Months after the announcement, and weeks in production, the Megapanzer video is finally here, cut, processed and uploaded to YouTube!

The video shows in seven simple steps how to take over an ebanking session of a victim and which tools you need to accomplish this stunt.
The weakest link in the chain is (obviously) not the bank itself but the trustful user, who executed the trojan horse he received from a patient attacker. Once an attacker is on the victim's system, he has full control and the power to deceive the victim and make him believe everything is just fine. Hostnames are redirected to the attacker's proxy server and SSL certificates are injected into the certificate store. So in reality, nothing is just fine!
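From the defender's side, the hostname redirection described above leaves a visible trace when it is done through the hosts file. The following hosts-file audit is an added example, not code from the video or from Megapanzer; the watched banking hostname, the benign-name list and the sample file are constructed placeholders.

```python
import ipaddress

# Hostnames the defender wants to protect (constructed placeholder, not from the page).
WATCHED = {"ebanking.example-bank.test"}
# Names that legitimately appear in a default hosts file.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost",
          "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])
        except ValueError:
            continue                             # first field is not an address
        for name in fields[1:]:                  # one line may map several names
            yield no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (severity, line_no, hostname, ip) for every non-default entry."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if name in BENIGN:
            continue
        if any(name == w or name.endswith("." + w) for w in watched):
            severity = "high"     # a protected name must never be overridden locally
        elif ip.is_loopback or ip.is_unspecified:
            severity = "info"     # typical ad-blocking sinkhole entry
        else:
            severity = "review"   # unexpected static mapping
        findings.append((severity, no, name, str(ip)))
    return findings

# Constructed sample hosts file for the demonstration.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.test          # sinkhole
192.0.2.66  ebanking.example-bank.test www.ebanking.example-bank.test
10.0.0.5    fileserver.corp.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(*finding)
```

This only covers the hosts-file form of redirection; root certificates added to the certificate store need a separate comparison against a known-good baseline.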

In the following video, the ebanking server was not hacked. Only my machine was infected, which allowed me to intercept the encrypted data. Everything you see happened inside my local network and no foreign machines were affected.

Here is the link to Rapidshare to download the video: Megapanzer 0.1

Both YouTube and Vimeo removed the video after some time, so the next place to see for how long the video will stay online is Metacafe. But the quality is rather bad and probably it’s me who will move it to another video portal.

21 responses to “How to plunder a bank account with Megapanzer 0.1”

  1. rc says:

    Would be fantastic to check out, if YouTube hadn’t invented some previously unknown policy it supposedly violates :P

    Did you try Vimeo, blip.tv or Dailymotion? Also, a list:

    http://en.wikipedia.org/wiki/List_of_video_hosting_websites

  2. Frank says:

    I’m sorry but I don’t think plundering a bank account is a good idea. Do you know the so-called new hacker ethic like “Above all else, do no harm” or “Protect Privacy”? It’s not wrong to try to prove a point of view like “Hacking Helps Security” or “Trust, but Test!” but supporting script kiddies with one-click malware is also not a good idea. Please don’t waste your knowledge like this. No offense.

    Source: http://www.fiu.edu/~mizrachs/hackethic.html

  3. rc says:

    Frank: It’s always the same issue, people need to learn to be less trustful of random executables being dumped on their machines.

    The people are the problem here, not the technology!

  4. Frank says:

    rc: Would you also give a loaded weapon to a child? Same issue; technology itself is not bad but the impact caused by the clueless could be.

  5. rc says:

    You could also say that the child with the gun is the person who randomly downloads any random executables from the web or otherwise acts without thinking about security.

    These people shouldn’t be using computers in that way in the first place. The plain old PC becomes the weapon in that case, and no, I wouldn’t let these people use a PC if I could choose.

    But since it’s not “choose-my-perfect-world” day today, I guess I’ll just have to live with that.

    I don’t mind having knowledge like the one used in Megapanzer out there. If it’s not out there, it’s simply hidden, but it’s still used by people with low morals. I’d rather that people (including the security industry and random script kiddies) know about all these tricks at the risk of some kiddie causing real havoc than not knowing that they exist at all.

  6. Claude says:

    According to http://research.ciphertrust.com/statistics.php for this month, 26.9% of EU computers have been zombified through Trojan horses. So thanks for this educative video: even if a great part of the technical procedure is over my head, the basic message is loud and clear, as rc put it: “It’s always the same issue, people need to learn to be less trustful of random executables being dumped on their machines.
    The people are the problem here, not the technology!”

  7. Thank U! I learnt something now. Monitoring the host file and closing any session very fast is essential!!!

  8. anonymus says:

    nice song.

    Where did you get it?

  9. Chris says:

    And how is it possible to plunder a bank account? The video doesn’t explain it.

    In my opinion money transfer is only possible with a transaction number. How do I get it?

    BTW: Nice song :)

  10. Paul says:

    The bank’s name is in cleartext within the video, just look closely. It would work with any other Swiss bank as well though, as long as transaction numbers aren’t used….

  11. jab says:

    Good video. It makes me think that bank websites could display the IP address of the machine currently browsing the website. It could be an additional protection against those proxy attacks.

  12. Claude says:

    Perhaps MELANI http://www.melani.admin.ch might host the video in their “Demonstrationen und Lernprogramme” section? They should: after all, their last report http://www.melani.admin.ch/dienstleistungen/archiv/01086/index.html?lang=de was entitled “E-Banking vermehrt im Visier von Cyberkriminellen: Achter Bericht der Melde- und Analysestelle Informationssicherung”.

  13. Nefas says:

    Very impressive video, and the beat is great.

    However, I still assume that I could reverse any transactions from my hacked account.

    Otherwise, thumbs up! Your blog is now in my favorites.

    Regards, Thomas

  14. Tom B. says:

    I was looking on the site and can’t find the “Megapanzer” source or binary. Any help would be appreciated! :)
    Thanks…..I like the minipanzer works great!!! Keep up the good work
    Tom

  15. carrumba says:

    there is neither source nor binary available at the moment but i’ll release it at a later date. the priority has not SafeSide to bring your computer to a safer state. if the tool is there, the Megapanzer sources will be released.

  16. Anonymous says:

    Where can I download Megapanzer?
    I mean, the video is really cool, but without the tool?

  17. carrumba says:

    i actually wanted to upload the code at christmas, but the timing didn't work out because the SkypeTap update got in the way :/
    but the code will follow, in reduced form. the date has not been set yet.

  18. NN says:

    how long will it take in your opinion until megapanzer is available?

  19. carrumba says:

    hmm… it’s hard to say. i have exams until end of march and the hardest part will be done. from then on i’ll work on the digital bug and THEN on MP or the ebanking-thing.

  20. Ravel says:

    Very educating video. Although, it would be nice to see the source code of Megapanzer as it is (even in short form).
