(Source: wikipedia.org/wiki/Trojan horse)A Trojan horse, or Trojan, is a stand alone malicious program which may give full control of infected PC to another PC. It may also perform typical computer virus activities. Trojan horses may make copies of themselves, steal information, or harm their host computer systems. The term is derived from the Trojan Horse story in Greek mythology because Trojan horses employ a form of “social engineering,” presenting themselves as harmless, useful gifts, in order to persuade victims to install them on their computers (just as the Trojans were tricked into taking the Trojan Horse inside their gates.)
A Trojan may give a hacker remote access to a targeted computer system. Once a Trojan has been installed on a targeted computer system, hackers may be given remote access to the computer allowing them to perform all kinds of operations. Operations that could be performed by a hacker on a targeted computer system may include:
- Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of service attacks.
- Electronic Money theft.
- Data theft (e.g. retrieving passwords or credit card information)
- Installation of software, including third-party malware
- Downloading or Uploading of files on the user's computer
- Modification or deletion of files
- Keystroke logging
- Watching the users screen
- Crashing the computers
- Anonymizing internet viewing
- etc.
 |
| Dmitry Bestuzhev |
Article by: Dmitry Bestuzhev, Senior Researcher, Analysis & Global Research, Kaspersky, 1997-2012.
(Source:securelist.com)
“Brazil: a country rich in banking Trojans”
Anyone who has ever analyzed malware designed to steal data from online banking customers will agree that Brazil is one of the biggest sources of so-called banking Trojans. But why exactly is Brazil a world leader in producing this type of malicious program? Who is responsible and what drives them? Having analyzed the malicious code originating from Brazil, we are ready to share our conclusions.
Why Brazil?
Brazil is the biggest country in Latin America with a population of approximately 200 million people. Nearly one third of the population – about 70 million – are Internet users and their number is constantly growing.
Brazil's highly stratified social structure often means that those on a low income are drawn into illegal activity, including writing malicious programs designed to steal data belonging to bank customers. The fact that online banking systems are widely used in Brazil makes this type of criminal activity all the more attractive. Additionally, the country does not have legislation which effectively combats cyber crime.
Between them, Brazil’s biggest banks have millions of online banking customers. For instance, Banco do Brasil has 7.9 million online customers, Bradesco has 6.9 million, Itaú has 4.2 million and Caixa has 3.69 million. These numbers are high enough to motivate the criminals: even if the percentage of successful attacks is small, the profits can still be impressive.
Targets
Unfortunately, lots of customers at different banks fall victim to this type of cybercrime.
Percentage of malicious programs designed to steal customer data from different banks
The pie chart shows that the majority of malicious programs that steal money from bank accounts target customers of Bradesco, Caixa, Banco do Brasil and Itaú. This is hardly surprising considering they are Brazil’s largest banks and provide services to millions of people.
As well as customer numbers, cyber criminals are interested in the security measures that the banks employ. So, what do the banks do to secure the transactions made by their customers?
Many banks suggest that their online banking customers install a special plug-in – G-Buster – on their computers before they access the online banking system. The G-Buster plug-in is designed to prevent any malicious code from running during the authorization or transaction process. This mechanism is the only security measure used by Caixa and Banco do Brasil to protect their customers. Unfortunately, as we shall see later, the presence of the G-Buster plug-in on a computer does not guarantee secure online banking.
Other banks, e.g. Itaú, provide their customers with other security tools in addition to the plug-in, such as tokens or security cards.
Security card issued by Itaú
Bradesco bank offers its customers yet another method of protection that entails a pair of unique digital keys (certificates) being generated for each customer. One of the keys is stored on the customer’s computer while it is recommended that the second be stored on a removable storage device. When a user tries to connect to the bank’s site, the system requires the path to the second certificate. In order to gain access, the customer has to insert the removable storage device (e.g. a flash drive) with the second certificate into the computer.
In theory, these mechanisms ought to be sufficient to protect users. As we shall see in practice, however, they are not very effective. Either they fail to fully protect online banking customers or the cost puts people off. For example, if a bank customer wants to use a token, he first has to buy it. This deters lots of customers from using tokens, leaving them vulnerable to attack by cyber criminals.
Which cyber criminal methods are used to cause the most effective mass infection of users’ computers?
Infected sites
Malicious programs more often than not spread via websites. In order to spread their malicious programs, criminals either compromise legitimate sites located on domains around the world, or use temporary or free hosting. Interestingly, the domains of the Russian company RBC Media – nm.ru and pochta.ru – are often used as free hosting for spreading malicious programs.
In some cases when cybercriminals plan a particularly serious project they need a long-term resource. For this particular purpose they use “bulletproof” hosting, with the use of technology that identifies the IP addresses of potential victims. Knowing the IP address of a user that has ended up on an infected web page enables criminals to perform targeted attacks and hide malicious programs from antivirus companies. IT security specialists and those not residing in Latin America have no access to the binary malicious code. In most cases they will be offered photos of Brazilian girls.
How then do online banking customers end up on the infected pages? They are lured to these sites with the help of spam messages that make use of classic social engineering tactics. Sometimes these messages imitate emails sent by the bank, or offer snippets of news and gossip about the country’s celebrities. Of course, adult content spam is also used. The links in these spam messages lead users to infected sites.
Attacks – Brazilian style
Brazilian banking Trojans are never spread as separate files. The infection process always involves the installation of a whole range of additional malicious programs on a victim’s computer.
Cyber criminals do not focus solely on banking information; they conduct complex attacks. The classic infection scheme looks like this:
Classic scheme used to infect computers of online banking customers
Initially, there is one Trojan on the server whose task it is to download and install all the other malicious programs on a user’s computer:
- a program that steals account data to social networking sites;
- a program that combats antivirus solutions;
- one or two programs that monitor activity when users connect to banking sites, intercept session data, and send harvested data such as passwords and user names to the cyber criminals.
Social networking sites
Social networking sites have become an important source of almost any type of data about a user. A person’s full name, date of birth, address, social status, etc., can be used by criminals, for example, to make an “official” enquiry to a bank’s call center about a user’s PIN code.
The most popular social networking site in Brazil is Orkut. It has nearly 23 million users worldwide, 54% of which are Brazilians. The users of this social networking site are most often attacked by Brazilian cyber criminals.
Fragment of code designed to steal passwords from Orkut users
As a rule, personal data and passwords to social networking sites are sent to the cyber criminals’ email account.
Combating antivirus solutions
How do cyber criminals combat antivirus solutions installed on computers and the G-Buster plug-in?
This plug-in is supposed to ensure that transactions made by the customers of a number of banks are secure. In order to prevent G-Buster from being removed by a malicious program, its manufacturers used rootkit technology to deploy G-Buster deep into the system. However, cyber criminals make use of perfectly legitimate programs that are designed to counteract rootkits.
The most popular anti-rootkit program is Avenger. When infecting a computer a Trojan downloader loads this utility in the system along with a list of files that need to be removed (instructions). All a cybercriminal needs to do to effectively remove the plug-in is to launch the utility and reboot the system.
Example of the instructions used to remove the G-Buster plug-in using the legitimate Avenger anti-rootkit utility
The utility’s only parameter is the path to the files that need be removed. The screenshot above shows a case where the G-Buster plug-in can only be removed from a system installed in the Portuguese or English.
After the system is rebooted, the original plug-in is removed completely and in some cases another plug-in containing malicious code is installed. The new plug-in enables a user to access their bank account, but also steals account data and forwards it to the cyber criminals.
Exactly the same approach is used to remove antivirus programs from a user’s system.
Data theft
After an online transaction is performed by a user, the banking Trojan downloaded on the computer captures data that makes it possible to access the victim’s account. The account details are then forwarded to the cyber criminals’ email address, or to an FTP server or remote database server.
Fragment of code responsible for forwarding stolen data to a remote database server
Extract from a database (user accounts stolen by cybercriminals)
Extract from Bradesco Bank’s database (customer data stolen by cyber criminals)
The screenshots above are of real databases and contain customer data such as user names, passwords, security certificates, etc.
Activity by cyber criminals is not limited to stealing bank accounts details and data for accessing social networking sites, however. They regularly attempt to obtain the MAC address of a user’s network card, the IP address, computer name and other information that can be used to connect to a bank. They do this to cover their tracks and implicate the victim as much as possible – if the bank initiates an investigation, the logs will make everything look as if it was the client who withdrew money or transferred it to another account.
Cyber criminals are also interested in any email addresses used on an infected computer and the passwords used to access them. Often, these addresses and passwords are used by users to access their accounts on social networking sites. And, as I have already mentioned, this presents some attractive opportunities to commit more crimes. In addition, these addresses may be registered in a bank’s database as the official customer contact address, making them trusted addresses. Just imagine what cyber criminals can do when they have access to these addresses!
In order to steal email passwords, cyber criminals also use legitimate programs that can restore forgotten passwords. Such programs are capable of reading passwords stored in the most popular mail clients such as Microsoft Outlook, Microsoft Outlook Express, etc.
Stolen email addresses and passwords are sent to remote web servers.
Fragment of code which shows how stolen addresses are sent to a remote web server
Data stolen by cybercriminals is stored on a web sever
Profile of a cyber criminal
Once cyber criminals have stolen personal data and gained access to a customer's bank account, they generally employ money mules; the first transaction will be made from the victim's account to a money mule account. The mules in their turn transfer the money to a third account in return for a commission. However, if only a small sum has been stolen, the money will generally be directly transmitted to the cyber criminals' account.
In order to understand who is behind these crimes, the following facts need to be analyzed:
- nearly all samples of banking Trojans are written in Delphi;
- some samples are infected with the viruses Virut or Induc;
- in some cases, cyber criminals compromise legal web pages to distribute malicious programs.
Analysis showed that Delphi is not included in the curriculum of Brazilian universities. This programming language can only be learn at special programming courses or at a vocational college. This suggests that the cyber criminals are not necessarily people with a higher education and that they may be fairly young.
The fact that samples are infected with viruses such as Virut suggests that the cyber criminals’ computers are also infected. Very often the sources of these infections are sites containing cracks for software, sites with serial numbers for programs, porn sites and P2P networks. Most probably these kinds of sites and programs are popular with cyber criminals. In Brazil, these sites are mostly visited by young people, which would lend evidence to the claim that the cyber criminals are young – though piracy could be committed by people of various ages.
The fact that cyber criminals often compromise legitimate websites points to teamwork. Every team member has his own specialization – hacking, writing malicious code, etc.
So, our assumption is that the cyberattacks on customers of Brazilian banks are organized by groups of cybercriminals who are generally young and come from poor families. Their desire to make a quick profit shapes their lives, which consists of writing malicious code, infecting users, stealing money, spending it and then repeating the whole process over again. They find themselves in a vicious circle that is very difficult to break out of.
Hint of Russia
Typical Brazilian banking Trojans have a number of characteristics – huge file size, Portuguese strings in the code, etc. From time to time, however, there are some samples that stand out.
At first glance, these banking Trojans don’t seem to differ from the classic examples – the same banks are attacked, the names of the files may coincide with the names used by Brazilian cyber criminals. However, a closer look reveals some clear distinctions:
- the size of the file is optimized;
- the language of the operating system used for compilation is not Portuguese;
- stolen data is transferred via secure channels.
So who is behind these banking Trojans? Brazilian cyber criminals who have just graduated from university? It’s very unlikely.
First of all, when removing a bank’s security plug-in these cyber criminals use an anti-rootkit called Partizan instead of the classic Avenger. The former is part of the Russian edition of the UnHackMe program.
Secondly, there is absolutely no Portuguese in the code.
And finally, after analyzing the secure data transfer channel, we discovered some interesting registration information:
Registration data of a connection used to transfer stolen bank details
Who is organizing these attacks? On the face of it, they are Brazilian malware writers. And if a criminal investigation is launched, the criminals will be sought in Brazil. But, when you consider the registration data and some other details (e.g. the programming language, file size and the strings in the code), it turns out that Russian cyber criminals are stealing money from Brazilian banks.
Conclusion
Brazil’s law enforcement agencies are working hard to track down the cyber criminals. Why, then, does the number of malicious programs continue to grow every day?
The problem of cyber crime is exacerbated by the fact that banks wish to avoid public investigation of such thefts. In order to protect their reputation, banks prefer to compensate customers for losses incurred by infection with malicious code, and simply recommend that the affected customer reconfigures his computer by reinstalling the operating system.
In addition, the cyber crime departments in different Brazilian states experience difficulty in exchanging data with each other. However, this problem is not exclusive to Brazil and affects many other countries.
Additionally, online banking customers' limited awareness of IT security issues can cause them to fall into the hands of cyber criminals.
There is no reason to expect the Internet will become safer while these problems (a low level of IT security awareness, the banks’ policies, social conditions, and a lack of effective legislative tools) continue to exist. Perhaps Brazilian banks should invest more heavily in security solutions which will offer their customers reliable protection, including distributing tokens or other security devices free of charge. This would reduce the likelihood of cyber theft, and correspondingly reduce overall losses.
It is obvious that IT security companies, law enforcement agencies and governmental bodies around the world need to work on interacting more effectively with each other. Until this happens, there can be no significant reduction in the amount of cyber crime.
No comments:
Post a Comment