In May, Kaspersky Lab detected the first banking rootkit built to infect 64-bit systems. It was detected after an attack carried out by Brazilian cybercriminals. See RSA's report on the subject.
SOPHISTICATED LOCAL PHARMING TROJAN TARGETS BRAZILIAN BANKS
June 2011
A typical local pharming Trojan consists of standard malware strains that modify a victim’s hosts file or intercept a machine’s IP-resolution process. By changing the hosts file of a computer, specifically the IP address associated with a website, the victim is redirected to a phishing website set up to capture specific information, such as online banking credentials, which are then sent to the criminal.

RSA recently analyzed one local pharming Trojan which we found to be a highly sophisticated piece of malware that goes as far as installing a driver to achieve its intended goal of stealing information. This is the first local pharming Trojan observed by RSA to even have a driver.

In fact, the Trojan has been widely reported to be the first rootkit ever designed to specifically infect 64-bit operating systems. However, the Trojan does not in fact install a rootkit; rather it installs a plainly visible malicious driver. Since rootkits by definition hide their very existence from the user, this driver cannot be classified as such. Any victim infected with this Trojan, dubbed Rootkit.Win32.Banker.dy (on 32-bit systems) or Rootkit.Win64.Banker.a (on 64-bit systems), will be able to see it in plain view on the currently-loaded driver list.

This particular Trojan was targeted at online banking consumers in Brazil as it changes the hosts file settings for a handful of Brazilian banks. Following is an overview of the Trojan’s main functionalities based on analysis by RSA:
Modifies User Account Control
In order to gain administrator privileges, this local pharming Trojan tricks the User
Account Control (UAC) mechanism (UAC is used in both 64-bit and 32-bit systems,
including Windows Vista and Windows 7) which enables the Trojan to silently install its
driver at a later stage of its execution. In effect, when running an account with admin-
level privileges on a system that features UAC, every attempt to modify the computer’s
settings results in a warning dialog box requesting the user’s permission to perform
changes. By disabling the UAC, the Trojan removes this warning prompt.
When running an account with user-level privileges, every attempt to modify the computer’s settings results in a dialog box requesting the user to authenticate as a user with administrative privileges. Disabling the UAC in this case will not change this behavior.
To disable the UAC mechanism, the infected computer must be rebooted. After the
system reboots, the Trojan registers a batch file named aaa.bat. This batch file installs
the malicious drivers and registers them to load on every system boot, all without
intervention from the UAC mechanism.
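The two artifacts described above (UAC switched off, and a batch file registered to run at every boot) can be checked offline from a registry export taken off a suspect machine. The following is an added example, not code from the RSA report; it parses the subset of `.reg` syntax that `reg export` writes and flags the two conditions. The registry locations it consults (`EnableLUA` under `Policies\System`, and the `Run` keys) are standard Windows locations stated from general Windows knowledge, not named by the report, and the report does not say which mechanism launches aaa.bat, so checking the `Run` keys is an assumption. The sample exports are constructed; only the file name aaa.bat comes from the report, its directory is a placeholder.

```python
import re
from typing import Dict, List

# Standard Windows locations (assumption: not named in the report). UAC is
# governed by EnableLUA under Policies\System; the Run keys start programs at logon.
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUE = "EnableLUA"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample of a `reg export` file: UAC switched off and a batch file
# (the report names aaa.bat; the directory is a placeholder) set to autostart.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Updater"="C:\\Users\\Public\\aaa.bat"
'''

# Constructed clean counterpart: UAC on, only an executable in Run.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
'''

# "name"=value or @=value; the name may contain backslash-escaped characters.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset that `reg export` writes: [key] sections, dword
    values and quoted strings (backslashes and quotes escaped with a backslash).
    Key paths are lower-cased because the registry is case-insensitive."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        value = m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            keys[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
        else:
            keys[current][name] = value  # hex:, expandable strings etc. kept raw
    return keys


def check_uac_and_persistence(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Report UAC disabled (EnableLUA = 0) and any .bat/.cmd autostart entry."""
    findings: List[str] = []
    if keys.get(UAC_KEY.lower(), {}).get(UAC_VALUE) == 0:
        findings.append(f"UAC disabled: {UAC_VALUE}=0 under {UAC_KEY}")
    for run_key in RUN_KEYS:
        for name, value in keys.get(run_key.lower(), {}).items():
            if isinstance(value, str) and re.search(r"\.(bat|cmd)\b", value, re.I):
                findings.append(f"Batch file set to autostart: {run_key}\\{name} -> {value}")
    return findings


def scan_reg_export(text: str) -> List[str]:
    """Convenience wrapper: findings for one exported .reg file."""
    return check_uac_and_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
```

Run against an export of the two hives (for example `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm.reg` on the suspect system, then feed the file to `scan_reg_export`); a clean machine yields no findings, while the constructed sample yields one finding for UAC and one for the batch file. The check is deliberately narrow: it confirms the two conditions the report names and nothing more, so it belongs beside a driver-list review rather than replacing one.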
Registers Fake Certification Authority
Since a certificate authority (CA) functions as a trusted mediator between a machine
and a website, a fake CA functions as a deceptive mediator that may claim a site is
trustworthy, when it actually is not. In this Trojan’s case, the fake CA mediates between
the phishing pages (which have a fake HTTPS certificate) and the victim’s infected
machine. This enables the CA to issue a ‘secure’ result allowing the phishing website
to display the padlock icon normally associated with trusted HTTPS connections.
Needless to say, under normal circumstances, the icon is reserved for sites where
legitimate HTTPS certificates were issued from a genuine CA. Evidently, the Trojan’s
authors went the length of creating a Trojan that registers a fake CA in the Windows
Registry to lend credibility to the phishing pages presented by the malware.
Installs 32-bit or 64-bit Driver
As mentioned above, an interesting aspect of this Trojan, which we have yet to see in
other advanced Trojans such as Zeus and SpyEye, is its ability to install a new driver
specifically tailored to run on 64-bit systems. Depending on the infected system, the
Trojan either installs a driver compatible with 32-bit or 64-bit operating systems. The
driver’s main objectives are to alter the hosts file and register a fake certificate authority
to the infected computer.
Changes Hosts File
In some operating systems, hosts files are given priority over resolution by DNS systems.
In such systems, if a given host is located in the hosts file, no DNS query is performed to
resolve its IP address, but rather the IP specified in the hosts file is used. (DNS is
comparable to a phone directory, where website names are associated with certain IP
addresses; a hosts file has the same use, but it resides on the machine itself rather than
a third party server.) Consequently, by changing the IP address associated with the host
name of targeted banks, the malware redirects victims to phishing sites instead of the
user’s intended destination.
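The resolution order described above (hosts file consulted first, DNS only if the name is absent) is what makes a single hosts-file line sufficient to redirect a bank's customers. The following is an added example, not code from the RSA report: it parses a hosts file the way a resolver reads it (first match wins, comments ignored), models hosts-before-DNS precedence with a simulated DNS table, and flags watch-listed bank hostnames whose hosts-file address falls outside the institution's expected networks. The hostnames, the expected networks and the sample hosts file are constructed; they use the reserved `.example` domain and the documentation address ranges, and nothing in them is taken from the report.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts file (comments are ignored by the resolver and by
# the parser). Bank names are placeholders; addresses are documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bank-a.example.br bank-a.example.br   # pinned to an outside address
192.0.2.10      www.bank-b.example.br                     # inside bank-b's expected range
"""

# Constructed watch list: bank hostnames and the networks their sites are
# expected to resolve into (a defender would take these from the bank's DNS).
EXPECTED: Dict[str, List[str]] = {
    "www.bank-a.example.br": ["198.51.100.0/24"],
    "bank-a.example.br": ["198.51.100.0/24"],
    "www.bank-b.example.br": ["192.0.2.0/24"],
}

# Constructed stand-in for the answers a DNS server would return.
SAMPLE_DNS: Dict[str, str] = {
    "www.bank-a.example.br": "198.51.100.20",
    "www.bank-c.example.br": "198.51.100.7",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs in file order, names lower-cased.
    Lines whose first field is not an IP address are skipped, as a resolver does."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((name.lower(), ip))
    return entries


def resolve(name: str, hosts: List[Tuple[str, str]], dns: Dict[str, str]) -> Optional[str]:
    """Hosts-before-DNS precedence: the first hosts-file match wins and no DNS
    query is made; otherwise fall back to the (simulated) DNS answer."""
    name = name.lower()
    for host, ip in hosts:
        if host == name:
            return ip
    return dns.get(name)


def find_pharming(hosts: List[Tuple[str, str]], expected: Dict[str, List[str]]) -> List[dict]:
    """Flag watch-listed hosts whose hosts-file address is outside the expected networks."""
    findings: List[dict] = []
    for host, ip in hosts:
        if host not in expected:
            continue
        addr = ipaddress.ip_address(ip)
        networks = [ipaddress.ip_network(n) for n in expected[host]]
        if not any(addr in net for net in networks):
            findings.append({"host": host, "hosts_ip": ip, "expected": expected[host]})
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("www.bank-a.example.br resolves to", resolve("www.bank-a.example.br", entries, SAMPLE_DNS))
    for finding in find_pharming(entries, EXPECTED):
        print("pharming entry:", finding)
```

On Windows the file to feed to `parse_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`. In practice any bank hostname appearing in a hosts file at all is worth a look, since banks do not ship hosts entries; the network check above only separates the clearly redirected entries from ones that happen to point at the bank's own range.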
Disables Security Plug-Ins
Consumers of Brazilian banks are required to install security applications, such as GAS
Technology, as one means of protecting online banking transactions. The Trojan’s driver
has been found to disable files that make up a mandatory security plug-in used by
Brazilian banks; in one case, a DLL-based plug-in that functions as a browser helper object (BHO).
While protecting login is critical, fraudsters have developed technology capable of
manipulating transactions after login has occurred. Transaction protection refers
to an organization’s ability to monitor and identify suspicious post-login activities –
a capability most often provided by a risk-based fraud monitoring solution.
Transactions typically require more scrutiny and pose more risk than just the act of
logging in to an account. For example, an unauthorized user might secure login access
to an account, but the most risk is posed once a transaction is attempted, such as
transferring money out of the account. A transaction protection solution will alert fraud
investigation teams or challenge the users appropriately in these instances.
Phishing Attacks per Month
Source: RSA Anti-Fraud Command Center
[Chart: monthly count of phishing attacks identified by RSA, May 2010 to May 2011, peaking at 23,097 in May 2011.]

May 2011 marked a surprising 33 percent increase in the number of global phishing attacks identified by RSA – and a record for the most unique attacks identified in a single month. About four out of five phishing attacks in May were launched using hijacked websites.
Number of Brands Attacked
Source: RSA Anti-Fraud Command Center
[Chart: number of brands attacked per month, May 2010 to May 2011, peaking at 376 in May 2011.]

The increase in phishing attack numbers was not the only substantial change observed in May. RSA witnessed a 25 percent increase in the number of attacked brands, suggesting criminals went after a wider variety of brands rather than consistently attacking the same brands. When compared year-over-year (May 2010), there was a 69 percent increase in the number of attacked brands.
Segmentation of Financial Institutions Attacked Within the U.S.
Source: RSA Anti-Fraud Command Center
(share of U.S. phishing attacks per month as read from the chart; series labels inferred from the accompanying text)

                  May10 Jun10 Jul10 Aug10 Sep10 Oct10 Nov10 Dec10 Jan11 Feb11 Mar11 Apr11 May11
Credit unions       6%    6%    6%    3%    6%   10%   10%    8%   11%    9%   11%   15%   12%
Regional banks     29%   30%   32%   32%   30%   25%   19%   18%   15%   15%   18%   22%   12%
Nationwide banks   65%   68%   64%   65%   64%   65%   71%   74%   74%   76%   71%   63%   76%

Nationwide banks in the U.S. accounted for 3 out of 4 phishing attacks in May. The portion of phishing attacks targeting U.S. credit unions dropped three percent, as did the portion of attacks against regional U.S. banks, decreasing from 22 percent in April to just 12 percent in May.
Top Ten Hosting Countries
(shares as read from the chart) U.S. 66%, Canada 6.5%, United Kingdom 6%, Germany 5%, France 4%, Australia 4%, Russia 2.5%, South Korea 2%, Italy 2%, Colombia 2%

Since January 2010, the U.S. has been the top hosting country for phishing attacks, hosting 66 percent of all phishing attacks in May. In the last year, the countries that have consistently hosted the highest portion of phishing attacks have been the U.S., UK, Canada, Germany, France, Russia, and South Korea.

Top Ten Countries by Attack Volume
(shares as read from the chart) U.S. 50%, United Kingdom 28%, India 4.5%, South Africa 3.5%, Canada 3%, Spain 3%, Italy 2.5%, Netherlands 2.5%, Australia 1.5%, Colombia 1%

The U.S., UK, South Africa and India remained the top four countries targeted with the most volume of phishing attacks in May. Malaysia, which appeared on the chart in April, was replaced by Colombia in May. In the last year, the U.S., UK, South Africa, Canada, the Netherlands, and Italy are the top countries that have consistently endured the highest volume of phishing attacks.

Top Ten Countries by Attacked Brands
(shares as read from the chart) U.S. 47.5%, United Kingdom 14.5%, India 7.5%, Canada 6%, Australia 5.5%, Italy 4.5%, Brazil 4%, United Arab Emirates 4%, France 3.5%, Colombia 3%

The main change in May was Ireland being replaced by Brazil in terms of the top ten countries whose brands were most targeted by phishing. Brands in the U.S., UK, India, and Australia continue to endure the majority of targeted phishing attacks.