25C3 - 25th Chaos Communication Congress
Nothing to hide

Thorsten Holz
Day: Day 2 (2008-12-28)
Room: Saal 3
Start time: 20:30
Duration: 01:00
ID: 3020
Event type: lecture
Track: Hacking
Language used for presentation: en

Banking Malware 101

Overview of Current Keylogger Threats

In recent years, we have observed a growing sophistication in how credentials are stolen from compromised machines: attackers use keyloggers to control the victim's machine and apply several different techniques to capture the actual credentials. In this talk, we present an overview of this threat together with empirical measurement results.

Nowadays, attackers often steal sensitive information from a victim's machine with the help of a keylogger that sends the stolen information to a so-called dropzone. A dropzone is a publicly writable directory on a server on the Internet that serves as an exchange point for keylogger data: the malware running on a compromised machine sends all stolen credentials to the dropzone, where the attacker can pick them up and start to abuse them. Such an approach is more promising for the attacker than "traditional" phishing sites, since a keylogger captures every credential the victim enters on the infected machine rather than only the one a phishing page imitates, so the attacker obtains many more credentials from a single victim. In this talk, we present the results of an empirical study of this phenomenon, giving many details about the attacks we observed during recent months.

In the first part of the talk, we provide a detailed overview of some of the most common keyloggers found in the wild. We focus on the two malware families ZeuS/Zbot and Limbo/Nethell and show how they propagate, what features they have, and how the actual dropzone works. Several other malware families are covered briefly to give a broader picture of the threat. Afterwards, we present statistics and qualitative findings for the keylogger data we found on some dropzones.
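The kind of aggregation behind the "statistics for the keylogger data" mentioned above, and a concrete view of the dropzone exchange model described earlier, as an added example that is not code from the talk or from any of the malware families it names. The record format is an assumption made for illustration (one tab-separated line per captured form submission); real ZeuS/Zbot or Limbo/Nethell dropzone data is not formatted this way, and the sample lines are constructed, not real stolen data. The functions `parse_records`, `credentials_per_victim`, `victims_per_target` and `summarize` are hypothetical names chosen here.

```python
"""Aggregate constructed keylogger dropzone records per victim and per target.

Added example, not code from the talk or from any malware family it names.
Assumed record format (for illustration only), one line per captured form:
    <timestamp>\t<bot_id>\t<target_url>\t<field>=<value>[&<field>=<value>...]
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample dropzone content (not real stolen data).
SAMPLE_DROPZONE = """\
2008-11-02T10:14:03\tBOT-A1\thttps://online.bank.example/login\tuser=alice&pass=s3cret
2008-11-02T10:20:45\tBOT-A1\thttps://mail.example.net/auth\tlogin=alice@example.net&pw=hunter2
2008-11-02T11:02:10\tBOT-B7\thttps://online.bank.example/login\tuser=bob&pass=qwerty
2008-11-02T11:03:59\tBOT-B7\thttps://shop.example.org/checkout\tcard=4111111111111111&cvv=123
2008-11-03T08:45:00\tBOT-A1\thttps://online.bank.example/login\tuser=alice&pass=s3cret
2008-11-03T09:12:31\tBOT-C3\thttps://auction.example.com/signin\tusername=carol&password=letmein
"""

# Form field names treated as secrets (an assumption used only for classification).
SECRET_FIELDS = {"pass", "pw", "password", "cvv", "card"}


def parse_records(text):
    """Parse dropzone lines into dicts; malformed lines are skipped rather than fatal,
    because keylogger output in the wild is frequently truncated or garbled."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, bot_id, url, form = parts
        fields = dict(parse_qsl(form, keep_blank_values=True))
        records.append({
            "ts": ts,
            "bot": bot_id,
            "host": urlsplit(url).hostname or "",
            "fields": fields,
        })
    return records


def credentials_per_victim(records):
    """Distinct (host, field, value) secrets per bot. The same login captured twice
    (BOT-A1 above) counts once: that is what the attacker can actually abuse or resell."""
    seen = defaultdict(set)
    for r in records:
        for name, value in r["fields"].items():
            if name in SECRET_FIELDS:
                seen[r["bot"]].add((r["host"], name, value))
    return {bot: len(s) for bot, s in seen.items()}


def victims_per_target(records):
    """Number of distinct compromised machines that leaked a secret for each target host,
    i.e. which sites are hit hardest by a given dropzone."""
    hosts = defaultdict(set)
    for r in records:
        if any(name in SECRET_FIELDS for name in r["fields"]):
            hosts[r["host"]].add(r["bot"])
    return {host: len(bots) for host, bots in hosts.items()}


def summarize(text):
    """Overall numbers an analyst would pull from a captured dropzone dump."""
    recs = parse_records(text)
    return {
        "records": len(recs),
        "victims": len({r["bot"] for r in recs}),
        "credentials_per_victim": credentials_per_victim(recs),
        "victims_per_target": victims_per_target(recs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_DROPZONE), indent=2))
```

On the constructed sample, every victim except one leaks credentials for more than one site, which is the point made above about a keylogger yielding far more per victim than a single phishing page; the per-target view is what lets an analyst notify the most affected institutions.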