
Published on November 30th, 2017


DeepSec 2017 – Who Hid My Desktop – Deep Dive Into hVNC





Or Safran & Pavel Asinovsky (IBM Security Trusteer) gave a presentation at DeepSec 2017 about the hVNC protocol and how a proprietary application is being used for computer fraud.

"Over the past decade, financial institutions have increasingly been faced with the problem of malware stealing hefty amounts of money by performing fraudulent fund transfers from their customers’ online banking accounts.

Many vendors attempt to solve this issue by developing sophisticated products for classifying or risk scoring each transaction. Often, identifying legitimate account holders is based on detecting whether the transaction is made from the legitimate user’s machine or from an untrusted endpoint.

Going back 10 years, and still today, some checks are based on the IP/Geolocation of the machine performing the transaction and comparing it with the user’s typical whereabouts. In order to overcome this identifier, malware authors easily turned the user’s machine into a proxy, making the transaction appear to originate from the same IP address.





Device identification became increasingly sophisticated over the years, adding many parameters of the user’s environment to fingerprint trusted devices. But cybercrime is an arms race, and malware developers did not stay behind. To completely disregard device fingerprinting, they have devised their own circumvention technique: hidden VNC (Virtual Network Computing) that enables them to commit the fraudulent transaction from the user’s own machine without ever being noticed.

In this lecture, we will talk about hVNC in general, but also present and demo the specific use case of Gozi’s proprietary hVNC tool which we reversed and broke in our labs. Gozi is one of the most advanced financial crime tools. It is operated by a cybergang and sees constant innovation and upgrades."
