OWASP Anti-Malware - Knowledge Base - Revision history

Johanna Curiel at 13:30, 31 July 2016

2016-07-31T13:30:38Z

Giuseppe Bonfa at 11:05, 3 August 2012

2012-08-03T11:05:38Z

Giuseppe Bonfa at 11:02, 3 August 2012

2012-08-03T11:02:19Z

Giuseppe Bonfa at 11:01, 3 August 2012

2012-08-03T11:01:21Z

Giuseppe Bonfa at 10:58, 3 August 2012

2012-08-03T10:58:58Z

Giuseppe Bonfa at 10:58, 3 August 2012

2012-08-03T10:58:25Z

Giuseppe Bonfa at 09:21, 3 August 2012

2012-08-03T09:21:39Z

Giuseppe Bonfa at 08:47, 3 August 2012

2012-08-03T08:47:46Z

Mariano Graziano at 15:09, 30 March 2012

2012-03-30T15:09:17Z

Mariano Graziano at 15:08, 30 March 2012

2012-03-30T15:08:36Z

← Older revision		Revision as of 13:30, 31 July 2016
Line 1:		Line 1:
		+	{{taggedDocument}}
	== Introduction ==		== Introduction ==
	=== A Technical Knowledge Base for Banking Malware Threats ===		=== A Technical Knowledge Base for Banking Malware Threats ===

@@ Line 505: / Line 505: @@
 From an architectural point of view, like SpyEye, plugins are downloaded from the C&C server and are inivocally identified by an ID. Follows a summary of identified plugin (information is taken from ESET article - check references for additional details):
-* '''HermesCore''': This plugin is automatically included in all versions of Gataka and has a fundamental function, it's responsible of communication activities. The addresses of the servers are encoded in Base64. HermesCore can finally run arbitrary executables sent by the botmaster.
+*'''HermesCore''': This plugin is automatically included in all versions of Gataka and has a fundamental function, it's responsible of communication activities. The addresses of the servers are encoded in Base64. HermesCore can finally run arbitrary executables sent by the botmaster.
-* '''Interceptor''': As the name suggests, this plugin takes care of the interception of traffic network by hooking API connect() getpeername() closesocket(). The plugin acts essentially as proxy that monitors inbound/outbound traffic, and in case of encrypted communications (HTTPS) Interceptor is able to use a fake certificates to perform a MiTM attack. It's also important to highlight the fact
+*'''Interceptor''': As the name suggests, this plugin takes care of the interception of traffic network by hooking API connect() getpeername() closesocket(). The plugin acts essentially as proxy that monitors inbound/outbound traffic, and in case of encrypted communications (HTTPS) Interceptor is able to use a fake certificates to perform a MiTM attack. Interceptor is able to change at run-time the certificate control functions of several browser in such a way to make the entire process even more invisible to the victim.
-that Interceptor is able to change at run-time the certificate control functions of several browser in such a way to make the entire process even more invisible to the victim.
+*'''NextGenFixer''': This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
-* '''NextGenFixer''': This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
+*'''WebInject''': This plugin takes care of injecting malicious HTML/JS code into the target page, as well able to make a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.
-* '''WebInject''': This plugin takes care of injecting malicious HTML/JS code into the target page, as well able to make a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.
+*'''HttpTrafficLogger''': Make a log of browsing the victim.
-* '''HttpTrafficLogger''': Make a log of browsing the victim.
+*'''SocksTunnel''': Implements a SOCKS server such a way to exploit the infected machine for anonymous browsing activities.
-* '''SocksTunnel''': Implements a SOCKS server such a way to exploit the infected machine for anonymous browsing activities.
+*'''TrafficGrabber''': Network traffic sniffer, with functionality of packet dumper.
-* '''TrafficGrabber''': Network traffic sniffer, with functionality of packet dumper.
+*'''CoreDb''': Contains the configuration encrypted with 3DES algorithm.

@@ Line 506: / Line 506: @@
 * '''HermesCore''': This plugin is automatically included in all versions of Gataka and has a fundamental function, it's responsible of communication activities. The addresses of the servers are encoded in Base64. HermesCore can finally run arbitrary executables sent by the botmaster.
-* '''Interceptor''': As the name suggests, this plugin takes care of the interception of traffic network by hooking API connect() getpeername() closesocket(). The plugin acts essentially as proxy that monitors inbound/outbound traffic, and in case of encrypted communications (HTTPS) Interceptor is able to use a fake certificates to perform a MiTM attack. It's also important to highlight the fact that
+* '''Interceptor''': As the name suggests, this plugin takes care of the interception of traffic network by hooking API connect() getpeername() closesocket(). The plugin acts essentially as proxy that monitors inbound/outbound traffic, and in case of encrypted communications (HTTPS) Interceptor is able to use a fake certificates to perform a MiTM attack. It's also important to highlight the fact
-Interceptor is able to change at run-time the certificate control functions of several browser in such a way to make the entire process even more invisible to the victim.
+that Interceptor is able to change at run-time the certificate control functions of several browser in such a way to make the entire process even more invisible to the victim.
 * '''NextGenFixer''': This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
 * '''WebInject''': This plugin takes care of injecting malicious HTML/JS code into the target page, as well able to make a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.

@@ Line 505: / Line 505: @@
 From an architectural point of view, like SpyEye, plugins are downloaded from the C&C server and are inivocally identified by an ID. Follows a summary of identified plugin (information is taken from ESET article - check references for additional details):
-* HermesCore: This plugin is automatically included in all versions of Gataka and has a fundamental function, it's responsible of communication activities. The addresses of the servers are encoded in Base64. HermesCore can finally run arbitrary executables
+* '''HermesCore''': This plugin is automatically included in all versions of Gataka and has a fundamental function, it's responsible of communication activities. The addresses of the servers are encoded in Base64. HermesCore can finally run arbitrary executables sent by the botmaster.
-sent by the botmaster.
+* '''Interceptor''': As the name suggests, this plugin takes care of the interception of traffic network by hooking API connect() getpeername() closesocket(). The plugin acts essentially as proxy that monitors inbound/outbound traffic, and in case of encrypted communications (HTTPS) Interceptor is able to use a fake certificates to perform a MiTM attack. It's also important to highlight the fact that
 Interceptor is able to change at run-time the certificate control functions of several browser in such a way to make the entire process even more invisible to the victim.
-* NextGenFixer: This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
+* '''NextGenFixer''': This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
-* WebInject: This plugin takes care of injecting malicious HTML/JS code into the target page, as well able to make a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.
+* '''WebInject''': This plugin takes care of injecting malicious HTML/JS code into the target page, as well able to make a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.
-* HttpTrafficLogger: Make a log of browsing the victim.
+* '''HttpTrafficLogger''': Make a log of browsing the victim.
-* SocksTunnel: Implements a SOCKS server such a way to exploit the infected machine for anonymous browsing activities.
+* '''SocksTunnel''': Implements a SOCKS server such a way to exploit the infected machine for anonymous browsing activities.
-* TrafficGrabber: Network traffic sniffer, with functionality of packet dumper.
+* '''TrafficGrabber''': Network traffic sniffer, with functionality of packet dumper.
-* CoreDb: Contains the configuration encrypted with 3DES algorithm.
+* '''CoreDb''': Contains the configuration encrypted with 3DES algorithm.
 References

@@ Line 516: / Line 516: @@
 * TrafficGrabber: Network traffic sniffer, with functionality of packet dumper.
 * CoreDb: Contains the configuration encrypted with 3DES algorithm.
 * [http://blog.eset.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off Win32/Gataka: a banking Trojan ready to take off?]

@@ Line 496: / Line 496: @@
 * [http://threatpost.com/en_us/blogs/tiny-new-tinba-banker-trojan-found-stealing-financial-data-053112 Tiny New Tinba Banker Trojan Found Stealing Financial Data]
 * [http://www.theregister.co.uk/2012/06/04/small_banking_trojan/ Small banking Trojan poses major risk]
 == Appendix C: Server Side Security Solutions ==

@@ Line 474: / Line 474: @@
 * [http://labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/ The Cridex Trojan Targets 137 Financial Organizations in One Go]
 * [http://sempersecurus.blogspot.it/2012/08/cridex-analysis-using-volatility.html Cridex Analysis using Volatility]
 == Appendix C: Server Side Security Solutions ==

@@ Line 298: / Line 298: @@
 * '''LOGGEREXT—Aids in stealing online credentials for Web sites with enhanced security.'''
 * '''SPREAD—Spreads Clampi to machines in the network with open network shares.'''
-* '''ACCOUNTS—Steals locally saved credentials for a variety of applications such as Instant Messaging and FTP
+* '''ACCOUNTS—Steals locally saved credentials for a variety of applications such as Instant Messaging and FTP clients.'''
 * '''INFO—Gathers and sends general system information.'''

← Older revision		Revision as of 15:08, 30 March 2012
Line 285:		Line 285:
	* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]		* [http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html Decrypting Carberp C&C communication]
	* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]		* [http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity Facebook New Trends in Carberp Activity]
		+
		+
		+	=== Clampi ===
		+	Clampi (also known as Ligats, Ilomo or Rscan) is a Trojan designed to steal credentials from infected systems.
		+	Its main purpose is to steal online banking credentials to conduct the unauthorized transfer of funds from hacked accounts to
		+	groups likely in Eastern Europe or Russia.
		+
		+	It has seven modules:
		+	* '''SOCKS—A socks proxy.'''
		+	* '''PROT—Steals PSTORE credentials, which typically contains credentials saved when using a Web browser.'''
		+	* '''LOGGER—Steals online credentials.'''
		+	* '''LOGGEREXT—Aids in stealing online credentials for Web sites with enhanced security.'''
		+	* '''SPREAD—Spreads Clampi to machines in the network with open network shares.'''
		+	* '''ACCOUNTS—Steals locally saved credentials for a variety of applications such as Instant Messaging and FTP
		+	clients.'''
		+	* '''INFO—Gathers and sends general system information.'''
		+
		+	References:
		+	* http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf
		+	* http://www.symantec.com/connect/blogs/inside-jaws-trojanclampi
		+	* http://mnin.blogspot.fr/2008/11/locating-hidden-clampi-dlls-vad-style.html
		+	* http://www.secureworks.com/research/threats/clampi-trojan/