Recently McAfee, together with Guardian Analytics, detected a massive online bank fraud. According to the
analysis report "Dissecting Operation High Roller"
published by McAfee, modified Zeus and SpyEye trojans were used to steal
money (around 60M Euro) from corporate bank accounts. A list of MD5 hashes for the
samples used in the fraud can be found
here.
Some key facts:
- SpyEye and Zeus have been known for years. Zeus first appeared in 2007, SpyEye in 2009. A lot of technical analysis exists describing their internals.
- Neither SpyEye nor Zeus uses any 0-day exploits to infect systems.
- According to the McAfee report the modifications include new modules to bypass two-factor physical authentication, rootkits to prevent AV detection and a lot of server-side automation.
Some Joe Sandbox 6.0.0 analysis reports (cookbook: detect e-Banking trojan):
According to our analysis the three samples listed above work successfully on XP, Vista, W7 and W7 x64.
One of the keys to identifying and detecting Zeus and SpyEye successfully
is their process injection and hooking behavior. It starts with a code or
PE file injection into explorer.exe:
Instead of creating a remote thread (which may lead to detection by a
HIPS), a frequently called function (NtClose) is overwritten with a
call-stub which redirects execution to the previously injected payload:
Right after that, the payload starts from the trusted explorer.exe context and
injects into other system processes using the same technique:
Once the victim starts browsing to do online banking, the trojan
injects itself into the browser to finally execute its payload (redirecting
money to a foreign bank account):
The described code injection attack is not new and has been used for a
long time. Therefore it is well detected by HIPS and AVs. It is all the more surprising that the trojan was that successful. In the report
"Dissecting Operation High Roller" we could not find any information
about installed AV, HIPS and other protection software on the victims'
systems.
To demonstrate how easy it is to protect a system from being infected,
we developed a simple device driver. Check out the following Joe Sandbox report
to understand what the driver is doing:
Explorer Protect Report
The driver hooks NtWriteVirtualMemory. NtWriteVirtualMemory is called by
WriteProcessMemory, which is used to inject code into a foreign process.
The driver terminates all processes which try to call
WriteProcessMemory with explorer.exe as the target:
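As an added example (not code from this post or from the Explorer Protect driver), the following Python script applies the detection logic described above to a constructed API-call trace: the cross-process write into explorer.exe that the driver reacts to, the call-stub placed on NtClose, and the later write from explorer.exe into the browser. The record layout, process names and region values are assumptions made for illustration.

```python
import re

# Constructed sample trace in a made-up "key=value" layout (not Joe Sandbox's
# real report format); one record per monitored API call.
SAMPLE_TRACE = """\
pid=1000 image=sample.exe api=NtWriteVirtualMemory target=explorer.exe region=0x00400000
pid=1000 image=sample.exe api=NtWriteVirtualMemory target=explorer.exe region=ntdll!NtClose
pid=2000 image=explorer.exe api=NtWriteVirtualMemory target=svchost.exe region=ntdll!NtClose
pid=2000 image=explorer.exe api=NtWriteVirtualMemory target=iexplore.exe region=0x00400000
pid=3000 image=msiexec.exe api=NtWriteVirtualMemory target=msiexec.exe region=0x00400000
"""
LINE_RE = re.compile(r"pid=(\d+) image=(\S+) api=(\S+) target=(\S+) region=(\S+)")
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

def parse_trace(text):
    """Parse the trace into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            keys = ("pid", "image", "api", "target", "region")
            records.append(dict(zip(keys, m.groups())))
    return records

def detect_injection_chain(records):
    """Return (rule, record) alerts for the stages described in the post.

    explorer-write : another process writes into explorer.exe (the event the
                     Explorer Protect driver reacts to by killing the caller)
    ntclose-hook   : a cross-process write lands on ntdll!NtClose, i.e. the
                     call-stub used instead of a remote thread
    browser-inject : explorer.exe writes into a browser process
    """
    alerts = []
    for r in records:
        # Only cross-process writes matter; the target is identified by image
        # name here, so a process writing into its own image name is ignored.
        if r["api"] != "NtWriteVirtualMemory" or r["target"] == r["image"]:
            continue
        if r["target"] == "explorer.exe":
            alerts.append(("explorer-write", r))
        if r["region"].lower() == "ntdll!ntclose":
            alerts.append(("ntclose-hook", r))
        if r["image"] == "explorer.exe" and r["target"] in BROWSERS:
            alerts.append(("browser-inject", r))
    return alerts
```

Run over the constructed trace, the first rule fires twice, which is exactly the point at which the driver would have terminated sample.exe before the rest of the chain could happen.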
The following report
shows the execution of a High Roller sample right after the protection
driver has been loaded:
High Roller Sample with Explorer Protect
The source code of the driver can be found
here.