OWASP - User contributions [en]

File:Giorgio fedon.jpg

2013-06-03T20:23:25Z

Gfedon: uploaded a new version of "File:Giorgio fedon.jpg"

EUTour2013 Training

2013-06-03T20:11:45Z

Gfedon:

<noinclude>{{:EUTour2013 header}}</noinclude>

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" height="30" style="background:#CCCCEE;" colspan="2" | '''OWASP EU TOUR 2013'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | == TRAINING SESSIONS ==
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" |
|-
| align="center" style="background: #4B0082;" colspan="2" | '''SPAIN - Barcelona'''
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 09:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.03 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Cerullof.jpg|150px]] Fabio Cerullo
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: Desarrollo Seguro usando OWASP ESAPI''' 

Este curso tiene como objetivo proporcionar los conocimientos y recursos necesarios para mejorar la seguridad de las aplicaciones Java utilizando las librerias OWASP Enterprise Security API (ESAPI). Estas librerias se han diseñado para que sea más fácil para los desarrolladores mejorar la seguridad en aplicaciones existentes, como asi tambien utilizarlas como base para el desarrollo de nuevas aplicaciones. Los principios generales aprendidos en el curso se puede aplicar en el contexto de otros lenguajes de programación.
 

'''Perﬁl del instructor'''

Fabio Cerullo, CEO y fundador de Cycubix, ayuda a clientes de todo el mundo a mejorar la seguridad de aplicaciones desarrolladas internamente o por terceros, mediante la definición de políticas y normas, implementando iniciativas de desarrollo seguro y gestión de riesgos, así como brindando capacitación sobre el tema a desarrolladores, auditores, ejecutivos y profesionales. 
Como miembro de la Fundación OWASP, Fabio se encarga de coordinar actividades globales de concientizacion sobre seguridad de aplicaciones con empresas privadas, gobiernos e instituciones educativas. 
 

'''Duracion:''' 8 horas (09:00h - 18:00h)
 

'''Precio:''' 250€ No miembros / 200€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingesapi HAGA CLIC AQUI!]''' 
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 14:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.04 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Simonroses.png|150px]] Simón Roses
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: OSINT + Python = Custom Hacking Workshop''' 

Taller práctico que combina el arte de OSINT (Open Source Inteligence) mediante el desarrollo de scripts en Python utilizando diversas API y librerías disponibles. A lo largo del taller se realizarán ejercicios prácticos con el objetivo de asimilar los conceptos por parte del alumno. 

Para entrar en materia se recomienda la lectura del siguiente artículo: 
http://www.simonroses.com/es/2013/05/osint-python-hacking-a-medida/.
 

'''Perﬁl del instructor'''

Simón Roses eslicenciado en Informática por Suffolk University (Boston), Postgrado en E-Commerce, Harvard University (Boston) y Executive MBA, Instituto de Empresa (Madrid). 

En la actualidad es el CEO de VULNEX. Anteriormente formó parte de Microsoft, PriceWaterhouseCoopers y @Stake. 

Creador y colaborador en varios proyectos de código abierto de seguridad como OWASP Pantera y LibExploit, además de publicar avisos en seguridad de conocidos productos. 

Ponente habitual en eventos del sector de seguridad incluyendo BlackHat, RSA, OWASP, DeepSec, Source y Technets de seguridad de Microsoft. 

CISSP, CEH y CSSLP. 
 

'''Duracion:''' 4 horas (14:00h - 18:00h)
 

'''Precio:''' 125€ No miembros / 100€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingcustomhacking HAGA CLIC AQUI!].''' 
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 09:00h - 13:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.04 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Matiaskatz.png]] Matias Katz
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: OWASP Top 5''' 

Esta formación incorporará las técnicas de ataque a plataformas Web más importantes en la actualidad, estandarizadas mediante la norma OWASP Top 5. El curso presentará al alumno la forma de realizar estos ataques, y las contramedidas necesarias para mitigar su riesgo en sus desarrollos. La clase contará con contenido teórico y demostraciones prácticas e interactivas de laboratorio. Esta formación está orientada a desarrolladores, administradores de bases de datos, analistas de sistemas, auditores de seguridad, jefes de proyecto, así como cualquier otro interesado en las principales técnicas de ataque y defensa en aplicaciones Web.
 

'''Perﬁl del instructor'''

Matias Katz is an IT architect and a security specialist. He's CISSP, CEH and MCSE certified, and has 10 years of experience in the field, focusing in the implementation of security audits, in infrastructures and critic applications for big organizations, both private and public. 

After working at IBM for several years, in 2008 Matias founded Mkit Argentina (link: http://www.mkit.com.ar), a company that specializes in performing security audits, vulnerability analysis and penetration tests to organizations, companies and the public sector. The company also gives training of a high technical level for companies, organizations and end-users. 

Matias also works as an external consultant for the computer crimes division of the federal police department in Argentina, where he collaborates in open cases through the acquirement of digital evidence and performing active investigations for the potential suspects. 

He is a professor in 3 universities in Argentina, both in engineering courses and information security post-graduate degree courses. 

He has presented at some of the most important security conferences, like BlackHat, Ekoparty, H2HC, Campus Party. He has dozens of published papers, and has created many tools used daily by security professionals world-wide, for their security audits.
 
 

'''Duracion:''' 4 horas (09:00h - 13:00h)
 

'''Precio:''' 125€ No miembros / 100€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingtop5 HAGA CLIC AQUI!].''' 

 

|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Tuesday, June 25th, 2013 09:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | TCube 32 - 34 Castle Street, Dublin 2, Ireland 
[https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Paco2.jpg|150px]] Paco Hope
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''DEFENSIVE PROGRAMMING – JAVASCRIPT AND HTML5''' 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new
security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including
mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver
advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware
of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with
manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as
cross-domain requests and local storage. The course reinforces some important security aspects of modern browser
architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

Prerequisites: Students should be familiar with Web programming environments and technologies including JavaScript
and HTML. Completion of the Foundations of Software Security, Attack and Defense, or OWASP Top Ten + 2 courses is
highly recommended.
 

'''Instructor Profile'''

Mr. Hope is a Principal Consultant for Cigital with over 12 years experience in the securing of software and systems. He sets the technical direction in Europe and leads consultants delivering static source code analysis, architectural risk assessments, vulnerability assessments, and penetration tests.

His experience covers web applications, online gaming (gambling), embedded gaming devices, lotteries, and business-to-business transaction systems. He has assessed systems for small startups with thousands of lines of code, and massive enterprises with thousands of applications and millions of lines of code.

He is a frequent conference speaker at such venues as OWASP, RSA (US and Europe), Security B-Sides, and SecAppDev. He speaks on issues like integrating security into the software development lifecycle (SDLC), securing web applications, and secure random number generation.

Paco is also involved in the leadership of the London Chapter of (ISC)2. He also serves on (ISC)2's Application Security Advisory Board, helping to advise on the direction of the Certified Secure Software Lifecycle Professional (CSSLP) certification. He has held the CISSP for nearly 10 years and the CSSLP since shortly after its creation.

Mr. Hope has co-authored two books on software security: the Web Security Testing Cookbook and Mastering FreeBSD and OpenBSD Security. He has also authored a chapter of Gary McGraw's Building Security In.
 
 

'''Duration:''' 8 hours (09:00h - 18:00h)
 

'''Price:''' 350€ Non members / 300€ OWASP members.
 

'''Registration link''': [Link].''' 
|-
| align="center" style="background: #4B0082;" colspan="2" | '''ITALY - Rome'''
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Friday 28th June 09:00h - 13:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Università Degli Studi Roma Tre
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:giorgio_fedon.jpg]] Giorgio Fedon
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Title: Mobile Application Security and Security Development Introduction''' 

Students will learn mobile hacking techniques and remediation strategies for Android and iPhone operating systems. They will understand platform security models, mobile application secure design, mobile application security errors, mobile application vulnerabilities related to in-house development. Exploiting techniques for operating system components are explained in the extent they may impact on a company SSDLC process for their mobile applications.
 

'''Instructor Profile'''
Giorgio Fedon is the COO and a cofounder of Minded Security, where he is responsible for running daily operations of the company and managing Professional Services. 

Prior to founding Minded Security, Giorgio was employed as senior security consultant and penetration tester at Emaze Networks S.p.a., delivered code auditing, Forensic and Log analysis, Malware Analysis and complex Penetration Testing services to some of the most important Companies as Banks and Public Agencies in Italy. He participated as speaker in many national and international events talking mainly about web security and malware obfuscation techniques. He was also employed at IBM System & Technology Group in Dublin (Ireland).
 

'''Language:''' English and Italian
 

'''Duration:''' 4 horas (09:00h - 13:00h)
 

'''Price:''' The prices are: 125 Euro for non members / 100 Euro for members.
 

'''Registration Link''': [http://www.regonline.com/eutour13itatrainingmobile Register Here].''' 

 

|}

File:Giorgio fedon.jpg

2013-06-03T20:06:56Z

Gfedon:

EUTour2013 Training

2013-06-03T20:06:39Z

Gfedon:

<noinclude>{{:EUTour2013 header}}</noinclude>

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" height="30" style="background:#CCCCEE;" colspan="2" | '''OWASP EU TOUR 2013'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | == TRAINING SESSIONS ==
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" |
|-
| align="center" style="background: #4B0082;" colspan="2" | '''SPAIN - Barcelona'''
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 09:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.03 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Cerullof.jpg|150px]] Fabio Cerullo
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: Desarrollo Seguro usando OWASP ESAPI''' 

Este curso tiene como objetivo proporcionar los conocimientos y recursos necesarios para mejorar la seguridad de las aplicaciones Java utilizando las librerias OWASP Enterprise Security API (ESAPI). Estas librerias se han diseñado para que sea más fácil para los desarrolladores mejorar la seguridad en aplicaciones existentes, como asi tambien utilizarlas como base para el desarrollo de nuevas aplicaciones. Los principios generales aprendidos en el curso se puede aplicar en el contexto de otros lenguajes de programación.
 

'''Perﬁl del instructor'''

Fabio Cerullo, CEO y fundador de Cycubix, ayuda a clientes de todo el mundo a mejorar la seguridad de aplicaciones desarrolladas internamente o por terceros, mediante la definición de políticas y normas, implementando iniciativas de desarrollo seguro y gestión de riesgos, así como brindando capacitación sobre el tema a desarrolladores, auditores, ejecutivos y profesionales. 
Como miembro de la Fundación OWASP, Fabio se encarga de coordinar actividades globales de concientizacion sobre seguridad de aplicaciones con empresas privadas, gobiernos e instituciones educativas. 
 

'''Duracion:''' 8 horas (09:00h - 18:00h)
 

'''Precio:''' 250€ No miembros / 200€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingesapi HAGA CLIC AQUI!]''' 
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 14:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.04 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Simonroses.png|150px]] Simón Roses
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: OSINT + Python = Custom Hacking Workshop''' 

Taller práctico que combina el arte de OSINT (Open Source Inteligence) mediante el desarrollo de scripts en Python utilizando diversas API y librerías disponibles. A lo largo del taller se realizarán ejercicios prácticos con el objetivo de asimilar los conceptos por parte del alumno. 

Para entrar en materia se recomienda la lectura del siguiente artículo: 
http://www.simonroses.com/es/2013/05/osint-python-hacking-a-medida/.
 

'''Perﬁl del instructor'''

Simón Roses eslicenciado en Informática por Suffolk University (Boston), Postgrado en E-Commerce, Harvard University (Boston) y Executive MBA, Instituto de Empresa (Madrid). 

En la actualidad es el CEO de VULNEX. Anteriormente formó parte de Microsoft, PriceWaterhouseCoopers y @Stake. 

Creador y colaborador en varios proyectos de código abierto de seguridad como OWASP Pantera y LibExploit, además de publicar avisos en seguridad de conocidos productos. 

Ponente habitual en eventos del sector de seguridad incluyendo BlackHat, RSA, OWASP, DeepSec, Source y Technets de seguridad de Microsoft. 

CISSP, CEH y CSSLP. 
 

'''Duracion:''' 4 horas (14:00h - 18:00h)
 

'''Precio:''' 125€ No miembros / 100€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingcustomhacking HAGA CLIC AQUI!].''' 
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 09:00h - 13:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.04 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Matiaskatz.png]] Matias Katz
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: OWASP Top 5''' 

Esta formación incorporará las técnicas de ataque a plataformas Web más importantes en la actualidad, estandarizadas mediante la norma OWASP Top 5. El curso presentará al alumno la forma de realizar estos ataques, y las contramedidas necesarias para mitigar su riesgo en sus desarrollos. La clase contará con contenido teórico y demostraciones prácticas e interactivas de laboratorio. Esta formación está orientada a desarrolladores, administradores de bases de datos, analistas de sistemas, auditores de seguridad, jefes de proyecto, así como cualquier otro interesado en las principales técnicas de ataque y defensa en aplicaciones Web.
 

'''Perﬁl del instructor'''

Matias Katz is an IT architect and a security specialist. He's CISSP, CEH and MCSE certified, and has 10 years of experience in the field, focusing in the implementation of security audits, in infrastructures and critic applications for big organizations, both private and public. 

After working at IBM for several years, in 2008 Matias founded Mkit Argentina (link: http://www.mkit.com.ar), a company that specializes in performing security audits, vulnerability analysis and penetration tests to organizations, companies and the public sector. The company also gives training of a high technical level for companies, organizations and end-users. 

Matias also works as an external consultant for the computer crimes division of the federal police department in Argentina, where he collaborates in open cases through the acquirement of digital evidence and performing active investigations for the potential suspects. 

He is a professor in 3 universities in Argentina, both in engineering courses and information security post-graduate degree courses. 

He has presented at some of the most important security conferences, like BlackHat, Ekoparty, H2HC, Campus Party. He has dozens of published papers, and has created many tools used daily by security professionals world-wide, for their security audits.
 
 

'''Duracion:''' 4 horas (09:00h - 13:00h)
 

'''Precio:''' 125€ No miembros / 100€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingtop5 HAGA CLIC AQUI!].''' 

 

|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Tuesday, June 25th, 2013 09:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | TCube 32 - 34 Castle Street, Dublin 2, Ireland 
[https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Paco2.jpg|150px]] Paco Hope
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''DEFENSIVE PROGRAMMING – JAVASCRIPT AND HTML5''' 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new
security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including
mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver
advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware
of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with
manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as
cross-domain requests and local storage. The course reinforces some important security aspects of modern browser
architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

Prerequisites: Students should be familiar with Web programming environments and technologies including JavaScript
and HTML. Completion of the Foundations of Software Security, Attack and Defense, or OWASP Top Ten + 2 courses is
highly recommended.
 

'''Instructor Profile'''

Mr. Hope is a Principal Consultant for Cigital with over 12 years experience in the securing of software and systems. He sets the technical direction in Europe and leads consultants delivering static source code analysis, architectural risk assessments, vulnerability assessments, and penetration tests.

His experience covers web applications, online gaming (gambling), embedded gaming devices, lotteries, and business-to-business transaction systems. He has assessed systems for small startups with thousands of lines of code, and massive enterprises with thousands of applications and millions of lines of code.

He is a frequent conference speaker at such venues as OWASP, RSA (US and Europe), Security B-Sides, and SecAppDev. He speaks on issues like integrating security into the software development lifecycle (SDLC), securing web applications, and secure random number generation.

Paco is also involved in the leadership of the London Chapter of (ISC)2. He also serves on (ISC)2's Application Security Advisory Board, helping to advise on the direction of the Certified Secure Software Lifecycle Professional (CSSLP) certification. He has held the CISSP for nearly 10 years and the CSSLP since shortly after its creation.

Mr. Hope has co-authored two books on software security: the Web Security Testing Cookbook and Mastering FreeBSD and OpenBSD Security. He has also authored a chapter of Gary McGraw's Building Security In.
 
 

'''Duration:''' 8 hours (09:00h - 18:00h)
 

'''Price:''' 350€ Non members / 300€ OWASP members.
 

'''Registration link''': [Link].''' 

|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Friday 28th June 09:00h - 13:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Università Degli Studi Roma Tre
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:giorgio_fedon.jpg]] Giorgio Fedon
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Title: Mobile Application Security and Security Development Introduction''' 

Students will learn mobile hacking techniques and remediation strategies for Android and iPhone operating systems. They will understand platform security models, mobile application secure design, mobile application security errors, mobile application vulnerabilities related to in-house development. Exploiting techniques for operating system components are explained in the extent they may impact on a company SSDLC process for their mobile applications.
 

'''Instructor Profile'''
Giorgio Fedon is the COO and a cofounder of Minded Security, where he is responsible for running daily operations of the company and managing Professional Services. 

Prior to founding Minded Security, Giorgio was employed as senior security consultant and penetration tester at Emaze Networks S.p.a., delivered code auditing, Forensic and Log analysis, Malware Analysis and complex Penetration Testing services to some of the most important Companies as Banks and Public Agencies in Italy. He participated as speaker in many national and international events talking mainly about web security and malware obfuscation techniques. He was also employed at IBM System & Technology Group in Dublin (Ireland).
 

'''Language:''' English and Italian
 

'''Duration:''' 4 horas (09:00h - 13:00h)
 

'''Price:''' The prices are: 125 Euro for non members / 100 Euro for members.
 

'''Registration Link''': [http://www.regonline.com/eutour13itatrainingmobile Register Here].''' 

 

|}

EUTour2013 Training

2013-06-03T20:04:59Z

Gfedon:

<noinclude>{{:EUTour2013 header}}</noinclude>

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" height="30" style="background:#CCCCEE;" colspan="2" | '''OWASP EU TOUR 2013'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | == TRAINING SESSIONS ==
| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" |
|-
| align="center" style="background: #4B0082;" colspan="2" | '''SPAIN - Barcelona'''
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 09:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.03 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Cerullof.jpg|150px]] Fabio Cerullo
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: Desarrollo Seguro usando OWASP ESAPI''' 

Este curso tiene como objetivo proporcionar los conocimientos y recursos necesarios para mejorar la seguridad de las aplicaciones Java utilizando las librerias OWASP Enterprise Security API (ESAPI). Estas librerias se han diseñado para que sea más fácil para los desarrolladores mejorar la seguridad en aplicaciones existentes, como asi tambien utilizarlas como base para el desarrollo de nuevas aplicaciones. Los principios generales aprendidos en el curso se puede aplicar en el contexto de otros lenguajes de programación.
 

'''Perﬁl del instructor'''

Fabio Cerullo, CEO y fundador de Cycubix, ayuda a clientes de todo el mundo a mejorar la seguridad de aplicaciones desarrolladas internamente o por terceros, mediante la definición de políticas y normas, implementando iniciativas de desarrollo seguro y gestión de riesgos, así como brindando capacitación sobre el tema a desarrolladores, auditores, ejecutivos y profesionales. 
Como miembro de la Fundación OWASP, Fabio se encarga de coordinar actividades globales de concientizacion sobre seguridad de aplicaciones con empresas privadas, gobiernos e instituciones educativas. 
 

'''Duracion:''' 8 horas (09:00h - 18:00h)
 

'''Precio:''' 250€ No miembros / 200€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingesapi HAGA CLIC AQUI!]''' 
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 14:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.04 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Simonroses.png|150px]] Simón Roses
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: OSINT + Python = Custom Hacking Workshop''' 

Taller práctico que combina el arte de OSINT (Open Source Inteligence) mediante el desarrollo de scripts en Python utilizando diversas API y librerías disponibles. A lo largo del taller se realizarán ejercicios prácticos con el objetivo de asimilar los conceptos por parte del alumno. 

Para entrar en materia se recomienda la lectura del siguiente artículo: 
http://www.simonroses.com/es/2013/05/osint-python-hacking-a-medida/.
 

'''Perﬁl del instructor'''

Simón Roses eslicenciado en Informática por Suffolk University (Boston), Postgrado en E-Commerce, Harvard University (Boston) y Executive MBA, Instituto de Empresa (Madrid). 

En la actualidad es el CEO de VULNEX. Anteriormente formó parte de Microsoft, PriceWaterhouseCoopers y @Stake. 

Creador y colaborador en varios proyectos de código abierto de seguridad como OWASP Pantera y LibExploit, además de publicar avisos en seguridad de conocidos productos. 

Ponente habitual en eventos del sector de seguridad incluyendo BlackHat, RSA, OWASP, DeepSec, Source y Technets de seguridad de Microsoft. 

CISSP, CEH y CSSLP. 
 

'''Duracion:''' 4 horas (14:00h - 18:00h)
 

'''Precio:''' 125€ No miembros / 100€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingcustomhacking HAGA CLIC AQUI!].''' 
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Jueves, 13 de junio de 2013 09:00h - 13:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Universitat Ramon Llull, La Salle - URL Sant Joan de La Salle, 42 E-08022 Barcelona, Spain Aula: MFS.04 
[http://goo.gl/maps/yZm2T Google maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Matiaskatz.png]] Matias Katz
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Taller: OWASP Top 5''' 

Esta formación incorporará las técnicas de ataque a plataformas Web más importantes en la actualidad, estandarizadas mediante la norma OWASP Top 5. El curso presentará al alumno la forma de realizar estos ataques, y las contramedidas necesarias para mitigar su riesgo en sus desarrollos. La clase contará con contenido teórico y demostraciones prácticas e interactivas de laboratorio. Esta formación está orientada a desarrolladores, administradores de bases de datos, analistas de sistemas, auditores de seguridad, jefes de proyecto, así como cualquier otro interesado en las principales técnicas de ataque y defensa en aplicaciones Web.
 

'''Perﬁl del instructor'''

Matias Katz is an IT architect and a security specialist. He's CISSP, CEH and MCSE certified, and has 10 years of experience in the field, focusing in the implementation of security audits, in infrastructures and critic applications for big organizations, both private and public. 

After working at IBM for several years, in 2008 Matias founded Mkit Argentina (link: http://www.mkit.com.ar), a company that specializes in performing security audits, vulnerability analysis and penetration tests to organizations, companies and the public sector. The company also gives training of a high technical level for companies, organizations and end-users. 

Matias also works as an external consultant for the computer crimes division of the federal police department in Argentina, where he collaborates in open cases through the acquirement of digital evidence and performing active investigations for the potential suspects. 

He is a professor in 3 universities in Argentina, both in engineering courses and information security post-graduate degree courses. 

He has presented at some of the most important security conferences, like BlackHat, Ekoparty, H2HC, Campus Party. He has dozens of published papers, and has created many tools used daily by security professionals world-wide, for their security audits.
 
 

'''Duracion:''' 4 horas (09:00h - 13:00h)
 

'''Precio:''' 125€ No miembros / 100€ Miembros OWASP. Existen tambien descuentos para grupos y miembros de [http://www.ati.es ATI].
 

'''Regístrese a este taller''': [http://www.regonline.com/eutour13esptrainingtop5 HAGA CLIC AQUI!].''' 

 

|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Tuesday, June 25th, 2013 09:00h - 18:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | TCube 32 - 34 Castle Street, Dublin 2, Ireland 
[https://maps.google.ie/maps?q=32+-+34+Castle+Street,+Dublin+2,+Ireland&hl=en&ll=53.343391,-6.269084&spn=0.004977,0.013679&sll=53.343392,-6.269086&sspn=0.009954,0.027359&hnear=34+Castle+St,+Dublin+2,+County+Dublin&t=m&z=17 Google Maps] 
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:Paco2.jpg|150px]] Paco Hope
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''DEFENSIVE PROGRAMMING – JAVASCRIPT AND HTML5''' 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new
security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including
mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver
advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware
of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with
manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as
cross-domain requests and local storage. The course reinforces some important security aspects of modern browser
architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities from being introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

Prerequisites: Students should be familiar with Web programming environments and technologies including JavaScript
and HTML. Completion of the Foundations of Software Security, Attack and Defense, or OWASP Top Ten + 2 courses is
highly recommended.
 

'''Instructor Profile'''

Mr. Hope is a Principal Consultant for Cigital with over 12 years experience in the securing of software and systems. He sets the technical direction in Europe and leads consultants delivering static source code analysis, architectural risk assessments, vulnerability assessments, and penetration tests.

His experience covers web applications, online gaming (gambling), embedded gaming devices, lotteries, and business-to-business transaction systems. He has assessed systems for small startups with thousands of lines of code, and massive enterprises with thousands of applications and millions of lines of code.

He is a frequent conference speaker at such venues as OWASP, RSA (US and Europe), Security B-Sides, and SecAppDev. He speaks on issues like integrating security into the software development lifecycle (SDLC), securing web applications, and secure random number generation.

Paco is also involved in the leadership of the London Chapter of (ISC)2. He also serves on (ISC)2's Application Security Advisory Board, helping to advise on the direction of the Certified Secure Software Lifecycle Professional (CSSLP) certification. He has held the CISSP for nearly 10 years and the CSSLP since shortly after its creation.

Mr. Hope has co-authored two books on software security: the Web Security Testing Cookbook and Mastering FreeBSD and OpenBSD Security. He has also authored a chapter of Gary McGraw's Building Security In.
 
 

'''Duration:''' 8 hours (09:00h - 18:00h)
 

'''Price:''' 350€ Non members / 300€ OWASP members.
 

'''Registration link''': [Link].''' 

|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#dbdbf3" align="center" | Friday 28th June 09:00h - 13:00h
| valign="middle" bgcolor="#dbdbf3" align="left" | Università Degli Studi Roma Tre
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | [[Image:]] Giorgio Fedon
| valign="middle" bgcolor="#EEEEEE" align="justify" | '''Title: Mobile Application Security and Security Development Introduction''' 

Students will learn mobile hacking techniques and remediation strategies for Android and iPhone operating systems. They will understand platform security models, mobile application secure design, mobile application security errors, mobile application vulnerabilities related to in-house development. Exploiting techniques for operating system components are explained in the extent they may impact on a company SSDLC process for their mobile applications.
 

'''Instructor Profile'''
Giorgio Fedon is the COO and a cofounder of Minded Security, where he is responsible for running daily operations of the company and managing Professional Services. 

Prior to founding Minded Security, Giorgio was employed as senior security consultant and penetration tester at Emaze Networks S.p.a., delivered code auditing, Forensic and Log analysis, Malware Analysis and complex Penetration Testing services to some of the most important Companies as Banks and Public Agencies in Italy. He participated as speaker in many national and international events talking mainly about web security and malware obfuscation techniques. He was also employed at IBM System & Technology Group in Dublin (Ireland).

 

'''Duration:''' 4 horas (09:00h - 13:00h)
 

'''Price:''' The prices are: 125 Euro for non members / 100 Euro for members.
 

'''Registration Link''': [http://www.regonline.com/eutour13itatrainingmobile Register Here].''' 

 

|}

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:08:06Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''
[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]
Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid for a very short period of time. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window . This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
* This authentication measure may need UI redressing or automation to be bypassed, introducing important anomalies that can be detected.

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Redressing Attack with custom WebInject]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:07:24Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''
[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]
Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid for a very short period of time. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window . This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
* This authentication measure may need UI redressing or automation to be bypassed, introducing important anamalies.

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Redressing Attack with custom WebInject]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:06:32Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''
[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]
Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid for a very short period of time. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window .
* This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
This authentication measure needs UI redressing or automation to be bypassed.

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Redressing Attack with custom WebInject]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:05:43Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''
[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]
Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid in a very short time-window. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window .
* This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
This authentication measure needs UI redressing or automation to be bypassed.

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Redressing Attack with custom WebInject]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:04:50Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''
[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]
Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid in a very short time-window. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window .
* This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
This authentication measure needs UI redressing or automation to be bypassed.

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Otp UI Redressing]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

File:Otp ui redressing.png

2012-02-05T14:04:18Z

Gfedon:

File:Otp token.png

2012-02-05T14:03:31Z

Gfedon:

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:03:19Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''

Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid in a very short time-window. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window .
* This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
This authentication measure needs UI redressing or automation to be bypassed.

[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Otp UI Redressing]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T14:02:57Z

Gfedon: /* OTP (Time Based, Click Based) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''

Risk Evaluation:
Basic OTPs are vulnerable to HTML Injection and to other more sophisticated techniques, but give to the bank the following important improvements in terms of security:
* Tokens are valid in a very short time-window. Attackers need to engage human assistance to successfully abuse the compromised tokens in the valid time-window .
* This involves using Instant Messaging and user monitoring that leverages additional costs at their side.
This authentication measure needs UI redressing or automation to be bypassed.

[[File:otp_token.png|thumb|alt=Basic Otp Token|Basic Otp Token]]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize. Therefore they require additional technology in order to work and this technology may be implemented in software tools or by using external hardware devices (Hardware tokens). Basic OTPs are based on cryptographic One-Way Algorithms and initialized with a different key per each user to avoid impersonation attacks. In addition each token usage is blacklisted and cannot be used a second time to avoid replay attacks.
Since basic OTP standards do not have a direct communication with the remote server, they need indirect standards for assuring synchronization with the remote infrastructure. Synchronization can be achieved on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time) or computing the number of previously generated passwords and set a range of valid passwords (if the user press to often the button the device will go out of sync).

'''How gets defeated'''

Even if this technology seems very resilient against malware attacks, it doesn't! Basic Otps can be defeated very easily with User Interface redressing. This attack is accomplished using the infamous features called WebInjects that permit to inject arbitrary HTML into the original Bank Login pages.
As we previously said, the Token is valid for a single transaction and is blacklisted after the first usage. Malware attackers will never let the token to arrive at the bank, so the bank can not blacklist that information. To defeat time restriction window, they also may make use of Instant Messaging plugins to have a real time communication of the token to the attacker.

[[File:otp_ui_redressing.png|thumb|alt=Otp UI Redressing|Otp UI Redressing]]

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T12:18:20Z

Gfedon: /* Appendix B: Banking Malware Families (Active in 2012) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Stored Password Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T12:17:35Z

Gfedon: /* Appendix B: Banking Malware Families (Active in 2012) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Credential Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T12:17:13Z

Gfedon: /* Appendix B: Banking Malware Families (Active in 2012) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources (e.g. slides 26-30 The Bank in the Browser Presentation - G. Fedon ), here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Timing'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Credential Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware - Knowledge Base

2012-02-05T12:14:38Z

Gfedon: /* Appendix B: Banking Malware Families (Active in 2012) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources, here is a quick summary of Banking Malware features updated as of 2012.

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Timing'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Credential Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

File:Malware Attack Vectors2.png

2012-02-05T12:13:26Z

Gfedon:

OWASP Anti-Malware - Knowledge Base

2012-02-05T12:12:35Z

Gfedon: /* Appendix B: Banking Malware Families (Active in 2012) */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taken as inspiration from Marco Morana's Presentation and from other sources, here is a quick summary of Banking Malware features updated

[[File:Malware_Attack_Vectors2.png|thumb|alt=Malware Attack Vectors Summary]]

Schema summarizes every banking trojan by giving the following informations:

*'''Attack Capabilities'''
*'''Timing'''
*'''Type'''

'''Attack Capabilites''' describes the features of the involved trojan, and immediately below the technique used to implement the given feature.

*'''HTTP Injection'''
*'''Browse Redirect'''
*'''Form Grabbing'''
*'''Credential Theft'''
*'''Keystroke Logging'''
*'''Bypass MFA'''
*'''ScreenCapture / VideoCapture'''
*'''Certificate Theft'''
*'''Install Backdoor'''
*'''Instant Message'''

'''Type''' field describes what kind how the malware operates:

*'''Automatic'''
*'''Manual'''

=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this Trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significant:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

Tracking ZeuS:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside explorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network traffic and attempts to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

Sunspot appeared for the first time in late 2011 as MiTB based trojan designed to steal Online Banking Credentials.

Features:

*'''Browser Code Injection'''
*'''KeyStroke Logger'''
*'''Screenshotting Capabilities'''
*'''Steals Sensitive Personal Information necessary to carry out User Impersonation Attacks'''
*'''Good AntiVirus Bypassing Capabilities'''

Sunspot works on 32bit and 64bit Systems from Windows XP to Windows 7.

References:

* [http://www.theregister.co.uk/2011/05/11/sunspot_banking_trojan/ Sunspot Banking Trojan]
* [http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform Windows Malware Morphs into Financial Fraud Platform]

=== Oddjob ===

Oddjob Financial Trojan has been publicly reported for the first time 22 February 2011, the peculiar characteristic of Oddjob is the ability to keep open Victim's Session even after they Logout, this implies that Criminals will be able to steal money by Impersonating the Victim by tapping the Session ID.

Oddjob works by injecting malicious code into Internet Explorer and Firefox browsers, the code is contained in custom configuration files.

Will follow a quick summary of the Trojan Functionalities:

*'''Intercepts GET and POST requests'''
*'''HTML Code Injection via MiTB Approach'''
*'''Session Hijacking'''

Session hijacking is performed by changing Logout functionality via malicious html/js injected code, victim will inadvertently keep session open and fraudsters will commit the money transaction.

References:

* [http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout”]

=== Ramnit ===

Ramnit is a prolific malware that show a wide range of morphings during its arc of existence, between these variations there is also the Financial Stealing one.

Ramnit is essentially a Backdoor Trojan with the ability to perform also MiTB Attacks.

List of Features:

*'''MiTB Capabilities'''
*'''Backdoor Capabilities'''
*'''File Infector Office Files, Windows Executables'''
*'''SSL Secured C&C Communication'''
*'''AntiVirus bypassing Capabilities'''
*'''Cookie Grabber'''

References:

* [http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A Win32/Ramnit.A]
* [http://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware Ramnit Evolution – From Worm to Financial Malware]

== Appendix C: Server Side Security Solutions ==

== Appendix D: Client Side Security Solutions ==

== References ==

OWASP Anti-Malware Project - Awareness Program

2012-02-02T00:22:17Z

Gfedon: /* From user infection to cash out */

== Introduction ==
=== What is Banking Malware ===
=== What is Banking Malware Awarness Program ===

=== How Banking malware deals with Web Application Security ===

== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

=== From user infection to cash out ===
(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

Interesting Resources for further reading:
* [http://www.youtube.com/watch?v=_2K8kRSlJXw '''MULTIDISCIPLINARY BANK ATTACKS, Gunter Ollman''']

==== Infection of clients and pcs ====
* Exploitation of client side vulnerabilities (during internet browsing)
* Spam (Infection delivered via Email)

==== Hiding The Infection and creating the Permanent threat ====
* Packers
* Modded Builds
* Rootkit (and Bootkit)

==== Stealing of Auth credentials ====
* KeyLogging and Form Grabbing
* Video Grabbing
* WebInjects

==== Storing of Auth credentials ====
* Standard Dropzone
* Fast Flux Based
* Instant Messaging and P2P network

==== Hiding The Operations ====
* Data Tunnelling
* Modification of Contact Details
* User Interface Restoring

==== Cashing Out ====
* Money Transfer
* Mobile Phone Charge
* Pump and Dump

== Countermeasures ==

=== General strategy ===
* Narrowing the attack surface
* Identification
* Blocking
* Recovering

=== Actions to take for mitigating the Malware Attack Process ===
==== Containing the number of infected customers ====
* Awareness (e.g. Remember to the users about Antivirus programs)
* Check for software updates and potentially exposed customers (e.g. Plugin Update)
* Guerrilla Awarness
Es. http://phishme.com/

==== Unhide the Infection ====
* Tell to your customers about the infections
* Use systems for detecting compromised customers
* Have in place a Malware response process

==== Counterfeat the Stealing of Auth credentials ====
* Resilient Authentication
* Invest in user Informative (e.g. SMS with Token and Transaction details)
* Multi factor and Multi channel authentication

==== Against the Remote Storaging of Auth Credentials ====
* Identification and Alerting about Dropzones
* Browser Sand boxing
* Dropzone security response

==== Reveal Malicious Operations ====
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
* Establish a protected user informative (e.g. protecting phone numb. details update)
* Detect UI modification

==== Against Cashing Out ====
* Mule accounts monitoring
* Get money back from other banks
* Monitor and correlate sources for any disposal operation

== Evaluate your organization ==
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step

OWASP Anti-Malware - Knowledge Base

2012-01-31T13:54:48Z

Gfedon: /* Appendix A: Security Considerations about Authentication Solutions and Malware */

== Introduction ==
=== A Technical Knowledge Base for Banking Malware Threats ===

== Protecting Banking Resources ==

=== Are your resources protected? ===

=== Enumerate the interesting targets ===
=== Define the path to the targets (Transition graphs) ===
=== Apply trust boundaries (security measures) ===
=== Define the weaknesses of the security measures adopted ===
== Appendix A: Security Considerations about Authentication Solutions and Malware ==

Actually Banking Malware families can bypass the vast majority of the world most secure authentication. How? The answer is simple: by tailoring an appropriate attack on the specific authentication schema with a bit of social engineering. Malware Authors know that the weakest link most of the times is the user himself.

For more information:

* http://www.slideshare.net/marco_morana/owasp-app-seceu2011version1
* http://www.slideshare.net/guestb1956e/csi2008-gunter-ollmann-maninthebrowser-presentation
* https://www.owasp.org/images/e/e4/AppsecEU09_The_Bank_in_The_Browser_Presentation_v1.1.pdf

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families in their default configuration

[[File:static_password.png|thumb|alt=Static Password|Static Password]]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world most used and simplest way of authenticating a user to a computer. “Static” means that Password does not change over time, unless manually updated. Textbox input field is the HTML element were password is inserted and this element is compatible with HID (Human Input Devices) such as hardware keyboards and Virtual Keyboards.

'''How gets defeated'''

Almost All banking malware can automatically log passwords using two components: Keylogging and Form Grabbing. A software Keylogger component can use a number of very different techniques, because operative systems offer many different ways to know which key is pressing a user. Even if this component seems very powerful, it has the disadvantage of not logging the Clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest to use this approach (e.g. [http://www.keepassx.org/ KeePassX] ). For this reason Banking Malware Authors prefer to log web based credentials using form grabbing components instead of keyloggers: from Wikipedia “this method intercepts the on submit API in browsers and collects web form data before it passes over the internet.”.
Since FormGrabbing is actually used by any major Banking Malware Family (e.g. Zeus, Spyeye, IceIX etc.) “text field” static password does not represent a secure way of authentication. In addition Malware families can automatically log any password field without using any particular configuration.

''' External References: '''

* http://www.infosectoday.com/Articles/Form_Grabbing/Form_Grabbing.htm

=== Javascript Keyboard ===
'''Risk Evaluation:'''

Vulnerable to vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in terms of security comparing it to the Password TextBox input, however attacker takes more time in analyzing puzzled screen-shot passwords so it's a valid approach in terms of defense in depth.

[[File:js_virtual_keyboard.png|thumb|alt=Javascript Keyboard|Javascript Keyboard]]

'''Description'''

Javascript Keyboard was introduced more than a decade ago in response to Keylogging and Form Grabbing techniques used by Trojan Stealers. Javascript Keyboard works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represent a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that could be understood by human users but not by malicious software agents.

'''How gets defeated'''

Back in year 2002, after a couple of years, Malware Authors realized that they could visually grab images of the clicked key pressed (click area grabbing) or to video record the sequence of key pressed. "Click Grabbing" feature was born and with a minimal configuration was possible to defeat javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for a subsequent interpretation by a human attacker.

'''External References:'''

From Fortiguard (Zeus trojan defeats a Virtual Javascript Keypad)
* http://www.youtube.com/watch?v=b9Vb4zS6ZmE&feature=player_embedded

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==
=== Spyeye ===

SpyEye is considered the successor of ZeuS and globally considered as
the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish
its task, it provides a custom Encrypted Configuration File where
there are:

* '''Plugins'''
* '''Web Injection Code'''
* '''Collectors List- where stolen data is sent'''

SpyEye is capable of HTML code injection in the following browsers:

* '''FireFox'''
* '''Internet Explorer'''
* '''Chrome'''
* '''Opera'''

List of commonly used Plugins:

* '''ccgrabber''' - used to collect Credit Card numbers by analyzing POST requests.
* '''ffcertgrabber''' - used to steal Firefox stored Certificates.
* '''ftpbc''' - used to reverse ftp connections to the bot.
* '''socks5''' - allows reverse connections via a proxy server.
* '''billinghammer''' - charges Credit Cards by using stolen card data.
* '''ddos''' - plugin used to ddos a specified target.
* '''bugreport''' - send crash reports to the bot master.
* '''SpySpread''' - capability to spread via USB, IM Messages
* '''rdp''' - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called
SpitMo specifically designed to steal mTAN (mobile TAN) authentication
systems. [http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android/ SpitMo]

Recently (Jenuary 2012) appeared a SpyEye Campaign able to [http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ Hide its Fraud Footprint] also called Post-Transaction Attack

Resources:

* [http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/ A Guide to SpyEye C&C Messages]
* [http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/ New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
* [http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye DDOS plugin for SpyEye]
* [http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html SpyEye steals your data. Even in a limited account]
* [http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/ The SpyEye Interface, Part 1: CN 1]
* [http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/ The SpyEye Interface Part 2: SYN 1]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]
* [http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/ SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]

=== Zeus ===

ZeuS is a Banking Trojan identified for the first time in 2007, designed
as '''HTTP Based Botnet''' specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics
that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics]
clearly demonstrates that this trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted
configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed
to bypass mTAN authentication system, more information can be reached here:

* [http://www.kaspersky.com/about/news/virus/2011/Teamwork_How_the_ZitMo_Trojan_Bypasses_Online_Banking_Security The ZitMo Trojan Bypasses Online Banking Security]
* [http://www.virusbtn.com/news/2011/07_11.xml Zitmo Trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a
number of new ZeuS Variants, here the most significative:

* ICE IX
* ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet
and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able
to interact with other victims (nodes) and get Updated Binaries and
Configurations.

ZeuS P2P References:

* [http://www.abuse.ch/?p=3499 ZeuS Gets More Sophisticated Using P2P Techniques]
* [http://www.cert.pl/news/4711/langswitch_lang/en ZeuS – P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [https://zeustracker.abuse.ch/ ZeuS Tracker]
* [http://www.abuse.ch/?p=3453 Ice IX – Or Just ZeuS?]
* [http://www.inreverse.net/?p=1551 JaZeus: when Zeus meets Java]
* [http://www.coresec.org/2011/05/21/zeus-malware-analysis-by-sophoslabs/ Zeus Malware Analysis by SophosLabs]
* [http://www.secureworks.com/research/threats/zeus/ ZeuS Banking Trojan Report]
* [http://mnin.blogspot.com/2011/09/abstract-memory-analysis-zeus.html Abstract Memory Analysis: Zeus Encryption Keys]

=== Carberp ===

After ZeuS and SpyEye the third advanced Malware Banking Trojan is '''Carberp''', that during its evolution reached
a great level of complexity, by mixing good bypassing and stealth countermeasures with ability to steal via Browser
Code Injection online Banking Credentials.

Synthesis of Carberp Functionalities [http://www.trustdefender.com/trustdefender-labs-blog-carberp-a-new-trojan-in-the-making.html]:

*'''Ability to run as non-administrator'''
*'''Ability to infect Windows XP , Windows Vista and Windows 7'''
*'''Will not make any changes to the registry (only in memory modifications)'''
*'''Browser Hooking'''
*'''Stolen data is transmitted in real-time to C&C server'''
*'''Kill AntiVirus Software'''
*'''Screenshot Ability'''
*'''Form Grabber'''
*'''Backconnect'''

Carberp makes use of encrypted Configuration Files that contains plugins and web injection code

*'''miniav.psd''' - Kill Competitors Botnets (SpyEye. ZeuS)
*'''vnc.psd''' - Remote VNC Session Capability
*'''passw.psd''' - password grabber for FTP, VNC, E-Mail Clients, Stored Browser Passwords

References:

* www.malwareint.com/docs/inside-carberp-botnet-en.pdf
* [http://blog.eset.com/2011/12/04/carberp-blackhole-growing-fraud-incidents Carberp + BlackHole growing fraud incidents]
* [http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper Bootkit Evolution of Win32Carberp: going deeper]
* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication ]

=== Tatanga ===

Tatanga appeared in the first half of 2011 as MiTB based trojan designed to steal Online Banking Credentials and spoof
(Post Transaction Attack) the real balance of the victim.

Like previously seen trojans, also Tatanga makes use of Encrypted Configuration Files (3-DES) to store plugins and
web injection code.

Additionally Tatanga is able to:

*'''Grab E-Mail addresses'''
*'''Remove Competitors Botnets'''
*'''File Infector to increase malware spread'''
*'''Kill Antivirus Software'''

References:

* [http://securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html 2011 Tatanga: a new banking trojan with MitB functions]
* [http://blog.trendmicro.com/more-on-the-tatanga-banking-trojan/ More on the Tatanga Banking Trojan]

=== Urlzone ===

Urlzone is a Banking Trojan appeared in 2009, its main feature is the ability to hide the evidence of the fraud by changing on fly the balance showed to the Victim.

To accomplish money stealing Urlzone uses a classical MiTB Approach, it works on the following browsers

*'''FireFox'''
*'''Internet Explorer 6,7,8'''
*'''Opera'''

References:

* [http://www.wired.com/images_blogs/threatlevel/2009/09/finjan-cyberintel_sept_2009-sf.pdf Finjan CyberIntel Report September 2009]
* [http://news.cnet.com/8301-27080_3-10363836-245.html Banking Trojan steals money from under your nose]
* [http://www.zdnet.com/blog/security/the-case-of-the-fake-money-mules-inside-the-urlzone-trojan-network/4527 The case of the fake money-mules: Inside the URLZone Trojan network ]
* [http://blogs.rsa.com/rsafarl/the-arms-race-between-black-hats-and-white-hats-steps-up-with-urlzone-trojan/ RSA banking Trojan research underscores problem tracking cybercriminals]

=== Gozi ===

Banking trojan Gozi appeared for the first time in 2007 and was characterized by a Low Detection Rate and ability to Steal from SSL Encrypted Sessions.

Features List:

*'''Steals SSL Data'''
*'''Steals Static Information from Banking Website'''
*'''Steals Dynamic Password Schemes like Two Factor Authentication and OTP'''
*'''KeyLogging Capabilities'''
*'''SSL Encrypted Communication with the C&C Server'''
*'''AntiVirus Bypassing Capabilities'''

SSL Stealing Technique is described here [http://isc.sans.edu/diary.html?storyid=2498 Gozi Trojan Steals SSL Encrypted Data for Fun and Profit]

References:

* [http://www.secureworks.com/research/threats/gozi/ Gozi Technical Analysis]
* [http://www.prweb.com/releases/2010/11/prweb4745544.htm Gozi Trojan - King of Evasion Continues to Avoid Sophisticated Detection]

=== Shylock ===

Shylock is a new Financial Malware, publicly reported for the first time on 7 September 2011. Main ability of this malware is to inject itself inside expolorer's code. Also it incorporates watchdog that prevents removing and rootkit functionality to hide itself.

Features List:
*'''Gathering system information on compromised system and sends it to dropzone'''
*'''Downloading configuration that will be used from defined domain'''
*'''Injects malicious code into browser's code'''
*'''Hides using rootkit functionality'''
*'''Intercepts network trafic and atteps to add malicious code to network trafic'''

References:

* [http://quequero.org/Shylock_via_volatility Shylock Technical Analysis]
* [http://www.symantec.com/security_response/writeup.jsp?docid=2011-092916-1617-99&tabid=2 Symantec report on Shylock]

=== Sunspot ===

=== Ramnit ===

== Appendix C: Server Side Security Solutions ==
== Appendix D: Client Side Security Solutions ==

== References ==

Project Information:template Anti-Malware Project

2012-01-31T10:59:07Z

Gfedon:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Anti-Malware Project''' Defending Web Infrastructures Against Malware
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
“Malware is nowadays more than a single enemy: online crime has unified the forces for targeting any online banking customer. Banking Malware is ubiquitous because it’s constantly updated via country-specific configuration files and with modular plugins to fit any banking web application. In addition it can defeat the most sophisticated security protections actually implemented.”

This project is about describing common flaws in security designs that have been adopted for protecting banking websites against malware, as well as a series of best practices that should be considered for evaluating and building better anti-malware solutions.
The project will be constantly updated with information taken from Owasp Community, Malware Analysis, Forensic Activities, as well as from any other validated source.

The project delivery will be divided into Two parts. The first part will be a document containing guidelines directed to Banking Web Infrastructures owners. This document will be kept intentionally as short as possible and will have the main goal to raise the awareness on Malware threats and to precisely name a series of checklists that should be taken into consideration to significantly improve website security against malware.

The second part will be a technical study dynamically updated in wiki-style format. The technical study will be the reference for the guidelines contained in the previous document. This study will try to analyze the most sophisticated Malware Techniques used in the 3 most spread Banking Malware families, as well as discuss the effectiveness of different security protections that are thought to be useful against Malware.

The Technical Study will be made up of two teams: MRE (Malware Reverse Engineering Team) and AMTS (Anti-Malware Technology Solutions Team). MRE team will be in charge of studying the malware samples and to inoculate the techniques used against banking Websites; AMTS team will harvest the internet for any Web Infrastructural solution that claims to be Malware Proof for identifying its strengths and weaknesses.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [[User:Gfedon|'''Giorgio Fedon''']]
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors [[User:Vicente.aguilera|'''Vicente Aguilera''']] [[User:Giuseppe_Bonfa|'''Giuseppe Bonfa''']] [[User:Nikola_Milosevic|'''Nikola Milosevic''']]
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/listinfo/owasp-anti-malware '''Subscribe here'''] [mailto:owasp-anti-malware@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors [http://www.mindedsecurity.com '''Minded Security''']
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
Provisory '''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' (under review) [[:OWASP Anti-Malware Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
[[:OWASP Anti-Malware Project - Awareness Program|Anti-malware Awareness Program]] [[:OWASP Anti-Malware - Knowledge Base|Anti-malware - Knowledge Base]]
| style="width:29%; background:#cccccc" align="center"|
if any, add link(s)
|}
----

OWASP Anti-Malware Project - Awareness Program

2012-01-30T13:48:03Z

Gfedon: /* Containing the number of infected customers */

== Introduction ==
=== What is Banking Malware ===
=== What is Banking Malware Awarness Program ===

=== How Banking malware deals with Web Application Security ===

== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

=== From user infection to cash out ===
(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

==== Infection of clients and pcs ====
* Exploitation of client side vulnerabilities (during internet browsing)
* Spam (Infection delivered via Email)

==== Hiding The Infection and creating the Permanent threat ====
* Packers
* Modded Builds
* Rootkit (and Bootkit)

==== Stealing of Auth credentials ====
* KeyLogging and Form Grabbing
* Video Grabbing
* WebInjects

==== Storing of Auth credentials ====
* Standard Dropzone
* Fast Flux Based
* Instant Messaging and P2P network

==== Hiding The Operations ====
* Data Tunnelling
* Modification of Contact Details
* User Interface Restoring

==== Cashing Out ====
* Money Transfer
* Mobile Phone Charge
* Pump and Dump

== Countermeasures ==

=== General strategy ===
* Narrowing the attack surface
* Identification
* Blocking
* Recovering

=== Actions to take for mitigating the Malware Attack Process ===
==== Containing the number of infected customers ====
* Awareness (e.g. Remember to the users about Antivirus programs)
* Check for software updates and potentially exposed customers (e.g. Plugin Update)
* Guerrilla Awarness
Es. http://phishme.com/

==== Unhide the Infection ====
* Tell to your customers about the infections
* Use systems for detecting compromised customers
* Have in place a Malware response process

==== Counterfeat the Stealing of Auth credentials ====
* Resilient Authentication
* Invest in user Informative (e.g. SMS with Token and Transaction details)
* Multi factor and Multi channel authentication

==== Against the Remote Storaging of Auth Credentials ====
* Identification and Alerting about Dropzones
* Browser Sand boxing
* Dropzone security response

==== Reveal Malicious Operations ====
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
* Establish a protected user informative (e.g. protecting phone numb. details update)
* Detect UI modification

==== Against Cashing Out ====
* Mule accounts monitoring
* Get money back from other banks
* Monitor and correlate sources for any disposal operation

== Evaluate your organization ==
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step

OWASP Anti-Malware Project - Awareness Program

2012-01-30T08:54:53Z

Gfedon: /* Unhide the Infection */

== Introduction ==
=== What is Banking Malware ===
=== What is Banking Malware Awarness Program ===

=== How Banking malware deals with Web Application Security ===

== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

=== From user infection to cash out ===
(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

==== Infection of clients and pcs ====
* Exploitation of client side vulnerabilities (during internet browsing)
* Spam (Infection delivered via Email)

==== Hiding The Infection and creating the Permanent threat ====
* Packers
* Modded Builds
* Rootkit (and Bootkit)

==== Stealing of Auth credentials ====
* KeyLogging and Form Grabbing
* Video Grabbing
* WebInjects

==== Storing of Auth credentials ====
* Standard Dropzone
* Fast Flux Based
* Instant Messaging and P2P network

==== Hiding The Operations ====
* Data Tunnelling
* Modification of Contact Details
* User Interface Restoring

==== Cashing Out ====
* Money Transfer
* Mobile Phone Charge
* Pump and Dump

== Countermeasures ==

=== General strategy ===
* Narrowing the attack surface
* Identification
* Blocking
* Recovering

=== Actions to take for mitigating the Malware Attack Process ===
==== Containing the number of infected customers ====
* Awareness (e.g. Remember to the users about Antivirus programs)
* Check for software updates and potentially exposed customers (e.g. Plugin Update)

==== Unhide the Infection ====
* Tell to your customers about the infections
* Use systems for detecting compromised customers
* Have in place a Malware response process

==== Counterfeat the Stealing of Auth credentials ====
* Resilient Authentication
* Invest in user Informative (e.g. SMS with Token and Transaction details)
* Multi factor and Multi channel authentication

==== Against the Remote Storaging of Auth Credentials ====
* Identification and Alerting about Dropzones
* Browser Sand boxing
* Dropzone security response

==== Reveal Malicious Operations ====
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
* Establish a protected user informative (e.g. protecting phone numb. details update)
* Detect UI modification

==== Against Cashing Out ====
* Mule accounts monitoring
* Get money back from other banks
* Monitor and correlate sources for any disposal operation

== Evaluate your organization ==
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step

OWASP Anti-Malware Project - Awareness Program

2012-01-30T08:17:31Z

Gfedon: /* Against Cashing Out */

== Introduction ==
=== What is Banking Malware ===
=== What is Banking Malware Awarness Program ===

=== How Banking malware deals with Web Application Security ===

== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

=== From user infection to cash out ===
(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

==== Infection of clients and pcs ====
* Exploitation of client side vulnerabilities (during internet browsing)
* Spam (Infection delivered via Email)

==== Hiding The Infection and creating the Permanent threat ====
* Packers
* Modded Builds
* Rootkit (and Bootkit)

==== Stealing of Auth credentials ====
* KeyLogging and Form Grabbing
* Video Grabbing
* WebInjects

==== Storing of Auth credentials ====
* Standard Dropzone
* Fast Flux Based
* Instant Messaging and P2P network

==== Hiding The Operations ====
* Data Tunnelling
* Modification of Contact Details
* User Interface Restoring

==== Cashing Out ====
* Money Transfer
* Mobile Phone Charge
* Pump and Dump

== Countermeasures ==

=== General strategy ===
* Narrowing the attack surface
* Identification
* Blocking
* Recovering

=== Actions to take for mitigating the Malware Attack Process ===
==== Containing the number of infected customers ====
* Awareness (e.g. Remember to the users about Antivirus programs)
* Check for software updates and potentially exposed customers (e.g. Plugin Update)

==== Unhide the Infection ====
* Tell to your customers about the infections
* Use systems for detecting compromised customers
* Have in place a security response process

==== Counterfeat the Stealing of Auth credentials ====
* Resilient Authentication
* Invest in user Informative (e.g. SMS with Token and Transaction details)
* Multi factor and Multi channel authentication

==== Against the Remote Storaging of Auth Credentials ====
* Identification and Alerting about Dropzones
* Browser Sand boxing
* Dropzone security response

==== Reveal Malicious Operations ====
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
* Establish a protected user informative (e.g. protecting phone numb. details update)
* Detect UI modification

==== Against Cashing Out ====
* Mule accounts monitoring
* Get money back from other banks
* Monitor and correlate sources for any disposal operation

== Evaluate your organization ==
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step

OWASP Anti-Malware - Knowledge Base

2012-01-29T19:01:08Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T19:00:17Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T17:00:29Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T17:00:10Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:59:40Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:58:02Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:57:06Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:52:30Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:51:38Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:50:49Z

Gfedon: /* TextField Static Password */

File:Js virtual keyboard.png

2012-01-29T16:49:55Z

Gfedon:

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:49:37Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:48:45Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:48:31Z

Gfedon: /* Javascript Keyboard */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:47:04Z

Gfedon: /* TextField Static Password */

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:42:51Z

Gfedon: /* Appendix A: Security Considerations about Authentication Solutions and Malware */

File:Static password.png

2012-01-29T16:42:24Z

Gfedon:

OWASP Anti-Malware - Knowledge Base

2012-01-29T16:42:06Z

Gfedon: /* Appendix A: Security Considerations about Authentication Solutions and Malware */

Project Information:template Anti-Malware Project

2012-01-29T16:34:54Z

Gfedon:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Anti-Malware Project''' Defending Web Infrastructures Against Malware
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
“Malware is nowadays more than a single enemy: online crime has unified the forces for targeting any online banking customer. Banking Malware is ubiquitous because it’s constantly updated via country-specific configuration files and with modular plugins to fit any banking web application. In addition it can defeat the most sophisticated security protections actually implemented.”

This project is about describing common flaws in security designs that have been adopted for protecting banking websites against malware, as well as a series of best practices that should be considered for evaluating and building better anti-malware solutions.
The project will be constantly updated with information taken from Owasp Community, Malware Analysis, Forensic Activities, as well as from any other validated source.

The project delivery will be divided into Two parts. The first part will be a document containing guidelines directed to Banking Web Infrastructures owners. This document will be kept intentionally as short as possible and will have the main goal to raise the awareness on Malware threats and to precisely name a series of checklists that should be taken into consideration to significantly improve website security against malware.

The second part will be a technical study dynamically updated in wiki-style format. The technical study will be the reference for the guidelines contained in the previous document. This study will try to analyze the most sophisticated Malware Techniques used in the 3 most spread Banking Malware families, as well as discuss the effectiveness of different security protections that are thought to be useful against Malware.

The Technical Study will be made up of two teams: MRE (Malware Reverse Engineering Team) and AMTS (Anti-Malware Technology Solutions Team). MRE team will be in charge of studying the malware samples and to inoculate the techniques used against banking Websites; AMTS team will harvest the internet for any Web Infrastructural solution that claims to be Malware Proof for identifying its strengths and weaknesses.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [[User:Gfedon|'''Giorgio Fedon''']]
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors [[User:Vicente.aguilera|'''Vicente Aguilera''']] [[User:Giuseppe_Bonfa|'''Giuseppe Bonfa''']]
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/listinfo/owasp-anti-malware '''Subscribe here'''] [mailto:owasp-anti-malware@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors [http://www.mindedsecurity.com '''Minded Security''']
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
Provisory '''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' (under review) [[:OWASP Anti-Malware Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
[[:OWASP Anti-Malware Project - Awareness Program|Anti-malware Awareness Program]] [[:OWASP Anti-Malware - Knowledge Base|Anti-malware - Knowledge Base]]
| style="width:29%; background:#cccccc" align="center"|
if any, add link(s)
|}
----

OWASP Anti-Malware Project - Awareness Program

2012-01-27T14:54:40Z

Gfedon: /* Actions to take for mitigating the Malware Attack Process */

== Introduction ==
=== What is Banking Malware ===
=== What is Banking Malware Awarness Program ===

=== How Banking malware deals with Web Application Security ===

== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

=== From user infection to cash out ===
(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

==== Infection of clients and pcs ====
* Exploitation of client side vulnerabilities (during internet browsing)
* Spam (Infection delivered via Email)

==== Hiding The Infection and creating the Permanent threat ====
* Packers
* Modded Builds
* Rootkit (and Bootkit)

==== Stealing of Auth credentials ====
* KeyLogging and Form Grabbing
* Video Grabbing
* WebInjects

==== Storing of Auth credentials ====
* Standard Dropzone
* Fast Flux Based
* Instant Messaging and P2P network

==== Hiding The Operations ====
* Data Tunnelling
* Modification of Contact Details
* User Interface Restoring

==== Cashing Out ====
* Money Transfer
* Mobile Phone Charge
* Pump and Dump

== Countermeasures ==

=== General strategy ===
* Narrowing the attack surface
* Identification
* Blocking
* Recovering

=== Actions to take for mitigating the Malware Attack Process ===
==== Containing the number of infected customers ====
* Awareness (e.g. Remember to the users about Antivirus programs)
* Check for software updates and potentially exposed customers (e.g. Plugin Update)

==== Unhide the Infection ====
* Tell to your customers about the infections
* Use systems for detecting compromised customers
* Have in place a security response process

==== Counterfeat the Stealing of Auth credentials ====
* Resilient Authentication
* Invest in user Informative (e.g. SMS with Token and Transaction details)
* Multi factor and Multi channel authentication

==== Against the Remote Storaging of Auth Credentials ====
* Identification and Alerting about Dropzones
* Browser Sand boxing
* Dropzone security response

==== Reveal Malicious Operations ====
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
* Establish a protected user informative (e.g. protecting phone numb. details update)
* Detect UI modification

==== Against Cashing Out ====
* Mule accounts monitoring
* Monitor and correlate sources for any disposal operation

== Evaluate your organization ==
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step

OWASP Anti-Malware Project - Awareness Program

2012-01-27T14:52:39Z

Gfedon: /* Actions to take for mitigating the Malware Attack Process */

== Introduction ==
=== What is Banking Malware ===
=== What is Banking Malware Awarness Program ===

=== How Banking malware deals with Web Application Security ===

== Banking Malware Attack Process ==
The process involving Malware attack require the subsequent verification of each of the following steps to be successful. We consider an attack to be successful if the attacker obtain a financial gain from the initial client attack. The very steps (e.g. Infection of clients) usually do not involve the Banking infrastrucure, while others are tightly connected to it. Attackers absolutely need the functionalities offered by the hacked online bank accounts to do cash outs.

=== From user infection to cash out ===
(Image is missing)

This is a chain of required steps. Attackers need to perform successfully each of these for turning the attack into a monetary gain. For this reason the process can be reasonably stopped at any level. As in other cases a defense in depth approach is suggested to be effective against the weakest link of each part of the attack.

==== Infection of clients and pcs ====
* Exploitation of client side vulnerabilities (during internet browsing)
* Spam (Infection delivered via Email)

==== Hiding The Infection and creating the Permanent threat ====
* Packers
* Modded Builds
* Rootkit (and Bootkit)

==== Stealing of Auth credentials ====
* KeyLogging and Form Grabbing
* Video Grabbing
* WebInjects

==== Storing of Auth credentials ====
* Standard Dropzone
* Fast Flux Based
* Instant Messaging and P2P network

==== Hiding The Operations ====
* Data Tunnelling
* Modification of Contact Details
* User Interface Restoring

==== Cashing Out ====
* Money Transfer
* Mobile Phone Charge
* Pump and Dump

== Countermeasures ==

=== General strategy ===
* Narrowing the attack surface
* Identification
* Blocking
* Recovering

=== Actions to take for mitigating the Malware Attack Process ===
==== Containing the number of infected customers ====
* Awareness (e.g. Remember to the users about Antivirus programs)
* Check for software updates and potentially exposed customers
* Monitoring for Anomalies

==== Unhide the Infection ====
* Tell to your customers about the infections
* Use systems for detecting compromised clients
* Have in place a security response process to assist customers

==== Counterfeat the Stealing of Auth credentials ====
* Resilient Authentication
* Inform the user about their own operations (e.g. SMS with Token and Transaction details)
* Multi factor and Multi channel

==== Against the Remote Storaging of Auth Credentials ====
* Identification and Alerting about Dropzones
* Browser Sand boxing
* Dropzone security response

==== Reveal Malicious Operations ====
* Track transaction anomalies (Protocols, Geo Location, Bot –Like Requests)
* Establish a protected user informative (e.g. protecting phone numb. details update)
* Detect UI modification

==== Against Cashing Out ====
* Mule accounts monitoring
* Monitor and correlate sources for any disposal operation

== Evaluate your organization ==
Your organization can be evaluated along the adoption of the countereasures described above and on the effort to mitigate each malware attack step

OWASP Anti-Malware - Knowledge Base

2012-01-27T14:37:56Z

Gfedon: /* Behaviour Based Authentication */

OWASP Anti-Malware - Knowledge Base

2012-01-27T14:37:29Z

Gfedon:

Project Information:template Anti-Malware Project

2012-01-05T08:45:58Z

Gfedon:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Anti-Malware Project''' Defending Web Infrastructures Against Malware
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
“Malware is nowadays more than a single enemy: online crime has unified the forces for targeting any online banking customer. Banking Malware is ubiquitous because it’s constantly updated via country-specific configuration files and with modular plugins to fit any banking web application. In addition it can defeat the most sophisticated security protections actually implemented.”

This project is about describing common flaws in security designs that have been adopted for protecting banking websites against malware, as well as a series of best practices that should be considered for evaluating and building better anti-malware solutions.
The project will be constantly updated with information taken from Owasp Community, Malware Analysis, Forensic Activities, as well as from any other validated source.

The project delivery will be divided into Two parts. The first part will be a document containing guidelines directed to Banking Web Infrastructures owners. This document will be kept intentionally as short as possible and will have the main goal to raise the awareness on Malware threats and to precisely name a series of checklists that should be taken into consideration to significantly improve website security against malware.

The second part will be a technical study dynamically updated in wiki-style format. The technical study will be the reference for the guidelines contained in the previous document. This study will try to analyze the most sophisticated Malware Techniques used in the 3 most spread Banking Malware families, as well as discuss the effectiveness of different security protections that are thought to be useful against Malware.

The Technical Study will be made up of two teams: MRE (Malware Reverse Engineering Team) and AMTS (Anti-Malware Technology Solutions Team). MRE team will be in charge of studying the malware samples and to inoculate the techniques used against banking Websites; AMTS team will harvest the internet for any Web Infrastructural solution that claims to be Malware Proof for identifying its strengths and weaknesses.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [[User:Gfedon|'''Giorgio Fedon''']]
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors [[User:Vicente.aguilera|'''Vicente Aguilera''']] '''Giuseppe Bonfa'''
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/listinfo/owasp-anti-malware '''Subscribe here'''] [mailto:owasp-anti-malware@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Document''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors [http://www.mindedsecurity.com '''Minded Security''']
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
Provisory '''[[:Category:OWASP Project Assessment#Alpha Quality Documentation Criteria|Apha Quality]]''' (under review) [[:OWASP Anti-Malware Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
[[:OWASP Anti-Malware Project - Awareness Program|Anti-malware Awareness Program]] [[:OWASP Anti-Malware - Knowledge Base|Anti-malware - Knowledge Base]]
| style="width:29%; background:#cccccc" align="center"|
if any, add link(s)
|}
----