This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Anti-Malware - Knowledge Base"
From OWASP
(→A Technical Knowledge Base for Banking Malware) |
|||
| Line 26: | Line 26: | ||
== Appendix B: Banking Malware Families (Active in 2012) == | == Appendix B: Banking Malware Families (Active in 2012) == | ||
=== Spyeye === | === Spyeye === | ||
| + | |||
| + | SpyEye is considered the successor of ZeuS and globally considered as | ||
| + | the most advanced Banking Malware kit actually used. | ||
| + | |||
| + | This kit was conceived as botnet easy to manage via a web based control panel. | ||
| + | |||
| + | SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish | ||
| + | its task, it provides a custom Encrypted Configuration File where | ||
| + | there are: | ||
| + | |||
| + | * Plugins | ||
| + | * Web Injection Code | ||
| + | * Collectors List- where stolen data is sent | ||
| + | |||
| + | SpyEye is capable of HTML code injection in the following browsers: | ||
| + | |||
| + | * FireFox | ||
| + | * Internet Explorer | ||
| + | * Chrome | ||
| + | * Opera | ||
| + | |||
| + | List of commonly used Plugins: | ||
| + | |||
| + | * ccgrabber - used to collect Credit Card numbers by analyzing POST requests. | ||
| + | * ffcertgrabber used to steal Firefox stored Certificates. | ||
| + | * ftpbc - used to reverse ftp connections to the bot. | ||
| + | * socks5 - allows reverse connections via a proxy server. | ||
| + | * billinghammer - charges Credit Cards by using stolen card data. | ||
| + | * ddos - plugin used to ddos a specified target. | ||
| + | * bugreport - send crash reports to the bot master. | ||
| + | * SpySpread - capability to spread via USB, IM Messages | ||
| + | * rdp - Remote Desktop capability | ||
| + | |||
| + | SpyEye kit, actually reached version 1.3.48 | ||
| + | |||
| + | In the second half of 2011 appeared a mobile edition of SpyEye, called | ||
| + | SpitMo specifically designed to steal mTAN (mobile TAN) authentication | ||
| + | systems. [[http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android]] | ||
| + | |||
| + | Resources: | ||
| + | |||
| + | * [[http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/|A Guide to SpyEye C&C Messages]] | ||
| + | * [[http://blogs.rsa.com/rsafarl/new-spyeye-gains-zeus-features-a-detailed-analysis-of-spyeye-trojan-v1-3/|New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]] | ||
| + | * [[http://cert.lexsi.com/weblog/index.php/2011/02/23/408-ddos-plugin-for-spyeye|DDOS plugin for SpyEye]] | ||
| + | * [[http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html|SpyEye steals your data. Even in a limited account]] | ||
| + | * [[http://blog.trendmicro.com/the-spyeye-interface-part-1-cn-1/|The SpyEye Interface, Part 1: CN 1]] | ||
| + | * [[http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/|The SpyEye Interface Part 2: SYN 1]] | ||
| + | * [[http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications/|SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)]] | ||
| + | * [[http://blog.trendmicro.com/spyeye-1-3-4-x-comes-with-noteworthy-modifications-part-2/|SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)]] | ||
| + | |||
=== Zeus === | === Zeus === | ||
=== Carberp === | === Carberp === | ||
Revision as of 15:13, 5 January 2012
Introduction
A Technical Knowledge Base for Banking Malware Threats
Protecting Banking Resources
Are your resources protected?
Enumerate the interesting targets
Define the path to the targets (Transition graphs)
Apply trust boundaries (security measures)
Define the weaknesses of the security measures adopted
Appendix A: Security Considerations about Authentication Solutions and Malware
Password
TAN (Gridcard, Scratch Card)
OTP (Time Based, Click Based)
CAP (Random Nonce, Challenge Response)
SMS Challenges
Cellphone Caller-ID
Appendix B: Banking Malware Families (Active in 2012)
Spyeye
SpyEye is considered the successor of ZeuS and globally considered as the most advanced Banking Malware kit actually used.
This kit was conceived as botnet easy to manage via a web based control panel.
SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish its task, it provides a custom Encrypted Configuration File where there are:
* Plugins * Web Injection Code * Collectors List- where stolen data is sent
SpyEye is capable of HTML code injection in the following browsers:
* FireFox * Internet Explorer * Chrome * Opera
List of commonly used Plugins:
* ccgrabber - used to collect Credit Card numbers by analyzing POST requests. * ffcertgrabber used to steal Firefox stored Certificates. * ftpbc - used to reverse ftp connections to the bot. * socks5 - allows reverse connections via a proxy server. * billinghammer - charges Credit Cards by using stolen card data. * ddos - plugin used to ddos a specified target. * bugreport - send crash reports to the bot master. * SpySpread - capability to spread via USB, IM Messages * rdp - Remote Desktop capability
SpyEye kit, actually reached version 1.3.48
In the second half of 2011 appeared a mobile edition of SpyEye, called SpitMo specifically designed to steal mTAN (mobile TAN) authentication systems. [[1]]
Resources:
- [Guide to SpyEye C&C Messages]
- [SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3]
- [plugin for SpyEye]
- [steals your data. Even in a limited account]
- [SpyEye Interface, Part 1: CN 1]
- [SpyEye Interface Part 2: SYN 1]
- [1.3.4.x Comes with Noteworthy Modifications (Part 1)]
- [1.3.4.x Comes with Noteworthy Modifications (Part 2)]
