phdays.com, phdays.ru
Moscow, 2012, Day 1, Track 2, 11:00
Aleksandr Matrosov, Eugene Rodionov: Smartcard vulnerabilities in modern banking malware

Impact since 2010
- Exploit kits: Blackhole, Nuclear pack
- Apr 2012: carders moved from Blackhole to Nuclear pack
- New in Nuclear pack: added a check for a legitimate user
- Java is one of the main vectors in attacking users
- Example: a Google search for "евровидение 2012" contains an injected iframe pointing at yandeXXX..ru, a valid-looking domain; this helps to avoid AV/IDS detection of randomly generated domains; the iframe then redirects to an exploit
- Russia accounts for 70% of worldwide detections of carder activity
- 3x increase in detection rate from Nov 2011 to Jun 2012
- Biggest botnets: Origami, Gizmo, Dudorov

BK-LOADER (bootkit)
- Ringo bundle (ZeroKit or 0kit)
- First bootkit to modify the volume boot record (VBR); version 1.0, 11/02/2011
- Carberp sample: around 3000 bots receiving the volume boot record
- BK debug messages: looks like GSVSoft supplied some parts of the BK code
- After the screenshot publication they started (because of the high-traffic incentive) redirecting users to Blackhole

Rovnix, Carberp with BK, Rovnix.B
- Polymorphic VBR
- Malware driver storage
- Anti-debugging
- Removes hooks of HIPS systems
- WinAPI functions called by hash, not by name

Cards
- Attacks at the APDU level

crackme.esetnod32.ru: win an iPad, win an Amazon Kindle

Feisty
- If there is any delay in protocol or program execution, the malware changes its behaviour
- Malicious plugins are not saved on disk; they are loaded directly into kernel memory