Crimeware: How it works

Michael Kassner speaks to Joe Stewart, a highly-regarded malware researcher with SecureWorks, to get more information on how crimeware works.

After I posted "On-line banking: How safe is it?", I realized I had more questions. I especially wanted to find out about the malware described in that article. My initial research narrowed the choices down to two trojans, Zeus and URLZone. Mr. Stewart was in agreement, but qualified his statement. He impressed upon me the fact that nothing is absolutely for sure, because the threat is constantly in flux.

Ever-changing risk

The fact that both Trojan kits are successful has not stopped their developers from constantly improving the malcode. Mr. Stewart calls it: "Ever-changing risk". He further explained that cybercrime is a business and in order to maintain a revenue stream, the bad guys have to make sure their products work.

This fluidity means crimeware is identified "after the fact" at best, and it is why security researchers have such a difficult task. They figure out how a piece of crimeware works, yet the next reported instance may use a slightly different approach. That said, I still would like to take a look at what we know about Zeus and URLZone.

Zeus: For hire

Zeus is a trojan, a modular kit, and for sale; the asking price varies but seems to average around $700. Security experts at RSA's Anti-Fraud Command Center have detected hundreds of different variants of the Zeus Trojan kit, each version capable of infecting thousands of computers every day.

I'm not sure whether we should be surprised, but Zeus has a EULA. People at Symantec, while researching Zeus, found the EULA and were able to translate the following slide:

  1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
  2. May not disassemble / study the binary code of the bot builder.
  3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
  4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
  5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

Unlike most EULAs, this one is short and to the point. I must say that I have not seen point four on many normal EULAs. Wanting to show they are serious, the kit developers include a warning (inside the red box):

"In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to anti-virus companies."

Binary code

I did not quite understand the warning, until I learned that Zeus is considered a binary generator. That means each iteration of the Zeus trojan is different. That sure puts a damper on the use of anti-virus signature files.

Banking crimeware

It appears that Zeus is all about stealing money from people who bank on-line. That becomes apparent from the capabilities built into Zeus:

  • Detect when banking information is being entered.
  • View screen shots real-time and remotely control what is shown on the monitor.
  • Steal passwords and other log-in information using advanced key loggers.
  • Encrypt stolen information and use Jabber IM to transmit the information to the attacker's servers.

Mr. Stewart pointed out that using Jabber adds a new dimension to Zeus. It allows cybercriminals to obtain log-on credentials in real-time. That means it is possible for one-time passwords to still be valid. RSA's FraudAction Research Lab explains the process:

  1. A variant of the Zeus Trojan infects legitimate users' computers through an online attack instigated by a Trojan herder.
  2. Credentials stolen by these herders are sent to the Zeus Trojan herder's drop server.
  3. The Jabber IM module searches the drop server's database for accounts belonging to users from specific organizations (usually financial institutions).
  4. The Jabber IM module transmits this specific account information through a Jabber 'sender' account.
  5. The criminal quickly receives the targeted, stolen user credentials obtained by the Jabber 'receiver' account.
  6. The Trojan herder now possesses the compromised user credentials, which enables him to log into the account and perform fraudulent money transfers.

I originally thought Zeus was more automated. Mr. Stewart corrected my error, mentioning that Zeus requires significant user intervention. Ironically, that is why Zeus works so well. The cybercriminals have the flexibility to react to new formats or changes in the banking-transaction process. Screen shots plus key loggers give attackers everything they need to make illicit transactions.

Does Zeus seem like the crimeware used to exploit Ferma's banking account? Before you decide, let's take a look at URLZone.

URLZone: More complex

At the other end of the spectrum is URLZone, a trojan kit similar to Zeus in outcome but very different in how it works. That difference makes URLZone more complex, which is probably why it hasn't been out in the wild as long as Zeus. That also may be why I wasn't able to find any information on how it is distributed or its cost.

With the URLZone Trojan kit, the cybercriminal gets a program called URLZone Builder. The attacker uses the program to create a configuration file containing information about the banking portal being targeted. Later on, we will see where the file comes into play.

To load URLZone on a victim's computer, attackers use a toolkit called LuckySploit. The malware leverages vulnerabilities in Firefox, Internet Explorer, and Opera Web browsers on computers running Windows operating systems.

Initial setup

Once URLZone is loaded on the computer, it creates a version ID and transmits that information back to a command and control server. The next step is to download the configuration file from the command and control server, encrypt it, and store the file locally. URLZone also adds itself to the startup registry, so it will be active whenever the computer is running.

How URLZone works

Once activated, URLZone checks in with the command and control server every few hours for updates. URLZone also constantly checks to see if an instance of any file or Web browser is open.

If URLZone finds an active browser, it immediately hooks into it and looks for HTTPS traffic. Here is where URLZone gets sneaky. It collects HTML data (related to the HTTPS traffic) that is sent using the POST method, which more than likely will be log-on credentials or transaction information.

If such data is found, the configuration file is opened and some interesting things happen. Let's follow the steps, as outlined by Finjan's malware analysis of URLZone:

  1. If the Web site matches the banking portal specified in the configuration file, the malware will capture screenshots from the victim's computer and send them to a command and control server.
  2. When the user confirms the financial transaction, URLZone changes the account number and amount to what the configuration file specifies.
  3. URLZone then sends that file to the command and control server.
  4. The banking portal receives the transaction information and completes the transfer.
  5. URLZone presents transaction information the user expects to avoid suspicion.

As far as the victim knows, the transaction was a success, which it was. It's just that the amount of money is most likely different and the money was transferred to a money mule account, not where the victim intended.

Mr. Stewart's thoughts

One overriding principle kept surfacing as Mr. Stewart talked. I was reminded of an anecdote my grandfather told me many years ago:

"A bear was chasing two hunters. One hunter asked the other if he thought he could out-run the bear. The other hunter replied that he didn't have to, mentioning that all he had to do was out-run him."

Like the bear, cybercriminals will always go after the easiest target. Right now, that's us in the United States. Simply put, we are behind when it comes to securing on-line banking. That was obvious in the comments from European TechRepublic members.

Mr. Stewart did not stop there. He stated that when U.S. financial institutions get it together, the cybercriminals will figure out the next easiest target. With that in mind, he explained there are only two methods to prevent on-line financial transactions from getting hijacked:

  • Use a dedicated computer running only the operating system and Web browser application; no other applications (especially e-mail) should be installed. Make sure the operating system and Web browser are absolutely up-to-date. Finally, this computer should only be used to access the required financial Web portals, with no other Web browsing.
  • Use an out-of-band communications method (SMS text messages from the user to the bank) to verify the transaction.
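As an added illustration (not from the article, SecureWorks or Finjan), here is a constructed Python model of why the second method defeats the URLZone tampering described above: the bank composes the confirmation SMS from the form it actually received, so the user sees the mule account and altered amount that the browser page hides in step 5. The account names, amounts, `SECRET` value and function names are all made up for this example.

```python
import hashlib
import hmac
import re

SECRET = b"bank-side-secret-constructed-for-this-example"  # constructed value


def bank_receive_transfer(posted_form: dict, txn_id: str) -> str:
    """Bank side. The SMS is built from the form the bank actually received,
    which a man-in-the-browser may already have rewritten, and the approval
    code is HMAC-bound to those details so it cannot approve anything else."""
    dest = posted_form["dest_account"]
    amount = int(posted_form["amount_cents"])
    msg = f"{txn_id}|{dest}|{amount}".encode()
    code = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]
    return f"Transfer {txn_id}: {amount / 100:.2f} to {dest}. Reply code {code} to approve."


def user_verifies_sms(sms: str, intended_dest: str, intended_amount_cents: int) -> bool:
    """User side. Approve only if the SMS describes the transfer the user
    typed, rather than trusting what the (possibly tampered) browser shows."""
    m = re.search(r"Transfer \w+: (\d+\.\d{2}) to (\S+)\.", sms)
    if not m:
        return False
    shown_amount_cents = round(float(m.group(1)) * 100)
    return m.group(2) == intended_dest and shown_amount_cents == intended_amount_cents


def man_in_the_browser(form: dict, mule_account: str, mule_amount_cents: int) -> dict:
    """Stand-in for URLZone step 2: the submitted form is rewritten after the
    user clicks confirm. Constructed model, not malware code."""
    tampered = dict(form)
    tampered["dest_account"] = mule_account
    tampered["amount_cents"] = str(mule_amount_cents)
    return tampered


def run_scenario(tampered: bool) -> bool:
    """Return True if the user would end up approving the transfer."""
    intended = {"dest_account": "ACCT-PAYEE-001", "amount_cents": "25000"}
    form = man_in_the_browser(intended, "ACCT-MULE-999", 980000) if tampered else intended
    sms = bank_receive_transfer(form, txn_id="T1")
    # The browser may still render the intended details; the SMS does not.
    return user_verifies_sms(sms, "ACCT-PAYEE-001", 25000)
```

The same check fails if the SMS carries only a bare code with no transaction details, which is why the out-of-band message must echo the account and amount.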

Mr. Stewart has me convinced of this now. Other methods may work, but for how long?

Final thoughts

In the previous article, we all seemed to think that virtual machine, LiveCD, or sandbox technology might be the answer. Does this new information change your mind about those being secure options? Also, which trojan do you think was used to steal 447,000 dollars from Ferma, Zeus or URLZone?

I want to thank Joe Stewart and Elizabeth Clarke from SecureWorks for taking the time to answer my questions, providing new insight on a complex subject.

"To improve is to change; to be perfect is to change often"

Winston Churchill (1874-1965)
