This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Anti-Malware - Knowledge Base

From OWASP
Revision as of 15:52, 5 January 2012 by Giuseppe Bonfa (talk | contribs)

Jump to: navigation, search

Introduction

A Technical Knowledge Base for Banking Malware Threats

Protecting Banking Resources

Are your resources protected?

Enumerate the interesting targets

Define the path to the targets (Transition graphs)

Apply trust boundaries (security measures)

Define the weaknesses of the security measures adopted

Appendix A: Security Considerations about Authentication Solutions and Malware

Password

TAN (Gridcard, Scratch Card)

OTP (Time Based, Click Based)

CAP (Random Nonce, Challenge Response)

SMS Challenges

Cellphone Caller-ID

Appendix B: Banking Malware Families (Active in 2012)

Spyeye

SpyEye is considered the successor of ZeuS and globally considered as the most advanced Banking Malware kit actually used.

This kit was conceived as botnet easy to manage via a web based control panel.

SpyEye relies upon MiTB ( Man in The Browser ) attacks to accomplish its task, it provides a custom Encrypted Configuration File where there are:

* Plugins
* Web Injection Code
* Collectors List- where stolen data is sent

SpyEye is capable of HTML code injection in the following browsers:

* FireFox
* Internet Explorer
* Chrome
* Opera

List of commonly used Plugins:

* ccgrabber - used to collect Credit Card numbers by analyzing POST requests.
* ffcertgrabber  used to steal Firefox stored Certificates.
* ftpbc - used to reverse ftp connections to the bot.
* socks5 - allows reverse connections via a proxy server.
* billinghammer - charges Credit Cards by using stolen card data.
* ddos - plugin used to ddos a specified target.
* bugreport - send crash reports to the bot master.
* SpySpread - capability to spread via USB, IM Messages
* rdp - Remote Desktop capability

SpyEye kit, actually reached version 1.3.48

In the second half of 2011 appeared a mobile edition of SpyEye, called SpitMo specifically designed to steal mTAN (mobile TAN) authentication systems. [[1]]

Resources:

Zeus

ZeuS is a Banking Trojan identified for the first time in 2007, designed as HTTP Based Botnet specifically crafted to steal Online Banking Credentials.

Despite the fact that ZeuS Kit is no longer developed, infection statistics that can be checked here [[2]] clearly demonstrates that this trojan has a remarkable diffusion.

The ZeuS Kit functionality is based on MiTB attacks, an encrypted configuration file contains URL Triggers and HTML Code to be Injected.

In the past year appeared also a ZeuS for mobile called ZitMo, developed to bypass mTAN authentication system, more information can be reached here:

* [[3]]
* [trojan for Android defeats two-factor authentication]

2011 was also the year of ZeuS Source Code leak, this essentially lead to a number of new ZeuS Variants, here the most significative:

  • ICE IX
  • ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P Botnet and DGA (Domain Generation Algorithm) capabilities, that make ZeuS able to interact with other victims (nodes) and get Updated Binaries and Configurations.

ZeuS P2P References:

* [Gets More Sophisticated Using P2P Techniques]
* [– P2P+DGA variant – mapping out and understanding the threat]

Other References:

* [Tracker]
* [IX – Or Just ZeuS?]
* [when Zeus meets Java]
* [Malware Analysis by SophosLabs]
* [Banking Trojan Report]
* [Memory Analysis: Zeus Encryption Keys]

Carberp

Tatanga

Urlzone

Appendix C: Server Side Security Solutions

Appendix D: Client Side Security Solutions

References