Wednesday, March 4, 2009

Banks under fire: malicious software versus financial companies.


For many people, the word "hacker" goes together with the word "bank". That is not surprising: for several decades, crackers who want to "earn" a lot of money have aimed their tactical sights at banks. And it is understandable: what could yield more money than an attack on a major bank?

But breaking into the servers that control transactions and accounts is a thankless task. It attracts too much attention, and more attention means a higher risk of being caught. A very different option is therefore much more interesting to an attacker: getting access to the assets of the bank's clients. The logic is simple enough: the smaller the scale of the break-in, the more likely the attacker is to remain at large; the two are inversely proportional, to put it mathematically. That is what I want to talk about today. In this article I will cover the following points: the kinds of malicious software that specialise in banks and other financial organisations and how they work; the social engineering techniques used by crackers; the attacks carried out to obtain account details or to hijack the handling of a transaction; and, finally, some thoughts on the subject of "how to avoid it".

Financial malware is the name anti-virus laboratories give, in their classifications, to malicious programs that target financial companies. Financial malware is not limited to a single class of program (it includes not only Trojan downloaders but also keyloggers and so on). To begin with, I think it would be useful to run through a few statistics. This will help us understand the current situation and contrast it with the situation of the recent past.


According to Kaspersky Lab, after a drop in the activity of financial malware writers at the end of 2006, a sharp jump in the number of such programs on the network followed in 2007. Note the chart (Fig. 1): it shows that the jump was not a single spike but the opposite, with the average held at a high level almost consistently. Naturally, the growth in the amount of malware aimed at finance led to an increase in attacks on banks. The situation today is slightly different, because the numbers have begun to fall (see the chart), yet the number of attacks on banks has stayed at the same level. The first reason I would single out for this turn of events is the wide choice of attack techniques: crackers use many different methods, and not all of them require malicious software at all, which accounts for the gap between the two figures. The second reason is that most burglars prefer to modify a finished program rather than write something completely new. That is understandable: why sit for several days when a couple of hours will do?

Banking malware is mostly aimed at a specific region. This has led to programs that can attack a handful of banks (usually one to three), typically located in the same region. An attacker cannot prepare malware for a bank in another country until he has studied that bank's protection, so it is easier to target the banks close at hand. Below is another chart, showing the percentage of malware able to attack more than one bank (Fig. 2). Moreover, financial malware has recently started to adopt or bundle rootkit technology, whose main task is to hide the malware from anti-virus and integrity-checking systems. Given that rootkits are now at a fairly advanced stage of development and can successfully fool anti-virus technology, this makes life hard for the anti-virus laboratories.

Polymorphism also serves as a means of protection, but not the kind you are all thinking of. The point is that classic polymorphic viruses are easily detected by anti-virus scanners. The next stage of development has been the active use of server-side polymorphism: the script that mutates the code runs not in the body of the virus but on a remote server. Thus the script's algorithm cannot be analysed, which makes detecting the malware much harder; all that remains is generic detection (detection by features shared by a family of malicious software), and that is not as reliable as a signature.


Phishing and money mules are two techniques of deception. The first is designed to steal information from people by trickery, and the second to "launder" the stolen money. Let us take them in turn. The volume of fake letters being sent is still high, which suggests that the deception works. Users fall for it again and again. There could be several reasons for this. Perhaps the most foolish is disregard for warnings about phishing mail: our traditional national "maybe it'll blow over". The second reason can be described as plain lack of security awareness among users, as a result of which they ignore the browser's warning that the site has no valid certificate. Either way, the outcome is the same: you follow the link without a second thought and enter your account details (your credit card) into the form on the fake bank website. The banks are at fault too, in that most of their security systems use static passwords. An attacker who obtains the password has access to the account in his pocket. Only dynamic passwords can change the situation; they can be sent to the client by mail or SMS, or simply handed over at the bank on a storage medium. Nevertheless, most banks prefer simple static passwords, and that is their weakness.

Money mules (also called "drops"), as I said, are for "washing" money. It is all quite simple: a job vacancy such as "finance manager" is posted on an advertising site, and the person who signs the contract suspects nothing. When financial mules are used with an electronic money system, funds arrive in the mule's wallet and he must transfer them on to other wallets, keeping a commission of 5-15%. This helps the organiser avoid punishment if the operation is uncovered and traced by the bank or the authorities. Moreover, the mules are in most cases treated as accomplices, so do not hang the label "easy money" on this occupation.

The network

I think that subtitle seemed strange to you. Let me explain: this section collects the attacks which are in one way or another connected with network traffic and its transmission.

First in line is an attack widely used for break-ins: diverting traffic. One of the easiest ways is to change the hosts file, which on Windows is located under the system root at system32\drivers\etc. Entries in this file are consulted before any query goes to the DNS server. DNS servers convert domain names into IP addresses, because a request to a server can only be made by address. If the file is altered in some way, a request for a certain domain name can be made to go to a fake server instead.
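The check a practitioner would want here is a scan of the hosts file for exactly this kind of override. The following is an added example, not code from the original post: it parses hosts-file text, and flags any entry that pins a watch-listed banking hostname to some address, plus (with lower confidence) any other non-loopback mapping for a name that does not belong in a clean hosts file. The watch-list names, the sample hosts content and the 198.51.100.23 address are constructed for the example.

```python
"""Detect hosts-file hijacks of banking domains (added example).

The WATCHLIST names and SAMPLE_HOSTS content below are constructed for
illustration; they are not real bank hostnames or a real infection.
"""
import ipaddress
from pathlib import Path

# Locations of the hosts file; the Windows path is the one the article names.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")
POSIX_HOSTS = Path("/etc/hosts")

# Constructed watch-list: hostnames that must never be resolved locally.
WATCHLIST = {"online.examplebank.test", "ib.examplebank.test",
             "login.otherbank.test"}

# Names that legitimately appear in a clean hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes",
                "ip6-allrouters"}

# Constructed sample: a clean Windows header followed by a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the two lines below were constructed for this example
198.51.100.23   online.examplebank.test   # phishing mirror
198.51.100.23   ib.examplebank.test
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, skipping comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return [(lineno, hostname, ip, confidence, reason)] for bad mappings.

    A watch-listed name is suspicious wherever it points: a bank should be
    resolved through DNS, never pinned locally. Any other non-loopback,
    non-benign mapping is reported as low confidence for manual review.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        if name in watchlist:
            findings.append((lineno, name, str(ip), "high",
                             "watch-listed host overridden"))
        elif not local and name not in BENIGN_NAMES:
            findings.append((lineno, name, str(ip), "low",
                             "non-local name pinned to an address"))
    return findings


def scan_file(path=None):
    """Scan the real hosts file of the running system."""
    path = path or (WINDOWS_HOSTS if WINDOWS_HOSTS.exists() else POSIX_HOSTS)
    return suspicious_entries(path.read_text(errors="replace"))


if __name__ == "__main__":
    for lineno, name, ip, confidence, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} [{confidence}] {reason}")
```

On a clean machine `scan_file()` returns an empty list; a single high-confidence hit is enough to treat the host as compromised, since nothing legitimate pins a bank's login hostname. The low-confidence rule will fire on corporate hosts files that pin internal names, so tune BENIGN_NAMES to your environment before alerting on it.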

Next on the list is an attack already familiar to many and described by me more than once: MitM (Man-in-the-Middle). Let me remind you: in this attack, as the name makes clear, there is a channel between the receiving service and the sending host on which the data can be intercepted. Naturally, the data sent by the user can be modified or "corrected" to obtain the result the attacker wants. In practice, the interception is done by financial malware working as a spy on the target computer. In such cases, the owner of an Internet banking account can initiate one transaction, while the "corrected" information that reaches the server makes a completely different one.

Another attack technique, belonging to the new school, is Man-in-the-Endpoint. This attack differs from MitM only in that the traffic is changed not in the "middle" but on the local machine. It takes much longer, of course, but the illegal transaction involves no extra IP address, which again reduces the chance of attracting attention. The process looks roughly like this: a Trojan infects the system and sends the traffic to a remote computer, where the virus writer analyses the information and prepares another Trojan for an attack on a specific bank resource.

And what can we do?

Clearly, protecting a banking system once and for all is simply impossible. When the main weakness was static passwords, any malware that intercepted keystrokes or presented fake forms on fake sites solved the problem (and very successfully). When everyone woke up and put dynamic password systems into service, that dealt with the static-password problem, but the attackers did not stop: the battle moved on to attacks aimed at traffic. So the only thing that can be done is to keep records, study them and analyse suspicious transactions. That solves part of the problem; the rest has to be addressed by continually updating security systems, since in the war of Hack vs. Security the balance of forces swings both ways and is unlikely to settle for more than a century. So everything depends on speed. Unfortunately, losses from attacks on financial institutions keep growing, which is a sore point. So the only hope lies with the information security professionals, who have it in their power to bring some stability to this field. To finish, I hope this information has made you think about the situation and, above all, about the state of your own security :).
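What "analysing suspicious transactions" means in practice is a server-side check that does not trust the client at all, since the MitM and Man-in-the-Endpoint attacks described above deliver a well-formed, correctly authenticated transaction that simply is not the one the customer entered. The following is an added example, not code from the original post or from any bank's system: it builds a per-client baseline from constructed transaction history and scores each new transaction by how far it departs from that baseline. The rules, thresholds, payee names and amounts are all constructed for the example.

```python
"""Score online-banking transactions against a client's own history.

Added example; the HISTORY data, rules and thresholds are constructed for
illustration, not taken from any real bank's fraud system.
"""
from collections import defaultdict
from statistics import median

# Constructed history for one client: (payee, amount).
HISTORY = [
    ("rent-landlord", 650.00), ("rent-landlord", 650.00),
    ("rent-landlord", 650.00), ("electric-co", 80.50),
    ("electric-co", 92.10), ("grocer", 45.00), ("grocer", 52.30),
    ("grocer", 48.75), ("mobile-telco", 30.00),
]


def baseline(history):
    """Summarise what is normal: amounts per known payee, and the largest
    amount the client has ever sent to anyone."""
    per_payee = defaultdict(list)
    for payee, amount in history:
        per_payee[payee].append(amount)
    return {"per_payee": dict(per_payee),
            "max": max(amount for _, amount in history)}


def score(txn, base, factor=3.0):
    """Return (score, reasons) for one transaction; higher is more suspicious.

    A known payee is judged against its own typical amount (so a large rent
    payment is not flagged just because groceries are small). A payee the
    client has never paid, receiving more than the client ever sent anyone,
    is exactly what an in-flight rewrite of payee and amount looks like.
    """
    payee, amount = txn
    reasons = []
    seen = base["per_payee"].get(payee)
    if seen is None:
        reasons.append("new payee")
        if amount > base["max"]:
            reasons.append("amount above anything previously sent")
            # Both signals together: hold and confirm out of band (e.g. by
            # phone or SMS), where the infected endpoint cannot answer.
            reasons.append("hold for out-of-band confirmation")
    elif amount > factor * median(seen):
        reasons.append(f"amount > {factor:g}x usual for this payee")
    return len(reasons), reasons


def review(transactions, history=HISTORY):
    """Score a batch of incoming transactions against the client's baseline."""
    base = baseline(history)
    return [(txn, *score(txn, base)) for txn in transactions]


if __name__ == "__main__":
    incoming = [("rent-landlord", 650.00), ("grocer", 61.00),
                ("new-shop", 20.00), ("mule-account-7", 2400.00)]
    for txn, points, reasons in review(incoming):
        print(f"{txn[0]:>16} {txn[1]:>8.2f}  score={points}  {'; '.join(reasons)}")
```

The point of the per-payee comparison is that the signal you care about is a change in the client's pattern, not the raw amount. A transaction that arrives over a perfectly valid session, passes the one-time password, and still scores as a brand-new payee receiving a record amount is the case where the server should refuse to act on the channel it received the order from and confirm the details with the customer through a different one.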

