Fritz
BlackEnergy 2's one-two punch
« on: 2010-06-16 17:07:39 »
Online banking, hmmm. No one mentions that many still do not use an external certificate authority and thereby invite spoofing to capture credentials.
"We're off to see the wizard, the wonderful wizard of Oz ... ignore the man behind the curtain."
Fritz
Eastern European banks under attack by next-gen crime app
Source: The Register Author: Dan Goodin in San Francisco Date: 2010.06.16
Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions' authentication system and then hits it with a denial-of-service attack.
The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks' Counter Threat Unit.
The attacks, which also use a BlackEnergy 2 module to bypass a Java-based application the banks use to authenticate customers online, began near the end of 2009. They show no signs of letting up, said Stewart, who observed the same modus operandi earlier this week.
“Over the months that I've been monitoring this botnet, it's attacked probably a dozen or more banks with the same type of pattern of attacking the java authentication app,” Stewart told The Register. “All we see is, yes, this group has the plug-in that does the banking theft and then we see them also hacking that same banking authentication with the DDoS attack.”
BlackEnergy came to prominence in 2008 when it was reportedly used to disrupt internet communications in Georgia during the armed conflict between the former Soviet republic and Russia. It quickly became a major staple among Eastern European thugs, selling online for about $40 until free, pirated copies became widely available.
BlackEnergy 2, which Stewart first began monitoring in 2009, greatly expands what the software can do. It brings modular functionality to the tool, so separate programmers can write plug-in programs in much the way developers do for the Firefox browser. The gangs Stewart is monitoring are combining BlackEnergy's core DDoS functionality with an add-on to hack the Java authentication application, said Stewart, who presented his findings at this week's FIRST, or Forum of Incident Response and Security Teams, conference in Miami.
“It's a good technique to keep [bank employees] distracted while they get the money moved out,” Stewart said. It also “keeps people whose money is in transfer from logging on and seeing what's happening.”
Bank customers victimized in the attacks are being targeted by trojans disguised as pay-per-install applications.
In a major break from previous methods, the gangs are exclusively attacking banks in Russia and Ukraine. Previously, they went out of their way to avoid attacking banks in the region, presumably out of fear of attracting attention of law enforcement agents in the criminals' own backyard. Stewart said he's seen at least two unrelated bank fraud scams exclusively targeting banks in Russia and Ukraine, including the Bredavi trojan.
Stewart's report is below:
BlackEnergy Version 2 Analysis
Source: http://www.secureworks.com/research/threats/blackenergy2 Date: March 3, 2010 Author: Joe Stewart, Security Researcher with the SecureWorks' Counter Threat Unit (CTU)
Introduction
BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks. Although many versions of the trojan builder kit are in circulation on underground forums, the last release of the original BlackEnergy trojan available at the time of this writing seems to be version 1.9.2.
It appears, however, that BlackEnergy 2 has been in quiet development for over a year, and is a top-to-bottom rewrite of the codebase. Although there have been no public releases of the trojan builder kit for BlackEnergy 2 at this time (and thus we do not have any documentation actually containing the name "BlackEnergy 2"), it is certain that this new trojan is the successor to BlackEnergy version 1, even if the author chooses to rename it. Various fingerprints of the original BlackEnergy codebase can be found throughout the new trojan, along with fingerprints of other source code which was released by the author at different times. This analysis will refer to BlackEnergy version 2 as “BE2” at times throughout for the sake of brevity.
Unlike the old BlackEnergy versions, BlackEnergy 2 uses modern rootkit/process-injection techniques, strong encryption and a modular architecture. The original BlackEnergy kit did have a rudimentary trojan component used to hide the trojan executable and process, but BlackEnergy 2 is much more sophisticated. The basis for the new rootkit seems to be found in an older rootkit project released by the author called "BlackReleaver". Analysis of the code has shown that the older rootkit source code has been combined with new functions for unpacking and injecting modules into user processes and is now the core of the new rootkit-based BlackEnergy 2.

There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit, so this detection is not surprising. Even at a high level, there are some common tactics, such as the use of a "matryoshka doll" architecture (see ThreatExpert's blog entry "Rustock.C - Unpacking a Nested Doll"). <snip>