1. Behind “Operation Banking Malware Takedown” and the Progression of Malware Sophistication
Copyright© 2016 SecureBrain Corporation, All rights reserved.
2016.10.20 - 21
CODE BLUE 2016
SecureBrain Corporation
Kazuki Takada
2. Profile
http://www.securebrain.co.jp Copyright© 2016 SecureBrain Corporation, All rights reserved.
• Kazuki Takada
• SecureBrain Corporation
• Software Engineer
My regular work is software development.
Sometimes a security researcher (sometimes this is the main work…)
5. Answer
Amount of fraudulent Internet banking money transfers in Japan in 2015:
3,073,000,000 yen (about $30 million)
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
6. Internet Banking Fraud in Japan
2013: $14 million
2014: $29 million
2015: $30 million
https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf
9. Operation Banking Malware Takedown
http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm
10. Operation Banking Malware Takedown
(Diagram: MPD → Distribution → C&C Server → Victim PC; Bank web server: Threat Disabled)
MPD: Metropolitan Police Department
11. The target is “VAWTRAK”
https://www.flickr.com/photos/arenamontanus/2125942630
*Other names: Neverquest, Snifula
13. What’s VAWTRAK
• VAWTRAK has been around in Japan since 2014.
• Rewrites communication content by MITB
– Browser injection process (IE, Firefox, Chrome)
• Executes the following during Internet Banking
– Falsifies banking credential information
– Semi-automatic fraudulent money transfer
14. What’s MITB?
MITB: Man In The Browser
(Diagram: VAWTRAK on the Victim PC injects into the Browser, sitting between the user and the Web server; it rewrites HTML, shows dummy screens, etc.)
15. What’s happened?
(Diagram: VAWTRAK infection on the User PC; Configuration data received from the C&C server is stored in the Registry; labels: Manipulation server, Bank Web server)
16. What’s happened?
(Diagram: the User PC requests the bank page; VAWTRAK injects a <script src=“….”> tag into the original content, e.g. <html><head><title>Internet Banking</title> …; labels: C&C server, Manipulation server, Bank Web server)
17. What’s happened?
(Diagram: the User PC requests the malicious JavaScript referenced by the injected <script src=“….”> tag, then downloads and executes it; labels: C&C server, Manipulation server, Bank Web server)
18. What’s happened?
(Diagram: the injected page asks the user for a Code number and user accounting information (masked as *******) with a 送信 (Send) button; labels: User PC, C&C server, Manipulation server, Bank Web server)
21. Semi-automatic remittance fraud
(Dummy screen: ABC Direct, Main menu, Customer number, One-time password; Copyright ABC Bank Co.,Ltd All Right Reserved)
The fraudulent money transfer procedure is executed from the victim PC while the user is waiting for a progress bar to finish.
22. Request flow
(Sequence between Victim PC, Bank and Manipulation server)
• Login: login credential info. goes to the Manipulation server; login process with the Bank; login screen
• Account info screen; tap balance info: balance info. goes to the Manipulation server
• Manipulation server returns money transfer info & amount of transfer
• Money transfer process with the Bank while a ProgressBar is displayed
• Display some input screen if necessary
http://www.slideshare.net/MasataNishida/avtokyo2014-obsevation-of-vawtrakja
23. Tried to send the same request as the malicious JavaScript
• Beneficiary Information
• Amount of Transfer (Upper limit / lower limit)
24. Collaboration with Metropolitan Police Department (MPD)
• Shared the beneficiary account information, which SecureBrain collected by researching the Manipulation server, with the Metropolitan Police Department (MPD)
• MPD prevented illegal money transfers by utilizing the beneficiary account information.
Metropolitan Police Dept. and SecureBrain made a cooperative agreement.
25. Collaboration with Metropolitan Police Department (MPD)
• MPD has a domain of the C&C server.
• The domain name was obtained using the regular procedure.
• They watched the communication between VAWTRAK and the C&C server.
• They identified 82,000 victim clients worldwide, with 44,000 clients located in Japan.
MPD considered distributing new “Configuration data” for the takedown.
26. Technical overview
(Diagram: SecureBrain provides the neutralization data generation tool; MPD gets the C&C domain and puts it under control; Distribution from the C&C Server to the Victim PC; Bank Web server no longer under threat)
27. Who is in charge of each technology...
Metropolitan Police Department
• Obtain control of the C&C server and construct the data distribution server.
• Testing
SecureBrain
• Development of the “Command” and “Configuration data” generation tool. It uses a decryption technique for VAWTRAK.
• Investigate the type of data required to neutralize VAWTRAK.
29. Feature available for a takedown of VAWTRAK (BOT)
(Diagram: Victim PC ↔ C&C Server)
• The bot polls the server every minute.
• When there is an effective communication, it does not communicate with other C&C servers.
30. Command
Identified 20 commands, including:
• Configure data
• Download and execute file
• Shutdown, reboot
• Steal Cookie
• Steal CertStore
• Start and Stop Socks server
• Start and Stop VNC server
• Update
• Registry operations ...etc...
31. Configuration data
Replacement data for communicating with the manipulation server
Decrypted Configuration data contains:
• Target URL
• Malicious code for injection
32. Component of Configuration data
Name: Meaning
inject type: Type of injection
browser: Target browser
pattern match: Pattern type to match URL
URL: Target URL
string2: Target string
string3: Replace string
string4: Insert string
33. inject type
Identified 18 inject types, including:
• Close connection
• Screen capture
• Insert before
• Insert after
• Replace URL
• Replace host
• Replace string...etc...
34. browser / pattern
browser: Internet Explorer, Firefox, Chrome
pattern (Type: Meaning):
strstr: strstr function (substring match)
strcmp: strcmp function (exact match)
regexp: Regular expression
36. Configuration data (example: insert before)
Type: Meaning
inject type: insert before
browser: IE, Firefox, Chrome
URL: Target URL (regular expression)
string2: Target string
string3: -
string4: JavaScript for injection
37. Configuration data (example: replace URL)
Type: Meaning
inject type: replace URL
browser: IE, Firefox, Chrome
URL: Target URL
string2: Target string
string3: URL for replace
string4: -
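Added example (not code from the talk or from SecureBrain's tool): a small Python triage helper that evaluates decrypted configuration entries, laid out with the component names from the slides, against a list of bank URLs using the three pattern types (strstr, strcmp, regexp) and reports which inject types would apply. All entries, URLs and placeholder strings are constructed for the example.

```python
import re

# Pattern-match types from the "browser / pattern" slide:
# strstr = substring, strcmp = exact match, regexp = regular expression.
MATCHERS = {
    "strstr": lambda pattern, url: pattern in url,
    "strcmp": lambda pattern, url: pattern == url,
    "regexp": lambda pattern, url: re.search(pattern, url) is not None,
}

# Constructed sample of decrypted configuration entries, using the field
# names from the "Component of Configuration data" slide. URLs and strings
# are invented placeholders, not values from any real configuration.
SAMPLE_CONFIG = [
    {"inject type": "insert before", "browser": ["IE", "Firefox", "Chrome"],
     "pattern match": "regexp", "URL": r"^https://.*\.example-bank\.test/login",
     "string2": "</head>", "string3": "",
     "string4": "<script src=\"PLACEHOLDER\"></script>"},
    {"inject type": "replace URL", "browser": ["IE"],
     "pattern match": "strstr", "URL": "example-bank.test/transfer",
     "string2": "/transfer/confirm", "string3": "PLACEHOLDER-URL", "string4": ""},
    {"inject type": "close connection", "browser": ["Firefox"],
     "pattern match": "strcmp", "URL": "https://security.example-bank.test/",
     "string2": "", "string3": "", "string4": ""},
]


def matching_entries(config, url, browser):
    """Entries whose URL pattern (per its match type) hits `url` and whose
    browser list includes `browser`."""
    hits = []
    for entry in config:
        match = MATCHERS.get(entry["pattern match"])
        if match is None:
            continue  # unknown match type: skip rather than guess
        if browser in entry["browser"] and match(entry["URL"], url):
            hits.append(entry)
    return hits


def triage_report(config, urls, browser):
    """Map each URL to the inject types that would apply to it: the view an
    analyst or a bank wants from a decrypted configuration."""
    return {url: [e["inject type"] for e in matching_entries(config, url, browser)]
            for url in urls}
```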
38. About generation tool
• Execution check environment
– Linux OS
– Python 2.7.x
• The tool generates the binary data which VAWTRAK can read as input for Command and Configuration data.
• Because the output data is delivered by the C&C server and read by VAWTRAK, its configuration is renewed.
39. Generating flow of Configuration data
Raw configure data (JSON format) → CRC32 from raw configure data → Compression process (aPLib) → Encryption process (XOR) → Encrypted configure data (Binary)
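Added example (not the generation tool itself): Python that applies the layer order above and reverses it with a CRC32 check, so a corrupted blob or a wrong key is rejected instead of being parsed. zlib stands in for aPLib, and the 4-byte CRC prefix layout and the XOR key are assumptions, not VAWTRAK's actual format or key.

```python
import json
import struct
import zlib

# Layer order from the slide: raw configure data (JSON) -> CRC32 of the raw
# data -> compression -> XOR encryption -> binary blob. aPLib is not in the
# standard library, so zlib stands in for it here (a stated substitution).
# The little-endian CRC prefix and the repeating XOR key are assumed framing
# for this example only, not VAWTRAK's real layout or key.

SAMPLE_KEY = b"\x5a\xa5\x3c\xc3"  # constructed key, not a real one

# Constructed neutralization-style configuration: no target URLs at all.
SAMPLE_CONFIG = {"version": 1, "entries": []}


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_config_blob(config, key):
    """JSON -> CRC32 prefix -> compress -> XOR (the generation flow)."""
    raw = json.dumps(config, sort_keys=True).encode("utf-8")
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    return xor_bytes(zlib.compress(struct.pack("<I", crc) + raw), key)


def parse_config_blob(blob, key):
    """Reverse the layers. Returns (config, True) on success and (None, False)
    when decompression fails or the CRC32 does not match the decompressed
    data, i.e. the blob was corrupted or decoded with the wrong key."""
    try:
        framed = zlib.decompress(xor_bytes(blob, key))
    except zlib.error:
        return None, False
    if len(framed) < 4:
        return None, False
    expected = struct.unpack("<I", framed[:4])[0]
    raw = framed[4:]
    if (zlib.crc32(raw) & 0xFFFFFFFF) != expected:
        return None, False
    return json.loads(raw.decode("utf-8")), True


def corrupt(blob, index):
    """Flip one byte of the blob, to exercise the integrity check."""
    return blob[:index] + bytes([blob[index] ^ 0xFF]) + blob[index + 1:]
```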
41. Experiment sandbox environment
(Diagram: Dummy C&C Server and Victim PC as VMware guests on a Mac OSX host; label: Internet)
Host machine: Mac OSX 10.10
Dummy C&C: Ruby 2.0 + Sinatra
Victim PC: Various Windows (after XP)
Browser: Internet Explorer, Chrome, Firefox
44. Discussion
• Damage by VAWTRAK increased from mid-2013 but decreased after the operation.
• Because the police carried out the operation, it might have had a psychological effect on the attacker as well as a technical one.
• There are some problems. For example, the domain needs to be obtained beforehand.
46. Major malware in 2016
ROVNIX (other name: Cidox)
URLZONE (other names: Shiotob, Bebloh)
VAWTRAK (New) (other names: Neverquest, Snifula)
URSNIF (other name: Gozi)
47. (Diagram: Group A: ROVNIX = Malicious JavaScript, target 30; Group B: URLZONE and VAWTRAK (New) = Malicious JavaScript, target 30)
50. Point
• Prevents rewriting of malware communication with the C&C server
– The private key for “Serpent” is encrypted by the public key encryption system RSA-2048.
– ROVNIX signs the contents of communication with RSA-2048.
• Malware is updated frequently
– Detection by pattern matching becomes more difficult
– It can inject even into the latest browsers.
• Various communication methods
– Both HTTP and UDP P2P communications are used to get Configuration data.
• Sophistication of malicious JavaScript
52. Request flow
(Sequence between Victim PC, Bank and Manipulation server)
• Login: login credential info. goes to the Manipulation server; login process with the Bank; login screen
• Remittance process: request of settlement info. goes to the Manipulation server; a dummy screen of security software is shown; settlement info. is returned
• Display some input screen if necessary
53. Discussion
• Prevents rewriting of communication.
• Multiplexed communication channels.
• Concealed information is processed on the server.
• Security for maintaining attack activity is strengthened.
55. Conclusions
• It is very important that the police take the lead in a takedown operation.
• The reaction of the attacker is very quick. We always have to think about new prevention techniques.
• It is difficult to simply apply the methods of this operation to sophisticated malware.
57. It is essential for the government, the police, the judiciary, and companies to cooperate together.
Speaker notes:
The amount of damage from fraudulent remittances related to Internet banking in Japan has increased sharply since 2013.
In April 2015, the first large-scale botnet takedown effort carried out by Japan on its own.
SecureBrain (SB) was asked to provide neutralization technology for this operation and provided technical cooperation.
Monitors access to URLs that match the regular expression written in the config.
“Empty” because the data is empty.