
Zeus Trojan hitting banking customers hard


Filed: Citizen (apr) Country: Brazil

A Trojan that steals online banking credentials is proving to be a particularly insidious and successful piece of malware, according to security experts.

Zeus is the "biggest banking Trojan out there," Laura Mather, co-founder and vice president of marketing at Palo Alto, Calif.-based fraud prevention company Silver Tail Systems said during a recent company webcast. "It's the nastiest, most sophisticated Trojan I've ever seen. It's a money-stealing machine."

Also called Zbot, Zeus and its variants surfaced last year but began trying to infect machines at a steady clip this spring, said Ben Greenbaum, senior manager in the security response unit at Symantec Corp. The malware is easy to configure and widely available on the Internet, with prices ranging from a couple hundred dollars to free, he added.

"Zeus is unusual in the level of success it's achieved. It's more widespread than most," he said. "It combines the best-of-breed features of other crimeware packages into one easy-to-use software suite, so to speak."

About 1.6 million infected machines make up hundreds of Zeus botnets, which target 960 banks, Mather said. Criminals have wreaked a lot of havoc with the bank Trojan's advanced capabilities, she said, citing a case reported by the Washington Post, in which cybercriminals stole $415,000 from Bullitt County, Ky., where Zeus infected the county treasurer's computer.

Mather, managing director of operational policy for the Anti-Phishing Working Group and a former director of fraud prevention at eBay Inc., said the malware can be customized to gather credentials from banks in specific geographic areas and has various means of distribution, including email attachments and malicious Web links. Once it infects a machine, it typically sits dormant, springing to life when the user visits a webpage with a form to fill out.

The Zeus Trojan has a capability that allows criminals to add fields to the form, such as fields for additional authentication information for a bank website; those credentials are sent back to the criminal, she said. Fraudsters also can alter the display to fool users into thinking all their money is still in their account.

The way Zeus alters a form on a genuine bank website as it's displayed on the victim's computer -- instead of showing an entirely fake banking website -- is one of its most powerful features and sets it apart from other banking Trojans, said Richard Wang, manager of the U.S. research labs at Sophos Plc.

"What versions of Zeus might do is see that page as it's being displayed, and at the browser level instead of at the bank level, add an extra box that might ask for your Social Security number," he said. "It looks like the bank has changed its login procedure."

Wang said Zeus is not just a single Trojan, but a toolkit that allows criminals to build their own Trojans that have added functionality. "It allows someone who doesn't have the technical skills to just buy the technology they need to do the banking data theft," he said.

One new Zeus Trojan functionality allows criminals to quickly use stolen credentials, and in some cases, circumvent two-factor authentication. In studying several Zeus variants, researchers at RSA, the security division of Hopkinton, Mass.-based EMC, recently discovered that some criminals were using the Jabber instant messaging open protocol in order to receive stolen information as soon as it was collected from infected computers. The first Jabber IM module RSA researchers studied was configured to extract credentials from users of a single U.S.-based financial institution; another was used by a criminal to target user credentials at five institutions, researchers wrote in a blog post.

"Real-time notification can further online criminals' goals in some cases when certain variations of man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks are launched," RSA researchers wrote. "With such attacks, the online criminal may be acting in real-time as their intended victim logs in to his or her account."

The technique is nothing new, but seems to be gaining popularity, they added.

Symantec's Greenbaum noted that the Zeus Trojan targets more than banking credentials; criminals also are looking to steal social networking site logins and gaming site credentials. Also, Zeus isn't just a bank Trojan, Sophos' Wang said. The malware is used to create "full-featured botnets" that like other botnets, can be used to send spam, launch denial-of-service attacks, and provide hosting services for malicious websites.

The best tactic banks can take against the malware is to educate their customers about computer security, Wang said: "It is very much about user education and making sure people are using good security practices and that they have security software installed and kept up to date."

In a recent interview, Michael Benardo, chief of the cyber fraud and financial crimes section at the Federal Deposit Insurance Corporation, advised banks to help educate their business customers about PC security in light of the increase in fraudulent wire and ACH transfers. Most of the fraudulent electronic funds transfers (EFTs) involved business customers whose online banking credentials were compromised by criminals using Trojans, keyloggers and other spoofing techniques, the FDIC said.

RSA researchers said online security isn't limited to user credentials, although one-time passwords are still an effective layer of protection.

"In order to fight these threats, organizations should adopt multi-layered online security techniques, such as those that shut down Trojan attacks or authenticate users based on their distinct computer profiles and locations," they wrote.

link

An email I've received warning about this particular trojan:

A RECENT SPAM CAMPAIGN is now the world’s leading cyber-attacker. The message appears to come from the Internal Revenue Service (IRS), and with its fake subject line warning that it’s a “Notice of Underreported Income,” it preys on taxpayers’ fears of being audited. The e-mail directs recipients to click on a link to view their “tax statement,” which takes victims to a phony Web site or instructs them to download and view an attachment. But instead of a tax report, they are opening a stealthy virus known as the Zeus Trojan, which hacks into their bank accounts and drains them of money.

Researchers estimate that the Zeus thieves were emptying more than $1 million per day out of victims’ bank accounts as part of a widespread financial fraud scheme. Small businesses have been particularly hard-hit, because banks often hold them accountable for the losses.

You can’t trust your computer’s anti-virus software to detect or disinfect this virus. Experts say that the malicious scammers behind Zeus are changing the program code a few times almost daily to evade detection, which prevents anti-virus companies from breaking the code and protecting their customers against the evolving threat.

The only way to avoid being contaminated is to avoid being hit. The IRS never sends personal notification via e-mail, so immediately delete any such message as spam. And remember, you should never click on a link or download an attachment from an unknown source.

* ~ * Charles * ~ *
 

I carry a gun because a cop is too heavy.

 

USE THE REPORT BUTTON INSTEAD OF MESSAGING A MODERATOR!


Filed: Citizen (pnd) Country: Cambodia

They can't really change the code and have it be undetected due to that; someone will be able to eliminate it.

I mean the memory address is constantly being monitored by the OS. The antivirus software will know the routine of the trojan easily if the code is changed daily.


Filed: AOS (apr) Country: Colombia

Moral of the story for you pervs:

Don't use the same browser session between online banking and porn sites mkay??

Wishing you ten-fold that which you wish upon all others.


Filed: K-1 Visa Country: Thailand
A Trojan that steals online banking credentials is proving to be a particularly insidious and successful piece of malware, according to security experts.

Boy, I had no idea condoms could be so devious!! :o


Filed: Timeline
The only way to avoid being contaminated is to avoid being hit. The IRS never sends personal notification via e-mail, so immediately delete any such message as spam. And remember, you should never click on a link or download an attachment from an unknown source.

Exactly right. In this day and age, I cannot but be surprised when people fall for this stuff. Really. The internet =and especially banking sites= are so user friendly that well, what can I say? :wacko:

thanks for the info :thumbs:


Filed: Citizen (pnd) Country: Cambodia

Number one reason why people fall for computer scams = computer un-savviness.

Even those Geek Squad employees, they think they're all savvy. I got real news: being able to install applications, load applications, work with applications is not savvy. Best Buy supplies them with the Geek Squad Utility disk that just supplies the basic diag. tools such as a mini-AV, msconfig optimization, memory checker... They have no idea how the inner workings of the HD, CPU, northbridge & southbridge chipset, the TLB or CAM memory controllers, etc. work. No friggin idea.

Well, Geek Squad are just those people that rip you off. I used to work for them by the way. :rofl: I was one of them before I graduated from college.


 
