Category Archives: Uncategorized

AusCERT 2011 presentation “Transactional Banking Malware” covering Gozi/Carberp…

I finally found the time to upload my presentation at AusCERT 2011 with the topic “Transactional Banking Malware – Don’t fear the trojans; fear how they are configured to attack a banking website. A practical session with surprising outcomes” (http://conference.auscert.org.au/conf2011/speaker_Andreas_Baumhoff.html)

It is attached to this post (AusCERT_2011_Andreas_Baumhof_V2)… What do you think? Would love to hear some feedback.

Quick update to Carberp

Thanks for all the responses to the in-depth report about Carberp. Wow. We didn’t anticipate such a huge response…

As Carberp has developed quite heavily over the last couple of months, and because there are many different Carberp versions out there, I just wanted to give you a quick update on our research and answer many of the questions we received (which we thought might be interesting for you as well).

  • The Browser Hooking also works for Firefox in various versions (!). We haven’t seen it working for Chrome yet.
  • Carberp was originally a malware that was used to distribute other malware. Especially earlier samples will download additional malware as well.
  • Carberp also has a configuration file system through which it can inject arbitrary HTML into any website. This is similar to the configuration file of Zeus, and while the trojans can inject anything, we have mostly seen injection of JavaScript that dynamically sends information to a server.
    • Similarly to Zeus, where the receiving server is an add-on to the “normal” Zeus C&C server, Carberp sends the captured information to a server different from the C&C server.

We’ll keep an eye on this as the trojan develops (and there is no doubt that it will).

A first look at Microsoft’s free Antivirus Engine Security Essentials (MSE)

With much press attention, Microsoft released its free Antivirus Engine called Microsoft Security Essentials. We had a quick look at it and while Microsoft has done a pretty good job altogether (quick, nice user interface, fairly decent signature database), it is what it is: an Antivirus Engine that is based on blacklists / heuristics.

However, this means MSE won’t protect you against the sophisticated trojans that we hear about in the press almost daily. We have successfully infected a machine with enabled and up-to-date MSE with a new mutation of the Zeus trojan that is active in the wild. (For the interested reader, here is a screen-capture movie that also shows how TrustDefender protects you from Zeus.)

So in our opinion MSE will not make any impact on the malware landscape at all; however, it will most certainly take market share from the other antivirus vendors and put pricing pressure on them.

Analysis of stolen data through Torpig (deployed through Mebroot/MBR/Sinowal)

We have posted some technical analysis of the Mebroot/MBR/Sinowal trojan lately, and while we at TrustDefender Labs focus quite heavily on analysing the trojans and infection vectors themselves on the client side, researchers at the University of California looked at the data the attackers received on the server side. This complements our research quite nicely, as it provides hard facts about how successful those attacks are and how much data the bad guys actually receive.

The research was done by the Security Group, Department of Computer Science at the University of California, Santa Barbara, who released a very interesting paper, “Your botnet is my Botnet: Analysis of a Botnet Takeover” (see http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html).

In this paper the security researchers “infiltrated” the Torpig C&C network for a period of 10 days, and their results are nothing less than astonishing.

In those 10 days, the sinkholed C&C server collected almost 70GB of data. This data included stolen credentials from 52,540 different infected machines, which sent some 297,962 unique credentials (username/password), among them credentials for 8,310 bank accounts at 410 different financial institutions. Furthermore the data included more than 11 million HTTP(S) form submissions, 1,258,862 email accounts, 1,235,122 Windows passwords, …

[Figure: stolen data types]

Key quotes from the original paper are:

The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).

The most common cards include Visa (1,056), MasterCard (447), American Express (81), Maestro (36), and Discover (24).

While 86% of the victims contributed only a single card number, others offered a few more. Of particular interest is the case of a single victim from whom 30 credit card numbers were extracted. Upon manual examination, we discovered that the victim was an agent for an at-home, distributed call center. It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center’s central database for order processing.

Very interestingly, they also looked at the financial implications of this:

Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. A report by Symantec [37] indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000.

If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M.

Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials [31].

For more on the botnet hijack, check out UC Santa Barbara’s Torpig project page. It was also featured on Slashdot.