F5 Anti-Fraud Solutions: Frictionless Protection for the Masses
Anti-Fraud Solutions: Why F5? In 2013, F5 Networks grew its security portfolio to include advanced Anti-Fraud services with the acquisition of the Israeli-based security company Versafe. At the RSA Conference in San Francisco this week, we have a section of our F5 booth dedicated to the Anti-Fraud solution where we are talking about the technology, answering questions and demonstrating the capabilities all week. If you cannot make it to the conference or even if you attended but missed us at our booth, that’s not a problem. I’ll fill you in on some of the details. First, just walking around the RSA Conference, it’s clear that there is no shortage of anti-fraud solutions on the market. The number is mind blowing and continuously growing. As new threats emerge, new technologies are introduced to combat them. But if you look at the approaches each company takes, they are often quite different. So that begs the question: why F5? Well, from a feature and function standpoint, we cover a wide range of web-based fraud detection and protection capabilities. The WebSafe solution, which protects web-based applications, safeguards against various forms of malicious activity including phishing attacks, Man-In-The-Middle, Man-In-The-Browser and Trojan activity such as web injections, form hijacking, page modifications and transaction modification. But what makes the solution unique is that it enables 100% coverage of the user base in a completely clientless manner, without impacting the user experience. We inject our obfuscated code via an iRule, into the web application code as part of the response data. In other words, the solution is completely frictionless, which is key differentiator number one. And because the solution leverages common browser-based technologies, we protect users who are navigating from all types of devices: laptops, PCs, tablets, smart TVs, mobile devices, etc. As long as the user is navigating with a standard web browser, they will be protected. This is key differentiator number two. From a deployment standpoint, today the WebSafe solution is implemented via an iRule on an F5 device (either physical or virtual), so there is no need to introduce changes to the web applications our customers are looking to protect from online fraud. This saves time when deploying the solution because there is no need to engage web development resources which are often outsourced or already engaged in critical projects. Our ability to deploy without these web application changes equates to savings and is key value proposition number three. As a matter of fact, many F5 customers can leverage their current F5 investment and deploy the Anti-Fraud services on their existing infrastructure, requiring no additional hardware investment: differentiator number four. Lastly, WebSafe provides protection against online fraud without a client install and with no change in the online users’ experience. Introducing CAPTCHAs, popups, etc is often too intrusive to the end user, so we are looking to protect the users without introducing friction in the process. Summary If you are at the RSA Conference, stop by booth 1801. We would be happy to demonstrate our Anti-Fraud solution and help to enhance your fraud protection capabilities. If you are not at RSA, look for further details here. We will be posting more details about F5’s Anti-Fraud solutions throughout the coming weeks.
Gootkit Malware, New Targets around the World
During the last campaign of Gootkit malware, detected by F5 in February 2016, new targets were spotted while analyzing its configuration. Gootkit, identified in some cases as Waldek, is a banking Trojan that was first seen in the wild around April 2014. Gootkit is a JavaScript based malware which uses web-injects, recording actions and utilizes a unique persistency mechanism in order to steal user credentials on infected machine. In this specific configuration, the malware recorded user actions when they are interacting with the login page, those recordings are assumed to be sent over email to the fraudster. While it was previously reported by “Proofpoint”, that the Gootkit malware started expanding its interest to other geographical areas and assumed that it will keep on this trend, we can currently witness this actual expansion forecast. By analyzing the malware configuration, we’ve noticed it targeting financial institutions from previous reports in Europe such as UK, France, Spain, Italy, Germany, Belgium, Luxemburg, Hungary, Bulgaria and Swiss banks. From latest investigation we’ve noticed that Gootkit has started to examine new areas around the world, from the Middle East, attacking financial institutions in Israel and Egypt, now also targeting banks in US and Canada, even found targeting Sri Lanka and New Zealand. Figure 1 Gootkit list of targets As with other financial Trojans, Gootkit performs preparations by using video recording functionality before it is launching actual attacks on financial institutions websites. The video recording documents user interaction with the bank’s website, while it can include several options, such as recording time and the frame rate of the video. After a record has been created the file will be uploaded to the C&C. Figure 2 Gootkit configuration targeting generic "bank" name Gootkit has an interesting traffic pattern, while communicating over HTTPS using port 80. We just can assume that it is intended to trick some weak firewall rules. Gootkit communicates with couple of domains defined hardcoded in the infection file. Figure 3 Gootkit Communication points In order to avoid detection, the malware rewrites itself under a different file name every hour while deleting the previous version of the file. To survive a reboot, it adds an “Autorun” registry key in HKEY_CURRENT_USER registry hive, under the \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, which will run the malicious file every time a user logs on to his Windows account. MD5 Sample: 1002c739e6152d917335c6f46d15e8c5 References: · https://www.proofpoint.com/us/gootkit-banking-trojan-jumps-channelDyre - No Rest for the Wicked
Dyre malware requires little introduction as it had been the focus of many publications and it is a well-known threat in the financial malware world. One of the reasons for it being so infamous is the frequent changes the authors incorporate in the code. Recently, my colleague Gal Shilo and I noticed a few minor changes in Dyre’s configuration file. This triggered research that uncovered a significant evolution in the malware’s behavior. Windows 10 and Microsoft Edge Browser are Under Attack While Windows 10 is gaining momentum, Dyre creators don't miss the opportunity to target the early adopters by also infecting the Edge browser that ships with this OS. This is an example of the browser injection routine: Renewed Dyre Commands Dyre uses a windows pipe for inter-process communication, passing commands from the main module it injects into the “windows explorer” process to other processes. The commands are passed both to browsers launched by the user and stealthy worker-processes launched by the malware itself. In the new sample, most of the commands discussed in previous F5 research have been replaced and a few new ones have been added, along with new functionality. The following is a list of new commands and their functions: 0xF1”lli” – Get the botid name srvv – Get the C&C IP dpsr – Get the data POST server IP grop – Get the botnet name seli – Get the self-IP gcrc – Get the fake pages configuration gcrp – Get the server-side webinjects configuration pngd – Get the account information stolen by the pony module sexe – Among other jobs, it copies the droppee path and its content both to Dyre’s special structure and the configuration file on disk. It also tries to get the anti-antivirus module from the C&C. gsxe – Get the droppee path Additional Protection Layers Here is a list of new features designed to add protection from removal and detection: The pipe’s name is no longer hardcoded (e.g. "\\\\.\\pipe\\3obdw5e5w4"). It is now based on a hash of the computer name and windows OS version Although the purpose was to make the pipe harder to detect because it is unique per machine, the opposite was accomplished as the name can now be predicted for each machine. Anti-antivirus module – A new Dyre module dubbed aa32(or aa64 on 64 bit OS) by the malware, was observed. After receiving it from the C&C, it is injected to the “spoolsv.exe” process (the spooler service responsible for fax\print jobs). Its functionality is to locate anti-virus products on the machine and disable their activity (for example, by deleting their files or changing their configurations). Some of the spotted vendors include: Avira, AVG, Malwarebytes, Fortinet and Trend Micro. Looking for the product path in the registry: Encrypted strings – The hardcoded debug strings that used to make analysis much easier are now encrypted. They are decrypted only during runtime, so the static analysis reveals much less than before about the malware’s behavior. In former versions of the malware, a runkey was set in order to maintain persistency after a reboot. However, in this version, a scheduled task is ran every minute. Disable windows security center We conclude from the addition of these features that the authors of the malware strive to improve their resilience against anti-viruses, even at the cost of being more conspicuous. They also wish to keep the malware up-to-date with current OS releases in order to be “compatible” with as many victims as possible. There is little doubt that the frequent updating will continue, as the wicked require very little rest. Sample MD5: 5f464d1ad3c63b4ab84092d2c1783151
Slave Malware Analysis
During the last couple of weeks, Nathan Jester, Elman Reyes, Julia Karpin and Pavel Asinovsky got together to investigate the new “Slave” banking Trojan. According to their research, the early version of the Slave performed IBAN swapping in two steps with great resemblance to the Zeus “man-in-the-browser” mechanism. First, the host header is compared to a hard-coded bank name. If the match is successful, the hard-coded HTML tag is searched throughout the request body and the content is swapped if it matches the IBAN pattern. Then, After the browser infection which takes place in the exact manner as the later version, the malware places hooks on the outbound traffic functions. The latest version of the Slave is, of course, much more sophisticated than the first one and include creation of registry keys with random names, IE, Firefox and Chrome infections, kernel32.dll hooks and more. However, one of the most interesting capabilities of the Slave is the timestamp check. As can be seen in the screenshot below, the malware is conditioned to run before April 2015 and not after that so the sample is basically "valid" for two weeks only, probably to avoid research and detection. Click here to download the full technical Malware Analysis Report. Or here for the Executive Summay Report. To learn more about F5 Security Operation Centers, visit our webpage. -- Editors Note: F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.
Anti-Fraud Protection: Filling Security Gaps for Online Banking
This year at RSA we experienced a new level of conversation about online threats. Anti-fraud protection was the topic for many guests stopping by the booth following the announcement of F5’s solutions for web fraud protection. Booth visitors shared with me that their customer-users expect web applications [& Mobile Apps] they rely on for online banking, shopping, etc. to protect their assets and sensitive information from unauthorized disclosure or access. Being an avid user of such applications I merely thought “of course we do buddy”. I was not surprised by the percentage (70%) of those representing retail banks who were greatly interested in what we offered around anti-fraud (or web fraud protections). After all, during the last 2 weeks my account was successfully breached for hundreds of dollars. It is clear that adequate measures towards strengthening security against web fraud attacks may be missing from overall security strategies at some banks – mine particularly. Let’s take a look at where some gaps may exist and what can be done to improve upon security. Let’s look at protections against phishing attacks since this has been part of the conversation over the last few days. Phishing attacks are amongst the most common type of fraud threat retail banks defend against. Overall 37 million users were subject to Phishing attacks between 2012 and 2013 [1] . The sophistication of this attack type continues to grow, targeting specific individuals (spear-phishing) and creating the impression of a credible organization to enable attackers to gain access to bank accounts, credit card information, or business systems. Spear-phishing combined with vulnerability exploits are commonly used to achieve an initial point of access that attackers can use to drain accounts or ultimately further a Trojan attack. Example - In December, 2013, a man was arrested for his part in a phishing scam targeting UK college students. The scam sent emails inviting students to update their loan details on a malicious site that took large amounts of money from their accounts. Given events like this, banking anti-fraud teams continue to look for more effective ways to guard against phishing attacks and before their customers fall victim and protect users from malware and fraudulent websites that seek to steal credentials, confidential information and make unauthorized money transfers. Solutions like F5 WebSafe allows organizations to detect phishing attacks earlier and shut down phishing proxies even before convincing emails are sent to customers. Your fraud teams can quickly identify efforts to glean information and assets from your website to use in fraudulent activities, and provide alerts about website copies and uploads to proxies or servers, complimenting protections in traditional WAFs. With F5’s web fraud protection organizations can more effectively identify phishing attacks and easily drive efforts to shut down phishing servers to stop ongoing theft of sensitive information. Proxy Trojans used to modify web pages, transactions or transaction flows is considered one of the greatest threats to online banking, allowing attackers to act as the man-in-the-browser (MITB/M). The transparency of this malware allows it to effectively intercept SSL/PKI and authentication measures to covertly control communications between customers and banks. Although some trojans of this type can be detected and removed with anti-virus software, there remains a great percentage that requires other detection and protection methods to help minimize or block such threats. This includes recommended security measures such as strong authentication, combined application validation by the device and user validation by the app, latency examination for cryptographic hash functions. WebSafe is specifically designed to go beyond recommended security measures to analyze user behavior, identify infected users or devices and encrypt information at the app layer to protect against eavesdropping. With WebSafe companies gain an added layer of protection that more effectively identifies, scores and alerts of potential malware, while ensuring any information intercepted is render useless by an attacker. Certain attacks use malware to target those using mobile devices. These concerns lead to great discussion during my RSA booth duty. One example discussed was FAKEBANK, a malware spotted in the second quarter of 2013. Once installed, it uses the Google Play icon to stay low-key. During installation, it replaces parts of legitimate banking app files with malicious code, but it does not modify their icons and user interface. Once users access these apps on their mobile device, they unwittingly give out their account information. Aside from this, FAKEBANK also steals call logs and received text message. As you can see, the attack can be very successful in ultimately acting as the customer to illegally transfer money. The F5 MobileSafe SDK can help you prevent attacks like FAKEBANK by identifying jail broken devices and mobile malware. MobileSafe also provides virtual keyboard overlays and performs behavioral analysis to determine if attempts to login on mobile applications are potentially being executed by a script or BOT. MobileSafe is designed to protect against attacks that specifically target mobile device users. In closing, although security is a continuous process, it is possible to fill the security gaps and provide early detection and protection to safeguard customers and banks from data interception and fraud loss. There are a variety of solutions in addition to what I have covered that can be used. The important thing to take away is look for transparent- clientless solutions, Layer 7 application encryption, early malware attack detection and solutions that also guard against attacks targeting mobile device users. For more information on F5 Anti-Fraud solutions visit us at RSA, on the web and read the blog titled ”F5 Anti-fraud Solutions: Frictionless Protection for the Masses” Watch for my next blog on developing a more cohesive and streamlined security strategy that fills in security gaps for retail banking. [1] Kaspersky Report: The evolution of Phishing attacks http://media.kaspersky.com/pdf/Kaspersky_Lab_KSN_report_The_Evolution_of_Phishing_Attacks_2011-2013.pdfDridex Malware – New Week, New Targets
Our ongoing campaign analysis has revealed that Dridex malware’s latest campaign focus has strongly shifted in recent months from U.K. banks, which had been the main targets previously, to US banks today. Dridex and its latest trends are constantly monitored in our lab, which allowed us to take note when many new targets were recently added to the target list. Redirects to fake pages were most common with U.K. bank incidents. Now the malware mainly uses classical webinjects alongside the redirection technique. The latest campaign is marked as Botnet 301, version 196810. Figure 1: Dridex botnet information The Dridex target list was significantly expanded (129 redirect and injection directives), mainly focusing on U.S. financial institutes, form-grabbing targets on social media sites (which are also related to the United States), credit card companies, and financial investment corporations. The most noticeable observation in the current webinjects is that most of them are accompanied by activating the VNC functionality, which enables the fraudsters to remotely connect to their victim during the credentials theft. Figure 2: Dridex 301 targeted Institutions by country New form-grabbing targets Dridex also steals credentials for non-financial accounts, both over HTTP communication and HTTP over SSL (HTTPS) encrypted communication: Figure 3: Dridex 301 form grabbing of social media information There have been several targets, including: · Yahoo · Microsoft · Skype · Twitter · AOL · Facebook How Dridex initiates VNC communication VNC research conducted by malware researcher Hadas Dorfman Dridex continues using the VNC functionality in order to remotely connect to machines to facilitate the committing of fraudulent transactions. The VNC is used inside the redirection mechanism, which was described in our previous blog post, Dridex Botnet 220 campaign. The following is a snippet of a classical Dridex webinject: Figure 4: Dridex 301 classical webinject When the site's URL matches the URL regex in the webinject, Dridex will inject another “script” tag into the original response from the bank. This will cause the browser to issue a request for the JavaScript script mentioned in the “src” ("scripts/contextprov23.js"). As a result, the request for the script is generated with the domain of the targeted site. For example, if the targeted site was mybank.com, the request for the script that was generated would be "mybank.com/scripts/contextprov23.js". When the request for this script is generated within the browser, it is intercepted by the malware's network hook and is passed to the redirection mechanism, as seen in Figure 5. Figure 5: Dridex 301 redirection directive When the requested script is checked against such a redirection directive and there is a match, the request for the script is dropped and the same script request is launched to a different domain (the “URI” directive), so the script is actually fetched from the fraudster’s server. During the redirection mechanism, the VNC flag (part of the redirect directive in the malware configuration) is checked, and if it’s true, the VNC module is launched. This triggers the browser network hook to deliver a message to the Dridex worker module inside the explorer.exe process. This message signals the worker module to launch the VNC module. The module “vnc_x32” (or “vnc_x64” for 64-bit systems) is responsible for the VNC functionality. It exports: “VncStartServer” and “VncStopServer” functions to operate this activity. While the Dridex worker module inside the explorer.exe process receives the message to launch VNC, the “VncStartServer” function address is resolved and the appropriate function is called. Static code analysis of a “VncStartServer” call: Figure 6: Dridex 301 VncStartServer static view Runtime debugging view: Figure 7: Dridex 301 VncStartServer runtime view Once the VNC server is started, the fraudster is able to remotely connect and use the victim’s machine. Tested MD5: f6a9835201d5cae894863a46bbf12d69 Mitigation F5 mitigates online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms. F5 products and services complement your existing anti-fraud technologies, improving your protection against malicious activity and providing an encompassing defense mechanism. F5 enables financial organizations working online to gain control over areas that were once virtually unreachable and indefensible, and to neutralize local threats found on customers’ personal computers, without requiring the installation of software on the end user side. This approach covers the entire install base. The entire solution is delivered from the F5 BIG-IP platform and therefore doesn’t require any integration or modification of the application. Rounding out its offerings, F5 provides professional services and advanced research capabilities in the field of cybercrime including malware, Trojans, viruses, and more. To learn more about F5 fraud protection, read the WebSafe datasheet as well as the MobileSafe datasheet. To learn more about the F5 Security Operation Center, read the F5 SOC datasheet.Slave – IBAN swap, persistency and Zeus-style webinject
Slave is a financial malware written in visual basic. It was first seen around March 2015 and has undergone a significant evolution. Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be used for fraudulent activities such as credentials theft, identity theft, IBAN swapping and fraudulent fund transfers. Two weeks before the discovery of ‘Slave’, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers – a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that ‘Slave’ started out with a simple IBAN swap capability and later advanced to more advanced capabilities such as persistency and Zeus-style webinjects. If you want to deep-dive into the ‘Slave’ internals click here to read the full technical Malware Analysis Report by F5 SOC. --- Editors Note : F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.
