ASERT Threat Intelligence Brief 2016-01
The Big Bong Theory: Conjectures on a Korean Banking Trojan
The ASERT research team has recently been analyzing some samples of malware that, as far as we could tell, were not well documented in the security community. The primary functionality of the malware is to operate as a banking trojan targeting South Korean financial institutions. We have internally dubbed this malware family with the moniker “Big Bong”, based on the name that one of its component DLLs uses.
We have developed a theory as to the purpose and goals of this malware family; however, we have not yet definitively proven (or disproven) this theory. The purpose of this article is to share our preliminary findings to date on this malware family, in the hope that other security researchers and analysts might recognize it and share additional insights into its workings and evolution.
Representative Samples
We have been analyzing samples of both the Big Bong builder and the resulting Big Bong bot binaries. The builder sample we have explored most thoroughly so far is as follows:
MD5: 46c2e48d8bbe7c4e5dec4abc7d85289d
SHA1: c0f64da3a7b40cec1ee3302b7ee5bbd7de1c4600
SHA256: 4936da7feca776fefd9a459d72247667a7d9c565d2c3a417a760d658909db6d4
Size: 221,184 bytes
Compilation Date: Feb 3, 2015 @ 14:06:55
VirusTotal Detection: 18/57 (as of Aug 28, 2015)
VirusTotal Analysis Date: Aug 16, 2015 @ 00:53:28 UTC
Of the actual bot binaries we have observed in the wild, the following representative sample has been the primary focus of our analysis:
MD5: 63bdf04159a1e3d3d775c42b6510f460
SHA1: 8d7ba4cbce50e71bef528733fd85eb3042f18a27
SHA256: 0681e0a076601cc237c586e72f388412cbccb0ea986ef199b4dbdce65d915e26
Size: 188,416 bytes
Compilation Date: Feb 3, 2015 @ 14:06:54
VirusTotal Detection: 38/57
VirusTotal Analysis Date: Aug 28, 2015 @ 14:17:04 UTC
Most antivirus detections are rather generic in nature (“spyware”, “banker”, “malware”, “generic”, etc.).
© Copyright 2016 Arbor Networks, Inc. All rights reserved.
Arbor Security Report: The Big Bong Theory: Conjectures on a Korean Banking Trojan
Evolutionary Ancestors and/or Cousins
We believe the particular strain of malware that we have been studying is related to a fairly long ancestral line of Korean banking trojans that infect both Windows PCs and (more recently) Android mobile devices. These families include KRBanker [1, 2], Bankrif [3], Boyapki [4, 5, 6], and Venik [12]. The malware family we are calling Big Bong has much in common with these other families, including its specific targeting of South Korean banks and its exfiltration of NPKI certificates commonly used within South Korea for authentication purposes.
General Obfuscation Characteristics of the Bot Code
The Big Bong bot binaries are written in C++. As is common in this day and age, the malcode makes extensive use of obfuscation in order to slow down reverse engineering. In particular, the malware avoids the explicit embedding of suspicious or sensitive strings in its binaries, as well as the existence of certain Win32 API imports that might raise eyebrows. In this regard, the preferred technique of Big Bong is to construct its strings programmatically, one character at a time. A representative example of this coding style is demonstrated by the construction of the string “V3 Manager” (the display name of a Windows service through which Big Bong installs itself), as shown in Figure 1:
Figure 1: Construction of service display name “V3 Manager”
Proprietary and Confidential Information of Arbor Networks, Inc.
Oftentimes Big Bong will further obfuscate these strings by constructing them byte-by-byte in XOR-encrypted form, rather than in plaintext. The malcode will then decrypt them using an XOR key buffer that is also constructed dynamically from 4-byte DWORD components; see Figure 2 for an example in which the 7-byte XOR key sdf3xdi is used to decrypt a 30-byte crypted buffer to yield the sensitive string SOFTWARE\Microsoft\DataAcSess (used to specify a Registry key into which the bot will set values).
Figure 2: Dynamic construction and decryption of Registry key “SOFTWARE\Microsoft\DataAcSess”
These basic obfuscation techniques, or slight variations thereof, are used throughout the entire Big Bong code base; for example, one common variation is to use a single hard-coded XOR byte 0x01 instead of a multi-byte XOR key stream.
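As an added example (our own code, not the report's or the malware's), the following Python decoder reproduces the repeating-key XOR scheme described above, including known-plaintext recovery of the key when the start of the decoded string can be guessed. The encrypted buffers are constructed here from the report's key sdf3xdi and Registry string; the single-byte 0x01 variant is applied to a made-up FTP hostname, since the report does not publish the real credentials.

```python
"""XOR string-decoding helper modelled on the Big Bong obfuscation described above.

Added example, not code from the report or the malware.  The only values taken
from the report are the 7-byte key "sdf3xdi", the 30-byte decoded string
"SOFTWARE\\Microsoft\\DataAcSess" (29 characters plus a NUL terminator) and the
single-byte 0x01 variant; the encrypted buffers below are constructed here by
applying the same XOR so that the decoder can be exercised offline.
"""
from itertools import cycle


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    """XOR buf against key, repeating the key as needed (XOR is its own inverse)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(buf, cycle(key)))


def decode_c_string(crypted: bytes, key: bytes) -> str:
    """Decrypt a crypted buffer and return the text up to the first NUL byte,
    which is how the decoded string is consumed by the C++ code."""
    plain = xor_bytes(crypted, key)
    end = plain.find(b"\x00")
    return (plain if end < 0 else plain[:end]).decode("latin-1")


def recover_key(crypted: bytes, known_prefix: bytes, key_len: int):
    """Known-plaintext key recovery: if the decoded string is expected to start
    with known_prefix (e.g. b"SOFTWARE\\"), each key byte is plaintext XOR
    ciphertext at that position.  The prefix must cover one full key period,
    and every repeat of the key inside the prefix must agree; otherwise the
    guess (or the key length) is wrong and None is returned."""
    if key_len <= 0 or len(known_prefix) < key_len or len(crypted) < len(known_prefix):
        return None
    key = bytearray(key_len)
    for i, (c, p) in enumerate(zip(crypted, known_prefix)):
        k = c ^ p
        if i < key_len:
            key[i] = k
        elif key[i % key_len] != k:
            return None
    return bytes(key)


# --- Constructed sample buffers -------------------------------------------
REGKEY = b"SOFTWARE\\Microsoft\\DataAcSess"            # 29 bytes, from the report
MULTI_KEY = b"sdf3xdi"                                   # 7-byte key, from the report
CRYPTED_REGKEY = xor_bytes(REGKEY + b"\x00", MULTI_KEY)  # 30-byte buffer, constructed

# The single hard-coded XOR byte 0x01 variant, applied here to a made-up,
# obviously fake FTP hostname (the report does not publish the real value).
SINGLE_KEY = b"\x01"
CRYPTED_FTP = xor_bytes(b"ftp.example.invalid" + b"\x00", SINGLE_KEY)


def demo() -> dict:
    """Run the decoder over both constructed buffers and return the results."""
    recovered = recover_key(CRYPTED_REGKEY, b"SOFTWARE\\", len(MULTI_KEY))
    return {
        "regkey": decode_c_string(CRYPTED_REGKEY, MULTI_KEY),
        "recovered_key": recovered,
        "ftp_host": decode_c_string(CRYPTED_FTP, SINGLE_KEY),
        # A wrong key length makes the key repeats disagree, so recovery fails.
        "bad_len": recover_key(CRYPTED_REGKEY, b"SOFTWARE\\", 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```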
Bot Installation
A Big Bong binary is deployed as a standalone .EXE installer that contains two embedded DLL components stored in the form of resources; Figure 3 is a high-level diagram of the installation process.
Figure 3: Big Bong Installation Process
The two embedded resources are typically stored as resource type BSS and are named 101 and 105. They are stored in plaintext form within the Big Bong installer stub. The installer will drop both of these binary resources, 101 and 105, as DLLs into the system directory C:\Windows\System32 as modules named vdV3Manager32.dll and MsLSP.dll, respectively. The first dropped DLL component has the following vital statistics:
Resource ID: 101
Name: C:\Windows\System32\vdV3Manager32.dll
MD5: 5176921f6c672778827faa2884d4e262
SHA1: a74fdf082180c90b9daec79650c19fe461afdbb0
SHA256: 8e0bc5fe39b8a327ffde5af07cab6d839a7418b3361778148e1c7dcfd9ca757d
Size: 61,952 bytes
Compilation Date: Feb 3, 2015 @ 13:36:48
VirusTotal Detection: 18/57
VirusTotal Analysis Date: Aug 16, 2015 @ 05:49:44 UTC
File Description: FileAttribute.dll
File Version: 1, 15, 01, 20
Internal Name: Microsoft Software
Legal Copyright: Copyright @ Microsoft Software Corporation. All rights reserved.
Original Filename: FileAttribute.dll
This first DLL exports the following functions:
DllEntryPoint 0x1000C37C
WoMain 0x100076B0
UserCheck 0x10007670
REGAutsi 0x10007660
ClientServer 0x10007660
The second dropped DLL is as follows:
Resource ID: 105
Name: C:\Windows\System32\MsLSP.dll
MD5: 25479a9f541cec522dd0b9e40e92aa8e
SHA1: 995eb442779d6f81928c4f715ace34ae15456b73
SHA256: e8fef196718527d154aba4339e9aa527ab795709be3f4cb41bb9ff976fd9b5fa
Size: 69,632 bytes
Compilation Date: Feb 3, 2015 @ 14:06:52
VirusTotal Detection: 0/57
VirusTotal Analysis Date: Aug 23, 2015 @ 01:50:55 UTC
File Description: BigBong
File Version: Ahn BigBong
Internal Name: BigBong
Legal Copyright: Copyright @ Ahn 2015
Original Filename: BigBong.dll
This second DLL exports the following functions:
DllEntryPoint 0x10002F2F
WSPStartup 0x10002060
PLSPIoControl 0x10001670
Incidentally, our internal moniker “Big Bong” was given to this malware based on the file attributes of this second MsLSP.dll component DLL.
Immediately prior to dropping these two embedded DLL resources, the Big Bong installer stub will create a Windows service named “V3Manager”, with display name “V3 Manager”. This service is configured to use the binary path “svchost.exe -k V3manager” as the mechanism for spawning the service upon demand.
The Big Bong installer will then create the following Registry key:
HKLM\system\CurrentControlSet\Services\V3Manager
This key contains various parameters of the freshly installed V3 Manager service, including:
Description: Safe manager for V3 AntiVirius
Group: Com Infrastructure
ServiceDLL: C:\Windows\System32\vdV3Manager32.dll
ServiceMain: WoMain
This last parameter, WoMain, is important because it specifies the name of the service entry point within the service DLL vdV3Manager32.dll.
The Big Bong installer will then start up the newly installed “V3 Manager” service, implemented by the dropped vdV3Manager32.dll's exported function WoMain, via a call to the Win32 StartServiceA() API function.
Once the “V3 Manager” service has been started, the installer stub will drop the second embedded DLL as a module named MsLSP.dll. It will then use the Winsock Service Provider Interface (SPI) to install new transport drivers within the Winsock TCP/IP stack. The Layered Service Provider architecture built into Winsock provides an interface that may be used to modify the low-level behavior of Windows' network socket implementations to achieve numerous types of objectives, such as intercepting traffic, eavesdropping upon traffic, surreptitiously re-routing packets, etc. [7, 8, 10].
Specifically, the malcode will call the WSCInstallProvider() API to install a new TCP transport driver, named PhoenixLSP, that is implemented by the freshly dropped MsLSP.dll module (see Figure 4). This transport driver is configured with hard-coded GUID {D3C21122-85E1-48F3-9AB6-23D90C7307EF}, and is installed with the PFL_HIDDEN flag included in the dwProviderFlags options. According to Microsoft [9], this flag specifies that the installed driver should not be included in the result set returned by the WSAEnumProtocols() API.
Figure 4: Installing PhoenixLSP transport driver
The Big Bong installer will then install three additional transport drivers: a TCP driver, a UDP driver, and a RAW socket driver. The parameters of these three drivers are configured by first enumerating over all installed Winsock SPI drivers via the WSPEnumProtocols() API call and looking for the first UDP (protocol 17), first TCP (protocol 6), and first RAW socket (protocol 0) drivers among the pre-existing service provider components. For each of these three existing service providers, a new driver is installed that layers the new PhoenixLSP protocol over the existing protocol.
For example, on a typical infected WinXP host, the three new TCP, UDP, and RAW socket drivers would be named PhoenixLSP over MSAFD Tcpip [TCP/IP], PhoenixLSP over MSAFD Tcpip [UDP/IP], and PhoenixLSP over MSAFD Tcpip [RAW/IP], respectively. For each of these three new drivers, the original pre-existing driver is configured as the base provider in the provider's WSAPROTOCOLCHAIN structure, with the initially installed PhoenixLSP driver as a layer on top of this base protocol. Again, the freshly dropped MsLSP.dll module is specified as the lpszProviderDllPath that implements the three new transport drivers.
Finally, the WSCWriteProviderOrder() API is called to update the order of transport drivers used by Winsock. The three newly installed layered transport drivers are specified as the highest priority drivers in terms of selection for use; they are given higher priorities than their respective pre-existing base protocols.
So in essence, the Big Bong malware manages to alter the TCP/IP stack of the infected host in such a way that all TCP, UDP, or RAW sockets created by any and all client applications (e.g., web browsers) will be “intercepted” by the new PhoenixLSP layered protocol before being passed along to the underlying pre-existing TCP, UDP, or RAW socket handling networking stack components. For example, when a client application, such as a browser, makes a Winsock 2 API call such as connect() (either directly or indirectly through other system DLLs), Winsock will call the Big Bong driver instead of the standard Windows TCP driver module; this Big Bong driver can monitor and/or modify the parameters of the connect() call prior to passing it on to the standard Windows TCP driver.
Table 1 shows the original ordered stack of service providers on a typical Windows XP system prior to infection:
Table 1: Original (pre-infection) Winsock Transport Provider Stack
Order | Cat Id | Protocol Name | Chain? | Proto
0 | 0x3e9 | MSAFD Tcpip [TCP/IP] | - | 6
1 | 0x3ea | MSAFD Tcpip [UDP/IP] | - | 17
2 | 0x3eb | MSAFD Tcpip [RAW/IP] | - | 0
3 | 0x3ec | RSVP UDP Service Provider | - | 17
4 | 0x3ed | RSVP TCP Service Provider | - | 6
5 | 0x3ee | MSAFD NetBIOS [\Device\NetBT_Tcpip_{16325B0B-4636-4303-ABE3-C7D49D7CECDC}] SEQPACKET 0 | - | 0x80000000
6 | 0x3ef | MSAFD NetBIOS [\Device\NetBT_Tcpip_{16325B0B-4636-4303-ABE3-C7D49D7CECDC}] DATAGRAM 0 | - | 0x80000000
7 | 0x3f0 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FE87B73-B12E-47D6-82C4-FB0D4CF73262}] SEQPACKET 1 | - | 0xffffffff
8 | 0x3f1 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FE87B73-B12E-47D6-82C4-FB0D4CF73262}] DATAGRAM 1 | - | 0xffffffff
9 | 0x3f2 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAC79791-BD6D-4F3E-BCAD-E3686652FAEE}] SEQPACKET 2 | - | 0xfffffffe
10 | 0x3f3 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAC79791-BD6D-4F3E-BCAD-E3686652FAEE}] DATAGRAM 2 | - | 0xfffffffe
By comparison, Table 2 shows the resulting ordered stack of service providers after the Big Bong installer has completed its modifications to Winsock:
Table 2: Modified (post-infection) Winsock Transport Provider Stack
Order | Cat Id | Protocol Name | Chain? | Proto
0 | 0x3f5 | PhoenixLSP over MSAFD Tcpip [TCP/IP] | 0x3f4, 0x3e9 | 6
1 | 0x3f6 | PhoenixLSP over MSAFD Tcpip [UDP/IP] | 0x3f4, 0x3ea | 17
2 | 0x3f7 | PhoenixLSP over MSAFD Tcpip [RAW/IP] | 0x3f4, 0x3eb | 0
3 | 0x3e9 | MSAFD Tcpip [TCP/IP] | - | 6
4 | 0x3ea | MSAFD Tcpip [UDP/IP] | - | 17
5 | 0x3eb | MSAFD Tcpip [RAW/IP] | - | 0
6 | 0x3ec | RSVP UDP Service Provider | - | 17
7 | 0x3ed | RSVP TCP Service Provider | - | 6
8 | 0x3ee | MSAFD NetBIOS [\Device\NetBT_Tcpip_{16325B0B-4636-4303-ABE3-C7D49D7CECDC}] SEQPACKET 0 | - | 0x80000000
9 | 0x3ef | MSAFD NetBIOS [\Device\NetBT_Tcpip_{16325B0B-4636-4303-ABE3-C7D49D7CECDC}] DATAGRAM 0 | - | 0x80000000
10 | 0x3f0 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FE87B73-B12E-47D6-82C4-FB0D4CF73262}] SEQPACKET 1 | - | 0xffffffff
11 | 0x3f1 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FE87B73-B12E-47D6-82C4-FB0D4CF73262}] DATAGRAM 1 | - | 0xffffffff
12 | 0x3f2 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAC79791-BD6D-4F3E-BCAD-E3686652FAEE}] SEQPACKET 2 | - | 0xfffffffe
13 | 0x3f3 | MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAC79791-BD6D-4F3E-BCAD-E3686652FAEE}] DATAGRAM 2 | - | 0xfffffffe
14 | 0x3f4 | PhoenixLSP | - | 6
Once the Big Bong installer has dropped the two DLLs, completed the installation and starting of the V3manager service, and completed the installation of the PhoenixLSP-based networking stack protocols, it will terminate. From this point onward, the malcode runs in the context of a newly spawned svchost.exe process (hosting the vdV3Manager32.dll) and all network-aware processes, such as browsers, that will now inadvertently be forced to run their networking through the PhoenixLSP-layered transport drivers implemented by MsLSP.dll.
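The following Python audit, added here and not part of the report, models the catalog records from Tables 1 and 2 and flags the three features of the Big Bong modification that a defender can check for on a host: provider DLLs outside an allow-list, a hidden (PFL_HIDDEN) layered protocol, and chains ordered ahead of their own base providers. The DLL paths, the allow-list and the omission of the RSVP/NetBIOS rows are our assumptions.

```python
"""Audit of a Winsock 2 provider catalog for Big Bong-style layered providers.

Added example, not code from the report.  The catalog records are constructed
from the report's Tables 1 and 2 (order, catalog IDs, names, chains); the DLL
paths, the PFL_HIDDEN flag on the PhoenixLSP layer and the ChainLen convention
(0 = layered protocol, 1 = base protocol, >1 = protocol chain) follow the
Winsock 2 SPI.  On a live host the records would come from WSCEnumProtocols()
or "netsh winsock show catalog"; reading them is outside this offline example.
"""
from dataclasses import dataclass, field

PFL_HIDDEN = 0x00000004   # winsock2.h: entry omitted from WSAEnumProtocols()
MSWSOCK = r"%SystemRoot%\system32\mswsock.dll"
TRUSTED_DLLS = {MSWSOCK}  # assumption: site allow-list of provider DLLs


@dataclass
class Provider:
    order: int            # position in the Winsock selection order
    cat_id: int           # catalog entry ID
    name: str             # szProtocol
    proto: int            # iProtocol (6 = TCP, 17 = UDP, 0 = RAW)
    dll: str              # lpszProviderDllPath
    chain: list = field(default_factory=list)   # ProtocolChain, top layer first
    flags: int = 0        # dwProviderFlags

    @property
    def chain_len(self) -> int:
        return len(self.chain)


def find_layered_chains(catalog):
    """Entries with ChainLen > 1: protocol chains that interpose one or more
    layered providers on top of a base provider."""
    return [p for p in catalog if p.chain_len > 1]


def first_match(catalog, proto):
    """Provider Winsock would pick for a plain socket() of this protocol:
    the first selectable entry in provider order (a bare layered protocol,
    ChainLen 0, is never selected directly)."""
    for p in sorted(catalog, key=lambda entry: entry.order):
        if p.proto == proto and p.chain_len >= 1:
            return p
    return None


def audit_catalog(catalog, trusted_dlls=TRUSTED_DLLS):
    """Return (cat_id, reason) findings: provider DLLs off the allow-list,
    layered protocols marked PFL_HIDDEN, and chains ordered ahead of their
    own base provider (so the chain, not the base, gets selected)."""
    by_id = {p.cat_id: p for p in catalog}
    findings = []
    for p in catalog:
        if p.dll not in trusted_dlls:
            findings.append((p.cat_id, f"untrusted provider DLL {p.dll}"))
        if p.chain_len == 0 and p.flags & PFL_HIDDEN:
            findings.append((p.cat_id, "hidden layered protocol (PFL_HIDDEN)"))
        if p.chain_len > 1:
            base = by_id.get(p.chain[-1])
            layers = [by_id[c].name for c in p.chain[:-1] if c in by_id]
            if base is not None and base.order > p.order:
                findings.append(
                    (p.cat_id, f"chain {layers} ordered ahead of its base '{base.name}'"))
    return findings


def build_pre_infection_catalog():
    """Constructed from Table 1 (RSVP and NetBIOS rows omitted for brevity)."""
    return [
        Provider(0, 0x3e9, "MSAFD Tcpip [TCP/IP]", 6, MSWSOCK, [0x3e9]),
        Provider(1, 0x3ea, "MSAFD Tcpip [UDP/IP]", 17, MSWSOCK, [0x3ea]),
        Provider(2, 0x3eb, "MSAFD Tcpip [RAW/IP]", 0, MSWSOCK, [0x3eb]),
    ]


def build_post_infection_catalog():
    """Constructed from Table 2 (RSVP and NetBIOS rows omitted for brevity)."""
    lsp = r"C:\Windows\System32\MsLSP.dll"
    return [
        Provider(0, 0x3f5, "PhoenixLSP over MSAFD Tcpip [TCP/IP]", 6, lsp, [0x3f4, 0x3e9]),
        Provider(1, 0x3f6, "PhoenixLSP over MSAFD Tcpip [UDP/IP]", 17, lsp, [0x3f4, 0x3ea]),
        Provider(2, 0x3f7, "PhoenixLSP over MSAFD Tcpip [RAW/IP]", 0, lsp, [0x3f4, 0x3eb]),
        Provider(3, 0x3e9, "MSAFD Tcpip [TCP/IP]", 6, MSWSOCK, [0x3e9]),
        Provider(4, 0x3ea, "MSAFD Tcpip [UDP/IP]", 17, MSWSOCK, [0x3ea]),
        Provider(5, 0x3eb, "MSAFD Tcpip [RAW/IP]", 0, MSWSOCK, [0x3eb]),
        Provider(14, 0x3f4, "PhoenixLSP", 6, lsp, [], flags=PFL_HIDDEN),
    ]


if __name__ == "__main__":
    for cat_id, reason in audit_catalog(build_post_infection_catalog()):
        print(f"0x{cat_id:x}: {reason}")
```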
Transport Driver MsLSP.dll
Once the PhoenixLSP transport drivers are installed into Winsock 2 as described above, any client process on the infected host that uses the networking stack to send or receive data, such as a browser, will cause the WSPStartup() function, exported by MsLSP.dll, to be invoked upon Winsock 2 initialization.
The DllMain() function of this MsLSP.dll Winsock driver implementation performs some initialization when it is first loaded (presumably when a client process, such as a browser, makes its initial call to WSAStartup() in order to initialize the Winsock library).
The DllMain() function first checks to see whether it is being loaded into the process context of either the Internet Explorer or Chrome browsers. It does this by calling GetModuleFileNameW(), passing in a value of NULL for the hModule parameter, in order to obtain the full path to the executable associated with the current process, and then parses out the actual filename, sans extension, by calling wsplitpath(). The resulting filename is compared against both “iexplore” and “chrome”; if the Winsock-using process does not match these two browsers, DllMain() performs no further actions; see Figure 5.
Figure 5: Checking to see if driver is loaded within Internet Explorer or Chrome
On the other hand, in the case of Internet Explorer or Chrome browser processes, the MsLSP.dll's DllMain() function will do some initialization by building some tables that will be used later on. First, it will perform DNS lookups against the following 12 hard-coded website hostnames:
www.nonghyup.com
www.shinhan.com
www.hanabank.com
www.wooribank.com
www.kbstar.com
www.keb.co.kr
www.ibk.co.kr
www.kfcc.co.kr
www.epostbank.co.kr
www.nate.com
www.daum.net
www.naver.com
Note that the first 9 of these hostnames correspond to the websites of 9 large South Korean banks; the last 3 hostnames correspond to major South Korean web portals. For all twelve hostnames, a gethostbyname() call will be made, followed by an inet_ntoa() call to yield the current IP address of the target hostname in ASCII format. The last “.” (dot) character in each IP address is then changed to a NULL byte in order to produce a NULL-terminated string containing the first three octets of the target IP address. For example, the www.hanabank.com target (IP address 59.11.68.10) would be stored as “59.11.68”. These truncated IP address strings are then stored in a 12-element table in memory.
DllMain() will then build a second 12-element table of IP addresses in memory. The first nine elements (corresponding to the nine South Korean bank targets) will each contain a different (hard-coded) RFC 1918 IP address, with the last three elements containing the localhost (127.0.0.1) IP address. As will be seen later, this second table stores IP addresses through which Winsock communications will be proxied.
In the case of our representative sample, the combined content of the two tables initialized by DllMain() is summarized in Table 3 as follows:
Table 3: Proxying rules for Korean banks and web portals
Target Hostname | Target IP Address Prefix | Proxy IP Address
www.nonghyup.com | 218.239.250 | 10.10.10.166
www.shinhan.com | 59.7.252 | 10.10.10.167
www.hanabank.com | 59.11.68 | 10.10.10.168
www.wooribank.com | 210.182.9 | 10.10.10.169
www.kbstar.com | 203.248.188 | 10.10.10.170
www.keb.co.kr | 203.234.132 | 10.10.10.171
www.ibk.co.kr | 203.227.232 | 10.10.10.172
www.kfcc.co.kr | 210.123.108 | 10.10.10.173
www.epostbank.co.kr | 210.90.8 | 10.10.10.174
www.nate.com | 120.50.131 | 127.0.0.1
www.daum.net | 114.108.157 | 127.0.0.1
www.naver.com | 23.63.227 | 127.0.0.1
After initializing these two tables, the DllMain() function will return. Shortly thereafter, the WSPStartup() function, exported by MsLSP.dll, will be invoked by the Winsock architecture. The code in this function is more or less a standard reference implementation of a Windows service provider WSPStartup() routine. Since the Big Bong malware installer sets up three layered protocol providers (one each for TCP, UDP, and RAW sockets), as described above, the WSPStartup() implementation recursively calls itself, passing the protocol information for the correct underlying base service provider (obtained via the WSPEnumProtocols() API).
Once this recursive call to WSPStartup() returns, the code will have a WSPPROC_TABLE table of function pointers corresponding to the legitimate, pre-existing Winsock service provider (e.g., MSAFD Tcpip [TCP/IP]). It will save the entire 120-byte copy of this legitimate table of 30 service provider function pointers to an internal memory buffer. It will then overwrite seven of these function pointers with its own implementation callbacks prior to returning the function pointer table to the calling Winsock library; see Figure 6.
Figure 6: Interception of seven Winsock APIs
The following seven Winsock 2 client API functions are thus overridden by the Big Bong malware:
socket()
closesocket()
bind()
accept()
connect()
sendto()
recvfrom()
Note that the overriding of these seven API calls takes place regardless of whether the client process is an Internet Explorer or Chrome browser; the remaining 23 Winsock 2 client APIs are not overridden and therefore their implementations essentially default to the standard Windows TCP/IP stack behavior.
In general, six of the seven overridden API calls perform monitoring/logging operations on the socket(), closesocket(), bind(), accept(), sendto(), and recvfrom() APIs, and pass along the original API parameters unmodified to the standard Windows TCP/IP stack. However, in the case of the overridden connect() API call, the Big Bong transport driver performs some more interesting operations: it will first check to see if the connect() call is occurring within the context of an Internet Explorer or Chrome browser process; if not, it will perform some logging and pass through the original unmodified connect() call and parameters.
However, if the Big Bong's WSAConnect() call was invoked from Internet Explorer or Chrome, it will exhibit some much more interesting behavior. It will compare the destination IP address of the connect() call against the 12 /24 IP blocks that it resolved at WSPStartup() time (see Table 3); these correspond to the IP blocks associated with the 12 target domains (9 Korean banks and 3 Korean web portals). If the web browser is attempting to connect to one of these 12 targets, the Big Bong provider will change the original sockaddr structure in the following two ways:
1. The destination port will be forced to 80;
2. The destination IP address will be changed to be one of the twelve RFC 1918 addresses listed in Table 3 (depending on the target).
In addition, web requests to one of the nine banking target IP blocks will trigger the malware to initiate a VPN connection to a VPN server using the RASAPI32 library (see below for details). Once these tasks have been performed, the legitimate Windows connect() implementation will be invoked (using the modified sockaddr elements); see Figure 7.
The net effect of this WSAConnect() implementation is that when the infected user attempts to browse to one of the 12 target websites, the modified TCP/IP stack will actually produce a connection to either one of the nine 10.X.X.X proxy servers (in the case of target banks), or 127.0.0.1 (localhost) in the case of the target web portals.
It should be noted that the implementation of the transport driver embodied by MsLSP.dll appears to be derived from the code base of a Chinese firewall driver called PhoenixFireWall [10, 11].
Figure 7: Hijacking connections to 12 target IP blocks
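As an added example (ours, not the report's), the following Python model applies the Table 3 rules exactly as the text describes them, so that an analyst can predict which connections an infected browser would have had rewritten and which resulting destinations to look for in network telemetry. The function names are ours and the prefixes are the 2015 resolutions from the report, not current DNS data.

```python
"""Model of the connect() rewrite performed by the PhoenixLSP driver, used to
predict which destinations an infected Internet Explorer or Chrome process
would have had redirected, and to spot the resulting connections in telemetry.

Added example, not code from the report or the malware.  The hostname,
IP-prefix and proxy columns are the report's Table 3; the "replace the last
dot with NUL" prefix rule, the forced port 80 and the VPN trigger for the nine
bank entries are as the text describes them.  Function names are ours, and the
resolved prefixes are what the sample saw in 2015, not current DNS data.
"""
import ipaddress

# hostname -> (first three octets as stored by the sample, proxy address)
BANK_PREFIXES = {
    "www.nonghyup.com":    ("218.239.250", "10.10.10.166"),
    "www.shinhan.com":     ("59.7.252",    "10.10.10.167"),
    "www.hanabank.com":    ("59.11.68",    "10.10.10.168"),
    "www.wooribank.com":   ("210.182.9",   "10.10.10.169"),
    "www.kbstar.com":      ("203.248.188", "10.10.10.170"),
    "www.keb.co.kr":       ("203.234.132", "10.10.10.171"),
    "www.ibk.co.kr":       ("203.227.232", "10.10.10.172"),
    "www.kfcc.co.kr":      ("210.123.108", "10.10.10.173"),
    "www.epostbank.co.kr": ("210.90.8",    "10.10.10.174"),
}
PORTAL_PREFIXES = {
    "www.nate.com":  ("120.50.131",  "127.0.0.1"),
    "www.daum.net":  ("114.108.157", "127.0.0.1"),
    "www.naver.com": ("23.63.227",   "127.0.0.1"),
}
PROXY_ADDRS = {proxy for _, proxy in BANK_PREFIXES.values()} | {"127.0.0.1"}


def truncated_prefix(ip_text: str) -> str:
    """The table-building step: inet_ntoa() text with its final '.' turned
    into a NUL terminator, i.e. the first three octets.  Rejects non-IPv4."""
    ipaddress.IPv4Address(ip_text)          # raises ValueError on bad input
    return ip_text[:ip_text.rfind(".")]


def hijack_decision(dst_ip: str, dst_port: int, browser: bool):
    """Return (new_ip, new_port, matched_host, vpn_triggered) if the sample
    would rewrite this connect(), else None.  Only the /24 prefix is compared,
    so any destination sharing a target's /24 is redirected as well, and the
    original port (443 included) is always replaced by 80."""
    if not browser:
        return None
    prefix = truncated_prefix(dst_ip)
    for table, vpn in ((BANK_PREFIXES, True), (PORTAL_PREFIXES, False)):
        for host, (pfx, proxy) in table.items():
            if pfx == prefix:
                return (proxy, 80, host, vpn)
    return None


def is_hijack_artifact(dst_ip: str, dst_port: int) -> bool:
    """Defender-side view: a browser connection to one of the nine 10.10.10.x
    proxies, or to 127.0.0.1, on port 80 is the observable side effect of the
    rewrite (127.0.0.1:80 needs corroboration, e.g. no local web server)."""
    return dst_port == 80 and dst_ip in PROXY_ADDRS


def predict(connections, browser=True):
    """Apply hijack_decision() to (ip, port) pairs; returns a list of
    (original, rewritten) for the ones that would be redirected."""
    out = []
    for ip, port in connections:
        d = hijack_decision(ip, port, browser)
        if d is not None:
            out.append(((ip, port), (d[0], d[1])))
    return out


if __name__ == "__main__":
    sample = [("59.11.68.10", 443), ("59.11.68.200", 22), ("23.63.227.5", 80), ("8.8.8.8", 443)]
    for original, rewritten in predict(sample):
        print(f"{original} -> {rewritten}")
```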
VPN Connection
Since the nine proxy servers through which banking web requests get hijacked are all non-routable RFC 1918 IP addresses, it is necessary for the Big Bong malware to set up a VPN so that these proxy servers will be reachable. This VPN setup operation is triggered whenever one of the nine banking sites is visited by a browser. When such events occur, the Big Bong malware calls the RasDialW() API to establish the VPN session. The VPN server and credentials are stored in a RAS phonebook file named userf.pbk; this phonebook file is dropped into the Windows system directory during the initialization of the V3Manager service (see below). The Big Bong malware uses a phonebook entry named VPN; this entry contains the IP address of the VPN server, as well as the VPN authentication credentials (username and password).
So in summary, the primary purpose of the MsLSP.dll transport driver is to proxy all Internet Explorer and Chrome sessions with the nine targeted banks through a set of proxy servers via a VPN network, as well as proxy all sessions with the three target web portals to a socket listening on port 80 on the localhost; this local listener is actually implemented by the V3Manager service as described below.
V3Manager Service
The second main component dropped by the Big Bong installer is the V3Manager service. When the installer calls StartService(), as discussed above, the WoMain() function, exported by the dropped vdV3manager32.dll, is invoked. This entry point executes some standard boilerplate service code and then spawns a thread prior to returning. This new thread performs various initialization operations, and then spawns two additional threads that, together, implement the core of the proxying and information stealing functionality of Big Bong.
Proxying Thread
The first thread sets up a network proxying mechanism. It uses Winsock 2 API calls to set up a local listening socket on TCP port 80; this corresponds to the 127.0.0.1 endpoint used for proxying connections to the three target web portals, as described above. The thread then operates in a standard accept() loop waiting for incoming connections to this listener on port 80. The arrival of an inbound connection triggers the establishment of an outbound TCP connection to a remote host; for the sample we focused on, the default IP address of this remote host was 200.0.174.224, although this can be overridden by a configuration parameter referred to as mapip.
Immediately after creating an outbound connection to 200.0.174.224, the proxying thread will spawn a child thread to handle this particular inbound connection and the associated outbound (remote) connection that it triggered. Socket handles to both connections are passed to the new connection proxying child thread, which will use the standard Winsock 2 API calls, such as select(), send(), recv(), etc., to proxy network traffic between the two sockets. Inbound packets to the accept()ed socket hosted on local port 80 are sent out the triggered socket to the remote host (e.g., 200.0.174.224). Likewise, response packets from the remote host are proxied back to the original peer that initiated the connection to the listener on port 80. The data payloads of these packets are not modified by the proxying operation.
URL Monitoring Thread
In addition to setting up this proxying machinery, a second major thread is spawned that runs in a continuous loop looking for Internet Explorer processes. The manner in which this thread is spawned is a bit roundabout: Big Bong will use the standard CreateToolhelp32Snapshot(), Process32First(), and Process32Next() APIs to obtain a handle to the Windows Explorer process (explorer.exe). It will then use the AdjustTokenPrivileges() API to help itself to the SeDebugPrivilege. Next it will abuse the OpenProcess(), DuplicateTokenEx(), ImpersonateLoggedOnUser(), and CreateProcessAsUser() APIs to spawn a new process with the same security token privileges as the system's explorer.exe process; the command line for this new process is:
rundll32.exe vdV3Manager32.dll UserCheck
In other words, the new process simply consists of a call to the UserCheck function that happens to be exported by the same DLL that hosts the V3Manager service; however, the call is effectively made with the elevated privileges enjoyed by Windows Explorer. The UserCheck export itself just spawns a thread to perform its URL monitoring in a continuous loop. In each iteration of the loop, the thread will scan the system to extract the current URL visited by any running Internet Explorer processes.
Rather than use the much more common technique of CreateToolhelp32Snapshot() to enumerate running processes, Big Bong uses graphical windowing and messaging APIs to identify the actual windowing elements (widgets) associated with the Internet Explorer URL bar edit box. Specifically, it will invoke the FindWindowEx() API to look for parent windows of class IEFrame, and then child windows of class WorkerW, ReBarWindows32, and ComboBoxEx32 (or Address Band Root, depending on the version of Internet Explorer that is installed on the infected host). Figure 8 shows a representative example of the window element tree that is walked by Big Bong.
Figure 8: Example window element hierarchy for Internet Explorer URL bar
Once it finds an Internet Explorer URL bar window, it will send a WM_GETTEXT message via SendMessage(), and retrieve the current Internet Explorer URL from the result, as shown in Figure 9. In this example, Big Bong would end up pulling http://www.naver.com/ from the browser's URL bar. Note that no elevated privileges are needed to perform this sort of crude “eavesdropping” on running Internet Explorer processes.
Figure 9: Querying the text of the Internet Explorer URL bar's Edit widget
Once the current Internet Explorer URL is found, Big Bong will compare it against the following list of 43 hard-coded target URLs (see Table 4), all of which are associated with nine major South Korean banking websites:
Table 4: Targeted Banking URLs
http://banking.epostbank.co.kr/
http://banking.hanabank.com/
http://banking.ibk.co.kr/
http://banking.kbstar.co.kr/
http://banking.kbstar.com/
http://banking.keb.co.kr/
http://banking.nonghyup.co.kr/
http://banking.nonghyup.com/
http://banking.shinhan.com/
http://ebank.keb.co.kr/
http://epostbank.go.kr/
http://hana.com/
http://hanabank.com/
http://ibk.co.kr/
http://ibk.kr/
http://kb.kr/
http://kbbank.com/
http://kbstar.com/
http://keb.co.kr/
http://keb.kr/
http://mybank.ibk.co.kr/
http://nonghyup.kr/
http://online.keb.co.kr/
http://shinhan.co.kr/
http://shinhan.go.kr/
http://wooribank.com/
http://wooribank.go.kr/
http://www.epostbank.co.kr/
http://www.epostbank.go.kr/
http://www.hana.co.kr/
http://www.hanabank.com/
http://www.hanabank.go.kr/
http://www.ibk.co.kr/
http://www.kb.co.kr/
http://www.kbstar.com/
http://www.keb.co.kr/
http://www.kfcc.co.kr/
http://www.nonghyup.com/
http://www.shinhan.co.kr/
http://www.shinhan.com/
http://www.shinhan.go.kr/
http://www.woori.co.kr/
http://www.wooribank.com/
If the current Internet Explorer URL does not match any of these hard-coded targets, the monitoring thread will Sleep() for 300 milliseconds and then repeat the process. On the other hand, if a match is found, it will trigger Big Bong to establish a VPN connection for the purpose of proxying communications through a set of nine proxy servers; these proxies, presumably under the control of the botnet operator, correspond to the nine RFC 1918 addresses 10.10.10.166 through 10.10.10.174 documented above. The VPN configuration and setup procedure (i.e., RasDialW() API call) is essentially identical to that used by the MsLSP.dll transport driver (see above).
The VPN is established using the RASAPI32.dll API calls, most notably the RasDialA() function. In the Big Bong sample that we focused on, the IP address of the remote VPN server was 211.233.128.29. During sandboxing, we observed outbound SYN packets to this IP with destination port 1723 (PPTP, Microsoft Point-to-Point Tunneling Protocol); however, this VPN server was not accepting connections during the timeframe we were testing. A different Big Bong sample (MD5 f201e087e3c3a827497798939b891acb) did succeed in reliably establishing a VPN tunnel to another VPN server running at 210.124.84.17. Both of these hard-coded VPN servers live in South Korean IP space.
When a VPN connection is triggered, a timing thread will be spawned whose sole purpose is to wait for 20 minutes and then tear down the VPN connection.
Certificate Exfiltration
In addition to verbatim comparison checks against the aforementioned 43 hard-coded target bank URLs, Big Bong will also check to see if the following string fragment is contained within the current Internet Explorer URL:
step_down.php
If so, it will trigger the spawning of yet another thread, this one focused on finding and exfiltrating digital authentication certificates from the infected host. This thread will recursively scan four different aspects of the infected host in order to find directories named NPKI (case insensitive, of course). For each of these four scans, a temporary PKZIP-format archive file will be created, into which all contents of the NPKI directories will be copied. The four scans are documented in Table 5.
Table 5: NPKI scanning operations
Item(s) Scanned | ZIP Archive for NPKI Files
All removable drives with letters C: through L: | $RAND_UD_$VPNIP_$COMPNAME.plk
%ProgramFiles%\NPKI | $RAND_PR_$VPNIP_$COMPNAME.plk
%SystemDrive%\Users\%USERNAME%\AppData\LocalLow\NPKI | $RAND_AP_$VPNIP_$COMPNAME.plk
All fixed drives with letters C: through L: | $RAND_$VPNIPHD_$COMPNAME.plk
The $RAND, $VPNIP, and $COMPNAME placeholders are replaced with a random number (courtesy of the GetTickCount() API), the VPN client IP of the infected host, and the computer name of the infected host (courtesy of the GetComputerName() API). The second and third scans correspond to the default locations of NPKI certificates in Windows XP and Windows 7, respectively.
If any of these recursive scans yields at least one NPKI directory, all files (of size 1,000,000 bytes or less) residing within are ZIP-compressed (preserving their original filenames) and appended to the associated ZIP-format .plk temporary file. The entire .plk archive is then exfiltrated via FTP to a remote server. The hostname, username, and password for this remote FTP server are specified at bot build time and hard-coded into the vdV3manager32.dll binary in crudely obfuscated form (XOR against 0x01). The InternetConnect() and FtpPutFile() APIs are used for performing the actual FTP upload.
The significance of the step_down.php trigger URL component is unclear at this point (to us at least). However, it appears clear that Big Bong has an interest in stealing as many digital authentication certificates as possible. It is our understanding that these digital certificates are commonly used for Internet banking in South Korea. However, certificates are typically going to be password protected.
Run-time Configuration Updates
Inadditiontotheprimaryfunctionalitydiscussedabove(i.e.,locallisteneronport80toproxywebportal
traffictoaremotehost,URLmonitoringtotriggeraVPNsessionwhentargettedbanksitesarevisited,and
NPKIcertificateexfiltration)theV3ManagerservicealsoincludestheabilitytophonehometoaremoteCnC
toreceivedupdatedconfigurationparameters.ThisphonehomeprocessisperformedusingtheWinInetAPI
callsInternetOpenA(),InternetOpenUrlA(),andInternetReadFile();thefollowinghardcodedUser-Agentisused:
User-Agent: IE Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2))
Our corpus of legitimate web requests indicates that this is not a legitimate User-Agent value and is thus a very reliable indicator of Big Bong infection.
Configuration parameters that can be updated via this phone home process include vpn (specifies the VPN server), mapip (specifies the remote IP used by the local listener for proxying web portal traffic), and homepage (specifies the URL to which the infected user's Internet Explorer start page is set).
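As an added example (not code from the report or from the malware itself), the two network-observable indicators described here and in the NPKI exfiltration section above, the hard-coded phone-home User-Agent and the $RAND_AP_$VPNIP_$COMPNAME.plk / $RAND_$VPNIPHD_$COMPNAME.plk upload names, turned into a small Python log check. The log lines, file names and IP addresses are constructed; the combined-log format and the loose User-Agent regex are assumptions.

```python
import re

# Phone-home User-Agent hard-coded in the V3Manager service (quoted in the report);
# the "IE " prefix and doubled "Mozilla/4.0 (...)" tail make it distinctive.
UA_RE = re.compile(r'^IE Mozilla/4\.0 \(compatible; MSIE [0-9.]+;.*\)\)$')

# Archive names $RAND_AP_$VPNIP_$COMPNAME.plk and $RAND_$VPNIPHD_$COMPNAME.plk:
# tick count, optional "AP_", dotted IPv4, optional "HD", "_", computer name.
PLK_RE = re.compile(
    r'^(?P<rand>\d+)_(?P<ap>AP_)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<hd>HD)?'
    r'_(?P<host>.+)\.plk$', re.IGNORECASE)

# Apache/nginx combined log format; the User-Agent is the final quoted field.
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def check_user_agent(line):
    """Return the client IP if a combined-log line carries the Big Bong UA, else None."""
    m = CLF_RE.match(line)
    if m and UA_RE.match(m.group('ua')):
        return m.group('ip')
    return None

def check_plk_name(filename):
    """Decompose an FTP upload name that follows the .plk scheme; the VPN client IP
    and computer name identify the infected host.  Returns a dict or None."""
    m = PLK_RE.match(filename)
    if not m:
        return None
    variant = 'AP' if m.group('ap') else ('HD' if m.group('hd') else 'plain')
    return {'vpn_ip': m.group('ip'), 'computer': m.group('host'), 'variant': variant}

def scan(access_lines, ftp_stor_names):
    """Yield (indicator, detail) findings from both checks."""
    for line in access_lines:
        ip = check_user_agent(line)
        if ip:
            yield ('bigbong-user-agent', ip)
    for name in ftp_stor_names:
        info = check_plk_name(name)
        if info:
            yield ('npki-plk-upload', info)

# Constructed sample input (not real traffic): two access-log lines and two
# FTP STOR filenames; only the first of each pair should match.
SAMPLE_ACCESS = [
    '192.0.2.10 - - [28/Aug/2015:14:17:04 +0000] "GET /conf.txt HTTP/1.1" 200 512 "-" '
    '"IE Mozilla/4.0 (compatible; MSIE 8.0; Windows NT6.0) '
    'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.2))"',
    '192.0.2.11 - - [28/Aug/2015:14:17:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
]
SAMPLE_STOR = ['2463281_AP_10.8.0.12_DESKTOP-01.plk', 'report.zip']

if __name__ == '__main__':
    print(list(scan(SAMPLE_ACCESS, SAMPLE_STOR)))
```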
Builder Tool
New Big Bong binaries are created using a builder tool, a representative example of which is the 46c2e48d8bbe7c4e5dec4abc7d85289d sample mentioned above. The builder is fairly straightforward: it presents the Big Bong operator with a simple GUI containing edit boxes into which various Big Bong parameters may be specified. Customizable parameters include the FTP server and credentials to be used for NPKI certificate exfiltration, VPN server, etc. With the press of a button, a new Big Bong binary is built; see Figure 10.
Figure 10: Big Bong builder tool
Overall Network Architecture
Figure 11 is an attempt at illustrating the complete network architecture of the Big Bong malware. The full set of remote servers under the control of the Big Bong operator includes:
• VPN server;
• Nine remote servers for proxying bank sessions (10.X.X.X);
• Remote server for proxying web portal sessions (via localhost:80);
• NPKI certificate exfiltration FTP server;
• Configuration update CnC server.
Figure 11: Big Bong Network Architecture
Putting it all together
Now that the major components of Big Bong have been laid out, the next step is to understand the nature of the goal that the malware is trying to achieve. This requires at least some degree of background context on how the Korean banking system operates.
South Korean Banking Infrastructure
In South Korea, logging into all Internet banking sites requires the use of an NPKI authentication certificate. A typical South Korean Internet user will have many such certificates stored in an NPKI directory (see Figure 12); these are the directories that Big Bong scans for certificate exfiltration purposes, as described above. These NPKI certificates are stored in encrypted form and require a password to be supplied in order to actually be used for authentication.
Figure 12: NPKI authentication certificates
When an Internet banking customer attempts to log in to their banking account, their NPKI certificate for that bank is presented and they are prompted for a certificate password, as shown in Figure 13.
The presentation of an NPKI certificate, along with the correct password, is sufficient for logging into a South Korean banking website. This allows one to check balances, see transaction histories, etc. However, to actually transfer money to another account via a South Korean banking website, an additional security procedure is required. This can be either a one-time password (OTP) key fob that generates a sequence of 6-digit numbers, or (more commonly) a plastic security card that contains approximately 30 to 35 four-digit security numbers printed on its front; Figure 14 shows a typical security card.
Figure 13: Password Prompt for NPKI Certificate
In order to initiate outbound money transfers, the South Korean banking customer will be challenged to provide a few of the numbers printed on their plastic security card (unless of course they have upgraded to an OTP key fob, in which case the current six-digit OTP code will be requested). Figure 15 shows an example of a banking website challenging a customer to provide the first two digits from the 2nd group of digits, and the last four digits from the 10th group of digits.
Figure 14: South Korean Plastic Security Card
Figure 15: Challenge for plastic security code digits
It seems clear that the universal use of two-factor authentication mechanisms throughout South Korea prevents unauthorized money transfers from taking place even if the perpetrator has managed to steal the NPKI certificate itself (as Big Bong does) and the associated NPKI certificate password.
The Big Bong Theory
Taking into account all the major components of Big Bong mentioned above, as well as the background context regarding the nature of the South Korean banking system, it was a bit puzzling as to how the Big Bong malware actually attempts to circumvent the formidable South Korean banking security practices. Big Bong is clearly capable of stealing the NPKI certificates of an infected user, albeit in encrypted form. However, in order to use these certificates to initiate outbound money transfers, it would still need to obtain from the victim the certificate password (e.g., Figure 13) and the two-factor security codes from either the OTP key fob or the plastic security card (e.g., Figure 15).
Our current theory is as follows, roughly outlined in Figure 16:
1. The 10.X.X.X proxy servers discussed above host fake banking sites;
2. The exfiltrated NPKI certificates (in encrypted form) are uploaded from the FTP drop site to these fake banking sites; note that it is possible that the FTP drop site (which uses “normal”, publicly routable IP addresses) may actually be the same machine as the proxy servers (whose 10.X.X.X addresses are reachable via VPN connection), in which case no actual machine-to-machine copying of certificates would even be necessary;
3. When the victim visits a targeted banking URL (i.e., one of the 43 URLs listed in Table 4), the outbound connection is re-routed to port 80 on the bank-specific 10.X.X.X proxy server via the Phoenix LSP layered service provider;
4. In response to the incoming connection from the victim, the 10.X.X.X proxy server for that bank initiates its own outbound connection over TLS to port 443 on the legitimate banking website; the server-side proxying code acts as a man-in-the-middle relay between the victim and the legitimate banking website;
5. In order to log in, the appropriate bank-specific exfiltrated NPKI certificate is presented by the malicious proxy server to the legitimate banking site; when the legitimate banking site requests the certificate password, the proxy presents a password entry screen to the victim; once the victim enters the password, the proxy server relays (and probably stores for future use) this password to the legitimate banking site;
6. At this point the proxy server has managed to authenticate itself to the legitimate bank, and the victim is under the belief that he or she is logged into the legitimate bank. The 10.X.X.X proxy server will then more-or-less relay unmodified requests and responses between victim and bank; it will wait patiently until the victim attempts to initiate an outbound money transfer; it would not be surprising if the proxy server also sent requests to the legitimate banking site at this point in order to determine information such as the current account balance;
7. If and when the victim attempts to transfer money (or for that matter, performs any other action for which it would not be unduly suspicious to be challenged for OTP or plastic security card digits), the proxy server will initiate a malicious money transfer from the victim's account. By this time, it will already know the available account balance, so it could request a transfer amount that was consistent with this balance;
8. The legitimate banking site would then challenge the proxy server for security digits; the proxy server would relay this challenge to the victim, and then relay the victim's provided security codes back to the legitimate bank;
9. The bank, having received the correct security codes from the proxy server, would presumably allow the malicious transfer to proceed. The proxy server could then send a response back to the victim falsely indicating that his or her legitimate transfer was successful. If the victim then tried to check his or her current balance, transaction history, etc., it would not be difficult for the proxy server to send back fake responses that took into account the legitimate transaction (which never really took place as far as the bank was concerned) in order to continue to avoid the raising of suspicion on the part of the victim.
In theory, by being patient and waiting for the victim to perform some action that would normally result in a security code challenge, the proxy server could take advantage of the opportunity to sneak through a malicious transfer and obtain the current security codes from the victim without making the victim suspicious.
One potential glitch with this theory concerns the fact that all banking websites operate over SSL (port 443) for any sensitive data transfer; typically, when a user types “http://www.somebank.com” into their browser's URL bar, the browser will initiate an unencrypted connection to port 80 on www.somebank.com, and the web server will send back a 302 redirecting their browser to https://www.somebank.com which will force an SSL-encrypted session. This would present problems for the Big Bong operators because their hijacking of banking sessions operates at a fairly low level: surreptitiously changing the destination IP address at the time of the connect() call.
Figure 16: How Big Bong performs fraudulent money transfers (CONJECTURE ONLY)
We believe this is the reason that the Big Bong malware is triggered by the specific set of URLs listed in Table 4 - all of which are http:// URLs, causing the browser to send unencrypted requests to port 80, rather than https:// URLs. In other words, it is probably fairly common for a user to simply type “http://hanabank.com” into the Internet Explorer URL bar (or for that matter, simply “hanabank.com”, which will be conveniently converted into “http://hanabank.com” by Internet Explorer) and lazily rely upon the fact that the web session will get redirected to SSL at the appropriate point in which sensitive information is being transmitted across the wire (see Figure 17). But the proxy server listening on port 80 and impersonating http://hanabank.com will never send the 302 redirection to force an SSL session. Thus, the proxy server will be able to act as a man-in-the-middle without ever triggering the raising of an “Invalid SSL certificate” warning to the victim.
Figure 17: Normal user behavior
In our theory, if the victim explicitly types “https://hanabank.com” into the URL bar, the browser would begin by sending an SSL ClientHello packet to the proxy server on port 443 and, even if the proxy were listening on 443, it would produce a very suspicious “Invalid SSL certificate” warning to the victim. So it seems Big Bong does not even bother trying to cover this case, and just preys upon victims that have grown accustomed to using the “http://somebank.com” form, which would normally get redirected to SSL on an uninfected machine, but won't when Big Bong has installed itself.
Of course, the observant victim would still be tipped off by the fact that transactions to sensitive pages on the banking site were taking place over plain old unencrypted HTTP, rather than HTTPS. But it is not far-fetched to expect that many, if not the majority, of victims infected with Big Bong might not notice this problem and proceed to become fleeced.
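The missing-302 reasoning above, written as a defender-side check (an added example, not the report's own code): given the responses a browser received from a watched bank, it flags sessions in which sensitive pages arrive over plain http:// without the redirect to https://. The watch list, the sensitive-phrase markers and both sample sessions are constructed, and the logic encodes the report's conjecture rather than confirmed Big Bong behaviour.

```python
from urllib.parse import urlsplit

# Bank hostnames whose http:// front page is expected to answer with a redirect
# to https:// (constructed watch list; the report's Table 4 is not reproduced).
WATCHED_BANKS = {'hanabank.com', 'www.somebank.com'}

# Phrases marking a step that must never arrive over plaintext HTTP
# (constructed markers for the certificate-password and security-card prompts).
SENSITIVE_MARKERS = ('certificate password', 'security card', 'otp code')

SEVERITY = {'ignored': 0, 'ok': 0, 'no-upgrade': 1, 'plaintext-sensitive': 2}

def classify_response(url, status, location, body):
    """Classify one response seen by the browser for a watched bank: 'ok' (https://,
    or http:// redirected to https:// on the same host/subdomain, the normal 302),
    'no-upgrade' (http:// with no such redirect), 'plaintext-sensitive' (no-upgrade
    and the body carries a sensitive prompt) or 'ignored' (host not watched)."""
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    if host not in WATCHED_BANKS:
        return 'ignored'
    if parts.scheme == 'https':
        return 'ok'
    if 300 <= status < 400 and location:
        tgt = urlsplit(location)
        thost = (tgt.hostname or '').lower()
        if tgt.scheme == 'https' and (thost == host or thost.endswith('.' + host)):
            return 'ok'
    if any(marker in body.lower() for marker in SENSITIVE_MARKERS):
        return 'plaintext-sensitive'
    return 'no-upgrade'

def assess_session(responses):
    """Return the most severe classification over (url, status, location, body) tuples."""
    worst = 'ok'
    for url, status, location, body in responses:
        verdict = classify_response(url, status, location, body)
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
    return worst

# Constructed sessions, not captured traffic.  NORMAL mirrors Figure 17: the
# http:// front page is answered with a 302 to https://.  HIJACKED mirrors the
# conjecture: every page, including the certificate-password prompt, comes back
# 200 over plain http:// and the redirect is never issued.
NORMAL_SESSION = [
    ('http://hanabank.com/', 302, 'https://hanabank.com/', ''),
    ('https://hanabank.com/login', 200, None, '<form>Enter your certificate password</form>'),
]
HIJACKED_SESSION = [
    ('http://hanabank.com/', 200, None, '<html>Welcome</html>'),
    ('http://hanabank.com/login', 200, None, '<form>Enter your certificate password</form>'),
]

if __name__ == '__main__':
    print(assess_session(NORMAL_SESSION), assess_session(HIJACKED_SESSION))
```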
We believe this theory might also explain why the Big Bong malware goes to the trouble of setting up a VPN for the infected client and the man-in-the-middle proxy servers to communicate; in our experience it is rather rare for malware to communicate with CnCs, web-inject proxies, or other malicious infrastructure via actual VPN. But it is possible that, since Big Bong requires unencrypted, plain old HTTP be used between infected client and proxy server to avoid “Invalid SSL certificate” hassles, it tunnels this plaintext communication via a VPN connection in order to evade network security devices that might trigger alarms if they were able to observe certificate password requests and other sensitive information on the wire in plain HTTP form. By encapsulating its hijacking mischief via encryption at the VPN layer, it might hope to achieve increased stealthiness from the prying eyes of security appliances.
It should be emphasized that the above theory regarding the operations of the proxy servers is still a conjecture at this point and has not been proven.
Summary
Although malware targeting South Korean banks, similar to Big Bong, has been around for quite some time in various forms, we found the Big Bong variants to be interesting primarily for the manner in which they abuse the Winsock Service Provider Interface (SPI) in order to hijack banking sessions in a way that would avoid any “Invalid SSL Certificate” warning and, if our as-yet-unproven theory is reasonably accurate, successfully circumvent the strong two-factor authentication mechanisms used to protect South Korean banking websites.
It was also somewhat interesting that a Big Bong infected client actually joins a VPN in order to communicate with its man-in-the-middle proxying servers. This has the benefit of implicitly encrypting the hijacked victim-to-proxy communications on the wire while still allowing plaintext (from the layer 7 perspective) HTTP requests and responses to be sent to the proxy server to avoid the “Invalid SSL Certificate” problem.
About ASERT
The Arbor Security Engineering & Response Team (ASERT) at Arbor Networks delivers world-class network security research and analysis for the benefit of today's enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as “super remediators,” and represent the best in information security. This is a reflection of having both visibility and remediation capabilities at a majority of service provider networks globally.
ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via intelligence briefs and security content feeds. ASERT also operates the world's largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe via ATLAS®, Arbor's global network of sensors: http://atlas.arbor.net. This mission and the associated resources that Arbor Networks brings to bear to the problem of global Internet security is an impetus for innovation and research.
To view the latest research, news, and trends from Arbor, ASERT and the information security community at large, visit our Threat Portal at http://www.arbornetworks.com/threats/.