One Article Review

Home - The article:
Source BAE
Identifier 352317
Publication date 2017-03-06 12:15:07 (viewed: 2017-03-06 12:15:07)
Title Pray before you buy with Shylock
Text Shylock
Written by Sergei Shevchenko, Cyber Research

"I will buy with you, sell with you, talk with you, walk with you, and so following; but I will not eat with you, drink with you, nor pray with you"
Shylock, 1.3.37, The Merchant of Venice, Shakespeare, 1564

Shylock-the-Trojan will indeed talk to you via Skype, and walk with you while you browse the Internet or while you buy or sell online. Ironically, this Man-in-the-Browser (MitB) trojan considers the homeland of Shakespeare its target #1.

Being a banking trojan that targets multiple banking institutions, it employs a plug-in architecture that allows the main 'framework' to be complemented with additional functionality. Shylock plug-ins are DLLs with the exports:

Destroy()
Init()
Start()

This description lists the main Shylock components one by one.

Driver

The Shylock driver is a kernel-mode rootkit designed to hide the files, processes, registry entries and traffic associated with Shylock. In addition, it switches off Windows UAC by resetting the value:

EnableLUA = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

With UAC disabled, Windows Vista/7/8 will no longer prompt for consent or for credentials for a valid administrator account before launching a Shylock executable, allowing it to start silently.

If the Windows version is Vista, 7 or 8, it obtains the "NSI proxy" driver and hooks its IRP_MJ_DEVICE_CONTROL dispatch routine. On a pre-Vista Windows OS, it also hooks the IRP_MJ_DEVICE_CONTROL dispatch routine within the TCP driver.

The reason Shylock hooks the "NSI proxy" driver is to hide itself from netstat, a tool often used by technically savvy users to check for active connections on a compromised PC: to inspect any open ports and to see which executables are holding active connections.
In those scenarios where Shylock engages its user-mode VNC component, the remote attacker has full remote access to the compromised system: its graphical desktop is fully relayed to the attacker, along with the keyboard and mouse events. The generated VNC traffic is thus relatively 'heavy', so there is a high chance it will eventually draw attention from the end user (e.g. the user might keep wondering why the modem LEDs are blinking so wildly). In that case, netstat becomes one of the first tools to be run to see what's going on with the system, and Shylock doesn't like that.

Whenever netstat is run, its calls are marshalled into the kernel and are eventually handled by the "NSI proxy" driver. The hook Shylock installs there is known as an IRP hook. The hook handler it places monitors enumerated connections, and whenever it locates a TCP connection that involves a particular port number it needs to hide (e.g. the one responsible for VNC traffic), it wi
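The two driver behaviours described above (EnableLUA reset to 0, and connections hidden from the host's own NSI query path) can be audited from the defender's side. The following PowerShell is an added example, not code from the BAE article; it assumes a Windows host with the NetTCPIP module and a hypothetical, constructed list of connections observed by an off-host sensor (firewall or NetFlow), since a kernel hook on the NSI path would hide entries from netstat and Get-NetTCPConnection alike.

```powershell
# Added example (not from the original article). Two defender-side checks for
# the Shylock driver behaviours described in the text.

function Test-UacDisabled {
    # Shylock's driver resets this value to 0x00000000; 1 is the expected setting.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 0)
}

function Compare-ConnectionViews {
    param(
        [string[]]$SensorSeen,   # "remoteIP:port" tuples observed off-host (assumed sensor feed)
        [string[]]$HostSeen      # the same tuples as reported by the host itself
    )
    # Anything the network saw but the host does not report is a candidate for
    # host-side hiding (an IRP hook on the NSI proxy / TCP driver, as in the article).
    return @($SensorSeen | Where-Object { $_ -notin $HostSeen })
}

# Host view: this goes through the same NSI path netstat uses, so a kernel hook
# would hide a connection from both tools equally.
$hostView = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" })

# Constructed sample of what an off-host sensor reported for this machine
# (hypothetical addresses from the documentation ranges; 5900 is the conventional VNC port).
$sensorView = @('203.0.113.10:443', '198.51.100.7:5900')

$hidden = Compare-ConnectionViews -SensorSeen $sensorView -HostSeen $hostView

if (Test-UacDisabled) {
    Write-Warning 'EnableLUA is 0: UAC consent/credential prompts are suppressed on this host.'
}
if ($hidden.Count -gt 0) {
    Write-Warning "Connections seen off-host but not reported locally: $($hidden -join ', ')"
}
```

Run it with the real sensor feed substituted for $sensorView; a non-empty $hidden list is worth a closer look at the host's kernel drivers rather than at netstat output alone.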
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.