Bank malware mitigations

Published in

Code Fighters

4 min readJun 27, 2018

Malware is the name for a program designed to mistreat its users. Viruses typically are malicious, but sometimes software products and software preinstalled in products can also be malicious — and often are, im not even joking, it’s a sad fact. You can see that these softwares sometimes stand in the whitelist of signatures of some antivirus. Malware often contains hidden behavior which is only activated when properly triggered. Well i can tell you some known examples of malwares like the MyDoom worm which DDoS’s on particular dates, keyloggers which only log keystrokes for particular bank sites(you can include GetWIndowText()[1] function of windows API), and DDoS zombies that are only activated when given the proper command. When you enter a particular site like a bank site, you can feel strange things happening in your machine. We call such behavior trigger based behavior.

Turn functional malwares to nonfunctional

To prolong the life of a malware, you can frequently see anti-VM and anti-debugging techniques being used to delay the analysis process performed by security experts. The good news for you is that you have a lot of ways to try and mitigate that, for example with ollydbg you can use OllyExt plugin[6] to try bypassing anti-debugger resources, another way you can detect some behaviors while also following the hooking approach is, for example, when the debugger executes a malware, you can force by hooking the function IsDebuggerPresent()[7] to make it always return zero( bypassing the debug detector).

But in any case, you can also protect the machine. You can use the function IsDebuggerPresent() and, with hooking, force it to always return value 1. By following this approach the malware is never going to start the trigger since he’s either frozen or called an exit() function by now, some other contexts may happen as well. Malware often contains hidden behavior which is only activated when properly triggered. No trigger, the malware quits, simple.

However, the problem is not always in the IsDebuggerPresent() function, take look here.

“You must be shapeless, formless, like water. When you pour water in a cup, it becomes the cup. When you pour water in a bottle, it becomes the bottle. When you pour water in a teapot, it becomes the teapot. Water can drip and it can crash. Become like water my friend.” — Bruce Lee

For every anti-debug function or anti-VM resource you need to search and study a different path to follow and ultimately solve the problem. For example in Anti-VM context, if you need to debug a bank malware in the VM, you can try to bypass that resource by making a simple hardening.

For the Blue team purpose, you can create fake VBox files in the operating system with registers of Vbox, that action can trigger the anti-vm resources in the malware, in other words you can use that technique to do mitigation on a real machine because this technique can turn a functional malware nonfunctional. To properly and easily understand that, you can try to install Vbox guest additions[8] and monitor his calls that use sys calls like RegCreateKeyEx()[9]. The idea is simple, insert false vbox registers in your machine and some vbox files, the malware then uses its anti_vm checks and detects the vbox files and quits.

The odyssey

Clear your mind and try to remember: “ You can try to mitigate or detect a lot of threats. But this is not the silver bullet for all monsters.”. Following a rhetorical approach, many bank malwares attack their operational system using common functions like GetCursorPos()[2], GetMessage()[3] and GetKeyState()[4] for example, if you study some of these functions calls in the microsoft official documentation, you can say: “That’s amazing, these functions are ground base for a spyware!”.

Ok, but let’s go deeper now, you may ask:“How can i detect these function calls ?”.

The answer: try to use hooking. There are many ways to do that. I recently studied the API easyhook[5], i chose this API so that i may easily explain my study, yes i know other techniques but easyhook turns all resources portable, for example the same software can run in both windows 7 32bit and windows 10 64bit, the API promotes the gateway between archs using conditions to detect and load correct DLL… I made a presentation better explaining this here.

By following that stuff you can block keyloggers and screenloggers, look at this proof of concept:

Screenlogger block youtube video

Thank you for reading.

Author: Antonio Costa