
Slide 1 – Advance of Bank Trojan, Nov 2005

Slide 2 – Current threat from Bank Trojans (2 – 2002 Symantec Corporation, All Rights Reserved)
- Steals online banking information, typically usernames and passwords.
- PWSteal.JGinko targets Japanese banks. (Trojan-Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend Micro])
- These Trojans work closely and actively with Internet Explorer.

Slide 3 – Submission increase
- Symantec gets almost 2 million submissions per year.
- The rate of submissions is increasing.
- Are Bank Trojan submissions increasing?

Slide 4 – PWSteal.Bancos submissions
- Why have submissions decreased?

Slide 5 – Bancos submissions vs. total Symantec submissions

Slide 6 – How samples are collected
- User submissions
- Honey pot
- Web site routine patrol (Adware, Spyware)
- Brightmail
- BBS

Slide 7 – Japanese Banks vs. Bank Trojan
- PWSteal.Bancos originally targeted Brazilian banks. Then support was added for German and English banks.
- PWSteal.Jginko targets only Japanese banks.
- PWSteal.Jginko monitors 27 domains.
- PWSteal.Bancos.T monitors 2746 domains.

Slide 8 – PWSteal.Jginko domains
resonabank.anser.or.jp, btm.co.jp, ebank.co.jp, japannetbank.co.jp, smbc.co.jp, yu-cho.japanpost.jp, ufjbank.co.jp, mizuhobank.co.jp, shinseibank.co.jp, iy-bank.co.jp, shinkinbanking.com, shinkin-webfb-hokkaido.jp, shinkin-webfb.jp, and more, more, more.

Slide 9 – Other Bank Trojans also target rural banks
82bank.co.jp, akita-bank.co.jp, all.rokin.or.jp, toyotrustbank.co.jp, hyakugo.co.jp, chibabank.co.jp, fukuibank.co.jp, gunmabank.co.jp, hirogin.co.jp, hokugin.co.jp, joyobank.co.jp, nishigin.co.jp, and more, more, more.

Slide 10 – Security measures taken by Japanese banks recently
- Software keyboard
- Strong password requirements
- Challenge and response with one-time encryption key
- Prevent phishing mail
- Login restricted by IP address
- SSL

Slide 11 – Advantage of Trojan over KeyLogger
- These Trojans are not KeyLogger.Trojans.
- Stealth techniques can be used.
- Intercepts transaction information.
- Silent download.
- Silent update.

Slide 12 – Bank Trojans are not KeyLogger.Trojan
- Old KeyLoggers log key strokes and send the logged data.
- Difficult to know which application the user was using.
- Logs user errors (passeo[Back Space][Back Space]word).
- Difficult to know when the user changes to a different input field.

Slide 13 – Stealth techniques used by Bank Trojans
- Works with Internet Explorer. The firewall does not stop HTTP transactions of Internet Explorer. (BHO, Inject, layered service provider)
- Injects itself into other processes.
- A rootkit may hide files or protect them from security applications.
- Hides packet traffic from the system to avoid detection.

Slide 14 – Intercept transaction
- These Trojans can hook specific procedure calls.
- These Trojans can inject themselves into an application.
- HTTPS is not secure if the data is intercepted before it is encrypted or after it is decrypted.

Slide 15 – Silent download / silent update techniques
- Trojans may close alerts from Windows Firewall.
- Delete Zone.Identifier settings.
- Add itself to the Authorized Applications list, bypassing the firewall.

Slide 16 – Technique: Key Logging

Slide 17 – Technique: Key Logging (2)

Slide 18 – Technique: Inject
- Task Manager can enumerate processes; DLLs are never enumerated by Task Manager.
- If IEXPLORE.EXE calls LoadLibrary?
- VirtualAllocEx, WriteProcessMemory, GetProcAddress, CreateRemoteThread

Slide 19 – Technique: BHO
- A Browser Helper Object is an additional software component that is loaded when Internet Explorer starts.
- When a BHO sends data, it looks like the data is sent by Internet Explorer.
- The BHO can't be seen with Task Manager.

Slide 20 – Loading BHO
- How Internet Explorer loads and initializes helper objects.

Slide 21 – Technique: BHO (2)

Slide 22 – Technique: Intercept transaction

Slide 23 – Secure Socket Layer is secure?
(Diagram labels: Secure / Not Secure / Pickup data / Encrypt data)

Slide 24 – Technique: Intercept transaction (2)

Slide 25 – Technique: Intercept transaction (3)

Slide 26 – Technique: Intercept transaction (4)

Slide 27 – Technique: Intercept transaction (5)
- DWebBrowserEvents2, IHTMLDocument2
- Onmouseover: the user pushes A, or A is filled into the field.
- Onsubmit

Slide 28 – Technique: Silent download

Slide 29 – Technique: Silent update

Slide 30 – Technique: Silent update (2)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value: ":*:Enabled:"
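As an added defender-side example (not code from the presentation), the following Python audits the firewall exception list named on this slide: it parses each entry in the "<path>:<scope>:<status>:<name>" layout from which the slide's ":*:Enabled:" fragment comes, and flags enabled, any-address exceptions whose executable sits in a user-writable directory. The entry layout and the list of user-writable directories are assumptions for illustration; off Windows the block runs against constructed sample entries instead of the live key.

```python
import sys
from dataclasses import dataclass

# Key quoted on the slide (Windows XP SP2 firewall, Standard profile).
FIREWALL_LIST = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Assumption: user-writable directories a legitimate exception rarely points at.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")

@dataclass
class AuthorizedApp:
    path: str    # executable the exception applies to
    scope: str   # "*" means any remote address
    status: str  # "Enabled" or "Disabled"
    name: str    # display name shown in the firewall UI

def parse_authorized_app(value: str) -> AuthorizedApp:
    """Parse one List value of the assumed form '<path>:<scope>:<status>:<name>'.
    The drive-letter colon ('C:') belongs to the path, so it is split off first;
    the name is taken last so colons inside it cannot shift the other fields."""
    drive, rest = (value[:2], value[2:]) if value[1:2] == ":" else ("", value)
    path, scope, status, name = rest.split(":", 3)
    return AuthorizedApp(drive + path, scope, status, name)

def is_suspicious(app: AuthorizedApp) -> bool:
    """Enabled, any-address exception whose binary sits in a user-writable dir."""
    low = app.path.lower()
    return (app.status.lower() == "enabled" and app.scope == "*"
            and any(d in low for d in SUSPECT_DIRS))

def audit(values: list[str]) -> list[AuthorizedApp]:
    """Return the entries that deserve a closer look."""
    return [a for a in map(parse_authorized_app, values) if is_suspicious(a)]

def read_live_list() -> list[str]:
    """Read the real key through winreg on Windows; return [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FIREWALL_LIST) as key:
        n_values = winreg.QueryInfoKey(key)[1]
        return [winreg.EnumValue(key, i)[1] for i in range(n_values)]  # [1] = data

if __name__ == "__main__":
    # Constructed sample entries standing in for a live registry read.
    sample = [r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
              r"C:\Documents and Settings\user\Local Settings\Temp\update.exe:*:Enabled:update"]
    for app in audit(read_live_list() or sample):
        print("SUSPECT", app.path, "(" + app.name + ")")
```

Treat a hit as a lead, not a verdict: a legitimate updater can also live under a profile directory, so confirm the binary's publisher and creation time before acting.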

Slide 31 – Steal password

Slide 32 – Challenge and response
(Sequence diagram labels, in order: Send user name / Answer Challenge / Answer random Challenge / Send one-time password / Accepted / Calculate one-time password by Challenge and send it / Answer fake error page / Transfer money)

Slide 33 – Thank You! Hiroshi Shinotsuka

