[email protected] +603-2181 3666
Malware That Can Empty Your Bank Account
August 24, 2015
0

In June last year, US and European enforcement agencies and security firms worldwide, blocked the spread of Gameover Zeus botnet and brought it under control. This put a damper on Cryptolocker ransomware, as it relied on the servers used in the Zeus botnet.

zeus

 

Gameover Zeus and Cryptolocker are some of the well-known malware that target financial data, but there are many other variants that are equally or more dangerous than these two.

The Zeus family is one big family – happy one to the criminals, but a curse to the victims.

Let’s take a look at some of the most dangerous financial malware.

 

1.  Zbot/Zeus

This is a notorious Trojan which infects Windows users and tries to retrieve confidential information from the infected computers, such as system information, passwords, banking credentials or other financial information. It ca also be customized to gather specific banking details from specific countries. Once the cybercriminals have retrieved the necessary details, they can then log into banking accounts and make money transfers.

Zbot/Zeus which has many names including PRG and Infostealer, has already infected 3.6 million systems in the U.S. Back in 2009 it was found that the Zeus had spread on more than 70,000 accounts of banks and business including NASA and Bank of America.

 

2.  Zeus Gameover (P2P) (Zues family)

This is a variant of the Zeus family, which relies on peer-to-peer botnet infrastructure. Zbot/Zeus relied on a C & C (Command & Control) servers to wreak havoc, but Gameover removes the need for this. As it resorts to P2P botnet, the generated peers act as Independent Command and Control servers and are able to download commands and configurations files between them, stealing them and sending them back to malicious servers.

Cybercriminals use Zeus Gameover to collect financial information, targeting credentials such as credit card numbers and passwords, including other private information which might be useful in retrieving a victim’s bank information.

To date, this malware has infected more than 1 million users around the world.

 

3.  SpyEye (Zeus family)

A data-stealing malware created to steal money from online bank accounts. It is capable of sealing bank account credentials, social security numbers and financial information that can be used to create a zero balance in your bank account. This malware also contains a keylogger (see Definition) that retrieves login credentials of online bank accounts. It is popular among cybercriminals because it can be customized to attack specific organisations or target certain financial data.

As soon as a targeted user initiates an online operation from his/her bank account, SpyEye will start a financial transaction.

 

4.  Ice IX (Zeus family)

One of the most sophisticated malware out there is Ice IX. It has similar malicious intent as the malware just described, like stealing personal and financial information such as passwords or login credentials. Like Zeus it can control the displayed content in a browser used for online websites.

Though this malware has improved capabilities as compared to Zeus, the most significant one is the ability to avoid defense mechanism to evade tracker sites, which monitor most Command and Control servers controlled by Zeus.

 

5.  Citadel (Zeus family)

This Trojan came about after the source code for Zeus was leaked in 2011. This Trojan has an open source character, and has been reviewed and improved by cybercriminals for various malware attacks.

This is an advanced toolkit that can be used to trick users into revealing confidential information and steal banking credentials, to be used by cybercriminals for fraudulent transactions.

 

6.  Carberp (Zeus family)

This Trojan has similar behavior to other financial malware in the Zeus family. This is one of the most widely spread financial stealing malware in Russia. Its main targets are primarily banking systems and organisations performing a high number of financial transactions.

It is distributed typically through malicious e-mail attachments, drive-by downloads (see Definition) or by clicking a deceptive pop-up window. What makes this malware different is the high number of legitimate web resources used to collect information and make fraudulent transactions.

 

7.  Bugat (Zeus family)

Bugat targets an infected user’s browsing activity and retrieves information during online banking sessions. It has the ability to upload files from an infected computer, download and execute a list of running processes or steal FTP credentials.

This Trojan receives instructions from a command and control server, including updates to the list of financial websites it targets. The collected information is then sent to the cybercriminal’s remote server.

It propagates when unsuspecting users click on malicious links in e-mails. The user is then directed to a fraudulent website where the Bugat executables downloads onto the system.

 

8.  Shylock (Zeus family)

This Trojan also communicates with remote C & C servers. It uses a domain generation algorithm which can generate a number of domain names that receives commands between the malicious servers and the infected systems.

The malware is delivered mostly through drive-by downloads on compromised websites and via malvertising, where malicious codes are inserted in adverts that are then placed on legitimate websites.

Another technique it uses is to insert malicious JavaScript into a web page. This in turn will produce a pop-up which pushes the user to download a plugin, apparently necessary for media display on the website.

 

9.  Torpig (Zeus family)

The Torpig botnet is used to send spam e-mails or steal personal information or credentials from online banking accounts. Users are typically infected by drive-by download. The infected computers run phishing campaigns to obtain sensitive data from is victims.

 

10.  CryptoLocker

The infamous ransomware that encrypts your data and displays a message that you can decrypt your data for a sum of money that is to be paid within a specific time. Failing to do so, the ransom would be increased. A point to note is that CryptoLocker can be removed by various security solutions, there isn’t a way to decrypt the encrypted locked files.

This ransomware is of the nastiest of malware ever created. Once your data is encrypted there is no way to decrypt those files. What makes it dangerous is that users have their private data exposed and then stand to lose their files without any chance of recovering them, if the ransom is not paid. With all ransomware, there is no guaranty that the criminals will release your data if the ransom is paid. They may just asked for a bigger sum.

CryptoLocker usually infect a system by way of apparent legitimate e-mail attachments, which is purportedly from a well-known company or institution. It targets potential victims through phishing attacks.

 

 

Recommendation

1.  Install a specialized security solution.

2.  Be careful of e-mails you receive and don’t download or run e-mail attachments from unknown. Also, don’t click the links in these types of e-mails.

3.  Back up your important documents and files. Create backup copies of your data in multiple locations.

4.  Keep your software up to date, using the latest security patches available.

 

Definition

1.  Keylogger – a surveillance software that is able to capture all keystrokes on your computer keyboard. Can also be used as a spyware.

2.  Drive-by download – a program that is automatically downloaded to your computer without your consent or knowledge.

 

Source

1.  Heimdal Security.

2.  Techno Nxt (image 1).

 

The Week That Was

1.  Kaspersky Labs denies allegations of inducing false positive AV detections. The company has been accused of sabotaging competitors’ antivirus for nearly 10 years with false positive malware detection.   It was reported that employees were assigned to reverse engineer competitors’ AV software in order to devise a way to trick t into marking good files as malicious. Kaspersky has denied such claims.

2.  Windows 10 remotely disables pirated games and software. If you one of the millions of people who upgraded their system to Windows 10, Microsoft could be scanning your PC for pirated games and unauthorized software.

3.  Microsoft issues emergency patch for IE flaw. The patch fixes a critical memory corruption vulnerability that is being exploited in attacks in the wild. All versions of IE v7-11 are affected. Users of the new Edge Browser on Windows 10 are not affected.

4.  Cybercriminals are becoming more creative. Hackers are taking a more strategic approach and targeting more selective victims to improve their infection rate. This is reflected in in several traditional attack methods – a 50 percent integration of the Angler exploit kit, a 67 percent in overall exploit kit-related threats, and CryptoWall ransomware becoming highly targeted with 79 percent infections occurring in the U.S.