Defeating mTANs for profit - Axelle Apvrille, Kyle Yang - ShmooCon (PowerPoint presentation)



  1. Defeating mTANs for profit - Axelle Apvrille, Kyle Yang - ShmooCon, January 2011

  2. Summary
     • Overview of Zitmo
     • Why is Zitmo important?
     • Zeus background info
     • The attack - in a nutshell
     • Similarities with SMS Monitor
     • Reverse engineering
     • Conclusion
     Defeating mTANs for profit - A. Apvrille, K. Yang 2/23

  3. Zitmo? ... what the fuss?!
     In brief
     • Zeus In The MObile
     • Malware for Symbian phones (OS > 9.0)
     • Intercepts mTANs = one-time passwords sent by SMS
     • Targeting Spanish online banks
     • Propagated on PC by Zeus botnet
     • First case of use by organized criminals

  4. Zeus (aka Zbot): background
     • It’s a crimeware kit, sold in the underground market
     • Designed to steal banking information
     • There are several Zeus botnets, not only one
     What’s new for Zitmo’s propagation?
     • Not ’much’, because fully configurable
     • Uses a different RC4 key to decrypt the configuration file
     • Targets Spanish banks, injects JavaScript into those URLs

  5. Zitmo in a nutshell
     [Diagram: actors are the Bank, the ZeuS botnet and the Infected Victim; numbered steps: Browser injection, Infecting victim’s mobile phone, SMS interception]

  6. Similarities with SMS Monitor
     • SMS Monitor: ”The main purpose of this application is parental controls and security audit.”
     • Two papers in Russian Xakep magazine, with code: re-used by Zeus gang?

     Zitmo compared with ...       Exact match of code      Exact match of strings
                                   (same assembly)          (case-sensitive match)
     SMS Monitor Lite              60%                      89%
     SMS Monitor                   59%                      90%
     SymbOS/Trapsms.A!tr.spy       13%                      2%
     SymbOS/Fwdsms.D!tr.spy        16%                      30%

  7. Summary
     • Overview of Zitmo
     • Reverse engineering
         • Developer’s Overview
         • Read SMS
         • Actions: release, forward, drop
         • Commands
         • Techniques: spoof admin, hidden window
     • Conclusion

  8. [A Malware] Developer’s Overview
     [Diagram: actors are the “Administrator”, Others (e.g. bank, friends...) and the Victim, all exchanging SMS with NokiaUpdate.exe. NokiaUpdate.exe contains an SMS Processing Engine with Init, Read SMS, Process Command and Settings stages, backed by the files c:\20022B8E\firststart.dat, the SQL database c:\20022B8E\Numbers.db and c:\20022B8E\settings2.dat]

  9. Silently intercept all SMS
     Assembly code taken from Zitmo:
        ; Open socket: RSocket::Open(RSocketServ &,uint,uint,uint)
        BL   _ZN7RSocket4OpenER11RSocketServjjj
        STR  R0, [R11,#errcode]        ; store the return code
        LDR  R3, [R11,#errcode]
        CMP  R3, #0                    ; if return code != KErrNone
        BNE  loc_7C90DAF8              ; jump to this location if error
        SUB  R0, R11, #0x54
        BL   _ZN8TSmsAddrC1Ev          ; TSmsAddr::TSmsAddr(void)
        SUB  R0, R11, #0x54
        MOV  R1, #4                    ; ESmsAddrMatchText
        ; set socket family (SetSmsAddrFamily) to ESmsAddrMatchText
        BL   _ZN8TSmsAddr16SetSmsAddrFamilyE14TSmsAddrFamily
        SUB  R0, R11, #0x54
        SUB  R3, R11, #0x24
        MOV  R1, R3                    ; text to match: _L8("")
        BL   _ZN8TSmsAddr12SetTextMatchERK6TDesC8

  10. Processing incoming SMS (listen - new stuff here ;)
      Actions
      • Drop SMS: nobody will ever see this SMS.
      • Forward SMS: the SMS is sent to the administrator. Not displayed on the victim’s phone.
      • Release SMS: the SMS is displayed in the victim’s inbox.
      • Commands: modifies the trojan’s behaviour.
      [Flowchart with decisions: Does SMS come from admin? / Are we monitoring this sender? / Is SMS body size <= 8 characters? / Is this a SET ADMIN command?; outcomes: Parse commands, Do command and update settings, Change admin, Release SMS to inbox, Forward SMS to admin, Drop it]

  11. Releasing SMS - those not to spy (listen - new stuff here)
      Switch to phone’s inbox:
        LDR  R0, [R3,#0x34]
        MOV  R1, #0x1002               ; KMsvGlobalInboxIndexEntryIdValue
        BL   _ZN8CBaseMtm19SwitchCurrentEntryLEl
      Copy generic information (subject, date) to TMsvEntry object. Mark the change (CommitL):
        BL   _ZN5TTime8HomeTimeEv      ; TTime::HomeTime(void)
        SUB  R3, R11, #0x74
        ADD  R0, R3, #0x48
        LDR  R1, [R11,#var_1C]
        BL   NokiaUpdate_copyTextIfNotNull
        ...
        ; CMsvEntry::ChangeL(TMsvEntry const&)
        BL   _ZN9CMsvEntry7ChangeLERK9TMsvEntry

  12. Releasing SMS (cont’d)
      • Copy message-type specific data (= headers and body) in CMsvStore object.
      • Set as ESmsDeliver = displayed as coming from sender (not to).
      • Commit.
        ; CSmsHeader::NewL(CSmsPDU::TSmsPDUType,CEditableText &)
        MOV  R0, #0                    ; ESmsDeliver
        LDR  R1, [R11,#var_80]
        BL   _ZN10CSmsHeader4NewLEN7CSmsPDU11TSmsPDUType...
        ...
        LDR  R0, [R11,#cmsvstore]
        BL   _ZN9CMsvStore7CommitLEv   ; CMsvStore::CommitL(void)
      NB. If listed in the phone’s address book, the contact name (”Axelle”) is displayed and not the phone number (”+336...”).

  13. Forward SMS to administrator (spy) - (not ’new’, but still listen ;))
      • Append Fr: to SMS body
      • Append sender’s phone number
      • Create SMS in the Drafts box.
        ; Copy original body in TDes16
        LDR  R3, [R11,#var_18]
        ADD  R0, R3, #0xC0
        LDR  R1, [R11,#incomingsmstext]
        BL   _ZN6TDes164CopyERK7TDesC16
        ; Create TPtrC (pointer) to " Fr:"
        SUB  R0, R11, #0x84
        LDR  R1, =aFr                  ; " Fr:"
        BL   _ZN7TPtrC16C1EPKt
        ; Append " Fr:" to body
        SUB  R2, R11, #0x84
        LDR  R3, [R11,#var_18]
        ADD  R0, R3, #0xC0
        MOV  R1, R2
        BL   _ZN6TDes166AppendERK7TDesC16
        ; Append the phone number (in #0x6C)
        LDR  R3, [R11,#var_18]
        ADD  R0, R3, #0xC0
        SUB  R3, R11, #0x6C
        MOV  R1, R3
        BL   _ZN6TDes166AppendERK7TDesC16

  14. Dropping an SMS
      • Do nothing :) ... or nearly:
      • Mark SMS PDU as successfully processed (or the message re-appears at next boot)
        ; RSocket::Ioctl(uint,TRequestStatus &,TDes8 *,uint)
        MOV  R1, #0x304                ; KIoctlReadMessageSucceeded
        MOV  R3, R12
        BL   _ZN7RSocket5IoctlEjR14TRequestStatusP5TDes8j

  15. Zitmo Commands (listen - new stuff here!)
      • ON / OFF
      • SET ADMIN xx
      • ADD SENDER xx, xx / ALL
      • REM SENDER xx, xx / ALL
      • SET SENDER xx
      • BLOCK ON / BLOCK OFF
      [Flowchart of the command parser: count the number of spaces in the SMS body (more than 2 = invalid, code=10; 0, 1 or 2 spaces select which keywords are tested: ON/OFF, BLOCK ON/OFF, SET ADMIN, SET SENDER, ADD SENDER ALL, REM SENDER ALL, ADD SENDER, REM SENDER); for ADD/REM SENDER, count commas and add or remove each phone number to/from the DB; each command yields a return code (0-9); then write settings2.dat and print to the hidden debug window.]
      Notes: If ALL numbers (except admin) are monitored, SQL tables are not used. BLOCK ON blocks incoming calls (not used).

  16. Zitmo settings file (listen - new stuff here!)
      • byte 0: state of the trojan: 0 if it is off, 1 if it is on (enabled).
      • byte 1: monitoring case: 0 to monitor phone numbers specified in the table, and 1 to monitor any numbers (ADD SENDER ALL case).
      • byte 2: blocking state: 0 if calls must not be blocked and 1 if they must be blocked (BLOCK ON/OFF).
      • byte 3-n: externalized 16-bit Unicode string object (TDesC16) for the administrator’s phone number.
      settings2.dat: disabled trojan (OFF), monitor all mode (ADD SENDER ALL), receive incoming calls (BLOCK OFF), admin is +44778148xxxx
                  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
        00000000  00 01 00 34 2b 34 34 37 37 38 31 34 38 x  x  x
        00000010  x
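As an added example (not code from the slides or from Zitmo itself), a Python parser for the settings2.dat layout above. It treats the byte after the three flags as the standard Symbian externalised-descriptor header (a TCardinality-encoded value of length<<1, low bit 0 for a 16-bit string, which matches 0x34 = length 13 in the dump) and assumes the administrator number is plain ASCII, so Symbian's compressed Unicode form is one byte per character; the sample bytes are constructed, with the slide's masked digits replaced by 0.

```python
# Added example: parser for Zitmo's settings2.dat as described on slide 16.
# Assumptions: byte 3 is a Symbian TCardinality-encoded descriptor header
# (length << 1, low bit 0 = 16-bit text) and the admin number is ASCII, so the
# compressed Unicode text that follows is one byte per character.
from dataclasses import dataclass
from typing import Tuple


@dataclass
class ZitmoSettings:
    enabled: bool        # byte 0: 1 = trojan ON
    monitor_all: bool    # byte 1: 1 = ADD SENDER ALL mode (SQL table unused)
    block_calls: bool    # byte 2: 1 = BLOCK ON
    admin_number: str    # bytes 3..n: externalised TDesC16


def read_cardinality(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a Symbian TCardinality (1, 2 or 4 bytes, little-endian).
    Returns (value, position after the encoded value)."""
    b0 = data[pos]
    if b0 & 1 == 0:                                   # 1-byte form: value << 1
        return b0 >> 1, pos + 1
    if b0 & 2 == 0:                                   # 2-byte form: (value << 2) | 1
        return int.from_bytes(data[pos:pos + 2], "little") >> 2, pos + 2
    return int.from_bytes(data[pos:pos + 4], "little") >> 3, pos + 4  # (value << 3) | 3


def parse_settings(data: bytes) -> ZitmoSettings:
    if len(data) < 4:
        raise ValueError("settings2.dat truncated: need 3 flags + descriptor header")
    for i in range(3):
        if data[i] not in (0, 1):
            raise ValueError(f"flag byte {i} out of range: {data[i]:#x}")
    header, pos = read_cardinality(data, 3)
    if header & 1:
        raise ValueError("admin number stored as 8-bit text, expected TDesC16")
    length = header >> 1
    text = data[pos:pos + length]
    if len(text) != length:
        raise ValueError(f"admin number truncated: expected {length} characters")
    if any(b >= 0x80 for b in text):
        raise ValueError("non-ASCII admin number: full SCSU decoding not implemented")
    return ZitmoSettings(bool(data[0]), bool(data[1]), bool(data[2]), text.decode("ascii"))


# Constructed sample matching the slide's dump: OFF, monitor all, BLOCK OFF,
# admin +44778148xxxx with the masked digits replaced by 0.
SAMPLE = bytes.fromhex("00 01 00 34") + b"+447781480000"

if __name__ == "__main__":
    print(parse_settings(SAMPLE))
```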

  17. Spoof administrator (listen - new stuff here!)
      Protocol flaw: anybody can claim to be the administrator!
      How to 0wn the adm1n :D
      Install Zitmo on lab phone 1. Bonus: make sure it can’t send SMS (offline, Faraday cage...)
      1. Method 1. Send SET ADMIN command by SMS with phone number of lab phone 2.
      2. Method 2. Craft a settings2.dat file with admin phone number = lab phone 2.
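As an added example combining slides 10, 15 and 17 (not the authors' code and not Zitmo's own parser), a Python classifier that flags SMS bodies matching Zitmo's command grammar, useful when triaging captured messages, together with a model of which sender the trojan honours. The space-counting dispatch follows slide 15; the exact whitespace and comma handling of the real parser, and the phone-number syntax, are assumptions.

```python
# Added example: recognise Zitmo command strings (slide 15) and model the
# admin check from slides 10 and 17. Grammar details beyond the slides
# (number syntax, no space after commas) are assumptions.
from typing import List, Optional, Tuple

def _is_number(token: str) -> bool:
    return token.lstrip("+").isdigit()          # "+44..." or "44..."; "" and "+" rejected

def classify_command(body: str) -> Optional[Tuple[str, List[str]]]:
    """Return (command, arguments) if body matches the Zitmo grammar, else None."""
    words = body.split(" ")
    if len(words) - 1 > 2:                      # more than two spaces: invalid (slide 15)
        return None
    if len(words) == 1:                         # no space: ON / OFF
        return (words[0], []) if words[0] in ("ON", "OFF") else None
    if len(words) == 2:                         # one space: BLOCK ON / BLOCK OFF
        if words[0] == "BLOCK" and words[1] in ("ON", "OFF"):
            return ("BLOCK " + words[1], [])
        return None
    verb, obj, arg = words                      # two spaces: SET / ADD / REM ...
    if verb == "SET" and obj in ("ADMIN", "SENDER"):
        return (f"SET {obj}", [arg]) if _is_number(arg) else None
    if verb in ("ADD", "REM") and obj == "SENDER":
        if arg == "ALL":
            return (f"{verb} SENDER", ["ALL"])
        numbers = arg.split(",")                # slide 15: count commas, one number each
        if all(_is_number(n) for n in numbers):
            return (f"{verb} SENDER", numbers)
    return None

def is_zitmo_command(body: str) -> bool:
    return classify_command(body) is not None

def accepted_from(sender: str, admin: str, body: str) -> bool:
    """Slides 10 and 17: commands are honoured only from the administrator,
    except SET ADMIN, which any sender may issue (the protocol flaw)."""
    cmd = classify_command(body)
    if cmd is None:
        return False
    return sender == admin or cmd[0] == "SET ADMIN"

if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    for msg in ("ON", "BLOCK OFF", "ADD SENDER ALL", "SET ADMIN +447781480000", "hi there"):
        print(f"{msg!r:30} -> {classify_command(msg)}")
```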

  18. Remote debugging Symbian phones

  19. Zitmo’s Hidden Debug Window (listen - new stuff here!)
      • Un-hide text editor window: CApaWindowGroupName::SetHidden(EFalse). Modify ETrue=1 to EFalse=0.
      • Bring window in front position: RWindowTreeNode::SetOrdinalPosition(ECoeWinPriorityAlwaysAtFront). Modify ECoeWinPriorityNeverAtFront=-1000 or ECoeWinPriorityNormal=0 to ECoeWinPriorityAlwaysAtFront=+1000 = 0x3e8.

  20. Summary
      • Overview of Zitmo
      • Reverse engineering
      • Conclusion
          • Zitmo is difficult to spot
          • Defeating two-factor authentication on demand
      Thank You!
