Finjan Malicious Code Research Center: Malicious Page of the Month, July 2007
August 2007   

This month’s analysis is geared towards helping customers understand how current threats are created and the methodologies malware writers use to raise the infection rate and evade conventional security measures. Past issues have analyzed websites that were compromised to distribute browser exploits. In our Q2 Web Security Trends Report, Finjan revealed the “MPack” toolkit, which has since become very popular for spreading malicious code on the web. In our previous “Malicious Page of the Month” report, we uncovered another anti-forensics attack toolkit. This document presents an example of a crimeware attack on a PC infected by such toolkits. The analysis shows the impact of such an infection and highlights the financial motivation and criminal intent behind these attacks.

1.1 What is Crimeware?

Crimeware (crime software) refers to software designed specifically for financial crime. Crimeware targets your company, your employees, your customers and your data. It encompasses a range of technologies that can be used to execute a crime, including the following:
- Trojan horse: A program that may appear to be legitimate but in fact does something malicious. Trojans are often used to gain backdoor access to a user’s system.
- Keylogger: A specially crafted application designed to “listen” to the user’s keyboard (and mouse) activity, record it, and send it to a third party. “Interesting” activities are logged – such as logging into online bank accounts, writing documents, etc.
- Rootkit: An application designed to integrate seamlessly into the core components of the operating system, gain control over its main functionality (and alter it), and stay hidden from security products.

When Trojans go Phishing

The example analyzed in this report is crimeware distributed by the well-known MPack toolkit. As noted in the last few weeks, MPack is being widely used in the wild and has successfully infected thousands of corporate and individual users. We have chosen to analyze this kind of activity because crimeware and anti-forensics techniques have created a new problem in the web security arena. Crimeware is funded by financial fraud, with an elaborate scheme of capital incentives behind it. The scope of this new problem differs from the issues usually dealt with by web security solutions, while its impact on the corporate world is immediate and can be easily quantified. It may be viewed as a new kind of phishing attack, although one that is much more sophisticated, controlled and targeted, as the following analysis shows. As shown in Figure 1a below, the VirusTotal report indicates that the crimeware downloaded by the MPack toolkit was not detected by the majority of popular security products on July 1st 2007, so it remains quite effective at infecting the PC.

30 days later, Finjan re-tested the same crimeware using VirusTotal. As the VirusTotal report in Figure 1b shows, the crimeware downloaded by the MPack toolkit was still not detected by the majority of popular security products on July 29th 2007, so it still remains quite effective at infecting the PC. During July 2007, Finjan identified 58 criminals using the MPack toolkit who had successfully infected over 500,000 unique users. The infection ratio stands at 16% of 3.1 million attempts, as indicated by the web traffic volumes of the infecting sites.

Finjan’s analysis indicates that the crimeware distributed by MPack steals bank account information, such as user name, password, credit card number and social security number, in a creative way.
The specific crimeware analyzed here is capable of stealing account information from several banks around the world without leaving any traces behind. Stolen data is sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines are infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not affect the end-user experience.

Following is a demonstration of surfing to [Bank A] from an infected computer in our lab:
A sniffer and a proxy debugger were used during the analysis to track the traffic sent to and from the infected machine.

- Step 1 – Login form interception

Our lab analysis found that after the user fills in the login form and clicks the “Log In” button, the crimeware running on the infected machine intercepts the communication. The crimeware sends the intercepted UserID and password to the criminal’s server instead of to the [Bank A] server. Additionally, as seen in the screenshots below, the POST is not generated by the browser itself (Internet Explorer in this case), but by a user agent identifying itself as “MSID” (followed by a suspiciously distinct string, probably used to identify this specific infected host). All of this is carried out in the background, unknown to the user.

- Step 2 – Stealing additional online banking information

After the user credentials (UserID and password) were sent, the following web form is presented to the user by the criminals’ server. Note the highlighted ATM, SSN and PIN information requested from the user as well as the valid security lock on the bottom right of the browser.

The above screenshot is for illustrative purposes. The screenshot was taken from an infected PC exposed to a successful crimeware attack. [Bank A] is NOT responsible for the problem portrayed here, and has been notified of this vulnerability.

- Step 3 – Crimeware manipulates the browser’s content

Despite the way it looks, this form is NOT sent by [Bank A]. The response of the malicious server to which the login information was sent contained a replacement script carrying the data needed to construct the alternative page. The page is reconstructed in real time by the crimeware that took over the browser, and is displayed over the pre-established SSL connection with the [Bank A] server. Note that the page has the “look and feel” of a normal [Bank A] page.
The same technique is used when browsing to several other online financial service providers. Thus, for each financial institution, the crimeware will send a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service (such as “favorite” questions, memorable date, favorite word, etc.). Naturally, they will have the identical “look and feel” of the financial institution they are scamming.
The browser does not show any signs that this modified page is suspicious in any way, and the surfing activity appears to be normal. When opening the “secure” icon of the web browser to validate the SSL connection, a valid [Bank A] certificate is presented:

- Step 4 – Intercepting the additional information submission

Once the victim clicks the “sign on” button, the data is again sent through a secured session to the criminal’s server in the background:

After the data has been successfully sent to the attacker site, the original [Bank A] response to the submitted credentials is presented. It should be noted that the transmission to the attacker’s site is carried out in parallel in the background, so there is no delay whatsoever from the user’s perspective. Figure 11 shows the actual [Bank A] response received in Finjan’s lab, reflecting our use of a fictitious User ID and password. A valid [Bank A] customer would receive the standard welcome page for his/her account.

Figure 11 – Original [Bank A] page presented after sending the data to the attacker host

The above screenshot is for illustrative purposes. The screenshot was taken from an infected PC exposed to a successful crimeware attack. [Bank A] is NOT responsible for the problem portrayed here, and has been notified of this vulnerability.
From this moment on, the attacker has all the information needed to carry out criminal activity – including making a direct ATM withdrawal by simply encoding the required information onto the magnetic stripe of a blank card and using the ATM PIN number. [Bank A] is just one example. Several other leading online banking sites around the world were found to be targeted by this crimeware as well.

1.2 Sample Financial Crimeware Workflow

In general, the flow of extracting the sensitive information from the infected PC user is as follows:
1) Detect login page to a financial service
2) Send the login credentials to the financial service as well as the crimeware server
3) Crimeware server response contains custom designed page to get more sensitive information (designed for the service provider)
4) Crimeware on infected PC injects the custom page into the browser (which is already connected via SSL to the financial provider)
5) Victim enters sensitive data into customized form
6) Crimeware sends customized form data to crimeware server
7) Crimeware receives the financial service’s response to the original login credentials and displays it in the browser.

The elaborate scheme, as depicted above, enables crimeware to cover a multitude of financial services and to harvest the relevant information from each service, according to the needs of the criminal. For example, one bank would be used to get ATM PIN numbers and Social Security Numbers, while a different bank would be used for stealing confidential login details used to access personal accounts. The following screenshots show samples of the crimeware in action for several major online financial providers.
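Added detection example, not code from Finjan’s report: a Python check over constructed gateway log lines (the host names, client addresses, user agent strings and the 203.0.113.7 address are placeholders) that flags the two observable signs described in Step 1 and in the workflow above, a POST carrying a non-browser user agent such as “MSID …”, and a POST to an IP-literal host issued within seconds of a login POST to a monitored bank. It assumes the gateway inspects SSL, so HTTPS requests are visible as plain log lines.

```python
import re
from datetime import datetime

# Constructed sample log (not from the report): timestamp, client, method, host, path, user agent.
SAMPLE_LOG = """\
2007-07-01T10:00:01 10.0.0.5 GET www.bank-a.example /login "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2007-07-01T10:00:09 10.0.0.5 POST www.bank-a.example /login "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2007-07-01T10:00:10 10.0.0.5 POST 203.0.113.7 /gate.php "MSID 8f3a19c2"
2007-07-01T10:00:12 10.0.0.5 GET www.bank-a.example /home "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2007-07-01T10:01:30 10.0.0.9 POST www.bank-a.example /login "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2007-07-01T10:01:33 10.0.0.9 GET www.bank-a.example /home "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
IP_LITERAL = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')
FINANCIAL_HOSTS = {"www.bank-a.example"}  # placeholder set of monitored banking hosts
RELAY_WINDOW = 5  # seconds between the genuine login POST and a suspected relay POST

def parse(log_text):
    """Parse log lines into (time, client, method, host, path, user_agent) tuples; lines must be time-ordered."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, path, ua = m.groups()
            rows.append((datetime.fromisoformat(ts), src, method, host, path, ua))
    return rows

def detect(log_text, financial_hosts=FINANCIAL_HOSTS):
    """Return (rule, client, destination_host, user_agent) alerts for the two signs from the report."""
    rows = parse(log_text)
    alerts = []
    for i, (ts, src, method, host, path, ua) in enumerate(rows):
        if method != "POST":
            continue
        # Rule 1: the exfiltration POSTs in the report use a non-browser agent ("MSID <id>").
        if not ua.startswith("Mozilla/"):
            alerts.append(("non_browser_post", src, host, ua))
        # Rule 2: a POST to a bare IP host from the same client shortly after a bank login POST.
        if host in financial_hosts:
            for ts2, src2, m2, host2, _, ua2 in rows[i + 1:]:
                if (ts2 - ts).total_seconds() > RELAY_WINDOW:
                    break
                if src2 == src and m2 == "POST" and host2 not in financial_hosts and IP_LITERAL.match(host2):
                    alerts.append(("credential_relay", src, host2, ua2))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```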

1.3 Where is the Stolen Information Stored?

In the example shown above, the sensitive personal data has been covertly sent to an anonymous IP address on the Internet. Looking up the address information reveals that it is located in Panama, behind what appears to be a fictitious corporation (Nevacon Ltd). Our check showed that no such corporation exists.

1.4 Additional Information Theft

In addition to the real-time theft of personal and financial data targeted at several financial services, we have also spotted another type of recurring malicious behavior. This crimeware uses a keylogger to post information back to an attacker host, using an encrypted file containing additional information on the ongoing activity of the PC.

An analysis of this host address reveals that this address belongs to the same corporation in Panama that owns the IP shown in the previous analysis. Thus, it becomes clear that there is a connection between the real-time page modification management as demonstrated before, and the ongoing keylogging of activities on the host.

This analysis has demonstrated the true impact of being exposed to the risk of modern anti-forensics attack technologies. The infection is fast, seamless and does not leave any trace on the infected PC. The cybercriminals are creating increasingly sophisticated crimeware to make sure that - from the victim’s point of view – the experience is identical in every way to normal financial transactions. As there are no external indications that the machine has been infected, there is no reason why users should not continue to use the infected machine.

The criminal intent behind these infections is obvious as shown in the example from [Bank A], as well as other leading online financial service providers. The use of SSL as a transportation layer for all the malicious activity should be noted as well, since standard security solutions are usually not configured to handle the SSL connections. In other words, a completely covert channel is left open for the crimeware applications to run on. As attacks become more evasive and obfuscated, security companies find it more difficult to put their hands on malicious code, analyze it in their labs and create a signature for it. Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with evasive attacks, which appear once and then vanish. Moreover, recent estimates indicate that some 80% of malicious code appears on sites categorized as legitimate. The fact that today’s malicious code is constantly changing hosting locations is also an inhibitor for URL filtering and reputation services.

The methods used by today’s cybercriminals can only be identified and stopped by real-time content inspection techniques: security solutions that are able to understand the intent of web content and decide on the fly how to handle it. Real-time analysis is required to protect users from malicious code the first time it strikes. By understanding the true intent of web content, Finjan’s real-time content inspection technology detects and prevents crimeware despite the propagation techniques and anti-forensic methods in use. This prevents malicious web content from entering the corporate network, protecting enterprises from crimeware that may result in severe business damage.


About MCRC

Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet and email applications as well as other popular applications. MCRC’s goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as spyware, Trojans, phishing attacks, worms and viruses. MCRC researchers work with the world’s leading software vendors to help patch their security holes, and contribute to the development of next-generation defense tools for Finjan’s proactive secure content management solutions. For more information, visit our MCRC subsite.

About Finjan

Finjan is a global provider of secure web gateway solutions for the enterprise market. Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s real-time web security solutions utilize patented behavior-based technology to repel all types of crimeware threats arriving via the web, such as spyware, phishing, Trojans, obfuscated code and other malicious code, securing businesses against unknown and emerging threats as well as known malware. Finjan’s security solutions have received industry awards and recognition from leading analyst houses and publications, including IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential.
