Tag Archives: financial Trojans

Financial Trojans’ Persistent Attacks on the Japanese Internet Community

bankeiya_concept.png
In the recent years, the Japanese internet community has faced difficult times trying to combat financial Trojans such as SpyEye (Trojan.Spyeye) and Zeus (Trojan.Zbot). The number of victims affected and the amount of funds withdrawn from bank accounts due to the compromise are increasing at an alarming rate. Just to give you an idea, according to the Japanese National Police Agency, the number of reported illegal Internet banking withdrawals jumped from 64 incidents in 2012 to 1,315 incidents in 2013. The loss in savings amounted to approximately 1.4 billion yen (US$ 14 million) in 2013, up from 48 million yen (US$ 480,000) in 2012.

More recently, the nation has also discovered that multiple malware families dedicated to stealing banking details from Japanese users are being developed. Recently, we have seen the development of  Infostealer.Ayufos, Infostealer.Torpplar, as well as Infostealer.Bankeiya. Today, we are going to take a closer look at Infostealer.Bankeiya.

We became interested in this Trojan when we observed a widespread attack exploiting the Internet Explorer Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) in February, which we published a blog on. At the time, there was no patch available for the vulnerability which left users of Internet Explorer 9 and 10 insecure. The  Infostealer.Bankeiya developer decided to take advantage of the situation and compromised various legitimate websites in order to perform drive-by-download attacks. Even after the patch was released on March 11, the aggressive attacks have continued. These legitimate sites include commonly visited websites such as a Japanese tour provider, TV channel site, and a lottery site as well as a handful of small sites including online shops, community websites, and personal websites, among others.

After further investigating the malware we noticed that this was not a new family of malware. The very first variant was actually discovered in October 2013 and a large number of variants have been observed since. The sole purpose of Infostealer.Bankeiya is to steal banking details from  compromised computers. Besides using the Internet Explorer vulnerability, we have also confirmed that Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463) is being exploited to infect systems with Infostealer.Bankeiya as well. Other vulnerabilities could also be exploited.

A typical Infostealer.Bankeiya attack works like this:

  1. The attacker compromises a legitimate website to host exploit codeon the site in order to infect visitors’ computers.
  2. If someone with a computer vulnerable to the exploit visits the site, the system becomes infected with Infostealer.Bankeiya.
  3. The malware uploads details about the compromised computer including the IP address, Mac address, OS version, and the name of security software installed.
  4. The malware downloads encrypted configuration data which specifies the location of its updated version from either:
    1. A profile on a blog page solely created to host the encrypted data.
    2. A specified URL on a compromised website.
  5. If an update is found, the malware will download the new version and replace itself with it. This version may contain information about the location of its new command-and-control (C&C) server.
  6. If a victim logs onto  the targeted bank’s online site, the malware will display a fake pop-up window in order trick the victim into entering banking details.
  7. The banking details entered by the victim will be sent to the C&C server and stored for the attacker to retrieve.

figure1_19.png
Figure 1. Login page for Infostealer.Bankeiya command-and-control server

Symantec sinkholed known C& C servers to prevent the malware on the compromised computers from transmitting any further data to the attacker. We also monitored the servers by logging the accesses made by the victims’ computers in order to estimate how successful the attacks had been. We did this for a week in mid-March and the results indicate that up to 20,000 computers could have been compromised. A majority of accesses were coming from Japanese IP addresses. This is not surprising, but the sheer volume is a bit alarming. Please note that the following figure is based on the number of devices on the Internet accessing the servers and some devices were removed because they were non-infected systems.

figure2_18.png
Figure 2. Devices accessing the command-and-control servers

According to the sinkhole data, the second largest number of hits came from Hong Kong. This is also in line with the figure we provided in our previous blog about computers targeted with the CVE-2014-0322 exploit code. There is a reason for this. During our investigation we also noticed a connection with another type of attack that uses files to mine for bitcoins. One particular attack targeted users visiting a compromised forum site in Hong Kong. In this case, the CVE-2014-0322 exploit code was used to download and execute bitcoin miner software called jhProtominer on the victim’s computer in order to abuse the computer’s hardware to mine for the virtual coin. The attacker appears to be motivated enough to target different audiences across borders and is looking for any type of opportunity to make a profit.

Many malware infections occur as a result of visiting legitimate sites that have been compromised. It is vital that all software products are frequently updated so that the most recent patches are applied. In some cases, a patch will not be available, as was the case for one of the vulnerabilities used by Infostealer.Bankeiya. Security software can be used to strengthen the computer’s security status in such cases. So we urge you to install security software and keep it up-to-date. By following these recommendations, most infections can be prevented.

Tiylon: ???????

      No Comments on Tiylon: ???????

史上最悪の銀行強盗は、2005 年にブラジルで起きたものです。この事件で、銀行強盗団は鋼鉄と強化コンクリートでできた厚さ 1.1m もの壁に穴を開け、紙幣が保管されている 3.5 トンものコンテナを運び出しました。このとき、約 1 億 6,000 万ブラジルドル(3 億 8,000 万米ドル相当)が盗み出されています。

一方、最近の強盗は壁に穴を開けたりせずに金銭を盗み出します。自宅でコンピュータの前でくつろぎながら銀行を襲えるのです。サイバー犯罪によって、企業は百万ドル単位の財政的な損害を被っています。シマンテックのホワイトペーパー「State of Financial Trojans 2013(金融機関を狙うトロイの木馬の 2013 年における概況)」(英語)でも、オンラインバンキングを狙うトロイの木馬の急増が指摘されています。ZeusSpyeye などの一般的なマルウェアを別にすると、サイバー犯罪者がオンラインバンキングを狙って最近よく使っているのは、Tiylon というマルウェアです。このトロイの木馬は、MITB(Man-in-the-Browser)攻撃を使って、オンラインバンキングサイトでユーザー認証とトランザクション承認を傍受します。

標的型攻撃による最初の感染
Tiylon は、スパム対策フィルタをすり抜けるために、短い電子メールの添付ファイルとして送られてくるのが普通です。オンラインバンキングを狙うトロイの木馬(Zeus など)を使う大部分のスパム攻撃と異なり、Tiylon の電子メールは標的型攻撃の一部となっています。シマンテックの遠隔測定によると、この攻撃では世界のいくつかの地域でオンラインバンキングユーザーが狙われていますが、特に英国、米国、イタリア、オーストラリア、日本に攻撃が集中しています(図 2)。

Fig1_8.png

図 1. 悪質なファイルが添付されている Tiylon の電子メール

この脅威は、ダウンローダ、メインコンポーネントファイル、設定ファイルという 3 種類のファイルで構成されています。

ダウンローダファイル
ダウンローダはロードポイントとして機能し、メインコンポーネントファイルをインストールする機能を持ちます。ダウンローダが実行されると、コンピュータのシリアル番号からシステム情報が構成され、攻撃者が用意したコマンド & コントロール(C&C)サーバーへの接続が確立されます。接続が確立すると、以下のレジストリキーが作成されます。

  • Windows XP の場合:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\“WwYNcov” = “%System%\WwYNcov.exe”
  • Windows 7 の場合:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{905CC2F7-082A-4D1D-B76B-92A2FC7341F6}\“Path” = “\\xxUxqdT”

ダウンローダは次に、explorer.exe と svchost.exe にコードをインジェクトし、悪質な活動を開始します。

メインコンポーネントファイル
メインコンポーネントファイルは、Tiylon のダウンローダファイルによってダウンロードされ、復号されます。このコンポーネントは、C&C サーバーから設定ファイルを収集して、攻撃のパラメータを指定します。また、レジストリ設定を操作してコンピュータとブラウザのセキュリティを低下させる機能も備えています。また、これはユーザーと金融機関の Web サイトとの通信を傍受するコンポーネントでもあります。

主として以下のような機能を持っています。

  • Web インジェクション攻撃を実行する
  • キーストロークを記録する
  • スクリーンショットを取得する
  • FTP サーバーと RDP サーバーを起動する
  • リモートデスクトッププロトコル(RDP)を開始する
  • 証明書を読み取る
  • ファイルをダウンロードして実行する
  • サービスを作成する
  • オペレーティングシステムの API をフックしてネットワークデータを盗み出す
  • 他のプロセスにコードをインジェクトする
  • ログオフして再起動するか、侵入先のコンピュータをシャットダウンする
  • Web ブラウザに対してプロセスインジェクションを実行する

Tiylon は、インストールされているアプリケーションとディレクトリを調べて検出をすり抜けようと試みます。また、コンピュータが仮想マシンかどうかを判定するために、プロセスリストも確認します。C&C サーバーは、悪質な活動を検出できる環境を見つけると、そのコンピュータの IP アドレスを使用禁止扱いとして、他のユーザーへの感染を試みます。検出をすり抜ける確率を高くするために、シマンテック製以外のウイルス対策ソフトウェアに対して強制的に例外を設定する場合もあります。マルウェアのコード自体が不明瞭化されており、複数のパッケージングサイクルがあることからも、解析が困難になっています。

攻撃の発生期間
Tiylon の攻撃が起きたのは、2012 年 1 月 1 日から 2013 年 10 月 1 日の間です。

Table1_0.png

表 1. Tiylon による攻撃の国別の件数

Fig2_0.gif

図 2. Tiylon による攻撃の件数を国別に示したアニメーション

シマンテック製品をお使いのお客様は、以下のウイルス対策定義と IPS 検出定義で Tiylon の攻撃から保護されています。

ウイルス対策:

IPS:

脅威から保護するために、最新のソフトウェアパッチと検出定義を適用することをお勧めします。今回の Tiylon の場合は特に、お使いの電子メールクライアントに対応したスパム対策ソリューションをインストールし、疑わしい添付ファイルは開かないようにしてください。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Tiylon: A Modern Bank Robber

      No Comments on Tiylon: A Modern Bank Robber

The biggest bank robbery of all time was identified in Brazil in 2005. In this case, a gang broke into a bank by tunneling through 1.1 meters of steel and reinforced concrete and then removed 3.5 tons of containers holding bank notes. This heist resulted in the loss of about 160 million Brazilian dollars (US$380 million).

Robbers today, however, don’t have to bother with drilling through walls to steal money. They can rob a bank while sitting comfortably at home behind a computer. Thanks to cybercrime, organizations have suffered financial losses in the order of millions. The Symantec State of Financial Trojans 2013 whitepaper shows that banking Trojans are becoming more prevalent. Apart from other more common malware such as Zeus and Spyeye, one of the most popular financial malware that cybercriminals currently use is a threat called Tiylon. This Trojan uses a man-in-the-browser (MITB) attack to intercept user authentications and transaction authorizations on online banking sites.

Initial infection by targeted attack
Tiylon typically arrives as an attachment in the form of a short email to attempt to evade antispam filters. Unlike most spam campaigns associated with financial Trojans (like Zeus), Tiylon emails are part of a targeted attack. Symantec telemetry shows the attack targets online banking users  in several different regions around the world, with a particular focus on the UK, US, Italy, Australia, and Japan (Figure 2).

Fig1_8.png

Figure 1. Tiylon email with a malicious attachment.

The threat consists of three different files: a downloader, a main component file, and a configuration file.

Downloader file
The downloader acts as a load point and is responsible for the installation of the main component file. When the downloader executes, it constructs system information derived by the computer’s serial number and establishes a connection to the attacker’s command-and-control (C&C) server. When the connection is established, a registry key is created.

  • Windows XP:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\“WwYNcov” = “%System%\WwYNcov.exe”
  • Windows 7:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{905CC2F7-082A-4D1D-B76B-92A2FC7341F6}\“Path” = “\\xxUxqdT”

The downloader then injects code into explorer.exe and svchost.exe to initiate malicious activity.

Main component file
The main component file is downloaded and decrypted by the Tiylon downloader file. This component collects a configuration file from the C&C server to specify the parameters of the attack. The component also manipulates registry settings to reduce the security of the computer and browser. This is also the component that intercepts communications between the user and financial institution websites.

Core functionalities include the following:

  • Performs Web injection attacks
  • Logs key strokes
  • Captures screenshots
  • Starts FTP and RDP servers
  • Starts Remote Desktop Protocol (RDP)
  • Reads certificates
  • Downloads and executes files
  • Create services
  • Hook operating system APIs in order to steal network data
  • Inject code into other processes
  • Log off, restart, or shut down the compromised computer
  • Perform process injections into Web browsers

Tiylon attempts to evade detection by inspecting directories and installed applications. It also tries to find out if the computer is a virtual machine by checking the process list. If the C&C server finds any environment that could detect malicious activities, it may ban the computer’s IP address and then try to infect other users. It may also force some non Symantec antivirus software to set exclusions, helping the threat avoid detection. The malware code itself is obfuscated and has several packing cycles, which complicates analysis.

Timeline of attacks
The Tiylon attacks occured between January 1, 2012, and October 1, 2013.

Table1_0.png

Table 1. Tiylon attack numbers by country

Fig2_0.gif

Figure 2. Animation showing Tiylon attack numbers by country

Symantec protects customers against Tiylon with the following anitvirus and IPS detections:

AV:

IPS:

Symantec recommends users to have the most up-to-date software patches and definitions in place to protect against threats. In this particular case, we suggest installing an antispam solution for your email client and refrain from opening suspicious attachments.

?????????????? 2013 ???????

      No Comments on ?????????????? 2013 ???????

「そこにカネがあるからさ」という有名な台詞は、銀行強盗ウィリー・サットン(Willie Sutton)が「なぜ銀行を襲うのか」と問われて答えたものだと言われています。真偽のほどは別としても、この台詞は今でも有効です。

同じ状況が、金融機関を狙う今日のマルウェアにも当てはまります。お金の移動する場所がオンラインバンキングのアプリケーションに変わったので、攻撃者もそれに引き付けられています。オンラインバンキングのサービスを標的にするトロイの木馬が開発され続けているのは、驚くほどのことではありません。最近のブログでお伝えした例は Neverquest というトロイの木馬ですが、これは 2006 年に初めて確認されて以来使われ続けている Trojan.Snifula の後継種でした。

金融機関を狙う最も一般的なトロイの木馬による感染の件数は、2013 年の 1 月から 9 月までの間に 337% という増加を示しています。1 カ月あたり 50 万台近くのコンピュータが感染して詐欺行為を受けやすくなっているという計算になります。金融機関を狙うトロイの木馬の背景にある仕組みと、その運用の規模を詳しく理解するために、シマンテックはオンラインバンキングを狙うトロイの木馬 8 種類に属している 1,000 以上の設定ファイルを解析しました。これらの設定ファイルには、トロイの木馬が攻撃する URL と、そのとき利用する攻撃方法が定義されています。攻撃方法は、単なるユーザーのリダイレクトから、バックグラウンドでトランザクションを自動実行できる複雑な Web インジェクションまでさまざまです。解析した設定ファイルは、合計で 1,486 の金融機関を標的にしていました。このことからも、トロイの木馬が広く拡散しており、攻撃者にとって金銭的な儲けを生むのであればあらゆるものが標的になっていることが明白です。

最も頻繁に攻撃されているのは米国内の銀行で、調査したトロイの木馬の設定ファイルのうち 71.5% に出現していました。標的となった上位 15 の銀行はすべて、設定ファイルのうち 50% 以上で見つかっており、2 つに 1 つのトロイの木馬が上位の銀行の少なくとも 1 行を狙っていることになります。このように高い数値が表れているのは、トロイの木馬とともに売られている基本ツールキットの一部に、標的となる URL がサンプルとして存在するためかもしれません。あるいは、トロイの木馬が依然としてこうした企業に対して有効だからという理由も考えられます。金融機関の一部はいまだに強力な認証を採用していないからです。もちろん、大部分の金融機関はこうしたサイバー犯罪の推移を意識しています。また、このような攻撃を遮断する新しい保護対策も講じているのですが、残念なことに、新しいセキュリティ対策を始動するには時間も費用も掛かり、攻撃者は常に新しい攻撃の経路を生み出しています。結局のところ、ソーシャルエンジニアリング攻撃は依然として機能し続けることになります。巧妙な作り話に引っ掛かってしまう人というのは、後を絶たないからです。オンラインバンキングのサービスを狙う攻撃は、来年も続くものとシマンテックは予測しています。

金融機関を狙うトロイの木馬の状況について詳しく知りたい方のために、このトピックを扱ったホワイトペーパーの最新版を公開しました(英語)。

金融機関を狙う脅威の 2013 年における概況については、以下の解説画像も参考にしてください。

the_state_of_financial_trojans_infographic_v1.1_0.jpg
 
 
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

The State of Financial Trojans in 2013

      No Comments on The State of Financial Trojans in 2013
“Because that’s where the money is!” This is a quote frequently attributed to Willie Sutton as the answer he allegedly gave when asked why he robbed banks. Even though Mr. Sutton never gave this answer, it still holds true. 
 
This paradigm also holds true when it comes to today’s financial malware. Online banking applications are where money is moved; hence they are also the focus of attackers. It should not come as a surprise that we still see further development of Trojans targeting online banking services. One example that we recently blogged about is the Neverquest Trojan, a successor of Trojan.Snifula, which was first seen in 2006 but is still in use. 
 
The number of infections of the most common financial Trojans grew to 337 percent in the first nine month of 2013. This represents nearly half a million infected computers per month that are susceptible to fraud. To get a better understanding of the mechanics behind financial Trojans and the scale of their operations, we analyzed over one thousand recent configuration files belonging to eight online banking Trojans. These configuration files define which URLs the Trojan should attack and what attack strategy to use. Attacks vary from simple user redirection to complex Web-injects, which can automatically conduct transactions in the background. The analyzed configuration files targeted 1,486 organizations in total. This highlights the wide distribution of the Trojans, which target everything that could yield a monetary profit for the attacker.  
 
The most frequently attacked bank is located in the US and was present in 71.5 percent of all the examined Trojans’ configuration files. All of the top 15 targeted banks were found in more than 50 percent of the configuration files. This means that every second Trojan targets at least one of these banks. These high numbers might be because the targeted URLs are present as examples in some of the basic toolkits, which are sold with the Trojans. Another reason could be that the Trojans simply still work against these firms, as not all financial institutions have moved to strong authentication yet. Of course, most financial institutions are aware of these cybercrime developments and are deploying new protection mechanisms to block such attacks. Unfortunately, new security measures take time and money to roll out and the attackers will always come up with new attack avenues. After all, social engineering attacks still work, since some people will always fall for a cleverly crafted story. We expect that we will continue to see attacks targeting online banking services in the coming year.
 
If you want to learn more about the state of financial Trojans, we released an updated whitepaper on this topic.
 
We also have the following infographic on 2013’s financial threat landscape.
 
the_state_of_financial_trojans_infographic_v1.1_0.jpg

The State of Financial Trojans in 2013

      No Comments on The State of Financial Trojans in 2013
“Because that’s where the money is!” This is a quote frequently attributed to Willie Sutton as the answer he allegedly gave when asked why he robbed banks. Even though Mr. Sutton never gave this answer, it still holds true. 
 
This paradigm also holds true when it comes to today’s financial malware. Online banking applications are where money is moved; hence they are also the focus of attackers. It should not come as a surprise that we still see further development of Trojans targeting online banking services. One example that we recently blogged about is the Neverquest Trojan, a successor of Trojan.Snifula, which was first seen in 2006 but is still in use. 
 
The number of infections of the most common financial Trojans grew to 337 percent in the first nine month of 2013. This represents nearly half a million infected computers per month that are susceptible to fraud. To get a better understanding of the mechanics behind financial Trojans and the scale of their operations, we analyzed over one thousand recent configuration files belonging to eight online banking Trojans. These configuration files define which URLs the Trojan should attack and what attack strategy to use. Attacks vary from simple user redirection to complex Web-injects, which can automatically conduct transactions in the background. The analyzed configuration files targeted 1,486 organizations in total. This highlights the wide distribution of the Trojans, which target everything that could yield a monetary profit for the attacker.  
 
The most frequently attacked bank is located in the US and was present in 71.5 percent of all the examined Trojans’ configuration files. All of the top 15 targeted banks were found in more than 50 percent of the configuration files. This means that every second Trojan targets at least one of these banks. These high numbers might be because the targeted URLs are present as examples in some of the basic toolkits, which are sold with the Trojans. Another reason could be that the Trojans simply still work against these firms, as not all financial institutions have moved to strong authentication yet. Of course, most financial institutions are aware of these cybercrime developments and are deploying new protection mechanisms to block such attacks. Unfortunately, new security measures take time and money to roll out and the attackers will always come up with new attack avenues. After all, social engineering attacks still work, since some people will always fall for a cleverly crafted story. We expect that we will continue to see attacks targeting online banking services in the coming year.
 
If you want to learn more about the state of financial Trojans, we released an updated whitepaper on this topic.
 
We also have the following infographic on 2013’s financial threat landscape.
 
the_state_of_financial_trojans_infographic_v1.1_0.jpg