Smartcard vulnerabilities in modern banking malware

Aleksandr MatrosovEugene Rodionov

Agenda

Evolution of Carberp distribution scheme drive by downloads detection statistics

Carberp modifications the story of BK-LOADER antiRE tricks

Banks attacking algorithms Smartcard attacks

Evolution drive by downloads: Carberp case

Exploit kits used in distribution scheme

Impact since 2010 (probivaites.in)• Java/Exploit.CVE-2010-0840• Java/Exploit.CVE-2010-0842• Java/TrojanDownloader.OpenConnection

Blackhole since 2011 (lifenews-sport.org)• JS/Exploit.JavaDepKit (CVE-2010-0886)• Java/Exploit.CVE-2011-3544• Java/Exploit.CVE-2012-0507• Java/Agent

Nuclear Pack since 2012 (nod32-matrosov-pideri.org)• Java/Exploit.CVE-2012-0507

Blackhole drive by download scheme

searchvuln

legitimate site

exploitation stage/getJavaInfo.jar/content/obe.jar/content/rino.jar

dropper execution/w.php?f=17&e=2

TRUE FALSE

Exploit kit migration reasons

1• most popular = most detected

2• frequently leaked exploit kit• most popular exploit kit for research

3• auto detections by AV-crawlers• non-detection period is less than two hours

Blackhole migration to Nuclear Pack

Nuclear pack drive by download scheme

searchvuln

legitimate site

exploitation stage//images/274e0118278c38ab7f4ef5f98b71d9dc.jar

dropper execution/server_privileges.php?<gate_id>=<exp_id>

TRUE FALSE

check real user

BlackSEO & Nuclear Pack

Carberp detection statistics

Carberp detection statistics by countryCloud data from Live Grid

RussiaUkraineBelarusKazakhstanTurkeyUnited KingdomSpainUnited StatesItalyRest of the world

Carberp detections over time in RussiaCloud data from Live Grid

Jan-10

Feb-10

Mar-1

0

Apr-10

May-10

Jun-10

Jul-1

0

Aug-10

Sep-10

Oct-10

Nov-10

Dec-10

Jan-11

Feb-11

Mar-1

1

Apr-11

May-11

Jun-11

Jul-1

1

Aug-11

Sep-11

Oct-11

Nov-11

Dec-11

Jan-12

Feb-12

Mar-1

2

Apr-12

0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18

Evolution of Carberp modifications

Different groups, different bots, different C&C’s

Origami

D*****v

G***o

functionality Gizmo Dudorov OrigamiDedicated dropper Win32/HodprotJava patcher Bootkit based on RovnixRDP backconnect Win32/RDPdoor Win32/RDPdoorTV backconnect Win32/Sheldor Win32/Sheldor Win32/SheldorHTML injections IE, Firefox, Opera IE, Firefox, Opera,

ChromeIE, Firefox, Opera,

ChromeAutoloads Unique plugins minav.plug

passw.plugkillav.plug

sbtest.plugcyberplat.plug

sber.plugddos.plug

commands Gizmo Dudorov Origami Descriptionddos download DDoS plugin and start attack

updatehosts modify hosts file on infected system

alert show message box on infected system

update download new version of Carberp

updateconfig download new version of config file

download download and execute PE-file

loaddll download plugin and load into memory

bootkit download and install bootkit

grabber grab HTML form data and send to C&C

killos modify boot code and delete system files

killuser delete user Windows account

killbot delete all files and registry keys

updatepatch download and modify java runtime

deletepatch delete java runtime modifications

The Story of BK-LOADERfrom Rovnix.A to Carberp

Interesting Carberp sample (October 2011)

≈3000 tested bots

Interesting strings inside Carberp with bootkit

Carberp bootkit functionality

Bootkitbootstrap code

Inject user-mode payload

Load unsigned driver injector

Callgraph of bootkit installation routine

functionality Rovnix.A Carberp with bootkit Rovnix.BVBR modification polymorphic VBR Malware driver storage

Driver encryption algorithm

custom(ROR + XOR)

custom(ROR + XOR)

custom(ROR + XOR)

Hidden file system FAT16 modification

FAT16 modification

File system encryption algorithm RC6

modificationRC6

modification

Rovnix kit hidden file systems comparison

Comparison of Carberp file system with Rovnix.B

AntiRE tricks

Removing AV hooks before installation

Calling WinAPI functions by hash

Plugin encryption algorithm

Communication protocol encryption algorithm

Banks attacking algorithms

Bank attacking algorithm Gizmo Dudorov OrigamiHTML injections autoload 2010 2011 (Sep)dedicated plugins for major banks

intercepting client-banks activity patching java webmoney/cyberplat

stealing money from private persons

Smartcard attacks

Applications used by smartcards

User interface Access provider

Call reader device driver

Specific reader device driver

Specific reader device driver

Reader device Reader device

Smartcard Smartcard

Smartcard resource manager

…

…

…

User Application

Smartcard Subsystem

Hardware Support

Win32/Spy.Ranbyus

Win32/RDPdoor v4.x

<VendorId>:<ProductId>:<Revision>:

<InfoRetreivedFromDevice>:<DeviceNameOrDescription>

FabulaTech USB for Remote Desktop Server

http://crackme.esetnod32.ru

References

Exploit Kit plays with smart redirection http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection

Dr. Zeus: the Bot in the Hathttp://blog.eset.com/2010/11/05/dr-zeus-the-bot-in-the-hat

Blackhole, CVE-2012-0507 and Carberphttp://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

Evolution of Win32/Carberp: going deeperhttp://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper

Hodprot: Hot to Bothttp://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf

Carberp Gang Evolution: CARO 2012 presentationhttp://blog.eset.com/2012/05/24/carberp-gang-evolution-at-caro-2012

Thank you for your attention!

Aleksandr Matrosovmatrosov@eset.sk@matrosovamatrosov.blogspot.com

Eugene Rodionovrodionov@eset.sk@vxradius