Cyber Crooks use DDoS

Attacks to Mask Theft of

Banks' Millions
- A Case Study

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Analyst says three unidentified US banks have been

hit with "low powered" DDoS attacks to cover
fraudulent wire transfers.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

DDoS Attack
Attacker Releases Low Orbit
Ion Cannon (LOIC) Tool on the Web

Web server
Hosting LOIC

Volunteers connect to IRC

channel and wait for
instruction from attacker

Anonymous Hacker

DDoS Attack

Volunteer
DDoS Attack

Volunteer
Hackers advertise LOIC tool
on Twitter, Facebook,
Google, etc.

DDoS Attack

Volunteer

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Distributed denial of service attacks have been used to divert

security personnel attention while millions of dollars were
stolen from banks, according to a security researcher.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Three US banks in recent months have been plundered by fraudulent

wire transfers while hackers deployed "low powered" DDoS attacks
to mask their theft, Avivah Litan, an analyst at research firm
Gartner, told SCMagazine.com.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

DDoS attacks last winter and spring that took down Web sites
belonging to JP Morgan , Bank of America, Citigroup,
HSBC, and others.

www.bankofamerica.com

www.citigroup.com

www.jpmorgan.com

www.hsbc.com
Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

DDoS toolkit called Dirt Jumper was being used to divert bank employees'
attention from attempted fraudulent wire transfers of up to $2.1 million.
Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

In July 2011, a fairly new and rather aggressive strain of botnet-for-DDoS

malware, named Dirt Jumper, was identified by Arbor Networks.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The Dirt Jumper bot binaries (i.e., the actual malware) is usually spread
via spam, exploit kits, fake downloads (fake video codec, backdoored
pirated software), or can be pushed out to machines already infected with
other forms of malware, such as Zeus or Spyeye

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

SpyEye is a new malware toolkit (similar to Zeus malware) that steals money from
online bank accounts.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Malware Installation & System Changes

Depending on the version/variant of the malware, there are two ways how Dirt
Jumper gets installed on a system:

As a Windows Service.Bots with this type of installation

correspond to:

MD5=f29b1089b3f5e076d4d4bd2a3a02d3cb.
Changes that may signal the presence of this type of bot on a system include:
Presence of the following files:
<system folder>\drivers\svgtook.exe (or svflooje.exe)
<Windir>\keys.ini (only contains the 15 digit bot ID)
Presence of the registry modifications such as (file name may vary):
HKLM\SYSTEM\CurrentControlSet\Services\svgtook
HKLM\SYSTEM\...\Services\svgtook\Security
HKLM\SYSTEM\...\Services\svgtook\Enum
Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Malware Installation & System Changes (Contd)

System changes that may signal the presence of this

version of Dirt Jumper include:

As a binary executed with Winlogon. Bots of this kind correspond to

MD5=f7c0314fb0fbd52af9d4d721b2c897a2.
Presence of the following files:
<system folder>\svdhalp.exe
<system folder>\svdhalp.exe.ini
<Windir>\syskey2i.drv (only contains the 15 digit bot ID)
Presence of DATA explorer.exe, svdhalp.exe under
TYPE Shell in the following registry subkey:
HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\
Winlogon.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Send HTTP-POST message to

C&C server containing bot-ID
(k=684042360968524)
wait 200
seconds
Recieve HTTP response from
C&C server containing (e.g.)
01|150|200http:www.victim.com

attack(s)
instructed?

Communication
Lifecycle of Dirt
Jumper Bot

Send attacks peckets of specified

type to specified victim(s)

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

In a joint statement (PDF) issued last

September with the Financial
Services Information Sharing and
Analysis Center and the Internet Crime
Complaint Center, the FBI warned that the
$200 Dirt Jumper toolkit was being used
as a smokescreen to cover fraudulent
wire transfers conducted with pilfered
employee credentials.

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

To know more about these

attacks and how to secure your Information
Systems become a Certified Ethical Hacker

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.