Banking Malware: New Challenger to Zeus?

Pandemiya Trojan Could Invigorate Commercial Malware Market

By Mathew J. Schwartz, July 2, 2014.
[Photo caption: Daniel Cohen of RSA]

Many lightweight remote-access tools also got dressed up as crimeware, he says. "We saw a lot of stealers, like the Pony stealer, which is a very basic piece of software that steals the URL you're visiting, along with the user name and password."


One-Week Attack: Luuuk

Still, barely a day goes by now without at least one security vendor issuing a warning about the latest potential banking malware threat. And to be fair, many of them are quite effective at separating consumers from their savings. (See: Malware: How to Prioritize the Alerts.)

On June 25, for example, Kaspersky Lab detailed Luuuk, a campaign, named for a server address found in the malicious infrastructure, that successfully stole more than 500,000 euros (about $680,000) from victims in Italy and Turkey who were the customers of a single bank, which hasn't been named. Kaspersky Lab says the attack began around Jan. 13, 2014, and the security firm discovered it a week later. Just 48 hours after that, though, attackers appeared to have shut down the campaign.

Attackers employed unknown malware to launch "man in the browser" techniques, a term for Web injection attacks that let attackers transfer money out of a customer's account while the customer is logged in, while hiding that activity from the account holder. "[These] kind of injections are very common in all the variations of Zeus - Citadel, SpyEye, IceIX, etc. - and all of these are well-known in Italy," says Kaspersky Lab. Whatever malware variant was used was likely "also capable of performing automatic transactions to preset money mule accounts."
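One defensive counterpart to the Web injects described above is a page-integrity check: the bank's own client-side code knows which form fields and script sources belong on the login page, so anything else in the rendered markup is a signal that something has been injected. The snippet below is an added example, not code from the article or from any vendor named in it; the page markup, field names, the `bank.example` host and the `inject.example.invalid` script URL are all constructed for the demonstration.

```javascript
// Added example (not from the article): a simple integrity check a bank's
// login page could run to detect fields and scripts that a man-in-the-browser
// web inject has added to the DOM. All markup and names below are constructed.

// Fields the bank's login form is known to contain (assumed names).
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);
// Hosts the bank legitimately loads scripts from (assumed names).
const ALLOWED_SCRIPT_HOSTS = new Set(["bank.example", "static.bank.example"]);

// Extract the name attribute of every <input>, <select> and <textarea>.
// A regex is enough for this constructed sample; a real page would walk document.forms.
function extractFieldNames(html) {
  const names = [];
  const tagRe = /<(input|select|textarea)\b[^>]*>/gi;
  const nameRe = /\bname\s*=\s*["']?([^"'\s>]+)/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const n = nameRe.exec(m[0]);
    if (n) names.push(n[1].toLowerCase());
  }
  return names;
}

// Field names present in the page that the bank never put there.
function findUnexpectedFields(html, expected = EXPECTED_LOGIN_FIELDS) {
  return extractFieldNames(html).filter((n) => !expected.has(n));
}

// Script sources whose host is not on the allowlist; injects commonly pull a remote script.
function findUnexpectedScripts(html, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    let host;
    try {
      // Relative URLs resolve against the bank's own origin (assumed).
      host = new URL(m[1], "https://bank.example").hostname;
    } catch (e) {
      host = m[1];
    }
    if (!allowedHosts.has(host)) out.push(m[1]);
  }
  return out;
}

// Combined verdict the page could report to the bank's fraud back end.
function auditPage(html) {
  const fields = findUnexpectedFields(html);
  const scripts = findUnexpectedScripts(html);
  return { fields, scripts, tampered: fields.length > 0 || scripts.length > 0 };
}

// Constructed sample: the genuine login form as served by the bank ...
const CLEAN_PAGE = `
<form id="login" action="/login" method="post">
  <input type="hidden" name="csrf_token" value="c0nstructed">
  <label>User ID <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Log in">
</form>
<script src="/static/app.js"></script>
`;

// ... and the same page after an inject has added a bogus "security check"
// asking for data the bank never requests, plus a remote script.
const INJECTED_PAGE = CLEAN_PAGE + `
<div class="security-check">
  <label>Card number <input type="text" name="card_number"></label>
  <label>ATM PIN <input type="password" name="atm_pin"></label>
</div>
<script src="https://inject.example.invalid/mitb.js"></script>
`;

console.log("clean:", auditPage(CLEAN_PAGE));
console.log("injected:", auditPage(INJECTED_PAGE));
```

Such a check only raises the bar: malware that controls the browser can also tamper with the check itself, which is why the verdict is best sent to the server and correlated with other signals (device fingerprint, transaction velocity, mule-account destinations) rather than trusted on its own.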

The money transfer, in other words, was just the first part of the attack, since the gang needed to cash out the funds before authorities could find or freeze attackers' accounts. Accordingly, the money would have been withdrawn quickly by money mules, then shared with the gang behind the attacks.

Why Zeus Still Dominates

Beyond Luuuk, this year security researchers also spotted Qadars, a merger of Zeus and Carberp that was released in 2013. "Carberp was a very advanced piece of malware, and Qadars is taking Zeus to the next level," says Cohen.

For comparison's sake, however, Pandemiya and Qadars so far are only blips in the broader banking malware landscape. "For some perspective, we're analyzing about 400,000 binaries per week, and of that malware, about 92 percent is Zeus or Zeus-based," Cohen says. According to the Zeus Tracker, as of June 30, there were 1,149 known Zeus C&C servers being tracked. Meanwhile, only about 40 percent of Zeus malware was being detected by antivirus products, which is a selling point for fraudsters seeking a free crimeware toolkit.

[Figure: Global Zeus Infections. Source: abuse.ch Zeus Tracker]

Zeus, in other words, won't disappear anytime soon, says Cohen. "We might see more unique Trojans being developed, like Pandemiya, but the bottom line is committing cyber crime continues to remain really easy - and that's the challenge we're going to continue to see."

Follow Mathew J. Schwartz on Twitter: @euroinfosec
