Download presentation
Presentation is loading. Please wait.
Published byRolando Mulnix Modified over 10 years ago
1
Advance of Bank Trojan Nov 2005
2
2 – 2002 Symantec Corporation, All Rights Reserved Current threat from Bank Trojans Steals online banking information; typically usernames and passwords. PWSteal.JGinko targets Japanese banks. (Trojan- Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend Micro]) These Trojans work closely and actively with Internet Explorer.
3
3 – 2002 Symantec Corporation, All Rights Reserved Submission increase Symantec gets almost 2 million submissions per year. The rate of submissions is increasing. Are Bank Trojan submissions increasing?
4
4 – 2002 Symantec Corporation, All Rights Reserved PWSteal.Bancos submissions Why have submissions decreased?
5
5 – 2002 Symantec Corporation, All Rights Reserved Bancos submissions vs Total Symantec submissions.
6
6 – 2002 Symantec Corporation, All Rights Reserved How samples are collected User submissions Honey pot Web site routine patrol(Adware, Spyware) Brightmail BBS
7
7 – 2002 Symantec Corporation, All Rights Reserved Japanese Banks VS Bank Trojan PWSteal.Bancos originally targeted Brazilian Banks. Then, support was added for German and English Banks. PWSteal.Jginko targets only Japanese Banks. PWSteal.Jginko monitors 27 domains. PWSteal.Bancos.T monitors 2746 domains.
8
8 – 2002 Symantec Corporation, All Rights Reserved PWSteal.Jginko domains resonabank.anser.or.jp, btm.co.jp, ebank.co.jp japannetbank.co.jp, smbc.co.jp, yu-cho.japanpost.jp ufjbank.co.jp, mizuhobank.co.jp shinseibank.co.jp, iy-bank.co.jp shinkinbanking.com, shinkin-webfb-hokkaido.jp shinkin-webfb.jp And more, more, more
9
9 – 2002 Symantec Corporation, All Rights Reserved Other Bank Trojans also target rural banks 82bank.co.jp, akita-bank.co.jp all.rokin.or.jp, toyotrustbank.co.jp hyakugo.co.jp, chibabank.co.jp fukuibank.co.jp, gunmabank.co.jp hirogin.co.jp, hokugin.co.jp joyobank.co.jp, nishigin.co.jp And more, more, more
10
10 – 2002 Symantec Corporation, All Rights Reserved Security measures taken by Japanese Banks recently Software Keyboard Strong password requirements Challenge and response with one-time encryption key Prevent phishing mail Login restricted by IP address SSL
11
11 – 2002 Symantec Corporation, All Rights Reserved Advantage of Trojan over KeyLogger These Trojans are not KeyLogger.Trojans Stealth techniques can be used Intercepts transaction information Silent download Silent update
12
12 – 2002 Symantec Corporation, All Rights Reserved Bank Trojans are not KeyLogger.Trojan Old KeyLoggers log key strokes and send logged data. Difficult to know which application the user was using Logs user error (passeo[Back Space][Back Space]word ) Difficult to know when the user changes to a different input field
13
13 – 2002 Symantec Corporation, All Rights Reserved Stealth techniques used by Bank Trojans Works with Internet Explorer. Firewall does not stop HTTP transaction of Internet Explorer. (BHO, Inject, layered service provider) Injects itself into other process Rootkit may hide files or protect them from security application Hide packet traffic from system to avoid detection
14
14 – 2002 Symantec Corporation, All Rights Reserved Intercept transaction These Trojans can hook specific procedure calls These Trojans can inject itself into an application HTTPS is not secure if the data is intercepted before and after it is encrypted
15
15 – 2002 Symantec Corporation, All Rights Reserved Silent download/ Silent update techniques Trojans may close Alerts from Windows Firewall Delete Zone.Identifier settings Add itself to Authorized Applications list, bypassing the firewall
16
16 – 2002 Symantec Corporation, All Rights Reserved Technique: Key Logging
17
17 – 2002 Symantec Corporation, All Rights Reserved Technique: Key Logging(2)
18
18 – 2002 Symantec Corporation, All Rights Reserved Technique: Inject Taskmanager can enumerate process DLLs are never enumerated by taskmanager. If IEXPLORE.EXE calls loadlibrary? VirtualAllocEx WriteProcessMemory GetProcAddress CreateRemoteThread
19
19 – 2002 Symantec Corporation, All Rights Reserved Technique: BHO A Browser helper object is an additional software component that is loaded when Internet Explorer starts. When a BHO sends a data, It looks like the data is sent by Internet Explorer. The BHO cant be seen with Task manager.
20
20 – 2002 Symantec Corporation, All Rights Reserved Loading BHO How Internet Explorer loads and initializes helper objects.
21
21 – 2002 Symantec Corporation, All Rights Reserved Technique: BHO (2)
22
22 – 2002 Symantec Corporation, All Rights Reserved Technique: Intercept transaction
23
23 – 2002 Symantec Corporation, All Rights Reserved Secure Socket Layer is secure? Secure Not Secure Pickup data Encrypt data
24
24 – 2002 Symantec Corporation, All Rights Reserved Technique: Intercept transaction (2)
25
25 – 2002 Symantec Corporation, All Rights Reserved Technique: Intercept transaction (3)
26
26 – 2002 Symantec Corporation, All Rights Reserved Technique: Intercept transaction (4)
27
27 – 2002 Symantec Corporation, All Rights Reserved Technique: Intercept transaction (5) DWebBrowserEvents2, IHTMLDocument2 Onmouseover User push A or A filled to field. Onsubmit
28
28 – 2002 Symantec Corporation, All Rights Reserved Technique: Silent download
29
29 – 2002 Symantec Corporation, All Rights Reserved Technique: Silent update
30
30 – 2002 Symantec Corporation, All Rights Reserved Technique: Silent update (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl Set\Services\SharedAccess\Parameters\FirewallPoli cy\StandardProfile\AuthorizedApplications\List Value: ":*:Enabled:"
31
31 – 2002 Symantec Corporation, All Rights Reserved Steal password
32
32 – 2002 Symantec Corporation, All Rights Reserved Challenge and response Send user name Answer Challenge Answer random Challenge Send one-time password Accepted Calculate one-time password by Challenge and send it Answer fake error page Transfer money
33
Thank You! Hiroshi Shinotsuka Hiroshi_Shintosuka@symantec.com
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.