Recomendados
Recomendados
Más contenido relacionado
Similar a Reversing banking trojan: an in-depth look into Gataka
Similar a Reversing banking trojan: an in-depth look into Gataka (20)
Reversing banking trojan: an in-depth look into Gataka
- 1. Reversing banking trojan: an in-depth look into Gataka Jean-Ian Boutin ESET
- 2. Outline • Background • Architecture • Overview of plugins • Network Protocol • Webinject • Campaigns
- 3. Background
- 4. Origins • Aliases: Tatanga, Hermes • First publicly discussed in 2011 by S21Sec • Targets mostly European users
- 5. What is it? • Banking trojan • Designed to steal all kind of sensitive information through Man- In-The-Browser scheme • Regionalized • Not very wide spread • Developped in C++ • Modular architecture similar to SpyEye • Very verbose, a lot of debug information are sent to Command and Control Server. • Frequent update with new plugins and plugin versions. • Several advanced features
- 6. Geographic distribution of detection
- 7. Business model • This is not a do-it-yourself kit like SpyEye • It seems that this kit is private or sold only to selected groups • Infection vector • BlackHole • Malicious attachment
- 8. Basics
- 9. DEMO1
- 10. Installation • Infection vector • BlackHole • Malicious attachment • Installation • Injection in all processes • Communications done through IE
- 11. Persistence
- 12. Architecture
- 13. Modular Architecture • HermesCore • Communicate with C&C • Ability to launch downloaded executable
- 14. DEMO2
- 15. Interceptor
- 16. Interceptor • Supported browsers • Firefox • Internet Explorer • Opera • Maxthon • Frequent update to support latest browser versions
- 17. Communication can now be monitored • NextGenFixer • Install filters on particular URLs • Webinject • Inject html/javascript • Record videos/screenshots • HttpTrafficLogger • Log selected communications to/from specific websites • CoreDb • Stores information received from C&C
- 18. DEMO3
- 19. IEXPLORE – certificate patching
- 20. Network Protocol
- 21. Topology Compromised hosts Proxy servers C&C
- 22. Packet Decomposition TCP/IP Header Packet 1 Gataka Header Encrypted Data … Packet n Gataka Header Encrypted Data
- 23. C++ Reversing • Some basic suff • This pointer usually passed in ecx • In object, vtable is at first offset
- 24. DEMO4
- 25. Gataka header 0-7 8-15 16-23 24-31 Magic Number NW Protocol Byte mask • When packets are Use xor key dword1 received from C&C, dword2 dword9 is optional Data size and Bot Id is absent Uncompressed Data Size XOR key dword6 dword7 checksum dword9 Bot Id (64 bytes)
- 26. Send packet - log
- 27. Plugins Storage
- 28. Webinject
- 29. CoreDb
- 30. Webinject
- 31. Self-contained webinject Webinject contained in DB Webinject downloaded from external server Injected content
- 32. Webinject – Gataka platform communications
- 33. DEMO5
- 34. Campaigns
- 35. Germany – statistics from one campaign 0,17% 1,51% 0,25% 0,05% Total Hits: 248,468 • These statistics were obtained from a C&C • Almost 75% of 25,10% Germany Unresolved/Unknown compromised hosts in United States Germany Israel Sweden Canada 72,92%
- 36. Germany – Two factor authentication bypass Image sources: wikipedia.org and postbank.de
- 37. Netherlands
- 38. Conclusion