malware is updated frequently
– Detection by pattern matching becomes more difficult
– It can inject even in the latest browsers.
• Various communication methods
– Both HTTP and UDP P2P communications are used to get
Configuration data.
• Sophistication of malicious JavaScript
49

不正JavaScriptの高機能化(1)
50

Request flow
51
Victim PC
Login
Bank Manipulation server
Login credential info.
Login process
Login Screen
Remittance process
Request of Settlement info.
Dummyscreenof
securitysoftware
Settlement info
Display
some input
screen an
necessary

Discussion
52
Prevent rewriting communication.
Multiplex of communication channel.
Concealed information is processed
on the server.
Security for attack activity maintenance
is strengthened

Conclusions
53

Conclusions
• It is very important that the police takes the lead in a
takedown operation.
• The reaction of the attacker is very quick. We always have
to think about new prevention techniques.
• It is difficult to simply apply the ways of this operation to
sophisticated malware.
54

Effective takedown operation…
55
https://www.flickr.com/photos/hackaday/4658391708

It is essential for
the government, the police, the judiciary, and
the company to cooperate together.

[CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada

[CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (8)

Similaire à [CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada

Similaire à [CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada (20)

Plus de CODE BLUE

Plus de CODE BLUE (20)

Dernier

Dernier (20)

[CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada

Notes de l'éditeur