Tag: zeus

Bespoke 'web-inject' software-for-sale threatens bank chaos

Cyber criminals are offering low priced and customisable ‘web-injects’ for malware, which a security expert warns could wreak havoc with banks.

An evolving underworld market for malware has shifted to start offering more targeted and often bespoke updates to commonly found malware like Zeus and SpyEye.

Known as web-injects, they are generally used to create fake web pages which pop up when a victim infected with malware uses online banking or makes a transaction.

Just like any market, that of malware and web-injects is subject to changes, and Trusteer has found that, while bulk pricing has been popular in the past, web-inject software writers are producing code with specific features.

For example, the web-injects that Trusteer has uncovered as available for purchase include the Balance Grabber, which captures balance information and sends that data back to the malware command and control server. This will set cyber criminals back between $50 and $100.

A Balance Replacer can update the balance shown to the victim to hide the fraudulent transaction taking place, costing between $200 and $300.

The Additional Passwords mechanism asks for more passwords from a victim, costing up to $200, while the TAN Grabber can capture one-time passwords that are sometimes used by some banks to authorise online transactions.

According to Trusteer, cyber criminals are essentially aping traditional software vendors, offering an a la carte suite of pricing options.

While the move away from bulk buying to tailor-made web-injects means more cost per feature, the customised software is also becoming more readily available, and cheaper.

This greater availability and improved ability to narrow attack areas is threatening to cause upheaval with financial defences.

According to George Tubin, Senior Security Analyst with Trusteer, many banks could find themselves at considerably greater risk than before.

“It is very concerning for a lot of banks which maybe haven’t been targeted before,” he said, speaking with TechEye. “Typically the malware will target larger institutions.”

“Now you can target almost any bank you want, you could target banks that previously haven’t been targeted,” he said. “These are often the ones that don’t have as good defences in place.”

Big high street banks tend to have very sophisticated fraud protection capabilities in place, so they are harder to attack, but many are not prepared for the kinds of targeted attacks they could come under.

“Criminals can now say which attack they want to use for each institution,” Tubin said. “It definitely makes things more difficult for the financial institution. This opens up the market for criminals.”

“They can go for institutions that aren’t as well protected and prepared for these types of attacks,” he said. “It could be just a matter of time, and it could be disastrous.”

It is the banks and the customers who must take preventative measures, as it is extremely difficult to police web-inject sales, even if they do appear to be sold openly on forums.

Policing is an ongoing battle. A lot of the players in this market are in geographies which are difficult to reach and police.

“It is difficult to go after them, so they are relatively safe,” Tubin said.

Microsoft takes on Zeus botnets

Microsoft has continued its war on the King of the Botnets, Zeus, by seizing command and control servers under something it has dubbed Operation b71.

Richard Domingues Boscovich, who is the Senior Attorney of Microsoft’s Digital Crimes Unit, wrote from his bog that Redmond has been doing a lot of research into the worst known Zeus botnets and asking the courts to give them a good kicking.

He said that cybercriminals had built hundreds of botnets using variants of Zeus malware. Operation b71 was focused on botnets using Zeus, SpyEye and Ice-IX, which make up the new Olympus of the Zeus family.

Boscovich said that there were some problems with the complexity of these particular targets which meant that, unlike Microsoft’s previous botnet takedown operations, it did not permanently shut them down.

He said the idea was to strategically disrupt operations to limit the threat in order to cause long-term damage to the cybercriminals that use the botnets to make cash.

Zeus malware uses a tactic called keylogging, which records a person’s every computer keystroke to monitor online activity and gain access to usernames and passwords in order to steal victims’ identities.

Microsoft detected more than 13 million suspected infections of Zeus worldwide, with more than 3 million in the United States.

Microsoft filed a suit on 19 March 2012, asking the court for permission to cut the command and control of the Zeus botnets. Redmond used the Lanham Act in order to physically seize servers from hosting providers and preserve evidence. It also used the Racketeer Influenced and Corrupt Organizations (RICO) Act which is normally used for mobsters.

Boscovich said he did not expect to have wiped out every Zeus botnet operating in the world. However, the operation had disrupted some of the most harmful botnets, and he expected it would harm the cybercriminal underground for quite some time.

Intel MIC, Dell and Nvidia prop up US supercomputer

Intel is sending the University of Texas a Knights Corner chip that sports over 50 cores.

Both the Texas Advanced Computing Center and the University of Texas will enjoy a supercomputer named Stampede that features 10 petaflops of performance altogether. The main reason is Intel’s Many Integrated Core Knights Corner, which accounts for 8 petaflops. It will also sport thousands of Dell Zeus servers, each running dual eight-core processors from Intel’s E5 Xeons. Each will have 32 gigabytes of memory.

Nvidia enjoyed a contract win from the university, too, with 128 of its GPUs sitting in the machine. There are also 16 Dell servers with one terabyte of shared memory, and two GPUs for analysing big data.

Stampede’s total performance will be 10 petaflops, 272 terabytes of memory and 14 petabytes of storage, which, if you haven’t guessed already, is a lot. http://en.wikipedia.org/wiki/FLOPS

It will be the most powerful supercomputer in the US, and will have support for at least four years.

While it’s running, Stampede will contribute to over 1,000 projects in computational, data-driven science and engineering all across America. It will also contribute to optimising Intel’s MIC architecture. There will be a new data centre for the system courtesy of the University of Texas, which should appear in November 2011. Stampede should be up and running in 2013.

Botnet hacker made $17,000 a day

Trend Micro has uncovered just how far one cyber criminal’s reach went. A man in his 20s, somewhere in Russia, used a slew of criminal toolkits to earn money attacking over 90 countries and pocketing $3.2 million in just six months.

Writing from the Trend Micro bog, threat researcher Loucif Kharouni outlines the antics of a hacker who goes by the name of Soldier. He used SpyEye and ZeuS binaries and blackhat SEO on his rampage across the web.

Trend Micro believes Soldier used a network of money mules and had an accomplice residing in the States. Together, just since January 2011, the hacker was making $17,000 a day.

Soldier allegedly traded in traffic with other criminals on the web, using malware to pinch money from countless accounts, with a large majority in the US, as well as thieving security credentials. It wasn’t only grandma opening a dodgy attachment that got hit by the worm; high security institutions and US corporations were among those hit.

Overall, Soldier managed to infect roughly 25,394 systems between late April and June. It will be good for Microsoft’s PR push in getting users to upgrade: the majority of the victims were running Windows XP on their machines. About 4,500 Windows 7 PCs took the hit as well, according to Trend Micro.

The company is keeping the investigation open and is trying to figure out how to notify victims.

Spyeye source code made public

Insecurity outfit Damballa has warned that malware kit SpyEye Builder has had patch source code for release 1.3.45 leaked by hackers, the Reverse Engineers Dream Crew.

A crew member was able to locate a copy of SpyEye Builder 1.3.45 and create a tutorial that enables a reader with SpyEye Builder to crack the hardware identification.

The SpyEye Builder tool generates the SpyEye malware, and the release of the source code means that security researchers can use the crack to start hunting for bugs.

But as Damballa’s Sean Bodmer pointed out to Security Week, it also means the malware’s authors will be forced to step up their game.

He said that it will make newer versions harder to crack, with enhanced security mechanisms. The SpyEye author team has already released 1.3.48 and has newer versions in development, it appears.

But the leak makes the tool widely available to script kiddies, and it is now being sold online for as little as $95 “for those not seasoned enough” to compile the code, he added.

Writing in his bog, Bodmer said that the leak throws a monkey-wrench into the business model of the Gribo-Demon crew behind SpyEye.

Aspiring cyber criminals can find a leaked version of the builder and use the RED Crew tutorial to break its embedded security and launch their own version of SpyEye.

Paid customers or other cyber criminals can now strip out the attribution handle embedded in the malware, which increases the difficulty of identifying the operator or campaign group.

SpyEye has done rather well since the development team behind the malware merged it with that of the older Zeus code. It can even remove Zeus from an infected host machine.

Gigabytes of government data stolen in fake e-card scam

Several gigabytes of sensitive government data have been stolen from government and online security staff in a fake White House e-card scam, according to KrebsOnSecurity.

An email circulated among a large number of public sector employees in the US on December 23 pretending to be a legitimate electronic greeting card from the government. The message read:

“As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

Greeting card:

Merry Christmas!

Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500”

When users accepted it, however, it installed data-stealing malware on their computers, including a ZeuS trojan variant that focused on nabbing documents rather than financial details, suggesting that this attack was primarily interested in taking advantage of the Christmas season to steal government information.

A large number of people fell for the scam, including an official at the Moroccan government’s Ministry of Industry, Commerce and New Technologies, an employee of the Millennium Challenge Corporation, a member of the Financial Action Task Force, and worst of all an intelligence analyst working for the Massachusetts State Police and a staff member of the National Science Foundation’s Office of Cyber Infrastructure, people who probably should have known better.

Information that was gathered in the 2GB data attack includes NSF technology and science grant applications, court-ordered mobile phone intercepts, classified national security documents, financial files, and other sensitive information.

ZeuS trojan won't infect low-end systems

A new version of the keylogging ZeuS trojan will not infect low-end computer systems, according to anti-virus software firm F-Secure.

The picky malware refuses to install on systems with a processor below 2GHz, not because it thinks the owners are clearly too poor to rob via online banking, but because it thinks the low speeds are part of a virus testing environment.

As part of a protection mechanism built into the malware it will terminate without infecting a computer if it believes it is being subjected to virus analysis. Part of this analysis may include slowing down computer speeds via a debugger.

An F-Secure malware analyst discovered that if fewer than 232 timer updates occur during a two second program pause, the trojan will think that a debugger is being run and will simply terminate in order to prevent analysts from learning too much about it.

What this means for the wider world is that any processor with a clock speed of less than 2GHz will be seen by the malware as a test environment, making that machine effectively immune to infection from this particular trojan.

To prove the theory F-Secure exposed an IBM T42 laptop with a 1.86GHz processor to the malware and it failed to become infected. Time to downgrade then.

Microsoft ill equipped for Zeus

A security firm has highlighted concerns over Microsoft’s protection against financial fraud, announcing findings that the Malicious Software Removal Tool is ill-equipped to defend against the Zeus Trojan.

Microsoft announced last month that its MSRT now has the capacity to detect and remove malware such as Zeus; however, Trusteer, a private firm, has tested the tool and says it has major flaws in its protection.

Trusteer claims to have tested MSRT against hundreds of Zeus files, detecting only 46 percent of Zeus 2.0 files, while the new 2.1 version of the financial Trojan failed to be picked up at all.

Mickey Boodaei, CEO of Trusteer, has stated that Zeus also has a significant advantage over MSRT as the tool does not operate in real-time and only disinfects a machine when it is running. Therefore hackers have a “golden window of opportunity” between the time of a Zeus infection and the next scan by MSRT to siphon off money from the victim’s bank account, writes SC Magazine.

“I believe that MSRT will actually serve to further shorten the time between a machine becoming infected and the time it is used to commit fraud. I also expect this will reduce the effectiveness of anti-virus solutions, since they typically cannot detect a new variant until a few days after it is released,” said Trusteer.

“Microsoft is working hard and making important contributions towards improving online security with MSRT and Microsoft Security Essentials. However, in the battle against Zeus, I believe Microsoft chose the wrong weapon. What’s needed are real-time, signature-independent solutions and more operating system improvements, if we want to defeat Zeus and others like it.”

“Zeus and other financial malware can accomplish this fairly easily since they have a distinct technical advantage over MSRT, as they are already running when MSRT starts scanning,” he added.

“This allows the Trojan to easily block MSRT from running altogether. Disabling MSRT will inflict even further damage, since it is effective at detecting and removing many other forms of malware.”

However, as a private security firm, Trusteer does appear to have a possible vested interest in knocking Microsoft’s security software. According to Graham Cluley at Sophos, it is no surprise that Trusteer has said this, and while the results of Trusteer’s test may well be useful in the fight against malware, it would be better to have an independent review.

“As a private firm like Microsoft, Trusteer may well have their own motives for conducting such tests. It would certainly be of more value to the general public if an independent firm such as AV-Test or West Coast Labs was to look at the reliability of MSRT instead,” Cluley told TechEye.

“It is a constant battle to provide defence against malware, with a new example coming up every one and a half seconds. However Microsoft’s MSRT is essentially a scanning tool; it added detection and removal to the software almost in an altruistic sense. Microsoft already has free antivirus software that is available, Microsoft Security Essentials, that runs in real time and would be effective against Zeus.”

Almost undetectable ZeuS variant discovered

A variant of the key-logging ZeuS trojan that is almost undetectable has been discovered by anti-malware researchers at Trend Micro.

The variant, known as TSPY_ZBOT.BYZ, uses a number of techniques to avoid automatic heuristics-based detection, such as importing a large number of external APIs, a characteristic not shared by other ZeuS trojans, and one that means there is a significantly lower chance of detection.

The trojan is also compressed in a different manner to other ZeuS variants, meaning that its calculable entropy is different. Entropy is usually similar across ZeuS samples, which allows anti-malware researchers and software to analyse and detect the trojan, but the difference in this variant helps keep it under the radar.
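The entropy heuristic referred to above, as an added example that is not part of the original article or any vendor's tooling: Shannon entropy over a file and over fixed-size windows, which is how analysts spot packed or encrypted regions whose byte distribution differs from a sample's usual profile. The input is a constructed stand-in for a binary, not a real ZeuS sample.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropy(data: bytes, window: int = 256) -> list:
    """Entropy of each fixed-size window, so packed or encrypted regions stand out from code and padding."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def triage(data: bytes, window: int = 256, high: float = 6.5) -> dict:
    """Summarise overall and per-window entropy. Windows at or above `high` are flagged as
    likely compressed or encrypted; a sample whose profile differs from a family's usual
    profile (as the article describes) is what a researcher would examine by hand."""
    per_window = window_entropy(data, window)
    return {
        "overall": round(shannon_entropy(data), 3),
        "windows": len(per_window),
        "high_entropy_windows": sum(1 for e in per_window if e >= high),
        "max_window": round(max(per_window), 3) if per_window else 0.0,
    }


# Constructed sample (assumption: not a real executable): a text header padded to 512 bytes,
# a 2048-byte "packed" region built from a byte permutation so every 256-byte window is
# uniformly distributed, then 512 bytes of zero padding.
HEADER = (b"MZ" + b"This program cannot be run in DOS mode.").ljust(512, b"\x00")
PACKED = bytes((i * 167 + 13) % 256 for i in range(2048))
SAMPLE = HEADER + PACKED + b"\x00" * 512

if __name__ == "__main__":
    for offset, e in zip(range(0, len(SAMPLE), 256), window_entropy(SAMPLE)):
        print(f"offset {offset:5d}: entropy {e:.2f}")
    print(triage(SAMPLE))
```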

Trend Micro said the trojan is “designed to make analysis in sandboxed environments more difficult.” This makes things harder for anti-malware researchers who provide virus database updates to keep computer users protected, allowing for the spread of the trojan to many more machines.

The ZeuS trojan has been responsible for a string of major attacks throughout the year, including most recently on LinkedIn. The prevalence of the malware has led to multiple arrests around the world, including 19 people involved in a £6 million bank scam in the UK and further arrests in the US, which could see dozens of people jailed.

The problem is also getting worse. Trend Micro issued an update today that a further variant, named TSPY_ZBOT.SMEQ, has been detected, and there could be many more of them, slipping under the watchful eyes of our anti-malware software.

“These new variants show the impact of TSPY_ZBOT.BYZ being able to avoid heuristic detection. Determining the relationship between TSPY_ZBOT.BYZ and the new variants would become harder; correspondingly the new variants would be more difficult to detect,” said Julius Dizon, Research Engineer at Trend Micro.

“To properly guard against this threat, conventional antivirus [software] is not sufficient. Both improved detection techniques and proactive blocking of the websites, working together, can protect users.”

London police arrest 19 in cybercrime online banking scam

The London Metropolitan police e-Crime unit has broken up an elaborate cybercrime ring, arresting 19 people involved in a £6 million heist from online bank accounts.

The suspects are accused of hacking into thousands of computers using malware and then stealing money from people’s online bank accounts. The attacks utilised the ZeuS trojan, also known as Zbot, malware that was recently used to attack business social networking site LinkedIn.

ZeuS is a notorious keylogging trojan aimed primarily at stealing bank details. It is usually installed through phishing campaigns, including ones run on websites like Facebook, or through forced or unauthorised downloads. It has become one of the top trojans, affecting millions of computers, many of which now operate as part of the trojan’s extensive botnet.

The arrests, of 15 men and four women, were made in London after a number of houses were raided on Monday. The suspects are being held in custody and are currently being questioned over their involvement in the cybercrime ring.

The gang is accused of operating for over three months, and the suspects were arrested on suspicion of fraud, money laundering, and a number of offences listed under the Computer Misuse Act.

This is not the first time people have been arrested for using the ZeuS trojan to steal money. In November of last year a couple from Manchester were arrested for the same crime, revealing how dangerous the malware is and how many hackers are currently employing it.