cyber security
13 Topics

Dyre Malware Analysis

Dyre, also known as Dyreza, is a banking Trojan that was first seen around June 2014. With the combination of its ability to steal login credentials by browser hooking and bypassing SSL, its man-in-the-middle (MITM) proxy server, and its Remote Access Trojan (RAT) capabilities, Dyre has become one of the most dangerous banking Trojans.

How it works

The Dyre Trojan is designed to steal login credentials by grabbing the whole HTTPS POST packet, which contains the login credentials sent to a server during the authentication process, and forwarding it to its own server. The malware downloads a configuration file containing a list of targeted bank URLs. Each URL is configured to be redirected to Dyre’s MITM proxy server, on a different port for each bank. This allows the attacker to perform a MITM attack by forwarding any user request to the bank and returning bogus data, including fake login pages, popup windows, and JavaScript/HTML injections. After all the information has been acquired by the attacker, he can remotely access the victim’s computer using a built-in VNC (Virtual Network Computing) module and perform transactions, data exfiltration, and more.

Malware behavior on a Win7-32bit system

Surprisingly, the malware behaves differently on Win7-32bit, most likely due to differences in security implementation. The method of registering itself as a system service is implemented on WinXP and 64-bit systems (tested on Win7-64bit). On Win7-32bit, Dyre operates more like the known Zeus malware, injecting code into the Explorer.exe process and operating from there.
Man-In-The-Middle (MITM) Attack

When a user enters his bank’s URL in the browser address bar, the Trojan is triggered and forwards the URL to the corresponding proxy server as stated in its configuration file.
· The MITM proxy server forwards requests to the bank and disguises itself as the real user.
· The response returned by the bank is intercepted by the proxy server.
· Instead of the real response, the user receives a fake login page, which is stored on the proxy server and contains scripts and resources from the real bank’s page. The scripts and resources are stored in folders named after the unique port configured for each bank.
· The information entered by the user is sent to the proxy server and then forwarded to the real bank server, allowing the attacker to log in instead of the user and perform operations on his behalf.

The fake login page

The fake page contains a script called main_new, which is responsible for handling the objects presented to the user on the fake page and performing the MITM attack. The fake page contains an array of configuration parameters in the header. Some of the more interesting ones are:
· ID. The unique identification of the bank, which is the same as the port number in the configuration file.
· Incorrect login error. On each login attempt, the proxy server forwards the request to the real bank’s server and performs the authentication. If the authentication fails, it also presents an error to the user on the fake page.
· Block message. If the MITM attack succeeds, the attacker is able to perform a transaction and block the user from accessing his account. This parameter stores the message presented to the user.

The F5 Solution

Real-time identification of affected users - F5 WebSafe and MobileSafe are able to detect that the user is affected by a Trojan and that the information the user provides to the customer is also being sent to an unauthorized drop zone.
Identification of malicious script injection – once the page is downloaded to the client’s browser, WebSafe and MobileSafe verify that there has been no change to the site’s HTML. If such a change is detected, the customer is notified immediately.
Protection against Trojan-generated money transfers - the combination of recognizing affected users, encrypting information, and recognizing malicious scripts is key to preventing Trojans from performing unauthorized actions within the account. WebSafe and MobileSafe detect the automated attempts and intercept them.
Malware research - F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat.

To get the full technical detailed Malware analysis report click here. To download the executive summary, click here.

iBanking Malware Analysis
Co-Authored with Itzik Chimino.

iBanking is malware that runs on Android mobile devices. It is delivered via a new variant of the computer banking Trojan Qadars, which deceives users into downloading the iBanking malware onto their Android device. It can be used with any malware that injects code into a web app. The malware enables cybercriminals to intercept SMS messages and bypass the two-factor authentication methods used by several banks throughout the world to authorize mobile banking operations. iBanking malware acts as a spy that can also grab contact lists, steal bank account details, forward incoming voice calls, and record the victim’s voice, which enables it to overcome the voice recognition security features that financial institutions are beginning to implement. Cybercriminals ultimately use iBanking malware to transparently complete money transfers on behalf of the infected targeted users.

How the attack works

Focusing specifically on the new variant of iBanking malware that targets Facebook users, the attack begins by infecting users’ devices with the Qadars banking Trojan via a drive-by download from an unsuspecting website. Qadars then intercepts the webpage and uses JavaScript to inject code into it (in this case, a Facebook page) that presents users with a fake verification pop-up page upon initial login. This page requests the victim’s phone number and Android device confirmation. The victim then receives an SMS message on the verified device, which directs him to a page with instructions to download added security. Once the victim installs the iBanking malware, it cannot be removed if it was given admin rights during the install process.

Remote control of the infected device

Once the malware is activated by the user on his smartphone, the attacker gains administrator permissions on the device. The attacker can now control a vast number of functions, such as:
1. Allows applications to change network connectivity state.
2. Allows an application to send/read SMS messages.
3. Allows an application to automatically start when the system boots.
4. Allows an application read-only access to phone state.
5. Allows an application to access approximate location derived from network location sources such as WiFi and cell antennas.
6. Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
7. Allows an application to open network sockets.
8. Allows an application to write to external storage, such as modifying/deleting SD card contents.
9. Allows an application to read the user's contacts data.
10. Allows an application to record audio such as phone calls and voice messages.

Click here to read the full technical iBanking Malware Analysis Report by F5 SOC. To read more about F5 Global Security Operation Centers click here.

Slave Malware Analysis
During the last couple of weeks, Nathan Jester, Elman Reyes, Julia Karpin and Pavel Asinovsky got together to investigate the new “Slave” banking Trojan. According to their research, the early version of Slave performed IBAN swapping in two steps, with a strong resemblance to the Zeus “man-in-the-browser” mechanism. First, the host header is compared to a hard-coded bank name. If the match is successful, the hard-coded HTML tag is searched for throughout the request body, and the content is swapped if it matches the IBAN pattern. Then, after the browser infection, which takes place in exactly the same manner as in the later version, the malware places hooks on the outbound traffic functions. The latest version of Slave is, of course, much more sophisticated than the first one and includes the creation of registry keys with random names, IE, Firefox and Chrome infections, kernel32.dll hooks and more. However, one of the most interesting capabilities of Slave is the timestamp check. As can be seen in the screenshot below, the malware is conditioned to run before April 2015 and not after that, so the sample is basically "valid" for two weeks only, probably to avoid research and detection.

Click here to download the full technical Malware Analysis Report. Or here for the Executive Summary Report. To learn more about F5 Security Operation Centers, visit our webpage.

-- Editor's Note: F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.

“Phishing you say, well that’s not my problem.”
Yes, I heard this at a meeting with the CISO of a well-known establishment just the other day. This was a commonly held belief just a few years ago, and many who held it are now eating crow. When do you recognize that phishing is ‘your’ problem, and could be a costly one to ignore? Efforts to help customers and employees learn how to protect themselves and not become victims of deception are important, but not nearly enough. Google did some research that showed 45% of people are still fooled by the best phishing scams, having their accounts hacked within 30 minutes. According to the report, even the least successful phishing scams, with success rates of around 3%, can be very dangerous when targeting millions with phishing emails. Protecting your brand from the results of phishing threats (i.e., costly data breaches, widespread system infiltration, and unauthorized transactions) bears a greater responsibility. It requires an ongoing effort to identify and overtake attackers, and to shut down malicious services before you suffer what could be crippling losses.

It is certain that phishing attacks have played a key role in contributing to the vast number of credentials (over 300 million), banking information and personal (or corporate) identities for sale on the underground internet. Although keylogging, form grabbing and other spyware are commonly used tactics, there is increasing use of fake phishing websites designed to look like legitimate login pages. These fraudulent websites successfully lure unsuspecting users into volunteering information. Supplemented by email or social media lures, phishing tactics have become a weapon of choice for many attackers and are also used to deploy malware packages, not only to gather valuable information but to ensure the success of larger exploits by controlling devices, evading detection, gaining access to protected, high-value information and assets, and executing a transaction or full attack on a specific application.

Verizon estimates that two-thirds of cyber espionage has a phishing component. Given what was reported about the Sony attacks, a phishing attack may have been instrumental in one of the most prominent data breaches of all time, resulting in a loss estimated to have reached 15 million dollars. The point, however, is that guarding against phishing threats (and client-side credential theft) should be an area of focus for companies, institutions and agencies alike. Attackers are monetizing credentials, seeking high-value information, and seizing the assets of businesses of all sizes and types. Don’t hold off protecting your users against threats that target them in order to breach your systems or execute fraudulent transactions.

Here are 4 best practices that can protect your customers, employees, and brand:
1. Obfuscate form fields: Slow the progress of attackers by obscuring form fields on internet-facing login pages and other forms where users input confidential information, making such fields ambiguous or unknown to attackers.
2. Encrypt information at rest in the browser: Protect information while users type within form fields, even before the information is submitted and then transmitted via SSL.
3. Protect against client-side malware: Identify at-risk devices that have been unlocked, are considered vulnerable, or which contain malware.
4. Identify phishing sites before emails go out: Be informed when your website has been copied and uploaded to spoofed host servers, and when your customers have fallen victim to related phishing lures.

Give serious thought to this and don’t wait until the price tag to resolve such matters reaches $15,000,000.00. Consider taking the above actions to improve your overall security posture and to protect against phishing threats and credential theft. You cannot expect employees or customers to always make the right choice when exploring the web. Additionally, your security strategy and its effectiveness should not be dependent upon your users, nor require their involvement. Put measures in place to provide a degree of confidence that the information behind the internet-facing apps your customers and employees use is protected against attackers that may target them to gain access. Visit https://f5.com/products/modules/websafe for more information about F5 solutions that extend application security to the client.

Tinba Malware – New, Improved, Persistent
As investigated by Pavel Asinovsky, F5 SOC Malware Researcher, Tinba, also known as “Tinybanker”, “Zusy” and “HµNT€R$”, is a banking Trojan that was first seen in the wild around May 2012. Its source code was leaked in July 2014. Cybercriminals customized the leaked code and created an even more sophisticated piece of malware that is being used to attack a large number of popular banking websites around the world.

The original Tinba malware was written in assembly language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine, so it can intercept HTTP requests and perform web injections. The new and improved version contains a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down.

The Tinba configuration file reveals browser injections for several targeted banks, mainly from Australia, but also from Germany, Spain, Finland, and Switzerland. There are multiple injection types, most likely bought in the underground from different Webinject writers. There is a generic VBV grabber, an ATSEngine CC+VBV grabber, some specially crafted injections that are adjusted to each bank, and some other miscellaneous injections such as a Bitcoin stealer. Some of the man-in-the-browser (MITB) panels and files are hosted on different servers. The ATSEngine CC+VBV grabber is also widely used by the known Zeus Trojan, and is sold as a toolkit in the underground. This is a dynamic injection that can be updated easily on the server side without sending a new configuration to each bot, and it can be configured to steal credit card and other sensitive information from the Google, Yahoo!, Windows Live, and Twitter websites.

When an infected user logs in to his banking account, a specially crafted injection may produce a popup requesting additional details, credit card information, PIN/OTP authentication, or other information that may be used for fraudulent activities such as performing transactions, stealing sensitive data, and more. It all depends on the configuration of the malware and the script it injects. Some scripts may present false information regarding the banking account, such as balance information, transaction history, out-of-service messages, and more.

Download the Tinba full technical analysis report from here. Get your Tinba executive summary here.

Neverquest Malware Analysis
Since the beginning of 2014, F5 SOC malware investigations have uncovered new methods of malware attack operations, mainly in Eastern Europe, where the Neverquest malware was detected. Neverquest, also known as Vawtrak, is a banking Trojan that has been active since around July 2013 and is being used to attack a number of popular banking websites. Similar to the known Zeus banking Trojan, after infecting a system the malware steals login credentials and sensitive information from the infected machine, gaining the ability to inject scripts into the victim’s browser and perform transactions. It also gives the attacker VNC access and a SOCKS proxy server on the victim’s computer in order to gain full control of the infected machine.

Neverquest uses social engineering to urge the victim to install a malicious application on his mobile device, which will forward the sensitive SMS messages used for second-factor authentication. Once the infected user enters the bank's login page, the MITB attack is activated and the victim is asked to enter his/her mobile phone number to download a “security certificate.” After the user enters his phone number, an SMS containing a link for downloading the malicious APK is sent to his phone. Each targeted entity has its own specially crafted APK. Here is a sample of the Android APK with the easy step-by-step installation guide.

To download the full F5 SOC Neverquest Malware Analysis Report click here. An Executive Summary of the report can be downloaded here.

IT security isn’t one size fits all
The security landscape today is highly complex, which can largely be attributed to the increasingly sophisticated nature of cyber attacks, particularly from an execution perspective. For example, DDoS attacks are now reaching speeds of up to 400Gbps, targeting both the network and application layers. Evidently, attackers are progressing towards other methods to bypass traditional security defenses, including the firewall. In this particular scenario, the challenge for organisations facing application-layer DDoS attacks is to differentiate human traffic from bot traffic.

In addition, the motivation behind attacks is becoming more complex, especially from a political and economic standpoint. The NSA leaks by Edward Snowden, which revealed classified information from governments including the US, UK, Australia, Canada, and New Zealand, are a recent example of a high-profile hacking incident that certainly reminds us of this fact. Moreover, one of the biggest threats to IT security is now organised cyber theft and fraud, as the smartest criminals in the world are increasingly realising the substantial financial gains that can be made via online crime. Hence, the need for an enterprise to ensure it is adequately protected against cyber attacks is becoming increasingly critical.

An effective security strategy will cover all devices, applications and networks accessed by employees, beyond the enterprise infrastructure itself. Traditional security methods such as next generation firewalls and reactive security measures are losing the fight to remain effective against the new breed of attacks. Security is now very much about the protection of the application, enforcement of encryption and the protection of the user's identity, and less about the supporting network infrastructure. This is because the network has become far less static in recent times and has truly proven to be nothing more than a commodity transport vehicle for the complex applications that run on top of it.

What organisations need is a security strategy that is flexible and comprehensive, with the ability to combine DNS security and DDoS protection, network firewall, access management, and application security with intelligent traffic management. Developments in the market, which have seen the integration of Web Application Firewalls (WAFs) with Application Delivery Controller (ADC) platforms, as recognised by a recent study by Frost & Sullivan (the Frost Industry Quotient), have driven F5 to create a new vision / architecture called F5 Synthesis for the application delivery market. This vision offers a high performance network fabric to protect the fundamental elements of an application (network, DNS, SSL, HTTP) against sophisticated DDoS attacks. F5 Synthesis, through the use of tested reference architectures, ensures that applications are kept secure and available as customers make the journey toward software defined data centres (SDDS). Moreover, F5’s DDoS protection solution delivers the most comprehensive attack protection available on the market to date. While the average DDoS attack reaches 2.64 Gbps, upgrades to F5’s BIG-IP platform allow servers to handle attacks as large as 470 Gbps. Not only is there enough bandwidth to mitigate a DDoS attack, the extra capacity allows online companies to continue normal business, even while under attack.

Security won’t be one size fits all during 2014. End users will expect high performance; however, organisations must ensure they deploy security solutions that don’t become a bottleneck. This year, we can expect to see a rise in multi-dimensional or 'cocktail' style attacks: DDoS attacks combined with application layer attacks and SQL vulnerabilities. As such, the traditional firewall is no longer a viable security defense, and organisations need to have a multi-stack security approach, combined with a process to handle internal control. With attacks from multiple angles on different devices, single-purpose security machines will be phased out in favour of sophisticated multi-purpose machines.

IT security cannot be “one size fits all”
This is adapted from the original post by Matt Miller.

The security landscape today tends to be highly complex, which can largely be attributed to the increasingly sophisticated nature of cyber attacks, particularly from an administrator's point of view. For example, distributed denial of service (DDoS) attacks now reach speeds of 400Gbps, targeting both the network and application layers. Clearly, attackers keep evolving and developing other methods to bypass traditional security defences such as firewalls. For enterprises facing the threat of application-layer DDoS attacks, the challenge to overcome is how to distinguish human traffic from bot traffic.

Moreover, the motivations behind attacks are becoming more complex, especially from political and economic perspectives. For example, the NSA leak case, in which former employee Edward Snowden disclosed classified information from governments including the US, UK, Australia, Canada and New Zealand, is an event that really reminds us to take hacking activity seriously. In addition, one of the biggest threats to IT security today is organised cyber theft and fraud, as smart criminals increasingly understand the substantial financial gains that can be made through online crime.

Therefore, ensuring adequate protection against cyber attacks has become a critical issue for enterprises. An effective security strategy must cover all devices, applications and networks accessed by employees, extending beyond the enterprise's own infrastructure. Traditional security methods such as next-generation firewalls and reactive security measures can no longer effectively counter new types of attacks. Security today places great emphasis on protecting applications and on the encryption and protection of user identity, and less on the underlying network infrastructure. This is because the network infrastructure has evolved to be less static and has proven to be merely a vehicle for running complex applications.

What enterprises need is a flexible and comprehensive security strategy that can combine DNS security, DDoS protection, network firewall, access management and application security with intelligent traffic management. A Frost & Sullivan report (Frost Industry Quotient) points to a market trend toward integrating Web Application Firewall (WAF) and Application Delivery Controller (ADC) platforms, which prompted F5 to develop a new vision for the application delivery market called F5 Synthesis. This vision provides a high performance network fabric that protects the fundamental elements of an application (network, DNS, SSL, HTTP) against sophisticated DDoS threats. Through tested reference architectures, F5 Synthesis ensures application security and availability as customers move toward software defined data centres (SDDS). Moreover, F5's DDoS protection solution offers the most comprehensive attack protection on the market today. The average DDoS attack reaches 2.64 Gbps, and after upgrading to F5's BIG-IP platform, servers can handle attacks of up to 470 Gbps. This not only provides ample bandwidth to mitigate DDoS attacks, but the extra capacity lets online companies maintain normal business operations, even while under attack.

Security is no longer a "one size fits all" solution. End users expect high-performance services, and enterprises must ensure the security solutions they deploy do not become a bottleneck. We can expect to see multi-dimensional or "cocktail" style attacks, that is, DDoS attacks combined with application-layer attacks and SQL vulnerabilities. Therefore, the traditional firewall is no longer an effective security defence; enterprises need to adopt a multi-stack security approach combined with internal control processes. Facing attack threats from different devices and multiple angles, single-purpose security appliances will be replaced by highly capable multi-purpose appliances.

Slave – IBAN swap, persistency and Zeus-style webinject
Slave is a financial malware written in Visual Basic. It was first seen around March 2015 and has undergone a significant evolution. Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities, such as credential theft, identity theft, IBAN swapping and fraudulent fund transfers. Two weeks before the discovery of ‘Slave’, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers, a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that ‘Slave’ started out with a simple IBAN swap capability and later progressed to more advanced capabilities such as persistency and Zeus-style webinjects. If you want to deep-dive into the ‘Slave’ internals, click here to read the full technical Malware Analysis Report by F5 SOC.

--- Editor's Note: F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.

Saudi Cybersecurity Threat Landscape “More Intense and Complex Than Ever”
Leading Saudi IT decision-makers agree that cybersecurity threats are growing in intensity and scale across the Kingdom. The situation is putting businesses at risk of hits to both reputation and bottom line. A new survey commissioned by F5 Networks found that nearly seven in ten of surveyed businesses (68%) regarded cybercrime as a “severe” threat. 75% of respondents said that their business’ sales and marketing efforts would suffer most from an attack. Worryingly, only 15% are confident their organisation has consistent IT security measures across its entire IT network. 84% claimed that it has become harder in the past three years to maintain a consistent security posture. This is partly due to the rise of cloud, off-premise IT and trends such as Bring Your Own Device (BYOD). 58% of respondents described the degree to which fear of cybersecurity threats had increased in the past two years as “tremendous” or “very strong”, whereas 66% reported that it is more difficult than ever to protect their organisation against cybersecurity threats. Common cybersecurity threats include distributed denial of service (DDoS) attacks, phishing/spear-phishing emails, data theft, “zero-day” software assaults, web application exploits, and website defacement.

“Traditional security methods such as next generation firewalls and other reactive measures are losing the fight against a new breed of attacks,” said Mamduh Allam, Saudi Arabia Country Manager, F5 Networks. “Security is now very much about the protection of the application, enforcement of encryption, the protection of user identity, and less about the supporting network infrastructure. Organisations need a security strategy that is flexible and comprehensive, with the ability to combine Domain Name System (DNS) security, DDoS protection, network firewalls, access management, and application security with intelligent traffic management.”

The Kingdom’s burgeoning cyber security market size is indicative of the new cybersecurity threat landscape. According to MicroMarket Monitor, the market is expected to grow from US$1.51 billion in 2013 to US$3.48 billion in 2019 at a CAGR of 14.50% for the period 2013 to 2019. For the wider region, MarketsandMarkets suggests that the Middle East cybersecurity market is on course to grow from US$5.17 billion in 2014 to US$9.56 billion in 2019 at a CAGR of 13.07%. In its 2014 Global Economic Crime Survey, PricewaterhouseCoopers identified cybercrime as the second most common form of economic crime reported in the Middle East.

The top cybersecurity challenges listed in F5 Networks’ survey include the complexity of managing a variety of security tools (50%), the shift from data-centre focused infrastructure to the cloud (48%), desktop and server virtualisation (42%), BYOD (40%), the growing desirability and flexibility of web-based applications (33%) and the increasing complexity of threats (32%). As a result, 61% called for greater consolidation of security tool management. 61% also wanted to see a stronger focus on security from management. When asked about desired coping solutions, the decision-makers’ wish-lists included improved tracking and tougher actions on cybercriminals by authorities (54%), better understanding of the wide variety of live security threats (43%) and more context-awareness for devices accessing networks (28%).

“With multi-dimensional or 'cocktail' style attacks - DDoS attacks combined with application layer attacks and Structured Query Language (SQL) vulnerabilities – organisations really need to look at a multi-stack security approach, combined with a process to handle internal control,” said Allam.