Breaking the bank(er): automated configuration data extraction for banking malware

Presented at VB2015, Oct. 2, 2015, 11:30 a.m. (30 minutes).

Despite recent successes against large banking malware botnets such as Gameover Zeus and Shylock, banking malware continues to be a huge threat as new families such as Dyreza, Vawtrak and Dridex have occupied the vacant space in the market. Not only has the malware itself matured, but we have also seen the ecosystem and market model used by the malware authors evolve, as they gain in professionalism and sophistication.

In order to provide holistic protection against these threats, and to aid adequate incident response and a forensic post-mortem should a compromise succeed, we must know as much about the malware as possible. There is a wide variety of information that is useful to us: indicators of compromise, command and control addresses, campaign IDs, botnet names, revision numbers, cryptographic keys, downloaded configuration files that may contain web injects, redirections, further modules, tertiary command and control addresses, and many more. We can use some of these items of information to aid protection, others to identify infected hosts, decrypt network traffic and identify stolen data, and track threat campaigns to help us assess the overall impact of the threat and provide attribution.

Extracting this information can be a painstaking manual task that takes a great deal of time. A far better solution is to automate the process.

In this paper we outline our sandbox-based system that automatically extracts command and control addresses, decrypts and processes network traffic and configuration files, and extracts and stores many other types of valuable data, in a scalable and extensible way.

We describe the architecture of the system, the ease with which new modules can be plugged in to handle new malware families, and how we use this system to track and protect our customers against highly prevalent and damaging malware families including Vawtrak, Dyreza, Dridex and Zeus.


Presenters:

  • James Wyke - Sophos
    James Wyke is a Senior Threat Researcher with Sophos, where he has worked for eight years. James has published and presented on a range of research topics at a variety of industry conferences including VB, CARO and SOURCE. His research interests include botnets, banking malware, automated analysis, APTs and data mining.
