## Who Hid My Desktop

###### DEEP DIVE INTO HVNC

Or Safran, Pavel Asinovsky
IBM Trusteer, Israel

-----

###### Agenda

- Intro: What is VNC.
- Part 1: Sessions, Window Stations, Desktops.
- Part 2: Financial malware. hVNC.
- Part 3: Reversing Gozi ISFB's hVNC module. Demo. Detection/IOCs.

-----

##### VNC & hVNC

(Image slide: "CAT" versus "hCAT", illustrating VNC versus hidden VNC.)

-----

###### About us

- IBM Security (Trusteer) Financial Malware Research Team
- Or Safran
- Pavel Asinovsky

-----

###### Remote control software

- Allows remote control of a computer across the network.
- Originally used for remote technical support.
- Used for server administration, conference calls, file transfers, etc.
- Has many implementations: RDP, VNC, Citrix, LogMeIn, TeamViewer etc.

-----

###### VNC

- Virtual Network Computing.
- Graphical desktop sharing system that uses the RFB protocol (Remote Frame Buffer).
- Composed of a server and a client.
- Platform independent.
- Default TCP port 5900.
- The desktop is shared: the remote viewer sees exactly what the local user sees.
- Used by many RAT (Remote Access Tool) malware families.

(Diagram: several VNC servers send screenshots to a client/viewer, which sends keyboard and mouse input back.)

-----

#### Part 1 – Sessions, Window Stations and Desktops

-----

###### Sessions, window stations and desktops

- Securable kernel objects (each carries a security descriptor).
- Used as containers to manage graphical objects and to provide isolation and security.
- Structured in a hierarchy: session > window station > desktop.
- Each session contains only one interactive window station: WinSta0.

-----

###### Sessions

- Represent a single user's logon session.
- Each user is assigned a different session.
- Session 0 is the base session (the system session, where services run).
- Session 0 is isolated from the user sessions.

-----

###### Window stations

- A logical security boundary.
- Contains a clipboard, an atom table, and one or more desktop objects.
- Contains the keyboard, mouse, and a display device.
- Associated with a process.
- The interactive window station (WinSta0) is the only one that can display a user interface or receive user input.
- Used by Chrome to implement its sandbox (sandboxed processes run on a separate window station and desktop).
-----

###### Desktops

- A desktop is a logical display surface that contains UI objects such as windows, menus and hooks.
- Used as a container to create and manage windows.
- Associated with a thread.
- By default, WinSta0 holds a few desktops, for example:
  - The default desktop: \Sessions\1\Windows\WinSta0\Default
  - The Winlogon secure desktop: \Sessions\1\Windows\WinSta0\Winlogon
  - And more...
- There can be only one interactive desktop at a time; SwitchDesktop() makes a desktop the interactive (visible) one.

-----

###### Desktops – legitimate uses

- Supported by the Windows API since Windows 2000.
- Have many legitimate uses:
  - Security applications
  - Multiple desktops
  - Windows logon/logoff screens
  - UAC
  - Ctrl + Alt + Del screen
  - Screensavers

-----

###### Desktop assignment rules

- When a program calls a USER32 or GDI32 function, a window station is assigned to the calling process and a desktop is assigned to the calling thread according to the following rules:
  1. As specified using the SetThreadDesktop() / SetProcessWindowStation() APIs.
  2. Inherited from the parent process.
  3. As specified in the STARTUPINFO structure (lpDesktop) passed to CreateProcess().
  4. Otherwise, the calling thread connects to the "Default" desktop.

-----

### Part 2 – Financial Malware and hVNC

-----

###### Financial malware capabilities

- Web Injections
- Form Grabbing
- Cookie Grabbing
- KeyLogging (kernel mode / user mode)
- SSL Proxy (with certificate installation)
- DNS Pharming
- Redirects

-----

###### hVNC (hidden VNC)

- Introduced to the world by the infamous Zeus malware.
- Allows the attacker to use the exact same machine as the victim.
- hVNC alone is usually not enough to commit a fraudulent transaction.
- Most modern financial malware families have an embedded hVNC module (Zeus, Gozi, Dridex and more).

-----

###### Bank-side validation vs. malware counter-measure

| Bank-side validation | Malware counter-measure |
| --- | --- |
| Password validation | Keyloggers / form grabbers |
| IP / geo-location validation | SOCKS proxy server (on the victim's machine) |
| Browser / system fingerprint | hVNC |

-----

###### hVNC properties

- Has the same capabilities as regular VNC.
- Hidden: runs on a different desktop.
- Cannot see the user's desktop and cannot be seen by the user.
- Makes sure SwitchDesktop() is never called for the hidden desktop, which would make it the interactive desktop and expose it to the victim.
- Has the same browser/system fingerprint as the user, because it drives the user's own browser on the user's own machine.
- Uses BackConnect: the server (victim) sends the first connection request to the client (attacker), so no inbound port is needed on the victim.
- Slightly modified RFB protocol, so the attacker's client can authenticate the malware before the session starts.
- Must implement all user interaction (input, screenshots) by itself, because Windows supports only a single interactive desktop at a time and normal input delivery and screen capture work on the interactive desktop only.
- Can be used to log in to the victim's active web sessions (shopping websites, Facebook, Gmail) using the cookies already in the browser profile.

-----

###### How the hidden desktop is created

1. The malware process calls CreateDesktop(): a hidden desktop is created.
2. SetThreadDesktop(): the hidden desktop is assigned to the malware's thread.
3. CreateProcess(): explorer.exe is started and inherits the hidden desktop, giving the attacker a taskbar, start menu and desktop icons.

-----

### Part 3 – Gozi ISFB hVNC case study

-----

###### Gozi ISFB

- One of the most widespread financial malware families.
- One of the best hVNC modules found in the wild.
- Based on the hVNC code of Zeus.
- Has debug versions – fd36d1e2be1f0079c7cb66288778ffa9.
- Became open-source malware when an unknown player leaked its code (the hVNC module is missing from the leaked source).

-----

###### Obtaining the hVNC module

- The hVNC module is downloaded from a remote server.
- The module is encrypted with two layers of encryption:
  - Serpent cipher with a randomly generated key (appended to the encrypted module).
  - The Serpent-encrypted hVNC module and the Serpent key are encrypted again using RSA.
- Decryption flow: encrypted hVNC (the RSA key is stored in the binary) -> RSA decrypt -> encrypted hVNC + Serpent key -> Serpent decrypt -> decrypted module.

-----

###### Injection

- The code injection technique is the same one the Gozi malware itself uses: CreateProcess hooks -> suspend thread -> modify target -> resume thread -> injected process.

-----

###### Authentication

- Most hVNC modules send a unique identifier of the malware (bot ID) to the hVNC client in order to authenticate it.
- A regular VNC client will not work out of the box; it has to be reversed and patched.
- After the authentication phase is over, the regular RFB protocol is initiated.
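The exchange described on the last two slides, as an added example that is not part of the original deck and not Gozi's code: a BackConnect hVNC server (the victim side) connects out to a listening client, sends a bot identifier first, and only then speaks plain RFB 3.8. The bot-ID framing (a 4-byte big-endian length followed by ASCII) is an assumption for illustration; the slides do not describe Gozi's real format. The listening client is what the demo setup in Part 3 needs: a viewer patched to consume the identifier before the `RFB 003.008` banner, and to accept (or, for a lab, bypass) the check that the attacker's panel performs.

```python
"""Added example (not Gozi's code): an hVNC-style BackConnect RFB session.
The bot-ID prefix format is an assumption; everything after it is RFB 3.8."""
import socket
import struct
import threading

RFB_VERSION = b"RFB 003.008\n"   # 12-byte ProtocolVersion message of RFB 3.8
SEC_NONE = 1                     # RFB security type "None"


def recv_exact(sock, n):
    """Read exactly n bytes; RFB handshake messages are fixed-size framed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def backconnect_server(addr, bot_id, width=1024, height=768, name=b"hidden desktop"):
    """Victim side: connect out, send the bot ID, then act as an RFB 3.8 server."""
    s = socket.create_connection(addr, timeout=5)
    try:
        s.sendall(struct.pack(">I", len(bot_id)) + bot_id)      # hVNC-specific prefix
        s.sendall(RFB_VERSION)                                   # ProtocolVersion
        if recv_exact(s, 12) != RFB_VERSION:
            raise ConnectionError("client version mismatch")
        s.sendall(bytes([1, SEC_NONE]))                          # offer one security type
        if recv_exact(s, 1)[0] != SEC_NONE:
            raise ConnectionError("unexpected security type")
        s.sendall(struct.pack(">I", 0))                          # SecurityResult: OK
        recv_exact(s, 1)                                         # ClientInit (shared flag)
        # ServerInit: width, height, 16-byte PIXEL_FORMAT (32 bpp, 24-bit true colour), name
        pixel_format = struct.pack(">BBBBHHHBBBxxx", 32, 24, 0, 1, 255, 255, 255, 16, 8, 0)
        s.sendall(struct.pack(">HH", width, height) + pixel_format
                  + struct.pack(">I", len(name)) + name)
    finally:
        s.close()


def listening_client(listen_sock, allowed_bot_ids):
    """Attacker side: accept the BackConnect, check the bot ID, then finish the
    RFB 3.8 handshake as a client. Returns what the viewer learns about the session."""
    conn, _ = listen_sock.accept()
    conn.settimeout(5)
    try:
        (id_len,) = struct.unpack(">I", recv_exact(conn, 4))
        if id_len > 64:
            raise ConnectionError("implausible bot ID length")
        bot_id = recv_exact(conn, id_len)
        if bot_id not in allowed_bot_ids:
            raise ConnectionError("unknown bot ID %r" % bot_id)
        # A stock VNC viewer expects these 12 bytes first, which is why it fails on hVNC.
        if recv_exact(conn, 12) != RFB_VERSION:
            raise ConnectionError("server is not RFB 3.8")
        conn.sendall(RFB_VERSION)
        count = recv_exact(conn, 1)[0]
        if count == 0 or SEC_NONE not in recv_exact(conn, count):
            raise ConnectionError("server refused, or wants a security type we lack")
        conn.sendall(bytes([SEC_NONE]))
        if struct.unpack(">I", recv_exact(conn, 4))[0] != 0:
            raise ConnectionError("security handshake failed")
        conn.sendall(b"\x01")                                    # ClientInit: shared = 1
        width, height = struct.unpack(">HH", recv_exact(conn, 4))
        recv_exact(conn, 16)                                     # server PIXEL_FORMAT
        (name_len,) = struct.unpack(">I", recv_exact(conn, 4))
        name = recv_exact(conn, name_len).decode("latin-1")
        return {"bot_id": bot_id, "width": width, "height": height, "name": name}
    finally:
        conn.close()


def run_demo(bot_id=b"BOT-4242", allowed=(b"BOT-4242",)):
    """Run both ends over loopback; returns {"session": ...} or {"error": ...}."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    ls.settimeout(5)
    outcome = {}

    def client():
        try:
            outcome["session"] = listening_client(ls, set(allowed))
        except OSError as e:                # ConnectionError and timeouts land here
            outcome["error"] = str(e)

    t = threading.Thread(target=client)
    t.start()
    try:
        backconnect_server(ls.getsockname(), bot_id)
    except OSError:
        pass                                # the client hung up; outcome["error"] says why
    t.join()
    ls.close()
    return outcome


if __name__ == "__main__":
    print(run_demo())                       # accepted bot: full handshake, ServerInit parsed
    print(run_demo(bot_id=b"INTRUDER"))     # rejected before a single RFB byte is exchanged
```

To "bypass the bot identifier authentication" in a lab, the listening client simply skips the allowlist check; the point of the example is that the only non-standard part of the wire protocol is the prefix, so a patched viewer needs to consume that prefix and nothing else.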
-----

###### Browsers on the hidden desktop

- Has code to deal with every common browser (IE, Chrome, Firefox, Opera).
- One cannot open the same browser on two separate desktops under the same user profile: the second instance hands off to the one already running on the visible desktop.

-----

###### Chrome

- For Chrome, hVNC copies the whole user profile (the user data folder) to a different location and sets it as the user data directory for the new browser process, so the copy still carries the victim's cookies and sessions.

-----

###### Chrome challenges

- The browser might render pages using the graphics card (GPU).
- The browser uses a sandbox that might not play well with the hVNC module.

-----

###### Internet Explorer

- hVNC does not allow IE to merge different frames (tabs) into the same process.
- Virtual registry hooks: hook the registry query functions to change settings only in the hVNC session, without any permanent changes.
- IE settings: many IE settings are altered virtually, among them Protected Mode for internet zones and Enhanced Protected Mode.
- UAC adjustments: IE loads session cookies from a different location depending on whether UAC is on or off.

-----

###### Hidden desktop tricks

- Virtual registry hooks for changing system settings:
  - Disable visual effects: [Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
  - Disable Active Desktop: [Software\Microsoft\Windows\CurrentVersion\Policies]
  - Remove the wallpaper: [Software\Microsoft\Internet Explorer\Desktop\General]
- Hook window events (SetWinEventHook): EVENT_OBJECT_CREATE, EVENT_OBJECT_HIDE, EVENT_OBJECT_SHOW, EVENT_OBJECT_DESTROY, EVENT_OBJECT_LOCATIONCHANGE etc.
- Virtual keyboard and mouse (PostMessage to the topmost window).
- Virtual clipboard.
- Screenshots (using the BitBlt and PrintWindow APIs).

-----

###### Watching fraudsters in action

- We are able to watch fraudsters in action in two easy steps:
  1. Open a handle to the hidden desktop using the OpenDesktop API.
  2. Switch to the fraudster's desktop using the SwitchDesktop API.

-----

###### Demo preparation

- Obtain and decrypt the hVNC module.
- Inject the hVNC module into explorer.exe the same way Gozi does.
- Direct the hVNC module to communicate with our machine instead of the one originally hardcoded into the binary.
- Overcome the protocol differences between Gozi's hVNC and standard RFB.

-----

###### Demo setup

Server (victim):

- Manually inject the Gozi hVNC module and make it run from explorer.exe.
- Make it connect to our VNC client by replacing the IP address.
- Establish a connection and bypass the bot identifier authentication.

Client (attacker):

- Set up a VNC client in listening mode.
- Wait for an RFB connection from the server and obtain control over the victim's machine.

-----

###### Detection / IOCs

- A second explorer.exe holding a handle to an unknown desktop (not the default one).
- Usually has ctfmon.exe running automatically under it (text input services support).
- Has processes running on it whose windows you cannot see, such as a browser.

-----

###### Conclusions

- The hVNC code is extremely complicated.
- It is one of the top tools in the financial malware toolkit.
- It uses many cool tricks and manipulations to achieve its purpose.
- Although not new, it is still popular and common in online banking fraud today.

-----

# THANK YOU

© Copyright IBM Corporation 2016. All rights reserved.
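The indicators from the Detection/IOCs slide and the two-step OpenDesktop/SwitchDesktop observation trick, as an added example that is not part of the original deck. `triage()` is plain Python and runs anywhere on constructed records; `collect_records()` and `peek_at_desktop()` bind the Win32 desktop APIs from Part 1 through ctypes and only run on Windows. The process names, PIDs and the desktop name `xz7qk` in `SAMPLE_RECORDS` are constructed sample data, not observed Gozi artefacts.

```python
"""Added example (not from the deck): hunting for a hidden hVNC desktop.
triage() encodes the IOC slide; the Win32 helpers use the desktop APIs from Part 1."""
import sys
import ctypes
from collections import defaultdict

KNOWN_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}
SHELL_AND_BROWSERS = {"explorer.exe", "ctfmon.exe", "iexplore.exe", "chrome.exe",
                      "firefox.exe", "opera.exe"}


def triage(records):
    """records: (desktop_name, process_name, pid) tuples -> {desktop: ["proc:pid", ...]}."""
    by_desktop = defaultdict(set)
    for desktop, proc, pid in records:
        by_desktop[desktop].add((proc.lower(), pid))
    hits = {}
    for desktop, procs in by_desktop.items():
        if desktop.lower() in KNOWN_DESKTOPS:
            continue
        if {p for p, _ in procs} & SHELL_AND_BROWSERS:   # a shell/browser nobody can see
            hits[desktop] = sorted(f"{p}:{pid}" for p, pid in procs)
    return hits


def _win32():
    """Bind the Win32 calls we need with 64-bit-safe signatures (Windows only)."""
    from ctypes import wintypes as w
    u = ctypes.WinDLL("user32", use_last_error=True)
    k = ctypes.WinDLL("kernel32", use_last_error=True)
    u.GetProcessWindowStation.restype = w.HWINSTA
    u.OpenDesktopW.restype = u.OpenInputDesktop.restype = w.HDESK
    u.OpenDesktopW.argtypes = [w.LPCWSTR, w.DWORD, w.BOOL, w.DWORD]
    u.OpenInputDesktop.argtypes = [w.DWORD, w.BOOL, w.DWORD]
    u.SwitchDesktop.argtypes = u.CloseDesktop.argtypes = [w.HDESK]
    u.GetWindowThreadProcessId.argtypes = [w.HWND, ctypes.POINTER(w.DWORD)]
    k.OpenProcess.restype = w.HANDLE
    k.OpenProcess.argtypes = [w.DWORD, w.BOOL, w.DWORD]
    k.QueryFullProcessImageNameW.argtypes = [w.HANDLE, w.DWORD, w.LPWSTR, ctypes.POINTER(w.DWORD)]
    k.CloseHandle.argtypes = [w.HANDLE]
    return u, k, w


def collect_records():
    """Windows only: (desktop, process, pid) for every desktop in this window station,
    found by enumerating each desktop's top-level windows and asking who owns them."""
    u, k, w = _win32()
    DESKTOPENUMPROC = ctypes.WINFUNCTYPE(w.BOOL, w.LPWSTR, w.LPARAM)
    WNDENUMPROC = ctypes.WINFUNCTYPE(w.BOOL, w.HWND, w.LPARAM)
    u.EnumDesktopsW.argtypes = [w.HWINSTA, DESKTOPENUMPROC, w.LPARAM]
    u.EnumDesktopWindows.argtypes = [w.HDESK, WNDENUMPROC, w.LPARAM]

    def image_name(pid):
        h = k.OpenProcess(0x1000, False, pid)              # PROCESS_QUERY_LIMITED_INFORMATION
        if not h:
            return "<access denied>"
        buf, size = ctypes.create_unicode_buffer(1024), w.DWORD(1024)
        ok = k.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size))
        k.CloseHandle(h)
        return buf.value.rsplit("\\", 1)[-1] if ok else "<unknown>"

    desktops, records = [], []
    u.EnumDesktopsW(u.GetProcessWindowStation(),
                    DESKTOPENUMPROC(lambda name, _: desktops.append(name) or True), 0)
    for name in desktops:
        hdesk = u.OpenDesktopW(name, 0, False, 0x0001 | 0x0040)  # READOBJECTS | ENUMERATE
        if not hdesk:
            continue                     # Winlogon is SYSTEM-only; skip what we cannot open
        pids = set()

        def owner(hwnd, _):
            pid = w.DWORD()
            u.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
            pids.add(pid.value)
            return True

        u.EnumDesktopWindows(hdesk, WNDENUMPROC(owner), 0)
        u.CloseDesktop(hdesk)
        records += [(name, image_name(pid), pid) for pid in pids]
    return records


def peek_at_desktop(name, seconds=10):
    """Windows only: the deck's two steps. OpenDesktop() the hidden desktop, make it
    interactive with SwitchDesktop() for a few seconds, then switch back."""
    import time
    u, _, _ = _win32()
    original = u.OpenInputDesktop(0, False, 0x0100)          # DESKTOP_SWITCHDESKTOP
    target = u.OpenDesktopW(name, 0, False, 0x0100)
    if not original or not target:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        if not u.SwitchDesktop(target):
            raise ctypes.WinError(ctypes.get_last_error())
        time.sleep(seconds)                                  # watch the fraudster
    finally:
        u.SwitchDesktop(original)                            # always come back
        u.CloseDesktop(target)
        u.CloseDesktop(original)


# Constructed sample modelled on the IOC slide: a second explorer.exe, ctfmon.exe and a
# browser on a desktop with a random-looking name, next to the real Default desktop.
SAMPLE_RECORDS = [
    ("Default", "explorer.exe", 4120), ("Default", "chrome.exe", 5188),
    ("Default", "ctfmon.exe", 3320), ("Default", "notepad.exe", 6012),
    ("xz7qk", "explorer.exe", 7744), ("xz7qk", "ctfmon.exe", 7800),
    ("xz7qk", "iexplore.exe", 7912),
]

if __name__ == "__main__":
    records = collect_records() if sys.platform == "win32" else SAMPLE_RECORDS
    for desktop, procs in triage(records).items():
        print(f"suspicious desktop {desktop!r}: {', '.join(procs)}")
```

Two caveats a practitioner should keep in mind. `EnumDesktopWindows()` only reveals processes that own top-level windows on the desktop, so a hVNC process that has not yet started explorer.exe or a browser stays invisible to this collector; a handle-based tool that lists which processes hold desktop handles (the first IOC on the slide) is the complementary check. And `SwitchDesktop()` makes the hidden desktop the interactive one, so the victim, and anyone watching the real screen, will see it while you look.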