A framework for financial botnet analysis

Financial botnets, those specifically aimed at carrying out financial fraud, represent a well-known threat for banking institutions all around the globe. Unfortunately, these malicious networks are responsible for huge economic losses or for conducting money laundering operations. Contrary to DDoS and spam malware, the stealthy nature of financial botnets requires new techniques and novel research in order to detect, analyze and even to take them down. This paper presents a work-in-progress research aimed at creating a system able to mitigate the financial botnet problem. The proposed system is based on a novel architecture that has been validated by one of the biggest savings banks in Spain. Based on previous experiences with two of the proposed architecture building blocks -the Dorothy framework and a blacklist-based IP reputation system-, we show that it is feasible to map financial botnet networks and to provide a non-deterministic score to its associated zombies. The proposed architecture also promotes intelligence information sharing with involved parties such as law enforcement authorities, ISPs and financial institutions. Our belief is that these functionalities will prove very useful to fight financial cybercrime

Using Multimedia Presentations to Improve Digital Forensic Understanding: A Pilot Study

Improving employees’ understanding of digital forensic technical terms and concepts within an organisation is likely to increase the potential of successful collaboration during a cyber security incident (e.g. data breach) investigation within that organisation. In this paper, we seek to determine whether multimedia presentations, in this case videos, are an effective tool in improving a learner’s technical understanding of digital forensic terms and concepts. Using the cognitive theory of multimedia learning as the underlying theoretical lens, we surveyed nine participants from the financial sector who have cyber security-related responsibilities. With the exception of one participant, the study found that the use of multimedia presentations can improve participants’ understanding of technical digital forensic terms and concepts. Potential future research questions are also identified

Identifying and combating cyber-threats in the field of online banking

This thesis has been carried out in the industrial environment external to the University, as an industrial PhD. The results of this PhD have been tested, validated, and implemented in the production environment of Caixabank and have been used as models for others who have followed the same ideas. The most burning threats against banks throughout the Internet environment are based on software tools developed by criminal groups, applications running on web environment either on the computer of the victim (Malware) or on their mobile device itself through downloading rogue applications (fake app's with Malware APP). Method of the thesis has been used is an approximation of qualitative exploratory research on the problem, the answer to this problem and the use of preventive methods to this problem like used authentication systems. This method is based on samples, events, surveys, laboratory tests, experiments, proof of concept; ultimately actual data that has been able to deduce the thesis proposal, using both laboratory research and grounded theory methods of data pilot experiments conducted in real environments. I've been researching the various aspects related to e-crime following a line of research focusing on intrinsically related topics: - The methods, means and systems of attack: Malware, Malware families of banker Trojans, Malware cases of use, Zeus as case of use. - The fixed platforms, mobile applications and as a means for malware attacks. - forensic methods to analyze the malware and infrastructure attacks. - Continuous improvement of methods of authentication of customers and users as a first line of defense anti- malware. - Using biometrics as innovative factor authentication.The line investigating Malware and attack systems intrinsically is closed related to authentication methods and systems to infect customer (executables, APP's, etc.), because the main purpose of malware is precisely steal data entered in the "logon "authentication system, to operate and thus, fraudulently, steal money from online banking customers. Experiments in the Malware allowed establishing a new method of decryption establishing guidelines to combat its effects describing his fraudulent scheme and operation infection. I propose a general methodology to break the encryption communications malware (keystream), extracting the system used to encrypt such communications and a general approach of the Keystream technique. We show that this methodology can be used to respond to the threat of Zeus and finally provide lessons learned highlighting some general principles of Malware (in general) and in particular proposing Zeus Cronus, an IDS that specifically seeks the Zeus malware, testing it experimentally in a network production and providing an effective skills to combat the Malware are discussed. The thesis is a research interrelated progressive evolution between malware infection systems and authentication methods, reflected in the research work cumulatively, showing an evolution of research output and looking for a progressive improvement of methods authentication and recommendations for prevention and preventing infections, a review of the main app stores for mobile financial services and a proposal to these stores. The most common methods eIDAMS (authentication methods and electronic identification) implemented in Europe and its robustness are analyzed. An analysis of adequacy is presented in terms of efficiency, usability, costs, types of operations and segments including possibilities of use as authentication method with biometrics as innovation.Este trabajo de tesis se ha realizado en el entorno industrial externo a la Universidad como un PhD industrial Los resultados de este PhD han sido testeados, validados, e implementados en el entorno de producción de Caixabank y han sido utilizados como modelos por otras que han seguido las mismas ideas. Las amenazas más candentes contra los bancos en todo el entorno Internet, se basan en herramientas software desarrolladas por los grupos delincuentes, aplicaciones que se ejecutan tanto en entornos web ya sea en el propio ordenador de la víctima (Malware) o en sus dispositivos móviles mediante la descarga de falsas aplicaciones (APP falsa con Malware). Como método se ha utilizado una aproximación de investigación exploratoria cualitativa sobre el problema, la respuesta a este problema y el uso de métodos preventivos a este problema a través de la autenticación. Este método se ha basado en muestras, hechos, encuestas, pruebas de laboratorio, experimentos, pruebas de concepto; en definitiva datos reales de los que se ha podido deducir la tesis propuesta, utilizando tanto investigación de laboratorio como métodos de teoría fundamentada en datos de experimentos pilotos realizados en entornos reales. He estado investigando los diversos aspectos relacionados con e-crime siguiendo una línea de investigación focalizada en temas intrínsecamente relacionadas: - Los métodos, medios y sistemas de ataque: Malware, familias de Malware de troyanos bancarios, casos de usos de Malware, Zeus como caso de uso. - Las plataformas fijas, los móviles y sus aplicaciones como medio para realizar los ataques de Malware. - Métodos forenses para analizar el Malware y su infraestructura de ataque. - Mejora continuada de los métodos de autenticación de los clientes y usuarios como primera barrera de defensa anti- malware. - Uso de la biometría como factor de autenticación innovador. La línea investiga el Malware y sus sistemas de ataque intrínsecamente relacionada con los métodos de autenticación y los sistemas para infectar al cliente (ejecutables, APP's, etc.) porque el objetivo principal del malware es robar precisamente los datos que se introducen en el "logon" del sistema de autenticación para operar de forma fraudulenta y sustraer así el dinero de los clientes de banca electrónica. Los experimentos realizados en el Malware permitieron establecer un método novedoso de descifrado que estableció pautas para combatir sus efectos fraudulentos describiendo su esquema de infección y funcionamiento Propongo una metodología general para romper el cifrado de comunicaciones del malware (keystream) extrayendo el sistema utilizado para cifrar dichas comunicaciones y una generalización de la técnica de Keystream. Se demuestra que esta metodología puede usarse para responder a la amenaza de Zeus y finalmente proveemos lecciones aprendidas resaltando algunos principios generales del Malware (en general) y Zeus en particular proponiendo Cronus, un IDS que persigue específicamente el Malware Zeus, probándolo experimentalmente en una red de producción y se discuten sus habilidades y efectividad. En la tesis hay una evolución investigativa progresiva interrelacionada entre el Malware, sistemas de infección y los métodos de autenticación, que se refleja en los trabajos de investigación de manera acumulativa, mostrando una evolución del output de investigación y buscando una mejora progresiva de los métodos de autenticación y de la prevención y recomendaciones para evitar las infecciones, una revisión de las principales tiendas de Apps para servicios financieros para móviles y una propuesta para estas tiendas. Se analizan los métodos más comunes eIDAMS (Métodos de Autenticación e Identificación electrónica) implementados en Europa y su robustez y presentamos un análisis de adecuación en función de eficiencia, usabilidad, costes, tipos de operación y segmentos incluyendo un análisis de posibilidades con métodos biométricos como innovación.Postprint (published version

An exploration into the use of webinjects by financial malware

As the number of computing devices connected to the Internet increases and the Internet itself becomes more pervasive, so does the opportunity for criminals to use these devices in cybercrimes. Supporting the increase in cybercrime is the growth and maturity of the digital underground economy with strong links to its more visible and physical counterpart. The digital underground economy provides software and related services to equip the entrepreneurial cybercriminal with the appropriate skills and required tools. Financial malware, particularly the capability for injection of code into web browsers, has become one of the more profitable cybercrime tool sets due to its versatility and adaptability when targeting clients of institutions with an online presence, both in and outside of the financial industry. There are numerous families of financial malware available for use, with perhaps the most prevalent being Zeus and SpyEye. Criminals create (or purchase) and grow botnets of computing devices infected with financial malware that has been configured to attack clients of certain websites. In the research data set there are 483 configuration files containing approximately 40 000 webinjects that were captured from various financial malware botnets between October 2010 and June 2012. They were processed and analysed to determine the methods used by criminals to defraud either the user of the computing device, or the institution of which the user is a client. The configuration files contain the injection code that is executed in the web browser to create a surrogate interface, which is then used by the criminal to interact with the user and institution in order to commit fraud. Demographics on the captured data set are presented and case studies are documented based on the various methods used to defraud and bypass financial security controls across multiple industries. The case studies cover techniques used in social engineering, bypassing security controls and automated transfers

Identification and Recognition of Remote-Controlled Malware

This thesis encapsulates research on the detection of botnets. First, we design and implement Sandnet, an observation and monitoring infrastructure to study the botnet phenomenon. Using Sandnet, we evaluate detection approaches based on traffic analysis and rogue visual monetization. Therefore, we identify and recognize botnet C&C channels by help of traffic analysis. To a large degree, our clustering and classification leverage the sequence of message lengths per flow. As a result, our implementation, CoCoSpot, proves to reliably detect active C&C communication of a variety of botnet families, even in face of fully encrypted C&C messages. Furthermore, we found a botnet that uses DNS as carrier protocol for its command and control channel. By help of statistical entropy as well as behavioral features, we design and implement a classifier that detects DNS-based C&C, even in mixed network traffic of benign users. Finally, perceptual clustering of Sandnet screenshots enables us to group malware into rogue visual monetization campaigns and study their monetization properties