Download Gataka: A banking trojan ready to take off?

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
Document related concepts
no text concepts found
Transcript 
Gataka: A banking trojan ready to take off?
Jean-Ian Boutin
ESET
Outline
• Background
• Architecture
• Overview of plugins
• Webinject
• Network Protocol
• Campaigns
Background
Origins
• Aliases: Tatanga, Hermes
• First publicly discussed in 2011 by S21Sec
• Targets mostly European users
What is it?
• Banking trojan
• Designed to steal all kind of sensitive information through ManIn-The-Browser scheme
• Regionalized
• Not very wide spread
• Developped in C++
• Modular architecture similar to SpyEye
• Very verbose, a lot of debug information are sent to Command and
Control Server.
• Frequent update with new plugins and plugin versions.
• Several advanced features
Geographic distribution of detection
Business model
• This is not a do-it-yourself kit like
SpyEye
• It seems that this kit is private or sold
only to selected groups
• Infection vector
• BlackHole
• Malicious attachment
Architecture
Modular Architecture
• HermesCore
• Communicate with C&C
• Ability to launch downloaded
executable
Interceptor
Interceptor
• Supported browsers
• Firefox
• Internet Explorer
• Opera
• Maxthon
• Frequent update to
support latest browser
versions
Communication can now be monitored
• NextGenFixer
• Install filters on particular
URLs
• Webinject
• Inject html/javascript
• Record videos/screenshots
• HttpTrafficLogger
• Log selected communications
to/from specific websites
• CoreDb
• Stores information received
from C&C
Webinject
CoreDb
Webinject
Self-contained webinject
Webinject contained in DB
Webinject downloaded from
external server
Injected content
Webinject – Gataka platform communications
Network Protocol
Topology
Compromised hosts
Hacked servers
C&C
Packet Decomposition
TCP/IP Header
Packet 1
Gataka Header
Encrypted Data
…
Packet n
Gataka Header
Encrypted Data
Gataka header
0-7
NW Protocol
Use xor key
• When packets are
received from C&C,
dword9 is optional
and Bot Id is absent
8-15
16-23
Magic Number
Byte mask
dword1
dword2
Data size
Uncompressed Data Size
XOR key
dword6
dword7
checksum
dword9
Bot Id (64 bytes)
24-31
Send packet - log
Campaigns
Germany – statistics from one campaign
1.51%
• These statistics were obtained
from a C&C
• Almost 75% of
compromised hosts in
Germany
0.25%
0.17%
0.05%
Total Hits: 248,468
Germany
25.10%
Unresolved/Unknown
United States
Israel
Sweden
Canada
72.92%
Germany – Two factor authentication bypass
Image sources: wikipedia.org and postbank.de
Netherlands
Ready to take off?
Time will tell
Credits
• David Gabris
Thank You!
Questions ?
Appendix
Basics
Installation
• Infection vector
• BlackHole
• Malicious attachment
• Installation
• Injection in all processes
• Communications done through IE
Architecture
Interceptor
Network Protocol
Send packet – installed plugin information
plugin ID
• Bot configuration info
• Contains all plugin
installed along with
their versions
plugin version
Detailed Protocol Analysis (From C&C)
0-7
NW Protocol
Use xor key
8-15
16-23
Magic Number
Byte mask
24-31
dword1
dword2
Data size
Uncompressed Data Size
XOR key
dword6
dword7
checksum
dword9 (only with protocol 4)
Related documents
Slides - The University of Texas at Dallas
Slides - The University of Texas at Dallas
Networking1b
Networking1b
Summer Packet EnteringGrade7
Summer Packet EnteringGrade7
Using Web Suite - Western Reserve Hospital
Using Web Suite - Western Reserve Hospital
Introduction to Twedit++-CC3D
Introduction to Twedit++-CC3D
The Transport Layer
The Transport Layer
H37-R38 - Uplift Mighty Prep
H37-R38 - Uplift Mighty Prep
Modern Geometry Review Packet
Modern Geometry Review Packet
2 - UTRGV Faculty Web
2 - UTRGV Faculty Web
doc.cultivatearchitecture - SE-Wiki
doc.cultivatearchitecture - SE-Wiki
Voice over IP (Lecture 15)
Voice over IP (Lecture 15)
Network Traffic Measurement and Modeling
Network Traffic Measurement and Modeling
A6_Oct_07_08 - Raadio- ja sidetehnika instituut
A6_Oct_07_08 - Raadio- ja sidetehnika instituut
Networks
Networks
CSCI 3421 Data communications and Networking
CSCI 3421 Data communications and Networking
EOY `98 Pre-Prototype - Washington University in St. Louis
EOY `98 Pre-Prototype - Washington University in St. Louis
McGill University Monday, Sept 21 st 2009
McGill University Monday, Sept 21 st 2009
Introduction - Ilam university
Introduction - Ilam university
r01
r01
ppt
ppt
More Info »
More Info »
Lecture Note Ch.20
Lecture Note Ch.20