Under the Hood of Carberp: Malware & Configuration Analysis
The following document constitutes an analysis of Carberp, a new variant of financial malware targeting numerous banks around the world. The analysis provides a detailed description of the malware's operation, communication and installation on the infected machine. It also contains a thorough analysis of the Carberp configuration, including targeted banks and attack methods.
Reused Login Credentials
Internet users are required to memorize multiple login credentials to access different web services. As a result, many decide to use the same login credentials for multiple websites. This practice can be dangerous when sharing login credentials used for online financial services applications with less secure websites. Trusteer measured the magnitude of this problem and the results are presented in this report.
Advisory for cPanel-based site owners – cPanel/FTP phishing campaign
cPanel is a very popular CMS (Content Management System), used by many leading hosting providers, including Yahoo. During December 2009 Trusteer saw a phishing email campaign targeting owners of cPanel-based sites in various hosting providers, trying to phish the FTP credentials of those site owners using cPanel-oriented messaging. This advisory explains what fraudsters were trying to achieve by stealing cPanel login information.
Measuring the Effectiveness of In-the-Wild Phishing Attacks
Trusteer measured the effectiveness of in-the-wild phishing attacks, and normalized the data for a single bank over one year, across one million customers. This method provides financial institutions with a yardstick to calculate losses associated with phishing attacks.
W32.Silon Malware Analysis
W32.Silon is a new malware variant that intercepts Internet Explorer web browser sessions, and has been associated with fraud incidents at several large banks. Trusteer retrieved and analyzed a sample of this two-headed Trojan, which is designed to steal generic login information and commit bank-specific fraud.
Stealth New Zeus Infection Campaign Targets Enterprises
Zeus (AKA Zbot) is a highly effective Trojan that steals personal information and website login credentials. Once downloaded, the Trojan injects itself into the browser and monitors all traffic. It then steals login credentials to sensitive websites. Zeus also changes web pages that users view, asking for additional sensitive information and sending it to the attackers.
In-Session Phishing
This security advisory discusses a sophisticated and highly effective phishing attack technique that is carried out while a user is in an active session with a secure banking, brokerage, or other sensitive web application.
Anti-Keyloggers Myths
Over the last few years, several technologies have been suggested in order to strengthen or replace the traditional password input field, as a result of its vulnerability to keyloggers. This whitepaper surveys the myths of anti-keylogger technologies, and pinpoints material flaws in each such technology.
Bypassing Device Identification
Device Identification is considered by many to be a viable solution to phishing and other client-side attacks due to the fact that even when a phishing attack is successful, the attacker has no way of enrolling his/her device with the website. Notwithstanding, this paper discusses three different, yet very simple attack vectors that can be used to completely overpower device identification.
The Threat of DNS Spoofing on Financial Services
This executive whitepaper describes the DNS cache poisoning/spoofing attack in general, and the recent reports by Trusteer about the vulnerabilities of Microsoft DNS Server and ISC BIND servers to this kind of attack. The paper also discusses the impact of the attack on financial institutions, and offers possible remedies.
Temporary user tracking in major browsers and Cross-domain information leakage and attacks
User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage and cross-domain attacks are described, which provide a foundation for attacks such as “in-session phishing”. According to Opera’s security team, Opera is vulnerable as well, but it was not researched by the author.
BIND 9 DNS Cache Poisoning
The paper shows that BIND 9 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9.
BIND 8 DNS Cache Poisoning
The paper shows that BIND 8 DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides a single guess for the “next” query (with probability between 43% and 25%, depending on the DNS traffic the server handles), thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 8.
Windows DNS Server Cache Poisoning
The paper shows that Microsoft Windows DNS Server outgoing queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted, for the Windows DNS server (part of Microsoft Windows Server 2003 platforms and of Microsoft Windows 2000 Server platforms) in caching mode. A predictability algorithm is described that, in optimal conditions, provides 8 possible guesses for the next transaction ID value, thereby overcoming whatever protection is offered by the transaction ID mechanism.
OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability
The paper describes a weakness in the pseudo random number generator (PRNG) in use by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs (OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD – the latter three only if the kernel flag net.inet.ip.random_id is 1). A technique is disclosed that allows an attacker to detect the algorithm used and predict its next values.
PowerDNS Recursor DNS Cache Poisoning
PowerDNS is the third most popular DNS server on the Internet today. This paper shows that PowerDNS Recursor DNS queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides a single guess for the “next” query, thereby overcoming whatever protection is offered by the transaction ID and UDP port randomization mechanisms. This enables an effective DNS cache poisoning attack against PowerDNS Recursor.
Microsoft Windows DNS Stub Resolver Cache Poisoning
The Windows DNS stub resolver is a Windows service used by Windows desktop software to resolve DNS names into IP addresses. The DNS stub resolver forwards DNS queries to the DNS server configured for the workstation (or server) and returns the DNS server’s response to the requesting software.
Address Bar Spoofing Attacks against Microsoft Internet Explorer 6
IE6 is the second most popular web browser (after IE7), with market share of around 25% (according to recent surveys e.g. http://marketshare.hitslink.com/report.aspx?qprid=2).
FFsearcher internals (or "defrauding Google - one click at a time")
FFsearcher is a piece of malware (with rootkit components) that steals money from... Google... It does so via a variant on the well-known theme of click fraud. The scheme in general is this:
Tigger/Syzor - Unconventional Patching Technique
Tigger is a Trojan that captures keystrokes and form submissions. Keystrokes are captured through a kernel-level key-logger. Form submissions are captured via hooking HTTP functions in Internet Explorer and in Firefox. Interestingly enough, the hooks are implemented as in-line patches of the second machine instruction in the respective function’s entry point (as opposed to the more traditional in-line patching which modifies the first instruction). Thus, many security products fail to detect that the function is in fact patched.
Ambler – evading some network-centric detection techniques
The Ambler Trojan is a fairly standard BHO-based malware. Apparently it is based on the earlier NetHell/Limbo family, with which it shares many properties (including the file formats of the configuration file and the temporary storage file, and their encryption algorithms).
LdPinch - Injecting from Kernel to Userspace
LdPinch is patching malware, with kernel abilities. The variant analyzed here installs a kernel driver (C:\Windows\system32\java2.sys). At the kernel, it hooks several SSDT functions. These hooks are used to inject a DLL (C:\Windows\system32\snjava.dll) into userspace processes (such as Internet Explorer) as well as to hide its own files. When injected into Internet Explorer, the DLL hooks several WinInet functions (now in userspace) in order to monitor and manipulate browser traffic. This way, LdPinch is able to intercept every POST request the user makes.
HTML Modifying Malware
Once malware has access to the browser (for simplicity, let’s assume it is Microsoft Internet Explorer), it can act as a “man in the browser”, potentially modifying incoming HTML from the web server. This capability enables malware to conduct various interesting attacks:
NetHell: Rapid malware development using BHO and code examples
One of the easiest ways to implement relatively powerful malware is to make use of the built-in browser extensibility offered by leading browser vendors – commonly known as browser plug-ins. For example, in Microsoft Internet Explorer, a BHO (Browser Helper Object) is a DLL that is loaded by the browser each time the browser is started. Moreover, browser plug-ins can easily interact with the browser’s internal data structures, most notably the DOM (Document Object Model), using a standard and rich API offered precisely so that plug-ins can extend the browser's behavior.
The WSNPOEM malware – an exercise in non standard credential grabbing techniques
Recently we investigated a malware sample encountered in the wild. It turned out to be a recently released variant of the Banker/InfoStealer/Bancos/Zbot family (identified as PWS-Banker.gen.bw by McAfee, as Infostealer.Banker.C by Symantec, as Trojan-Spy.Win32.Bancos.aam by Kaspersky and as Mal/Zbot-A by Sophos). Initial analysis indicated that this is a descendant of the malware analyzed by SecureScience and Michael Ligh (http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf) – in fact, quite possibly a variant of the new strand identified in section 18 of that paper.
MBR-Torpig and Asynchronous Procedure Call
Over the last few months, we’ve seen a new and disturbing threat: rootkits. A rootkit is a sophisticated kind of malware which hides itself, typically at the kernel level (and sometimes even below the kernel), so that regular scanning for malware processes, files, registry entries and malware activities at large would miss it. The theoretical possibility of rootkits has been known for many years, and a few rootkits have emerged in the past, but only recently have we seen rootkit-enabled malware as a serious trend.