Advance of Bank Trojan Nov 2005. 2 – 2002 Symantec Corporation, All Rights Reserved Current threat from Bank Trojans Steals online banking information;

Advance of Bank Trojan

Nov 2005

2 – 2002 Symantec Corporation, All Rights Reserved

Current threat from Bank Trojans

Steals online banking information; typically usernames and passwords.

PWSteal.JGinko targets Japanese banks. (Trojan-Spy.Win32.Banker.vt [Kaspersky Lab], PWS-Jginko [McAfee], TSPY_BANCOS.ANM [Trend Micro])

These Trojans work closely and actively with Internet Explorer.


Submission increase

Symantec gets almost 2 million submissions per year.

The rate of submissions is increasing.

Are Bank Trojan submissions increasing?


PWSteal.Bancos submissions

Why have submissions decreased?


Bancos submissions vs Total Symantec submissions.

0

500

1000

1500

2000

2500

3000


How samples are collected

User submissions

Honey pot

Web site routine patrol(Adware, Spyware)

Brightmail

BBS


Japanese Banks VS Bank Trojan

PWSteal.Bancos originally targeted Brazilian Banks.

Then, support was added for German and English Banks.

PWSteal.Jginko targets only Japanese Banks.

PWSteal.Jginko monitors 27 domains.

PWSteal.Bancos.T monitors 2746 domains.


PWSteal.Jginko domains

resonabank.anser.or.jp, btm.co.jp, ebank.co.jp

japannetbank.co.jp, smbc.co.jp, yu-cho.japanpost.jp

ufjbank.co.jp, mizuhobank.co.jp

shinseibank.co.jp, iy-bank.co.jp

shinkinbanking.com, shinkin-webfb-hokkaido.jp

shinkin-webfb.jp

And more, more, more


Other Bank Trojans also target rural banks

82bank.co.jp, akita-bank.co.jp

all.rokin.or.jp, toyotrustbank.co.jp

hyakugo.co.jp, chibabank.co.jp

fukuibank.co.jp, gunmabank.co.jp

hirogin.co.jp, hokugin.co.jp

joyobank.co.jp, nishigin.co.jp

And more, more, more


Security measures taken by Japanese Banks recently

Software Keyboard

Strong password requirements

Challenge and response with one-time encryption key

Prevent phishing mail

Login restricted by IP address

SSL


Advantage of Trojan over KeyLogger

These Trojans are not KeyLogger.Trojans

Stealth techniques can be used

Intercepts transaction information

Silent download

Silent update


Bank Trojans are not KeyLogger.Trojan

Old KeyLoggers log key strokes and send logged data.

Difficult to know which application the user was using

Logs user error (passeo[Back Space][Back Space]word )

Difficult to know when the user changes to a different input field


Stealth techniques used by Bank Trojans

Works with Internet Explorer.

Firewall does not stop HTTP transaction of Internet Explorer. (BHO, Inject, layered service provider)

Injects itself into other process

Rootkit may hide files or protect them from security application

Hide packet traffic from system to avoid detection


Intercept transaction

These Trojans can hook specific procedure calls

These Trojans can inject itself into an application

HTTPS is not secure if the data is intercepted before and after it is encrypted


Silent download/ Silent update techniques

Trojans may close Alerts from Windows Firewall

Delete Zone.Identifier settings

Add itself to Authorized Applications list, bypassing the firewall


Technique: Key Logging


Technique: Key Logging(2)


Technique: Inject

Taskmanager can enumerate process

DLLs are never enumerated by taskmanager.

If IEXPLORE.EXE calls loadlibrary?

VirtualAllocEx

WriteProcessMemory

GetProcAddress

CreateRemoteThread


Technique: BHO

A Browser helper object is an additional software component that is loaded when Internet Explorer starts.

When a BHO sends a data, It looks like the data is sent by Internet Explorer.

The BHO can’t be seen with Task manager.


Loading BHO

How Internet Explorer loads and initializes helper objects.


Technique: BHO (2)


Technique: Intercept transaction


Secure Socket Layer is secure?

Secure

Not SecurePickup data

Encrypt data


Technique: Intercept transaction (2)







DWebBrowserEvents2, IHTMLDocument2

Onmouseover

User push “A” or “A” filled to field.

Onsubmit


Technique: Silent download


Technique: Silent update


Technique: Silent update (2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Value: ":*:Enabled:"


Steal password


Challenge and response

Send user name

Send user name

Answer “Challenge”Answer random “Challenge”

Send one-time password

Accepted

Calculate one-time password by “Challenge” and send it

Answer fake error page Transfer money

Thank You!

Hiroshi [email protected]

Advance of Bank Trojan Nov 2005. 2 – 2002 Symantec Corporation, All Rights Reserved Current threat from Bank Trojans Steals online banking information;

Documents

symantec corporation

rights reserved technique

rights reserved pwsteal

rights reserved bank

data slide

firewall slide

rights reserved loading

detection slide