Security research from the front lines

Ryan Sherstobitoff


Blog Post

Zeus & SpyEye: Summary

New Targets

For those who know how dangerous Zeus and SpyEye are to the financial services community, you can appreciate how difficult it is to determine the methods and motives behind an ever-changing threat landscape, especially when dealing with the infamous Zeus banking Trojan. This post therefore summarizes some of the most recent changes and tactics used by fraudsters, along with some of their new targets. Zeus has been on the market for several years, has infected millions of PCs, and has been associated with many high-value losses in the business banking segment.

Summary

Community and regional banks and credit unions have recently come under the focus of the Zeus and SpyEye banking Trojans. These malware families are no longer targeting only the Bank of Americas of the world; there has been a dramatic shift in the type of target fraudsters go after. Many Zeus/SpyEye variants deployed by fraudsters target community-style banks, the really small banks that serve a single local city, as opposed to larger financial institutions.

The trend is that more fraud cases will occur at the lower end of the financial services market. There are a couple of reasons for this, and for why the strategy is working:

• Smaller banks are less likely to employ multi-factor, strong authentication.
• Smaller banks run common, easily identifiable banking platforms with very little customization, making large-scale generic attacks workable without much effort on the part of the fraudster.
• The larger banks have been a constant target for years; the strategy now is to focus on smaller banks that have fewer resources to combat fraud.

According to the evidence analyzed in my research, the variants observed target community-style banks in two countries primarily: the USA and Australia.

The configuration files of the Zeus/SpyEye variants discovered contain evidence that fraudsters are creating custom triggers to target the lower end of the market. For example, several variations of Zeus contain custom triggers (target data) for smaller banks such as:

• [....] Citizens Bank
• [....] Bank & Trust
• First [....] Bank & Trust

The configuration file – the heart of Zeus/SpyEye – determines specifically which targets to hit and also contains the JavaScript code that tells the malware how to steal the information. This file is built with the toolkit used to create the infection binary, and the targets are usually custom-defined by the fraudster before deployment to victims. Keep in mind that the configuration file is encrypted and the decryption key is unique per C&C server, which makes analysis of this data difficult for researchers. The triggers defined by the fraudster steal information such as usernames, passwords, and so on.

In some cases you will see specific pages referenced in the trigger URL, such as balance pages, which indicates that the malware intends to grab the balance and store it in its cache. Zeus uses the stored balance details to inject into the same page at a later time, persistently hiding the fact that money was fraudulently transferred out of the user’s account.

The configuration file can be updated dynamically by the C&C server to hit other pages or to add new custom triggers. A balance-page reference of this kind is evidence that the variant in question likely uses a process known as the Automatic Transfer Mechanism or Transaction Modification (ATM). This is where the malware automatically changes the recipient information on a funds transfer in real time, so that the money ultimately ends up in the criminal’s account instead of with the intended recipient.

In one malware variant, three targeted credit unions had their account balance pages listed as the trigger for what is known as the balance grabber module, a component that exists in both Zeus and SpyEye. Because Zeus/SpyEye uses the stolen balance information to inject a false balance and so hide the fact that the account holder was a victim, this is probable evidence that these variants employ automatic transaction modification. You will also see that triggers for Bank of America and Wells Fargo still remain, but these are known as default triggers and in many cases were not intentionally added by the fraudster – they come with the purchase of the crimeware kit.
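A practical use of the trigger data described above is for a bank's security team to check whether its own online-banking URLs appear in a decrypted trigger list and, if so, whether the triggers point at balance pages (a sign of the balance grabber) or are merely the kit's default triggers. The script below is an added example written for this post, not code from the original article or from any malware kit. It assumes the decrypted configuration has already been reduced to a plain list of `*`-wildcard URL masks; the trigger masks, the institution URLs and every `.example` domain are constructed placeholders, and the `DEFAULT_TRIGGER_DOMAINS` set simply mirrors the two institutions the text names as default triggers.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a decrypted trigger list reduced to its URL masks.
# Masks use '*' as a wildcard; every domain is a made-up .example placeholder.
SAMPLE_TRIGGERS = [
    "*citizensbank.example/online/login*",            # custom login trigger
    "*firstbankandtrust.example/accounts/balances*",  # custom balance-page trigger
    "https://www.bankofamerica.example/*",            # stand-in for a kit default trigger
    "*wellsfargo.example/*",                          # stand-in for a kit default trigger
]

# Domains the article identifies as default (kit-supplied) triggers,
# spelled as placeholders to match the constructed masks above.
DEFAULT_TRIGGER_DOMAINS = {"bankofamerica.example", "wellsfargo.example"}

# Path fragments that suggest a trigger feeds the balance grabber module.
BALANCE_KEYWORDS = ("balance", "summary")


@dataclass(frozen=True)
class TriggerHit:
    url: str               # one of the institution's own URLs
    mask: str              # the trigger mask that matched it
    balance_page: bool     # does the URL look like a balance/summary page?
    default_trigger: bool  # is the mask a kit default rather than custom?


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Turn a '*'-wildcard URL mask into an anchored, case-insensitive regex.

    Everything except '*' is matched literally, so '?' and '.' in URLs are safe.
    """
    parts = (re.escape(piece) for piece in mask.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def is_balance_page(url: str) -> bool:
    """Heuristic: balance/summary keyword in the URL path."""
    path = (urlparse(url).path or "").lower()
    return any(word in path for word in BALANCE_KEYWORDS)


def is_default_trigger(mask: str) -> bool:
    """True if the mask names one of the kit's default target domains."""
    mask_l = mask.lower()
    return any(domain in mask_l for domain in DEFAULT_TRIGGER_DOMAINS)


def check_urls(urls, triggers):
    """Return a TriggerHit for every (URL, mask) pair where the mask matches."""
    compiled = [(mask, mask_to_regex(mask)) for mask in triggers]
    hits = []
    for url in urls:
        for mask, pattern in compiled:
            if pattern.match(url):
                hits.append(TriggerHit(url, mask, is_balance_page(url), is_default_trigger(mask)))
    return hits


def summarize(hits):
    """Counts a bank's security team would report: custom vs default, balance pages."""
    return {
        "custom": sum(1 for h in hits if not h.default_trigger),
        "default": sum(1 for h in hits if h.default_trigger),
        "balance_pages": sum(1 for h in hits if h.balance_page),
    }


# Constructed sample: URLs a small institution might hand over for checking.
SAMPLE_URLS = [
    "https://www.citizensbank.example/online/login.aspx",
    "https://www.citizensbank.example/contact",
    "https://www.firstbankandtrust.example/accounts/balances?acct=1",
    "https://www.bankofamerica.example/login",
]

if __name__ == "__main__":
    found = check_urls(SAMPLE_URLS, SAMPLE_TRIGGERS)
    for hit in found:
        print(f"{hit.url}  <-  {hit.mask}  balance={hit.balance_page} default={hit.default_trigger}")
    print(summarize(found))
```

The wildcard is translated into a regex rather than passed to `fnmatch` because URLs routinely contain `?` and `[`, which `fnmatch` would treat as pattern syntax. A hit on a custom balance-page trigger is the finding worth escalating; a hit only on a default trigger tells you little about the fraudster's intent, as the text notes.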

In summary, based on sinkhole data and other industry sources, an estimated 5 million PCs in the US are infected with Zeus, and that figure makes perfect sense given the targets the fraudsters are now focusing on.

More Stories By Ryan Sherstobitoff

Ryan Sherstobitoff is an Independent Security Researcher. He formerly was the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country. He blogs at http://ryansherstobitoff.ulitzer.com.
