For the past few years, criminals have been creating demonically devious pieces of malware designed to hijack online banking sessions.
One of the best known, the ZeuS (or Zbot) Trojan, has been wreaking havoc on financial institutions since 2007.
Another banking Trojan, SpyEye, appeared two years later. As is common among competing pieces of malware, it at first set out to destroy ZeuS.
But now, security companies have found that ZeuS and SpyEye have declared peace — and are joining forces to become a “super-Trojan.”
( Trojans are pieces of malware that hide inside otherwise innocuous applications or Web pages and install themselves without the victim’s knowledge.)
Online crime for anyone
ZeuS was originally associated with a small group of Brazilian banking fraudsters who used it to steal banking credentials, explained Fred Touchette, senior security analyst with AppRiver.
Shortly thereafter, ZeuS began appearing in underground forums as an easy-to-use pre-packaged “kit”. Its cost ranged from $500 to $2,000, with guaranteed support from its creators.
Soon the ZeuS code was reverse-engineered, and others began offering ZeuS kits for much less, sometimes even for nothing. It’s this proliferation that led to ZeuS becoming the force it is.
In late 2009, SpyEye arrived on the scene. Its creator bragged about its superiority over ZeuS, and the kits he sold in the same underground forums even came with a “ZeuS Killer” checkbox option, which would uninstall ZeuS on any infected machine that SpyEye would come across.
“Both of these Trojans contain keylogging functionality that focus on stealing banking credentials; SpyEye had a preference toward Bank of America accounts at one point,” Touchette said. “The attack vectors” — how Zeus and SpyEye would infect PCs — “include phishing attacks, e-mail attachment infections and drive-by downloads.”
Keylogging involves recording keyboard inputs and sending them to a remote receiver, who can use the logs to determine usernames and passwords. Drive-by downloads involve code hidden in an otherwise safe Web page; just viewing the page can infect a PC.
Late last year, law enforcement groups made news with the international arrests of dozens of cybercriminals who’d been using ZeuS.
“In the brief period immediately after the arrests, it seemed that many cybercrooks were thumbing their noses at the authorities by continuing to blast out ZeuS variants, almost daring them to find them,” explained Touchette. “Not too long after that, we began to see a little less of ZeuS.”
Around that same time, Touchette added, the creator of ZeuS — usually called “Slavik” in underground forums — turned over his source code to the creator of SpyEye — “Harderman” — who then took the strongest parts of both and pieced them together into a super-Trojan.
Other criminals likely helped develop the super-Trojan, according to security blogger Brian Krebs, who dubbed the hybrid creation Spy/ZeuS.
Spy/ZeuS works by injecting itself into Windows library files that allows it to remain hidden and communicate via http requests to its command-and-control servers.
What makes Spy/ZeuS a little different from other pieces of malware, Touchette said, is its ability to infect many hosts quickly while avoiding detection, and to grab credit-card numbers from infected PCs.
It also has a plug-in designed to attack Rapport, an anti-banking-Trojan tool designed by the Israeli online-banking-security firm Trusteer.
The Spy/ZeuS super-Trojan is often distributed through e-mail spam.
“Many of these campaigns pretend to come from UPS, USPS, DHL, or IRS and claim that recipients have a lost package, are due an income tax refund, or something along those lines,” Touchette said. “Valid communication from such delivery companies will be very specific. The IRS will not contact you through e-mail in this manner, so you can immediately delete any that claim you are receiving a refund or that a payment is due.”
How can you defend yourself against this new super-Trojan? First of all, if you don’t already have an antivirus program, install one or more — there are plenty of good free ones — and make sure they automatically update and scan regularly.
Second, reconsider your online banking habits. Never do it while using a public Wi-Fi network, and make sure your home Wi-Fi network has WEP encryption turned on. Better yet, use a wired connection to the Internet.
Business accounts are obviously even more exposed. Krebs put it bluntly in the comments to one of his own recent blog posts : “If you’re operating a business/commercial account and you’re banking online via anything but a Mac, a Live [bootable] CD, or at the very least a dedicated PC, you’re playing with fire.”
Third, see what kind of online security your bank offers. Some banks offer a free download of Trusteer’s Rapport security software; others force the user to log in with graphical-based mouse clicks in order to foil keyloggers. If you don’t see either of these on your bank’s website, demand them.