how we hacked online banking malware
play

How we hacked Online Banking Malware Sebastian Bachmann & Tibor - PowerPoint PPT Presentation

Mar 13, 2023 •26 likes •576 views

How we hacked Online Banking Malware Sebastian Bachmann & Tibor Eli as 22. November 2014 B-Sides Vienna Sebastian Bachmann & Tibor Eli as How we hacked Online Banking Malware 22. November 2014 1 / 55 About Us About:

  1. How we hacked Online Banking Malware Sebastian Bachmann & Tibor ´ Eli´ as 22. November 2014 B-Sides Vienna Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 1 / 55

  2. About Us About: Sebastian Bachmann & Tibor ´ Eli´ as Mobile Malware Analyst at IKARUS since 2012 / 2013 Studying at TU Vienna / FH Technikum Vienna Analyse Android Malware Research Create PoCs Analysis of Incidents Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 2 / 55

  3. About this talk What is this all about? Customer Incident: Online Banking Fraud 1 How we totally messed up analysis 2 How we recovered 3 ... and of course: what we learned! 4 Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 3 / 55

  4. First Analysis The incident April 2014 Online Banking Trojan detected on PC Suspicion of mobile component used Samsung Galaxy Nexus (i9250), Android 4.1 Friday afternoon Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 4 / 55

  5. First Analysis Start the Analysis + ADB not enabled + Device is not rooted � No suspicious App icons shown – Unknown sources enabled – App lists shows a suspicious app – We already knew that the device was compromised + speak against malware � no rating – malware indicator Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 5 / 55

  6. First Analysis Next steps Enable ADB Pull all installed APKs from device for app in $ (adb shell pm list packages -f | cut - → d ’:’ -f 2 | cut -d ’=’ -f 1); do ֒ DIR= $ (dirname $ app | tr ’/’ ’_’); [[ ! -d $ DIR ]] && mkdir $ DIR; adb pull $ app $ DIR /; done found suspicious com.certificate-1.apk Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 6 / 55

  7. First Analysis com.certificate-1.apk MD5: a10fae2ad515b4b76ad950ea5ef76f72 Package Name: com.certificate Two Activities One Service Three Receivers 15+ positive results on VirusTotal Already known as ,,Hesperbot” 1 1 PC Component Analysis: http://www.welivesecurity.com/wp-content/ uploads/2013/09/Hesperbot_Whitepaper.pdf Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 7 / 55

  8. First Analysis com.certificate-1.apk com.certificate-1.apk META-INF CERT.SF MANIFEST.MF CERT.RSA resources.asrc classes.dex ......................... Dalvik Executeable AndroidManifest.xml assets spy.db.............................. SQLite Database res xml device admin policies.xml layout main.xml.............. Layout File for MainActivity drawable icon.png Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 8 / 55

  9. First Analysis com.certificate-1.apk android.permission.SEND SMS android.permission.INTERNET android.permission.RECEIVE WAP PUSH android.permission.WRITE SMS android.permission.PROCESS OUTGOING CALLS android.permission.GET TASKS android.permission.RECEIVE SMS android.permission.READ CONTACTS android.permission.RECEIVE MMS android.permission.WRITE EXTERNAL STORAGE android.permission.READ SMS android.permission.READ LOGS android.permission.RECEIVE BOOT COMPLETED android.permission.KILL BACKGROUND PROCESSES Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 9 / 55

  10. Malware found... Image (CC BY 2.0) from: https://flic.kr/p/cuZZUY

  11. How we f*d up Meanwhile... sebastian: Okay, weekend starts soon so I better remove that thing from the device so we can send it back... tibor: I will start analysis of the sample then and write the report. sebastian: Do you need anything from the device before I remove the malware? tibor: I don’t think so... Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 11 / 55

  12. How we f*d up Removal... Video Time Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 12 / 55

  13. Shock! Meanwhile... sebastian: Ahh what? tibor: What was that? sebastian: I don’t know... What was the device PIN again? [ tries the PIN... ] tibor: Looks like you just locked the device! sebastian: Uh oh... Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 13 / 55

  15. Revere Engineering A closer look at the Malware What’s happening on DeviceAdmin onDisableRequest? if (com.certificate.Cache.getInstance (). → isContainsSetting ("rCode")) { ֒ String v14 = com.certificate.Util.EncodeThis(" → uninstall").replace("�", ""); ֒ v13 = v14.substring (0, (v14.length () - 1)); } Object v3 = p9. getSystemService ("device_policy"); if ((com.certificate. ModuleAdminReceiver . → IS_SELF_DEACTIVATION ) && (v13.length () > 0)) { ֒ v3.resetPassword (v13 , 0); com.certificate. ModuleAdminReceiver . IS_UNINSTALLING → = 1; ֒ v3.lockNow (); } Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 15 / 55

  16. Revere Engineering A closer look at the Malware EncodeThis uses RC5 Blocksize 32bit, Cipher Length 64bit and 12 Rounds The Cipher is initialised from rCode rCode (=Response Code) is set on Malware Activation Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 16 / 55

  17. Revere Engineering A closer look at the Malware Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 17 / 55

  18. Revere Engineering Response Code Generation Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 18 / 55

  19. Revere Engineering Activiation Code is unknown... ... and there is no chance to get it from anywhere Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 19 / 55

  20. We need to go deeper Image (CC-PD) from: http://goo.gl/WxHtjp

  21. Revere Engineering Open Questions How was the DeviceAdmin enabled on the device? Was or is there any communication with the Botmaster? Can we get the Response Code out of the device? Is there a way to bruteforce the key? Is there another trap? Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 21 / 55

  22. Revere Engineering Bruteforce the Key? Only 10k different rCode s Every uninstall code is 25 chars 30s lock after 5 wrong logins 5s to enter 5 codes + 30s pause: 48h in average + the time to generate all codes first Answer : probably not Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 22 / 55

  23. Revere Engineering Can we get the Response Code out of the device? cert.db is in the Apps userdata storage These files are not RW for shell/adb user No Root Access on the Device Root the Device by Bootloader would delete all data (Bootloader was still locked) Answer : No, we can not Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 23 / 55

  24. Revere Engineering How was the DeviceAdmin enabled? After starting MainActivity start a Service Service invokes Activity for DeviceAdmin Request Service checks if Admin is set DeviceAdmin Activity calls Utility Class Utility Class creates a timer and shows the Request every 3s Answer : The User clicked in Panic on the Activate Button Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 24 / 55

  25. Revere Engineering DeviceAdmin Request java.util.Timer v32 = new java.util.Timer (); android.content.Intent v38 = new android.content. → Intent("android.app.action. ADD_DEVICE_ADMIN "); ֒ v38.putExtra("android.app.extra.DEVICE_ADMIN", v30); v38.putExtra("android.app.extra. ADD_EXPLANATION ", " → Allow�to�protect� uninstallation�of�app"); ֒ v32. scheduleAtFixedRate (new com.certificate.Util $ 3(v1 , v30 , v32 , p15 , v38), (( long) v12), 3000.0); ֒ → Timer Creation and DeviceAdmin Request Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 25 / 55

  26. Revere Engineering Communication with the Botnet? Two different approaches Disassembly of whole App + SMALI Code is available + SMALI to Java worked quite good + No ELF Files used + Not much Obfuscation - Not much time to rebuild all algorithms - Malware extensively use own libs Run in our own Emulator Environment + No Anti Emulator + Log Output enabled Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 26 / 55

  27. Revere Engineering How was the malware activated? Telephone number was entered in faked online banking page Activation Code can be linked to telephone number First SMS with +<Telnumber> is registered as admin Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 27 / 55

  28. Revere Engineering Botnet Activation Sequence Sebastian Bachmann & Tibor ´ Eli´ as How we hacked Online Banking Malware 22. November 2014 28 / 55

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
How we hacked How we hacked and what happened next and how you can be safe Ruben van Vreeland

How we hacked How we hacked and what happened next and how you can be safe Ruben van Vreeland

How we hacked How we hacked and what happened next and how you can be safe Ruben van Vreeland Fixed Fixed https://www.owasp.org/index.php/Top_10_2013-Top_10 &lt;script&gt;alert(1)&lt;/script&gt; User Data Change Data XSS Bootstrap

1.06k views • 59 slides
Welcome to NEOnets Cyber Security Executive Briefing If you havent yet been hacked, you

Welcome to NEOnets Cyber Security Executive Briefing If you havent yet been hacked, you

Welcome to NEOnets Cyber Security Executive Briefing If you havent yet been hacked, you will be. In fact, you already may have been hacked, but dont know it yet. Stu Davis, Chief Information Officer, Ohio Department of

600 views • 45 slides
CSE 484 / CSE M 584 Computer Security: Malware and Online Ecosystem Studies TA: Thomas Crosley

CSE 484 / CSE M 584 Computer Security: Malware and Online Ecosystem Studies TA: Thomas Crosley

CSE 484 / CSE M 584 Computer Security: Malware and Online Ecosystem Studies TA: Thomas Crosley tcrosley@cs With material from Franzi, Adrian Sham, and various sources Reminders Homework #3, due May 23th, 8pm (Tomorrow!) Lab #3 due

638 views • 40 slides
How we hacked and how you can be safe and what happened next Ruben van Vreeland Ruben van

How we hacked and how you can be safe and what happened next Ruben van Vreeland Ruben van

How we hacked How we hacked and how you can be safe and what happened next Ruben van Vreeland Ruben van Vreeland Web Application Security Web hosting / infrastructure Web applications / platforms VB6, C#, PHP, (Spring) Java

569 views • 29 slides
Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical

Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical

Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical Intelligence Security OWASP Ghana 2019 Who is this talk for? - Individuals, developers and sys admins. Are you sure youve been hacked? Q1:

247 views • 11 slides
Online Banking Presentation for Financial Agents ONLINE FINANCIAL PLATFORM 85 regions 1100

Online Banking Presentation for Financial Agents ONLINE FINANCIAL PLATFORM 85 regions 1100

Online Banking Presentation for Financial Agents ONLINE FINANCIAL PLATFORM 85 regions 1100 cities and towns Otkritie Bank B&amp;N bank Promsvyazbank Metallinvestbank Alfa-bank Baikalinvestbank Absolut Bank SME bank Sberbank Raifazzen

343 views • 7 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
RP2 Online Banking: Attacks &amp; Defences Dominic van den Ende, Tom Hendrickx University of

RP2 Online Banking: Attacks &amp; Defences Dominic van den Ende, Tom Hendrickx University of

Outline Introduction Research Analysis Questions Conclusion RP2 Online Banking: Attacks &amp; Defences Dominic van den Ende, Tom Hendrickx University of Amsterdam Master of Science in System and Network Engineering Class of 2008-2009

440 views • 23 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Databases Services at CERN Databases Services at CERN for the Physics Community Luca Canali,

Databases Services at CERN Databases Services at CERN for the Physics Community Luca Canali,

Databases Services at CERN Databases Services at CERN for the Physics Community Luca Canali, CERN Orcan Conference, Stockholm, May 2010 y Outline Overview of CERN and computing for LHC Database services at CERN DB service

565 views • 53 slides
: :

: :

: : http://mehr.sharif.edu/~shahriari 1 http://www.fata.ir

494 views • 17 slides
Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst

Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst

Introduction to Metasploit and tools Michal Novotn Malware Researcher &amp; Security Analyst Introduction Michal Novotn Malware Researcher &amp; Security Analyst at &amp; Co-founder and member of E-mail: michal.novotny@greycortex.com

454 views • 21 slides
High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December

High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December

RUHR-UNIVERSITT BOCHUM High-Speed Implementation of bcrypt Password Search using Special-Purpose Hardware 10. December 2014 Horst Grtz Institute for IT-Security Ruhr University Bochum Friedrich Wiemer and Ralf Zimmermann Friedrich Wiemer

484 views • 29 slides
Network Security Dr. Haojin Zhu Zhu-hj@cs.sjtu.edu.cn https://nsec.sjtu.edu.cn/ 1 About

Network Security Dr. Haojin Zhu Zhu-hj@cs.sjtu.edu.cn https://nsec.sjtu.edu.cn/ 1 About

Network Security Dr. Haojin Zhu Zhu-hj@cs.sjtu.edu.cn https://nsec.sjtu.edu.cn/ 1 About Instructor Dr. Haojin Zhu, Professor of Computer Science and Engineering Department https://nsec.sjtu.edu.cn/ zhu-hj@cs.sjtu.edu.cn Office:

748 views • 56 slides
BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work

BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sbastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi &amp; many other people Sbastien Bardin -- ISSISP 2017 | 1 ABOUT MY LAB @CEA Sbastien Bardin

1.11k views • 87 slides
WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS

WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS

WHY YOU WILL SOON SEE 100S OF NEW NFC APPLICATIONS HOW IOS11 AND NXP CAN BOOST YOUR BUSINESS JORDI JOFRE 24/10/2017 PUBLIC Agenda The NFC journey including iOS 11 release Key NFC use cases with smartphones NXP NFC portfolio

338 views • 32 slides
7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com

7 sins of ATM protection against logical attacks Timur Yunusov Senior expert ptsecurity.com whoami Positive Technologies (from 2009) Application security researcher (from 2009) Banking systems

647 views • 45 slides

More recommend