Скачать презентацию Advance of Bank Trojan Nov 2005 Current Скачать презентацию Advance of Bank Trojan Nov 2005 Current

6eb0feee4276f4ff460c5149306d1170.ppt

  • Количество слайдов: 33

Advance of Bank Trojan Nov 2005 Advance of Bank Trojan Nov 2005

Current threat from Bank Trojans § Steals online banking information; typically usernames and passwords. Current threat from Bank Trojans § Steals online banking information; typically usernames and passwords. § PWSteal. JGinko targets Japanese banks. (Trojan. Spy. Win 32. Banker. vt [Kaspersky Lab], PWS-Jginko [Mc. Afee], TSPY_BANCOS. ANM [Trend Micro]) § These Trojans work closely and actively with Internet Explorer. 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Submission increase § Symantec gets almost 2 million submissions per year. § The rate Submission increase § Symantec gets almost 2 million submissions per year. § The rate of submissions is increasing. § Are Bank Trojan submissions increasing? 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

PWSteal. Bancos submissions § Why have submissions decreased? 2002 Symantec Corporation, All Rights Reserved PWSteal. Bancos submissions § Why have submissions decreased? 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Bancos submissions vs Total Symantec submissions. 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Bancos submissions vs Total Symantec submissions. 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

How samples are collected § User submissions § Honey pot § Web site routine How samples are collected § User submissions § Honey pot § Web site routine patrol(Adware, Spyware) § Brightmail § BBS 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Japanese Banks VS Bank Trojan § PWSteal. Bancos originally targeted Brazilian Banks. § Then, Japanese Banks VS Bank Trojan § PWSteal. Bancos originally targeted Brazilian Banks. § Then, support was added for German and English Banks. § PWSteal. Jginko targets only Japanese Banks. § PWSteal. Jginko monitors 27 domains. § PWSteal. Bancos. T monitors 2746 domains. 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

PWSteal. Jginko domains § resonabank. anser. or. jp, btm. co. jp, ebank. co. jp PWSteal. Jginko domains § resonabank. anser. or. jp, btm. co. jp, ebank. co. jp § japannetbank. co. jp, smbc. co. jp, yu-cho. japanpost. jp § ufjbank. co. jp, mizuhobank. co. jp § shinseibank. co. jp, iy-bank. co. jp § shinkinbanking. com, shinkin-webfb-hokkaido. jp § shinkin-webfb. jp § And more, more 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Other Bank Trojans also target rural banks § 82 bank. co. jp, akita-bank. co. Other Bank Trojans also target rural banks § 82 bank. co. jp, akita-bank. co. jp § all. rokin. or. jp, toyotrustbank. co. jp § hyakugo. co. jp, chibabank. co. jp § fukuibank. co. jp, gunmabank. co. jp § hirogin. co. jp, hokugin. co. jp § joyobank. co. jp, nishigin. co. jp § And more, more 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Security measures taken by Japanese Banks recently § Software Keyboard § Strong password requirements Security measures taken by Japanese Banks recently § Software Keyboard § Strong password requirements § Challenge and response with one-time encryption key § Prevent phishing mail § Login restricted by IP address § SSL 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Advantage of Trojan over Key. Logger § These Trojans are not Key. Logger. Trojans Advantage of Trojan over Key. Logger § These Trojans are not Key. Logger. Trojans § Stealth techniques can be used § Intercepts transaction information § Silent download § Silent update 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Bank Trojans are not Key. Logger. Trojan § Old Key. Loggers log key strokes Bank Trojans are not Key. Logger. Trojan § Old Key. Loggers log key strokes and send logged data. § Difficult to know which application the user was using § Logs user error (passeo[Back Space]word ) § Difficult to know when the user changes to a different input field 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Stealth techniques used by Bank Trojans § Works with Internet Explorer. § Firewall does Stealth techniques used by Bank Trojans § Works with Internet Explorer. § Firewall does not stop HTTP transaction of Internet Explorer. (BHO, Inject, layered service provider) § Injects itself into other process § Rootkit may hide files or protect them from security application § Hide packet traffic from system to avoid detection 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Intercept transaction § These Trojans can hook specific procedure calls § These Trojans can Intercept transaction § These Trojans can hook specific procedure calls § These Trojans can inject itself into an application § HTTPS is not secure if the data is intercepted before and after it is encrypted 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Silent download/ Silent update techniques § Trojans may close Alerts from Windows Firewall § Silent download/ Silent update techniques § Trojans may close Alerts from Windows Firewall § Delete Zone. Identifier settings § Add itself to Authorized Applications list, bypassing the firewall 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Key Logging 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Key Logging 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Key Logging(2) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Key Logging(2) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Inject § Taskmanager can enumerate process § DLLs are never enumerated by taskmanager. Technique: Inject § Taskmanager can enumerate process § DLLs are never enumerated by taskmanager. § If IEXPLORE. EXE calls loadlibrary? § Virtual. Alloc. Ex § Write. Process. Memory § Get. Proc. Address § Create. Remote. Thread 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: BHO § A Browser helper object is an additional software component that is Technique: BHO § A Browser helper object is an additional software component that is loaded when Internet Explorer starts. § When a BHO sends a data, It looks like the data is sent by Internet Explorer. § The BHO can’t be seen with Task manager. 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Loading BHO § How Internet Explorer loads and initializes helper objects. 2002 Symantec Corporation, Loading BHO § How Internet Explorer loads and initializes helper objects. 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: BHO (2) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: BHO (2) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Intercept transaction 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Intercept transaction 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Secure Socket Layer is secure? Secure Not Secure Pickup data Encrypt data 2002 Symantec Secure Socket Layer is secure? Secure Not Secure Pickup data Encrypt data 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Intercept transaction (2) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Intercept transaction (2) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Intercept transaction (3) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Intercept transaction (3) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Intercept transaction (4) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Intercept transaction (4) 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Intercept transaction (5) § DWeb. Browser. Events 2, IHTMLDocument 2 § Onmouseover § Technique: Intercept transaction (5) § DWeb. Browser. Events 2, IHTMLDocument 2 § Onmouseover § User push “A” or “A” filled to field. § Onsubmit 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Silent download 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Silent download 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Silent update 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Technique: Silent update 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Technique: Silent update (2) § HKEY_LOCAL_MACHINESYSTEMCurrent. Control SetServicesShared. AccessParametersFirewall. Poli cyStandard. ProfileAuthorized. ApplicationsList § Technique: Silent update (2) § HKEY_LOCAL_MACHINESYSTEMCurrent. Control SetServicesShared. AccessParametersFirewall. Poli cyStandard. ProfileAuthorized. ApplicationsList § Value: ": *: Enabled: " 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Steal password 2002 Symantec Corporation, All Rights Reserved – 3/16/2018 Steal password 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Challenge and response Send user name Answer “Challenge” Calculate one-time password by “Challenge” and Challenge and response Send user name Answer “Challenge” Calculate one-time password by “Challenge” and send it Answer random “Challenge” Send one-time password Accepted Answer fake error page Transfer money 2002 Symantec Corporation, All Rights Reserved – 3/16/2018

Thank You! Hiroshi Shinotsuka Hiroshi_Shintosuka@symantec. com Thank You! Hiroshi Shinotsuka [email protected] com