Advance of Bank Trojan - PowerPoint PPT Presentation

About This Presentation
Title:

Advance of Bank Trojan

Description:

Steals online banking information; typically usernames and passwords. ... ( Trojan-Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM ... – PowerPoint PPT presentation

Number of Views:171
Avg rating:3.0/5.0
Slides: 34
Provided by: hiroshish
Category:
Tags: advance | bank | spy | trojan


Transcript and Presenter's Notes

1
Advance of Bank Trojan
Nov 2005
2
Current threat from Bank Trojans
  • Steals online banking information, typically
    usernames and passwords.
  • PWSteal.JGinko targets Japanese banks.
    (Trojan-Spy.Win32.Banker.vt [Kaspersky Lab],
    PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend
    Micro])
  • These Trojans work closely and actively with
    Internet Explorer.

3
Submission increase
  • Symantec gets almost 2 million submissions per
    year.
  • The rate of submissions is increasing.
  • Are Bank Trojan submissions increasing?

4
PWSteal.Bancos submissions
  • Why have submissions decreased?

5
Bancos submissions vs Total Symantec submissions.
6
How samples are collected
  • User submissions
  • Honey pot
  • Web site routine patrol (Adware, Spyware)
  • Brightmail
  • BBS

7
Japanese Banks VS Bank Trojan
  • PWSteal.Bancos originally targeted Brazilian
    Banks.
  • Then, support was added for German and English
    Banks.
  • PWSteal.Jginko targets only Japanese Banks.
  • PWSteal.Jginko monitors 27 domains.
  • PWSteal.Bancos.T monitors 2746 domains.

8
PWSteal.Jginko domains
  • resonabank.anser.or.jp, btm.co.jp, ebank.co.jp
  • japannetbank.co.jp, smbc.co.jp,
    yu-cho.japanpost.jp
  • ufjbank.co.jp, mizuhobank.co.jp
  • shinseibank.co.jp, iy-bank.co.jp
  • shinkinbanking.com, shinkin-webfb-hokkaido.jp
  • shinkin-webfb.jp
  • And more, more, more

9
Other Bank Trojans also target rural banks
  • 82bank.co.jp, akita-bank.co.jp
  • all.rokin.or.jp, toyotrustbank.co.jp
  • hyakugo.co.jp, chibabank.co.jp
  • fukuibank.co.jp, gunmabank.co.jp
  • hirogin.co.jp, hokugin.co.jp
  • joyobank.co.jp, nishigin.co.jp
  • And more, more, more

10
Security measures taken by Japanese Banks recently
  • Software Keyboard
  • Strong password requirements
  • Challenge and response with one-time encryption
    key
  • Prevent phishing mail
  • Login restricted by IP address
  • SSL

11
Advantage of Trojan over KeyLogger
  • These Trojans are not KeyLogger.Trojans
  • Stealth techniques can be used
  • Intercepts transaction information
  • Silent download
  • Silent update

12
Bank Trojans are not KeyLogger.Trojan
  • Old KeyLoggers log key strokes and send the logged
    data.
  • Difficult to know which application the user was
    using.
  • Logs user errors, e.g. "password" typed with a
    correction is logged as
    "passeo[Back Space][Back Space]word".
  • Difficult to know when the user changes to a
    different input field.

13
Stealth techniques used by Bank Trojans
  • Works with Internet Explorer.
  • Firewall does not stop HTTP transaction of
    Internet Explorer. (BHO, Inject, layered service
    provider)
  • Injects itself into other processes
  • Rootkit may hide files or protect them from
    security applications
  • Hide packet traffic from system to avoid
    detection

14
Intercept transaction
  • These Trojans can hook specific procedure calls
  • These Trojans can inject themselves into an
    application
  • HTTPS is not secure if the data is intercepted
    before it is encrypted (or after it is decrypted)

15
Silent download/ Silent update techniques
  • Trojans may close Alerts from Windows Firewall
  • Delete Zone.Identifier settings
  • Add itself to Authorized Applications list,
    bypassing the firewall

16
Technique Key Logging
17
Technique Key Logging(2)
18
Technique Inject
  • Task Manager can enumerate processes
  • DLLs are never enumerated by Task Manager.
  • What if IEXPLORE.EXE calls LoadLibrary?
  • VirtualAllocEx
  • WriteProcessMemory
  • GetProcAddress
  • CreateRemoteThread

19
Technique BHO
  • A Browser helper object is an additional software
    component that is loaded when Internet Explorer
    starts.
  • When a BHO sends data, it looks like the data
    was sent by Internet Explorer.
  • The BHO can't be seen with Task Manager.

20
Loading BHO
  • How Internet Explorer loads and initializes
    helper objects.

21
Technique BHO (2)
22
Technique Intercept transaction
23
Secure Socket Layer is secure?
  (Diagram; labels: "Secure", "Not Secure",
  "Pickup data", "Encrypt data")
24
Technique Intercept transaction (2)
25
Technique Intercept transaction (3)
26
Technique Intercept transaction (4)
27
Technique Intercept transaction (5)
  • DWebBrowserEvents2, IHTMLDocument2
  • onmouseover
  • User presses "A", or "A" is filled into the field.
  • onsubmit

28
Technique Silent download
29
Technique Silent update
30
Technique Silent update (2)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • Value "Enabled"

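The registry list on the slide is also where a defender can look: every value under that key is one firewall exception, and a Trojan that adds itself there shows up as an entry for an executable in an odd location. The following Python is an added example written for this page, not code from the presentation or from Symantec. It parses the Windows XP SP2 value format (`<path>:<scope>:<Enabled|Disabled>:<display name>`), reads the live key on Windows when `winreg` is available, and otherwise runs against a constructed sample list. The "suspicious location" and "borrowed system name" heuristics are assumptions chosen for illustration, not a vendor rule set.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Registry location quoted on the slide (per-profile firewall exception list).
AUTHORIZED_APPS_KEY = (
    r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Each value's REG_SZ data is "<path>:<scope>:<Enabled|Disabled>:<display name>".
# The path carries a drive-letter colon, so the regex lets the path absorb colons
# non-greedily and anchors on the fixed Enabled/Disabled field.
_ENTRY_RE = re.compile(
    r"^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)


class AuthorizedApp(NamedTuple):
    path: str
    scope: str     # "*" for any remote address, or a subnet/address list
    enabled: bool
    name: str


def parse_entry(data: str) -> Optional[AuthorizedApp]:
    """Parse one value's data; None when it does not follow the known format."""
    m = _ENTRY_RE.match(data)
    if not m:
        return None
    return AuthorizedApp(m["path"], m["scope"], m["state"] == "Enabled", m["name"])


# Heuristics (constructed for this example): installers rarely put a firewall
# exception on a binary in a temp directory, and a Windows service name outside
# System32 is a classic disguise.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def suspicious_entries(values: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for enabled exceptions worth a closer look."""
    findings: list[tuple[str, str]] = []
    for value_name, data in values.items():
        app = parse_entry(data)
        if app is None:
            findings.append((value_name, "entry does not match the expected format"))
            continue
        if not app.enabled:
            continue
        low = app.path.lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            findings.append((app.path, "enabled exception for a binary in a user-writable directory"))
        basename = low.rsplit("\\", 1)[-1]
        if basename in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
            findings.append((app.path, "system binary name outside System32"))
    return findings


def read_from_registry() -> dict[str, str]:
    """Read the live list on Windows; returns {} on other platforms or if the key is absent."""
    try:
        import winreg
    except ImportError:
        return {}
    values: dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUTHORIZED_APPS_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:      # no more values
                    break
                values[name] = data
                index += 1
    except OSError:
        return {}
    return values


# Constructed sample: two normal Windows exceptions, one dropped binary, one disabled entry.
SAMPLE_LIST = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\sessmgr.exe":
        r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:Remote Assistance",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe:*:Enabled:svchost",
    r"C:\Program Files\Legacy\legacy.exe":
        r"C:\Program Files\Legacy\legacy.exe:LocalSubNet:Disabled:Legacy App",
}

if __name__ == "__main__":
    live = read_from_registry()
    for path, reason in suspicious_entries(live or SAMPLE_LIST):
        print(f"{reason}: {path}")
```

On the constructed sample the temp-directory `svchost.exe` is reported twice (user-writable path, and a system name outside System32) while the disabled entry is ignored; on a Windows host the same function runs over the real key.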
31
Steal password
32
Challenge and response
  (Diagram; messages in order)
  • Send user name
  • Send user name
  • Answer random Challenge
  • Answer Challenge
  • Calculate one-time password by Challenge and
    send it
  • Send one-time password
  • Accepted
  • Answer fake error page
  • Transfer money
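The message flow above shows why a challenge-and-response one-time password on its own does not stop a Trojan sitting inside the browser: the response only proves the user is present, and once the bank answers "Accepted" whatever transfer the browser sends next is honoured. The mitigation is to make the one-time password depend on the transfer itself (amount and destination), so a transfer that differs from what the user approved fails verification. The Python below is an added example for this page, not code from the presentation or from any bank; the toy `Bank` class, the shared-secret HMAC scheme and the account names are constructed assumptions. It runs both protocol variants against a transfer that matches what the user approved and against one that was altered after approval.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def one_time_password(secret: bytes, *fields: str) -> str:
    """HMAC over the listed fields, truncated to an 8-hex-digit code a user could type.
    With only the challenge in `fields` the code is bound to the session;
    with amount and destination added it is bound to one specific transfer."""
    message = "|".join(fields).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Toy bank server (constructed for this example, not a real bank's protocol)."""

    def __init__(self, secret_by_user: dict[str, bytes], bind_transaction: bool) -> None:
        self.secret_by_user = secret_by_user
        self.bind_transaction = bind_transaction      # the mitigation switch
        self.challenge_by_user: dict[str, str] = {}
        self.ledger: list[tuple[str, int, str]] = []

    def issue_challenge(self, user: str) -> str:
        """Random, single-use challenge, as on the slide."""
        self.challenge_by_user[user] = secrets.token_hex(8)
        return self.challenge_by_user[user]

    def _expected_response(self, user: str, amount: int, dest: str) -> str:
        fields = [self.challenge_by_user[user]]
        if self.bind_transaction:
            fields += [str(amount), dest]             # tie the code to this transfer
        return one_time_password(self.secret_by_user[user], *fields)

    def transfer(self, user: str, amount: int, dest: str, response: str) -> bool:
        """Verify the response for the transfer as submitted, then spend the challenge."""
        if user not in self.challenge_by_user:
            return False
        expected = self._expected_response(user, amount, dest)
        del self.challenge_by_user[user]              # single use either way
        if not hmac.compare_digest(expected, response):
            return False
        self.ledger.append((user, amount, dest))
        return True


def token_response(secret: bytes, challenge: str, amount: int, dest: str,
                   bind_transaction: bool) -> str:
    """What the customer's token computes for the transfer the customer actually sees."""
    fields = [challenge] + ([str(amount), dest] if bind_transaction else [])
    return one_time_password(secret, *fields)


def simulate(bind_transaction: bool, submitted: tuple[int, str]) -> tuple[bool, list]:
    """Run one transfer. `submitted` is what reaches the bank; it equals the approved
    transfer unless something between page and wire rewrote it (the slide's scenario)."""
    secret = b"constructed-shared-secret"
    bank = Bank({"alice": secret}, bind_transaction)
    approved = (100, "ACC-SAVINGS")                   # what Alice sees and approves
    challenge = bank.issue_challenge("alice")
    response = token_response(secret, challenge, *approved, bind_transaction)
    accepted = bank.transfer("alice", submitted[0], submitted[1], response)
    return accepted, bank.ledger


if __name__ == "__main__":
    for bind in (False, True):
        for submitted in ((100, "ACC-SAVINGS"), (5000, "ACC-OTHER")):
            ok, ledger = simulate(bind, submitted)
            print(f"transaction-bound={bind} submitted={submitted} accepted={ok} ledger={ledger}")
```

With `bind_transaction=False` the altered transfer is accepted because the response never mentioned the amount or destination; with `bind_transaction=True` the same response fails and the ledger stays empty, while the unaltered transfer succeeds in both modes. The scheme only helps if the token displays the amount and destination to the user out of band, which is the part a browser-resident Trojan cannot rewrite.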
33
Thank You!
  • Hiroshi Shinotsuka
  • Hiroshi_Shintosuka_at_symantec.com