Banking Malware 101 - Overview of Current Keylogger Threats
Banking Trojans
- Nethell/Limbo (Browser Helper Object, BHO)
  - can register for several browser events, drops several files into %Windir%\system32 under varying names (e.g. gcomd32.dll), analyze with OllyDbg, also steals cookies
- ZeuS/Wsnpoem/Zbot
  - creates %Windir%\system32\wsnpoem (version 1), files: ntos.exe, oembios.exe or twext.exe, drops other files (audio.dll, video.dll), injects itself into various processes; features: form grabber, injection of arbitrary HTML code, stealing certificates; more info in the paper by Frank Boldewin
- other Trojans: Torpig, Sinowal, Mebroot, Banker, Bancos, SilentBanker, ChromeInject (Firefox plugin)
Dropzone hunting
- Collecting samples: client-side honeypots that automatically surf websites, monitor the system and watch for drive-by downloads (Capture-HPC, HoneyClient, phoeyd)
- Spam traps, watch for attachments and look for links and follow them
- User simulation: not all samples immediately access the dropzone, so we emulate the behavior of a user with AutoIt
Analyse the malware sample
- CWSandbox - www.cwsandbox.org
Automation
- analyzed 2000+ banking trojans
- found 140+ nethell dropzones
- found 200+ ZeuS dropzones
- ...
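The automation step above boils down to scanning a sandbox behavior report for the artifacts the notes list (the wsnpoem directory and its file names for ZeuS, BHO registration for Nethell) and recording where the sample posts data. The following is an added illustration, not code from the talk or from CWSandbox; the report format, hosts and CLSID are constructed.

```python
from urllib.parse import urlsplit

# Constructed sandbox-style behavior log for one sample (not real CWSandbox output).
# Hosts are example/documentation addresses; the CLSID and URL paths are placeholders.
SAMPLE_REPORT = """\
file_write C:\\WINDOWS\\system32\\wsnpoem\\audio.dll
file_write C:\\WINDOWS\\system32\\ntos.exe
inject_process winlogon.exe
http_post http://203.0.113.10/panel/post.php?id=1234
file_write C:\\WINDOWS\\system32\\gcomd32.dll
reg_set HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{PLACEHOLDER-CLSID}
http_post http://dropzone.example.net/limbo/in.php
http_get http://www.microsoft.com/
"""

# ZeuS v1 artifacts named in the talk notes: the wsnpoem directory and its file names.
ZEUS_FILES = {"ntos.exe", "oembios.exe", "twext.exe", "audio.dll", "video.dll"}
# Nethell/Limbo registers as a BHO; any write under this key is treated as an indicator
# (a legitimate BHO install would match too, so this is a triage hint, not proof).
BHO_KEY = "\\explorer\\browser helper objects\\"

def classify_event(kind, arg):
    """Map one behavior event to a malware family indicator, or None."""
    if kind == "file_write":
        low = arg.lower()
        if "\\wsnpoem\\" in low or low.rsplit("\\", 1)[-1] in ZEUS_FILES:
            return "ZeuS"
    if kind == "reg_set" and BHO_KEY in arg.lower():
        return "Nethell"
    return None

def analyze(report):
    """Return the families indicated by the report and the hosts of its HTTP POSTs.

    POST destinations are only candidate dropzones: as the notes say, not every
    sample contacts its dropzone right away, so an empty list is not a clean bill.
    """
    families, dropzones = set(), []
    for line in report.splitlines():
        kind, _, arg = line.partition(" ")
        fam = classify_event(kind, arg)
        if fam:
            families.add(fam)
        elif kind == "http_post":
            host = urlsplit(arg).hostname
            if host and host not in dropzones:
                dropzones.append(host)
    return {"families": families, "dropzones": dropzones}

if __name__ == "__main__":
    print(analyze(SAMPLE_REPORT))
```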