Slide 1: ZeuS MitMo
Mikel Gastesi, S21sec e-crime analyst, 2011-02-25
http://null.co.in/ http://nullcon.net/

Slide 2: ZeuS MitMo
– Introduction
– Banking protections
– Banking trojans – ZeuS / Zbot
– ZeuS MitMo
– Conclusion

Slide 3: Introduction

Slide 4: Introduction
Target – Why the user??

Slide 5: Banking protections
– User / password
– User / password + extra password for transactions
– Code card
– OTP – mTAN = mobile Transaction Authentication Number
Slide 6: Cat and mouse game (protection vs. attack)
– User / password: form grabbing
– User / password + extra password for transactions: form grabbing
– Code card: HTML injection
– OTP – mTAN (mobile Transaction Authentication Number): Zitmo, MitB – Token?

Slide 7: Attacking the user
– Phishing
– Trojans
  – One-shot trojans
  – Modifying the hosts file
  – Form grabbing
  – HTML injection

Slide 8: Banking trojans
– ZeuS / Zbot
– SpyEye
– Bankpatch
– SilentBanker
– Sinowal
– Gozi
– Carberp
– …

Slide 9: Zbot
You can buy it for less than $600!
– Easy to install
– Easy to configure
– Creates an easy-to-manage botnet
– Very powerful
– Add-ons: IM / Jabber
Zitmo has been seen for sale!! ¿?¿?
Slide 10: Zbot
Characteristics:
– Creates a botnet
– Configuration file update
– Binary file update
– /etc/hosts modification
– Socks proxy
– HTML injection
– HTML redirection

Slide 11: Zbot
Characteristics:
– Screenshots
– Captures virtual keyboards
– Captures form data
– Steals certificates
– KillOS function!
– Encrypts configuration file and data

Slide 12: Zbot – artefacts per version

Executable        Config & Data               Mutex / Pipe         Version
ntos.exe          \wsnpoem\video.dll          _SYSTEM_64AD0625_    1.0.x.x
                  \wsnpoem\audio.dll
oembios.exe       \sysproc64\sysproc86.sys    _SYSTEM_64AD0625_    1.1.x.x
                  \sysproc64\sysproc32.sys
twext.exe         \twain\local.ds             _SYSTEM_64AD0625_    1.1.x.x
                  \twain\user.ds
twex.exe          \twain\local.ds             _H_64AD0625_         1.2.x.x
                  \twain\user.ds
sdra64.exe        \mac32\cbt.lc               _AVIRA_2109_         1.2.x.x
bootlist32.exe    \mac32\cc.lc                _LILO_19099_
userinit32.exe    \lowsec\local.ds
                  \lowsec\user.ds
                  \zad32and\boot.pop
                  \yad32and\codec.dll
bootwindows.exe   \skype32\win32post.dll      _SOSI_19099_         1.3.x.x
                  \skype32\win64post.dll

(The 1.2.x.x row groups three executables, six data files and two mutex names on the slide; the one-to-one pairing is not shown.)

Slide 13: Zbot – artefacts per version (continued)

Executable        Config & Data               Version
msxxx32.exe                                   1.3.x.x
host32.exe        \jh87uhnoe3\ewf32.nls       1.3.7.0
                  \jh87uhnoe3\ewfrvbb.nls
svchost32.exe     \efee3f32f\brrve.nls        1.4.1.3
                  \efee3f32f\wrfsf.nls
random                                        2.x
Licat, Hydra? ….
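The two artefact tables above are the kind of data an incident responder turns into a host triage check. The following is an added example, not code from the talk or from S21sec: it transcribes the executable names, config/data paths and mutex names from the tables into Python and matches them against a constructed host inventory (a file listing plus the names of enumerated mutexes). The sample paths, the sample mutex names and the "strong/weak" confidence rule are assumptions of the example, as is the decision to keep the grouped 1.2.x.x row as one entry rather than guess the pairing.

```python
"""Match host artefacts against the Zbot indicator table from slides 12-13.

Added example (not the talk's own code).  The table below is transcribed
from the slides; everything else (sample inventory, confidence rule) is an
assumption of this example.
"""
import ntpath

# One entry per table row.  The 1.2.x.x row on the slide groups several
# executables, data files and mutexes together, so it is kept grouped here.
# "msxxx32.exe" is written that way on the slide and is matched literally.
ZBOT_INDICATORS = [
    {"version": "1.0.x.x", "exe": {"ntos.exe"},
     "data": {r"\wsnpoem\video.dll", r"\wsnpoem\audio.dll"},
     "mutex": {"_SYSTEM_64AD0625_"}},
    {"version": "1.1.x.x", "exe": {"oembios.exe"},
     "data": {r"\sysproc64\sysproc86.sys", r"\sysproc64\sysproc32.sys"},
     "mutex": {"_SYSTEM_64AD0625_"}},
    {"version": "1.1.x.x", "exe": {"twext.exe"},
     "data": {r"\twain\local.ds", r"\twain\user.ds"},
     "mutex": {"_SYSTEM_64AD0625_"}},
    {"version": "1.2.x.x", "exe": {"twex.exe"},
     "data": {r"\twain\local.ds", r"\twain\user.ds"},
     "mutex": {"_H_64AD0625_"}},
    {"version": "1.2.x.x",
     "exe": {"sdra64.exe", "bootlist32.exe", "userinit32.exe"},
     "data": {r"\mac32\cbt.lc", r"\mac32\cc.lc",
              r"\lowsec\local.ds", r"\lowsec\user.ds",
              r"\zad32and\boot.pop", r"\yad32and\codec.dll"},
     "mutex": {"_AVIRA_2109_", "_LILO_19099_"}},
    {"version": "1.3.x.x", "exe": {"bootwindows.exe"},
     "data": {r"\skype32\win32post.dll", r"\skype32\win64post.dll"},
     "mutex": {"_SOSI_19099_"}},
    {"version": "1.3.x.x", "exe": {"msxxx32.exe"}, "data": set(), "mutex": set()},
    {"version": "1.3.7.0", "exe": {"host32.exe"},
     "data": {r"\jh87uhnoe3\ewf32.nls", r"\jh87uhnoe3\ewfrvbb.nls"},
     "mutex": set()},
    {"version": "1.4.1.3", "exe": {"svchost32.exe"},
     "data": {r"\efee3f32f\brrve.nls", r"\efee3f32f\wrfsf.nls"},
     "mutex": set()},
]


def scan_host(file_paths, mutex_names):
    """Return one hit per table row that has at least one artefact present.

    Each hit lists the matched artefacts and a confidence label (assumption
    of this example): "strong" when two or more artefact classes (executable,
    data file, mutex) match, "weak" when only one does.  A weak, mutex-only
    hit is deliberately reported, because _SYSTEM_64AD0625_ is shared by
    three versions and the analyst needs to see that ambiguity.
    """
    # Windows file names are case-insensitive; normalise paths once.
    files = [p.lower().replace("/", "\\") for p in file_paths]
    present_mutexes = set(mutex_names)  # kernel object names are case-sensitive
    hits = []
    for row in ZBOT_INDICATORS:
        matched = set()
        for path in files:
            base = ntpath.basename(path)
            if base in row["exe"]:
                matched.add(base)
            # Data files are matched by path suffix, so any install root works.
            matched.update(d for d in row["data"] if path.endswith(d.lower()))
        matched.update(row["mutex"] & present_mutexes)
        if matched:
            classes = sum(bool(matched & row[k]) for k in ("exe", "data", "mutex"))
            hits.append({"version": row["version"],
                         "confidence": "strong" if classes >= 2 else "weak",
                         "matched": sorted(matched)})
    return hits


# Constructed sample inventory (not from the talk): a 1.2.x.x-style host.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\WINDOWS\system32\drivers\etc\hosts",
    r"C:\Program Files\Example\example.exe",
]
SAMPLE_MUTEXES = ["_AVIRA_2109_", "SomeUnrelatedMutex"]

if __name__ == "__main__":
    for hit in scan_host(SAMPLE_FILES, SAMPLE_MUTEXES):
        print(hit["version"], hit["confidence"], hit["matched"])
    # prints: 1.2.x.x strong ['\\lowsec\\local.ds', '\\lowsec\\user.ds', '_AVIRA_2109_', 'sdra64.exe']
```

Matching data files by path suffix rather than by full path is what makes the check usable on an arbitrary system root; matching mutex names exactly is deliberate, since named kernel objects are case-sensitive. Feeding the scanner only the shared `_SYSTEM_64AD0625_` mutex yields three weak hits (1.0.x.x and both 1.1.x.x rows), which is the correct answer rather than a false precision.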
Slide 14: Zbot – Why does it work so well?
– Stealth – the user doesn't see anything wrong
Green lock + https = OK?? #FAIL

Slides 15–17: Zbot (image only)

Slide 18: Zbot – Screen capture

Slide 19: Zbot – Redirection

Slide 20: Zbot (image only)

Slide 21: Jumping to the phone
[Diagram labels: ZEUS TROJAN, MITMO]
Slide 22: Attacking phones – Today – Why?
– Stealing OTP
– Hiding information messages (instead of SMS flooding)
  – Avoid detection of MitB
– Blocking incoming calls
  – Prevent users from communicating with the bank
    – No mail
    – No SMS
    – No phone call

Slide 23: Attacking phones – Today and Tomorrow – Why?
– False security perception
  – 2 factors -> 1 factor
– Personal information
  – Passwords of a lot of services, social networks, etc.
  – Password reuse?

Slide 24: Implementation
OTP != mTAN
– Hardware token
– Ownable platform
How do you configure your phone number?

Slide 25: Zitmo
[Diagram labels: ZEUS, MITMO, CREDENTIALS, COMMANDS, "0023424 : OTP", 0023424]
Slide 26: Zitmo
ZeuS 2.0.8.9 with custom injection

Slide 27: Zitmo
Fake SMS to install the trojan (one-time URL)

Slide 28: Zitmo
Platforms
– Symbian
– BlackBerry
– Windows Mobile
Targets
– Spanish banks in September (+1 German)
– Polish banks this week (+ Portugal…)
– ZitMo depends only on the PC ZeuS config

Slide 29: Zitmo – How does it work?
– Preconfigured admin phone number
– Hello message: "App installed OK"
– Resend messages
– Inspired by "SMS Monitor"

Slide 30: Zitmo – Commands
– Set admin
– Sender add
– Sender rem
– Block on
– Block off
– Set sender

Slide 31: Zitmo
Mikel, don't forget the video!!!
Slide 32: ZitMo reloaded
ZeuS version 3.1.8 – Fake?

Slide 33: ZitMo reloaded
New UNINSTALL 45930 command

Slide 34: ZitMo reloaded
Set admin – App installed ok

Slide 35: ZitMo reloaded
Android version??? FAKE?

Slide 36: Conclusions
– Real threat, actively used
– Defeats OTP (mTAN)
– To think: 2 factor authentication is becoming single authentication!
– Android > Symbian
  – Same scenario?
  – Installing from the web Android market?

Slide 37: Questions?

Slide 38: Thank you!!!
Contact: mgastesi@s21sec.com