[cb16] background story of "operation neutralizing banking malware" and highly developed...

Behind “Operation Banking Malware Takedown”and the Progression of Malware Sophistication

2016.10.20 - 21CODE BLUE 2016

SecureBrain CorporationKazuki Takada

Profile

• Kazuki Takada

• SecureBrain Corporation

• Software Engineer My regular work is software development. Sometimes security researcher (sometime this is

main work…)

Background

Question

What’s this number?

3073000000

Answer

Amount of fraudulent Internet banking money transfer in Japan for 2015

\3,073,000,000

https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf

$30 million

Internet Banking Fraud in Japan

2013年 2014年 2015年

$29 million$30 million

$14 million

IPA Top Security Threat List

• Top 10 Security Threats for 2016.

Overview of “Operation Banking Malware Takedown”

Operation Banking Malware Takedown

9http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm

Victim PC

C&C ServerMPD

Distribution

Bank web server Threat Disabled

MPD : Metropolitan Police Department

The target is

“VAWTRAK”

11https://www.flickr.com/photos/arenamontanus/2125942630

*Other name Neverquest, Snifula

VAWTRAK

What’s VAWTRAK

• VAWTRAK has been around in Japan since 2014.• Rewrites MITB communication content

– Browser injection process. (IE, Firefox, Chrome)• Executes the following during Internet Banking

– Falsifies banking credential information– Semi-automatic fraudulent money transfer

What’s MITB ?

Man In The Browser

Browser

VAWTRAK

Victim PC

Injection Rewrite HTMLDummy Screen…etc.

Web server

What’s happened?

VAWTRAK

User PC

Registry

infection

Configuration data

C&C server Manipulationserver

BankWeb server

What’s happened?

VAWTRAK

User PC

<title>Internet Banking</title>

Request

Injection<script src=“….”>

Original content

BankWeb server

What’s happened?

VAWTRAK

User PC Request malicious JavaScript

Download and execute malicious JavaScript

<title>Internet Banking</title><script src=“….”>

BankWeb server

What’s happened?

VAWTRAK

User PC

Code number

送信

User accountinginformation

*******

BankWeb server

A chance for collaboration

Semi-automatic remittance fraud

ABCダイレクト　メインメニュー

　　お客様番号

　　ワンタイムパスワード

Fraudulent money transfer procedure is executed from victim PC while users are waiting for progress bar to finish.

Request flow

Victim PC

Bank Manipulation server

Login credential info.

Login processLogin screen

Account info screen

Tap balance info Balance info.

Money transfer info & amount of transfer

Money Transfer process

Progress B

Display some input

screen if necessary

http://www.slideshare.net/MasataNishida/avtokyo2014-obsevation-of-vawtrakja

Tried to send to the same request as malicious JavaScript

Beneficiary Information

Amount of Transfer (Upper limit / lower limit)

Collaboration with Metropolitan Police Department (MPD)

• Share beneficiary account information with the Metropolitan Police Department (MPD), which SecureBrain collected by researching the Manipulation server

• MPD prevented illegal money transfer by utilizing beneficiary account information.

Metropolitan Police Dept. and SecureBrain made a cooperative agreement

Collaboration with Metropolitan Police Department (MPD)

• MPD has a domain of C&C server.• The domain name was obtained using regular procedure.• They watched the communication between VAWTRAK and

the C&C server.• They identified 82,000 victim clients worldwide, with 44,000

clients located in Japan.

MPD considered distributing a new “Configuration data” for the takedown.

Technical overview

Victim PC

C&C ServerMPD

Distribution

BankWeb server

No longer under threat

Provide neutralization data generation tool.

Get domain and

put under control

Who is in charge of each technology...

Metropolitan Police Department• Obtain control of the C&C server and construct data

distribution server.• Testing

SecureBrain• Development of “Command” and “Configuration data”

generation tool. It uses a decryption technique for VAWTRAK.

• Investigate the type of data required to neutralize VAWTRAK.

Development of neutralization technique

Feature available for a takedown of VAWTRAK(BOT)

C&C Server

Victim PC

Poll the server every minute

When there is an effective communication, it does not

communicate with other C&C servers

Command

Identify the 20 commands.• Configure data• Download and execute file• Shutdown, reboot• Steal Cookie• Steal CertStore• Start and Stop Socks server• Start and Stop VNC server• Update• Registry operations ...etc...

Configuration data

Replace data for communicate manipulation server

Decrypted Configuration data

Target URL

Malicious code for injection

Component of Configuration data

Name Meaning

inject type Type of injection

browser Target browser

pattern match Pattern type to match URL

URL Target URL

string2 Target string

string3 Replace string

string4 Insert string

inject type

Identify the 18 commands.• Close connection• Screen capture• Insert before• Insert after• Replace URL• Replace host• Replace string...etc...

browser / pattern

Browser

Internet Explorer

Firefox

Chrome

browser

Type Meaning

strstr strstr function

strcmp strcmp function

regexp Regular expression

pattern

Try to check the “Configuration data“ again.

Configuration data

Type Meaning

inject type insert before

browser IE, Firefox, chrome

URL Target URL(Regular expression)

string3 -

string4 JavaScript for Injection

Configuration data

種別意味inject type replace URL

browser IE, Firefox, chrome

URL Target URL

string3 URL for replace

string4 -

About generation tool

• Execution check environment– Linux OS– Python 2.7.x

• Tool generates the binary data which VAWTRAK can read as input in Command and Configuration

• Because the output data is delivered by the C&C server and read by VAWTRAK, its configuration is renewed.

Generating flow of Configuration data

Encryption process (XOR)

Raw configure data (JSON format)

CRC32 from raw configure data

Compression process (aPLib)

Encrypted configure data (Binary)

• Control of VAWTRAK

Experiment sandbox environment

DummyC&C Server

Mac OSX

VM Ware

Victim PC

Internet

Host machine Mac OSX 10.10

Dummy C&C Ruby 2.0 + Sinatra

Victim PC Various Windows(After XP)

Browser Internet ExplorerChromeFirefox

The body of neutralization data

Effect of the takedown operation

Discussion

• Damage by VAWTRAK increased from mid-2013, but decreased after the operation.

• Because the police carried out the operation, it might have had a psychological effect to technically influence the attacker.

• There are some problems. For example, there is the need to obtain the domain beforehand.

The Progression of Malware Sophistication

Major malware in 2016

ROVNIX

URLZONE

VAWTRAK (New)

URSNIF

Other name Cidox

Other name Shiotob, Beblohbd

Other name Neverquest ,Snifula

Other name Gozi

http://www.securebrain.co.jpCopyright© 2016 SecureBrain Corporation, All rights reserved. http://www.securebrain.co.jpCopyright© 2016 SecureBrain Corporation, All rights reserved. 47=Malicious JavaScript

ROVNIX

target 30

Group A Group B=Malicious JavaScript

URLZONEVAWTRAK(New)

target 30

The attack method of MITB is almost the same.

What changes ?

• Prevent rewriting malware communication with C&C server– Private key for “Serpent” is encrypted by public key encryption system

RSA-2048.– RONIX sign contents of communication by RSA-2048.

• Malware is updated frequently– Detection by pattern matching becomes more difficult– It can inject even in the latest browsers.

• Various communication methods– Both HTTP and UDP P2P communications are used to get

Configuration data.

• Sophistication of malicious JavaScript

不正 JavaScriptの高機能化 (1)

Request flow

Victim PC

Bank Manipulation server

Login credential info.

Login process

Login Screen

Remittance process

Request of Settlement info.

my screen of

security software

Settlement info

Display some input screen an necessary

Discussion

Prevent rewriting communication.Multiplex of communication channel.Concealed information is processed on the server.

Security for attack activity maintenance is strengthened

Conclusions

• It is very important that the police takes the lead in a takedown operation.

• The reaction of the attacker is very quick. We always have to think about new prevention techniques.

• It is difficult to simply apply the ways of this operation to sophisticated malware.

Effective takedown operation…

https://www.flickr.com/photos/hackaday/4658391708

It is essential for the government, the police, the judiciary, and

the company to cooperate together.

[cb16] background story of "operation neutralizing banking malware" and highly developed...

Technology

intrusion detection and malware analysis - malware...

wltp-e-lab sub group test procedure kazuki kobayashi ntsel...

kuramoto kazuki

perfil mercado miel abejas cb16

noise study 6/may/’13 kazuki motohashi - tokyo tech

[cb16]...

[cb16]...

o etela kazuki yamanaka unitedsouiÄreunion 2016.2.14 tel

scientia amazonia, v. 7, n.2, cb1-cb16, 2018 revista on...

thesis proposal research book by kazuki daimo

kazuki takamatsu

kuramoto kazuki - ti-dakuramoto kazuki title...

malware and anti-malware (fun with trojans) - z....

[cb16] esoteric web application vulnerabilities by andrés...

kazuki daimo portfolio

affinity selection and sequence-activity relationships of...

kazuki hasebe

coffe art kazuki yamamoto

[cb16] who put the backdoor in my modem? by ewerson...

nyu school of photography and graphic arts by kazuki daimo