Trusteer uncovers Zeus botnet that plunders over 100,000 UK Internet user credentials
"This is just one out of many Zeus 2 botnets operating all over the world," says Amit Klein, Trusteer's chief technology officer. "What is especially worrying is that this botnet doesn't just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user, that can be used to augment their illegal access to those users' online accounts."
"Coupled with the ability to remotely control users' machines, download data and run any file on them, this means that the fraudsters can insert partial or complete Internet pages into a live Web session, enabling to inject transactions at will or extract even more data from the hapless victims," he added.
This is another example , he went on to say, of the growing trend of regional malware where the cybercriminals operate targeted and segmented attacks on users, harvesting revenue from one bank's users one day, and, as that bank's security systems ramp up, move on to another regional bank another day, in this case the UK has been targeted. A pie chart showing the countries in which victims are based is available on the following link http://www.trusteer.com/sites/default/files/Zeusbotnetbycountry.jpg
In short, says Klein, this is a fraudster's ultimate paradise, giving them hidden access to the users' online financial and allied activities, as surely as if they were sat at their shoulder watching their every keystroke, move and online action.
In addition to gaining access to the botnet's servers Trusteer has also been able to access the interface used by the fraudsters to manage the botnet. This allows a very unique view into the way fraudsters operate Zeus botnets. The interface allows three main functionalities. The first is the ability to monitor the growth and footprint of the botnet with very accurate statistics and graphs showing the total number of bots, their distribution, newly added bots, count of active bots, etc. One example is a pie chart showing the operating systems running on the affected PCs, available on the following link http://www.trusteer.com/sites/default/files/ZeusbotnetOSstats.jpg
The second is a search function on all traffic generated by the bots. The botnet captures all HTTP and HTTPS traffic from infected computers and store it in a central MySQL database. A search tool allows the fraudsters to easily extract any type of information from the database. For example if the fraudsters are looking for credentials for a specific institution they can just type a part of the institution's URL into the search box and will immediately receive all HTTP/S requests that contain this pattern. From there they can extract the relevant login information. The third functionality allows criminals to push updates and other executables to specific bots or to the entire botnet. For example, they can push other pieces of malware or they can push a remote access programs that then allow them to remotely access the infected machine and control it.
Mickey Boodaei, Trusteer's CEO, says that the revelations surrounding the Zeus 2 botnet are the result of hundreds of man hours of effort behind the scenes by his security team, who constantly monitor for this type of activity.
This effort is part of an ongoing intelligence operation Trusteer is running in order to investigate the various aspects of fraud. We try to learn as much as possible on any piece of malware that targets the banks we work with. This information allows the banks to better understand immediate threats and take various actions, many of which are behind the scene to protect their customers against these attacks.
"It's important to realise that, despite its size, this is just one of many Zeus botnets operating all over the world. Its size and controllable actions are a clear demonstration of the increasing sophistication of cybercriminal gangs and how they can harness the power of driveby downloads, spam and general phishing trawls to create such a large swarm," he said.
"Zeus has become one of the most prevalent botnet trojans in the history of online bank fraud. Fighting financial malware requires banks to have accurate intelligence and strong fraud detection and mitigation capabilities. Fighting financial malware requires banks and their customers to work together. Internet users need to follow their bank's instructions and when asked download online banking security software such as from HSBC, NatWest, RBS and Santander which is specifically tuned to detect and resist specific threats that the bank identifies such as Zeus. Banks need to continue implementing multiple layers to detect, resist, and deactivate malware attacks and tightly integrate these layers together.
For more on Trusteer: www.trusteer.com
Trusteer, the world's leading provider of secure browsing services, helps prevent financial malware attacks through its Rapport and Flashlight services. Trusteer Rapport enables banks and online businesses to protect sensitive data such as account holder credentials from malware by locking down the browser and creating a tunnel for safe communication between the web site and customers' machines. It also prevents phishing by validating site authenticity. Trusteer Flashlight allows remote, effective, and instant investigation of malwarerelated fraud incidents. Trusteer's solutions are used by more than 60 leading financial organizations in North America and Europe and by more than 8 million of their customers. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer.
For more information about our products and services, please visit www.trusteer.com.