Security

Crimeware: How it works

Michael Kassner speaks to Joe Stewart, a highly-regarded malware researcher with SecureWorks, to get more information on how crimeware works.

After I posted "On-line banking: How safe is it?", I realized I had more questions. I especially wanted to find out about the malware described in that article. My initial research narrowed the choices down to two trojans, Zeus and URLZone. Mr. Stewart was in agreement, but qualified his statement. He impressed upon me the fact that nothing is absolutely for sure, because it is in flux.

Ever-changing risk

The fact that both Trojan kits are successful has not stopped their developers from constantly improving the malcode. Mr. Stewart calls it: "Ever-changing risk". He further explained that cybercrime is a business and in order to maintain a revenue stream, the bad guys have to make sure their products work.

This fluidity makes identifying crimeware at best "after the fact" and why security researchers have a difficult task. They figure out how a piece of crimeware works. Yet, the next reported instance may use a slightly different approach. That said, I still would like to take a look at what we know about Zeus and URLZone.

Zeus: For hire

Zeus is a trojan, a modular kit, and for sale: The asking price varies, seeming to average around $700. Security experts at RSA's Anti-Fraud Command Center have detected hundreds of different variants of the Zeus Trojan kit, each version capable of infecting thousands of computers every day.

I'm not sure if we should be surprised or not, Zeus has a EULA. People at Symantec while researching Zeus found the EULA and were able to translate the following slide:

  1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
  2. May not disassemble / study the binary code of the bot builder.
  3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
  4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
  5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

Unlike most EULAs, this one is short and to the point. I must say that I have not seen point four on many normal EULAs. Wanting to show they are serious, the kit developers include a warning (inside the red box):

"In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to anti-virus companies."

Binary code

I did not quite understand the warning, until I learned that Zeus is considered a binary generator. That means each iteration of the Zeus trojan is different. That sure puts a damper on the use of anti-virus signature files.

Banking crimeware

It appears that Zeus is all about stealing money from people who bank on-line. That becomes apparent by the capabilities built into Zeus:

  • Detect when banking information is being entered.
  • View screen shots real-time and remotely control what is shown on the monitor.
  • Steal passwords and other log-in information using advanced key loggers.
  • Encrypt stolen information and use Jabber IM to transmit the information to the attacker's servers.

Mr. Stewart pointed out that using Jabber adds a new dimension to Zeus. It allows cybercriminals to obtain log-on credentials in real-time. That means it is possible for one-time passwords to still be valid. RSA's FraudAction Research Lab explains the process:

  1. A variant of the Zeus Trojan infects legitimate users' computers through an online attack instigated by a Trojan herder.
  2. Credentials stolen by these herders are sent to the Zeus Trojan herder's drop server.
  3. The Jabber IM module searches the drop server's database for accounts belonging to users from specific organizations (usually financial institutions).
  4. The Jabber IM module transmits this specific account information through a Jabber ‘sender' account.
  5. The criminal quickly receives the targeted, stolen user credentials obtained by the Jabber ‘receiver' account.
  6. The Trojan herder now possesses the compromised user credentials, which enables him to log into the account and perform fraudulent money transfers.

I originally thought Zeus was more automated. Mr. Stewart corrected my error, mentioning that Zeus requires significant user intervention. Ironically, that is why Zeus works so well. The cybercriminals have the flexibility to react to new formats or changes in the banking-transaction process. Screen shots plus key loggers give attackers everything they need to make illicit transactions.

Does Zeus seem like the crimeware used to exploit Ferma's banking account? Before you decide, let's take a look at URLZone.

URLZone: More complex

At the other end of the spectrum is URLZone. A trojan kit similar to Zeus in outcome, but very different in how it works. That difference makes URLZone more complex, probably why it hasn't been out in the wild as long as Zeus. That also may be why I wasn't able to find any information on how it is distributed or its cost.

With the URLZone Trojan kit, the cybercriminal gets a program called URLZone Builder. The attacker uses the program to create a configuration file containing information about the banking portal being targeted. Later on, we will see where the file comes into play.

To load URLZone on a victim's computer, attackers use a toolkit called LuckySploit. The malware leverages vulnerabilities in Firefox, Internet Explorer, and Opera Web browsers on computers running Windows operating systems.

Initial setup

Once URLZone is loaded on the computer, it creates a version ID and transmits that information back to a command and control server. The next step is to download the configuration file from the command and control server, encrypt it, and store the file locally. URLZone also adds itself to the startup registry, so it will be active whenever the computer is running.

How URLZone works

Once activated, URLZone checks in with the command and control server every few hours for updates. URLZone also constantly checks to see if an instance of any file or Web browser is open.

If URLZone finds an active browser, it immediately hooks on it and looks for HTTPS traffic. Here is where URLZone gets sneaky. It collects HTML data (related to the HTTPS traffic) that is sent using the POST method, which more than likely will be log-on credentials or transaction information.

If such data is found, the configuration file is opened and some interesting things happen. Let's follow the steps, as outlined by Finjan's malware analysis of URLZone:

  1. If the Web site matches the banking portal specified in the configuration file, the malware will capture screenshots from the victim's computer and send them to a command and control server.
  2. When the user confirms the financial transaction, URLZone changes the account number and amount to what the configuration file specifies.
  3. URLZone then sends that file to the command and control server.
  4. The banking portal receives the transaction information and completes the transfer.
  5. URLZone presents transaction information the user expects to avoid suspicion.

As far as the victim knows, the transaction was a success, which it was. It's just that the amount of money is most likely different and the money was transferred to a money mule account, not where the victim intended.

Mr. Stewart's thoughts

One over-riding principal kept surfacing as Mr. Stewart talked. I was reminded of an anecdote my grandfather told me many years ago:

"A bear was chasing two hunters. One hunter asked the other if he thought he could out-run the bear. The other hunter replied that he didn't have to, mentioning that all he had to do was out-run him."

Like the bear, cybercriminals will always go after the easiest target. Right now, that's us in the United States. Simply put, we are behind when it comes to securing on-line banking. That was obvious in the comments from European TechRepublic members.

Mr. Stewart did not stop there. He stated that when U.S. financial institutions get it together, the cybercriminals will figure out the next easiest target. With that in mind, he explained there are only two methods to prevent on-line financial transactions from getting hijacked:

  • Use a dedicated computer running only the operating system and Web browser application, no other applications (especially e-mail) should be installed. Make sure the operating system and Web browser are absolutely up-to-date. Finally, this computer should only be used to access the required financial Web portals, no other Web browsing.
  • Use an out-of-band communications method (SMS text messages from the user to the bank) to verify the transaction.

Mr. Stewart has me convinced of this now. Other methods may work, but for how long?

Final thoughts

In the previous article, we all seemed to think that virtual machine, LiveCD, or sandbox technology might be the answer. Does this new information change your mind about those being secure options? Also, which trojan do you think was used to steal 447,000 dollars from Ferma, Zeus or URLZone?

I want to thank Joe Stewart and Elizabeth Clarke from SecureWorks for taking the time to answer my questions, providing new insight on a complex subject.

"To improve is to change; to be perfect is to change often"

Winston Churchill (1874-1965)

About

Information is my field...Writing is my passion...Coupling the two is my mission.

75 comments
Slayer_
Slayer_

Any virus scanners aware of these?

santeewelding
santeewelding

Nope. My pants are not digital. God help me when, even they, become so.

Michael Kassner
Michael Kassner

I talked to Joe Stewart, malware researcher with SecureWorks about banking crimeware. On-line banking is not hopeless, but certain steps need to be taken to remain safe.

Michael Kassner
Michael Kassner

GMER and MBAM have successfully located some variants. Please remember that each new installation of Zeus is a new binary. So malware scanners are using heuristics to locate these. I would not trust them to be honest. I would reload a clean OS, especially Windows. Also, Zeus has not been found on Apple or Linux OSs, so that is another option.

Breezer85
Breezer85

I just find it a hell of alot easier to go down to the bank to deal with a human face to face. That said not even they can be trusted with your money! LOL!

MattPW
MattPW

I didnt realise that both these trojans reported screen capture information, good research work Michael. The screen capture data would be the most direct attack on the PassWindow authentication system allowing the attackers to begin analysing the key pattern but it still wouldnt crack the user key in a useful amount of time / interceptions as it is with the Electronic tokens in the single interception outlined above. If implemented properly on the new outgoing account authentication the predictable path of the analysis still wouldnt yield enough information to the attacker in less than a year (maybe more depending on usage) of the attacker waiting and analysing the victims machine.

davidt
davidt

Walk to the bank and deal directly with the teller.

howiem
howiem

The best way to beat this problem, as with any malware, is to not get infected in the first place. Does anyone know all the attack vectors for these trojans?

tundraroamer
tundraroamer

With all the money and resources spent on anti-everything, wouldn?t it be less expensive to stop the source? If you can buy these programs across the internet, then why can't those transactions be detected and stopped? Block the source and they will have to use other methods to deliver product. Make it hard enough and they will go and pursue the "slower hunter" of opportunity elsewhere. Do the buyers use a credit card or a bank transfer to pay for it? Surly those mule accounts can be detected and tracked to the sellers. Stop the problem at the source or at least use their own technology to get the money back and diverted into crime prevention. Similar to the DEA seize and sell program.

FatNGristle
FatNGristle

What are the possibilities of making a code generative browser, where browser code/functions are employed differently for each installation? Fight fire with fire.

rkoenig09
rkoenig09

My bank requires a second user to log in, review and approve all outgoing transfers. You CAN login as the second user on the same pc - I think that somewhat defeats the purpose. This is a pain and may not be practical in some cases but I think it would catch transactions that had been tapmered with.

twarsins
twarsins

what if I setup linux and do my online banking on that?

RookieTech
RookieTech

hmmm i need to go get me a trojan kit lol thats messed that you can buy malware kits.

Slayer_
Slayer_

Their must be some way to tell if your infected...

Ocie3
Ocie3

is returned from the dry cleaning shop, you'll have to re-install Windows and all of the applications that you're running on it, i.e., "a completely clean re-install". :-) :-) :-)

JCitizen
JCitizen

when you already own the form session. The browser is fully pwned with the Zues method. They even get the user to put in second factor data like that mentioned. Please correct be if I'm wrong Michael, but that Silver Tail webinar suggested it.

Michael Kassner
Michael Kassner

I talked to Mr. Stewart about PassWindow and I will fill you in.

Ocie3
Ocie3

if either you never "set up" online banking for an account(s), or the bank is willing to remove any online banking capability for that account(s). Of course, you would have to do that not just for your bank account(s), but for each and every other "financial account" that can be used in any way to transfer funds to another entity's account (e.g., PayPal). From what I've read in the articles to which Michael referred, both ZeuS and URLZone are perfectly capable of being used to steal money from any account that has some, even, I suppose, to effect a fraudulent credit-card transaction (e.g., a "cash advance").

Michael Kassner
Michael Kassner

Zeus is using LuckySploit and browser vulnerabilities. But that could change tomorrow. The trojans could be wrapped in any kind of dropper program.

Michael Kassner
Michael Kassner

They are trying to, but this malware is ever-changing as are the money mules. The people in charge usually are in countries that do not extradite as well. It's a tough problem with a a highly variable scope.

Michael Kassner
Michael Kassner

Key loggers and screen capture applications make any of those types of approaches invalid.

Ocie3
Ocie3

Quote: ".... You CAN login as the second user on the same pc - I think that somewhat defeats the purpose." At least with URLZone, IMHO, that could defeat the purpose, because the second user would be logging-on from an exploited machine, and the malware is able to alter numbers which are on the banking web page that the browser displays. Perhaps they would catch the first attempt, because the web page displayed for the confirmation by the second user could be different and not included in the URLZone configuration file. The bot herder is probably apprised of that page because screenshots are sent, so they could change the configuration in the future if it isn't already configured to alter the confirmation page.

Michael Kassner
Michael Kassner

Think that approach is effective against keyloggers and screen capture applications. Also URLZone is capable of mimicking the Web page, change the account number and amount and have you verify it, because as far as you know everything is correct.

Ocie3
Ocie3

looks for both OS and browser vulnerabilities. So, if you're running Firefox on Linux, your system could still be vulnerable until a Firefox vulnerability that is known to LuckySploit is recognized and corrected. However, according to the article about LuckySploit, it obfuscates its routines which it uses to find and exploit vulnerabilities, which makes it (reportedly) impossible to identify the vulnerabilities for which it is searching. Edit: I don't know which other browsers run on Linux; there is a list of the ones that LuckySploit seeks in the MCRC blog post about URLZone. It doesn't include Opera or Chrome, but perhaps I overlooked something in the article about LuckySploit itself.

Michael Kassner
Michael Kassner

Of my knowledge, Linux is not been involved yet. Remember though, the bad guys want to keep their secrets from us. I would try to use a read-only OS as on a LiveCD, if a dedicated computer is not an option. Remember the two hunters and the bear.

rbees
rbees

It would seam to me that the bank having and maintaining a dial-in banking service would work better. It is not like there is huge amounts of data (read graphics) that would seriously bog down the dial-up connection. How many machines don't have an on-board modem these days? Is it not virtually impossible to highjack that kind of connection if there isn't another networking source? Short of eavesdropping on the phone line somehow, and encryption should take care of that easy enough. Of coarse all other online services would need to be disabled. And there would probably need to be site specific software but, hey, if it is unspyable what is wrong with that?

Michael Kassner
Michael Kassner

That just about any sophisticated malware can be purchased. In fact there is a shift in direction by malware developers. They are really not the users any more. They build and sell. I suspect that makes it safer for them.

JCitizen
JCitizen

although it is infant in its formulation. Mitigating factors are fully updated browsers; and it don't hurt to have a full update of everything Secunia PSI has covered. If you have these IM AV/AS solutions they cculd help, although Symantec seems to be bragging without substantive grounds to back up their claims. 1. Comodo with Defense + (XP will be fixed) 2. On XP systems - Snoopfree Privacy Shield 3. Avast - has the most advanced heuristic defense I've ever witnessed next to NOD32! Great IM controls, which Zeus uses to send pwned data. 4. Trend Micro - if they did a damn thing to fix their new Internet Security Suite! Used to have the BEST IM and email controls ever! Even the CEO and originator of the company expressed her misgivings about the AV market! 5. New third (or more) factors that can obfuscate the cracker's plan. Any good one would have to have a plan that couldn't be intercepted like the usual. Symantec says in one of THEIR Utube videos that they can thwart the control part of the attack, but I got my misgivings. Even though I've been evaluating NIS 2009 & 2010, I've not trusted them as far as I can spit, and have been watching them every inch of the way. Before you cast me off as a nut, I have been running a honeypot without consideration for my own safety for about three years now, and every stitch of defense you can muster will help mitigate these insidious threats. Quite frankly even though NIS 2009/2010 have performed admirably, during this period, I have been using AdAware Plus to double check the validity of their claims. I can't use Awill to do this as their on line scanner is not ready for 64bit action yet. I am NOT ready to count my self safe to this kind of threat, just because I'm running in 64bit mode as much as I can. I would still feel much safer if there were a utility such as SnoopFree Privacy Shield where keyboard and video hooks could be thwarted by their venerable Input/Output firewall. This would help mitigate any threats outside of browser vulnerabilities, which we all know could be zero day any day of the week on Vista/Win7! Three things; OS/browser updates, best heuristics, IM blocking, and I assume former crypto solutions are a waste of time with the way the browser can be totally cracked and form data pwned. But then I await an explanation that cancels these factors in my concerns!

JCitizen
JCitizen

they don't care how YOU use it! They can do what they want as you use it and after you leave 24/7/365 days a year! Perhaps I am not understanding the exact communication tech you are talking about, is Quicken using SSL or not?

Ocie3
Ocie3

.... dunno whether to laugh or to cry.

Ocie3
Ocie3

Exhaustion at the break of dawn, probably. After reading just about everything to which Michael referred in his article, and in a few links in replies since, I seem to be posting under the influence of adrenaline. If the capabilities of ZeuS and its horde of variants, along with those of URLZone, are indeed as broad and well-developed as they have been described, then .... oh well, I'm still thinking about them in spite of myself. FWIW, so far, I've configured Sunbelt Personal Firewall to block outbound and inbound TCP and UDP packets via the default ports that ZeuS uses. More remains to be done. As Michael has mentioned: http://rcsservices.multiply.com/journal/item/6/ZEUS_The_Banking_Info_Stealing_Trojan_that_Antivirus_Can_Only_Stop_23_of_the_Time...and_How_to_Protect_Yourself But both ZeuS and URLZone are rapidly moving targets.

Ocie3
Ocie3

can be changed to external transfers ([i]i.e.[/i], by changing the account number of the receiving account), at least by ZeuS, and they would probably be done unless the credit union blocks them from occurring. Disabling transfers to external accounts might be configurable [i]via[/i] the web site. If that is so, then I believe that someone using ZeuS or URLZone might be able to change the configuration, thus enable transfers to external accounts, when they gain access to your account. It could be affected by the authentication (if any) that is required by the credit union to change the configuration. It would be best if the credit union's customer service staff can ask their techs to implement blocking transfers to external accounts from your account, if it is possible. If it is done, then don't plan to send any money to your family and friends, by electronic transfer directly from your account to theirs.

Michael Kassner
Michael Kassner

When you are talking to Quicken, are you able to setup a new account that you want to transfer money to? If so what is required to accomplish that. Zeus is all about screenshots and keyloggers. It could possibly get enough information to create new accounts for the money mules. It depends on how the new accounts are verified.

ShortStock
ShortStock

I basically use my CU logon just to transfer to internal accounts at the CU only...savings,money market,checking... When I pay my bills I am logged in to Quicken on my desktop. When I pay my bills, only encrypted commands are sent to Quicken's BP service (or server) as to which bills to pay and how much. Account #s are sent to them when I initially setup. They receive the commands and the rest is done through their servers and a server at say...my credit card holder. It is not banking on-line

Michael Kassner
Michael Kassner

The accounts that are at credit union? If so, I think so. At least for this type of malware.

RU_Trustified
RU_Trustified

...because it certainly looks like you'll be needing to jump through quite a few of them.

ShortStock
ShortStock

Since '94 or '95 I have been using Quicken Bill Pay, a service that pays your bills when you schedule them to be paid. I don't have to xfer moneys directly from my credit union. All my xfers are internal accounts when I log into the CU. Once a week I log into Quicken, schedule my payments to accounts already in their database, and basically upload commands to their service, which is between them and my CU. Very cheap, less than $10/mth and all is reconciled each week in about ten minutes. If one of my accounts doesn't accept electronic xfers, they mail them a check and notify me to schedule extra lead time. Am I blind or does this seem pretty safe?

Breezer85
Breezer85

Thereby going back to your earlier mention of having a dedicated PC.

Michael Kassner
Michael Kassner

Only help, if you shut off access to the Internet for everything else, while you were banking.

Breezer85
Breezer85

But do we know who the Bad Guys are? What would be a good idea is if banks provided an environment similar to VPN connectivity. While it may not be 100% secure it would certainly 'urinate' the bad guys off! It will be a headache to banks to provide this service to customers but heck they've got Techs and plenty of my money to do it!!!

Michael Kassner
Michael Kassner

It is hard to pin down exactly how Zeus works, due to the constant binary change. Since the bad guys have enough time to enter one-time passwords, I suspect Zeus is filtering the screen capture and key logger data. Maybe it is like URLZone, and focuses on POST information.

JCitizen
JCitizen

but the Silver Tail webinar did mention them. In the past, Avast and/or NOD32 seemed to be infinitely competent at blocking unnecessary outgoing/incoming IM traffic. I suppose disabling IM is fruitless, as it seems Windows is always in need of it for God knows what! As I mention before elsewhere Trend used to be eminently competent at this too; however I've not used it since IS 2006. I'm pretty sure my Gateway can fully block ALL IM traffic, and I do need to set this soon. I'm also sure one variant or another will find a way around this, in fact many spyware variants have been encrypting the data themselves and shipping it out on port 80! This would have defeated the private data protection of IS 2006 as well, as it relied solely on protecting unencrypted private data. I think Norton dropped this capability for the same reason, and now only use a RoboForm type of encryption to fill password and User ID information. But I'm assuming Zeus doen't need to process this, as it simply looks at(controls) the form data and copies it to the crackers console. Am I correct in this assumption?

Michael Kassner
Michael Kassner

Are not the default ones. They are variable.Remember each instance of Zeus is a different binary.

JCitizen
JCitizen

would block this, of course you could do it manually with your router, blocking the four ports Jabber uses in this instant. But like you said - it depends of variant. Avast, Trend IS 2006, Comodo, and NOD32 should be able to block the outgoing IM communication, if it is done this way. I've never seen Norton block an IM message for years, but I don't read the history that much either.

Michael Kassner
Michael Kassner

At least that is my understanding. Some versions use real-time screen capture and key logging. Sending the information via Jabber to a person that then uses that information in a duplicate Web site.

JCitizen
JCitizen

The Silver Tail link explains it; the browser logon prompts for SMS authentication, and the unwitting user enters it into the window, solving the problem for the crime cracker! It could be any coded authentication like this though. Unless a better authentication system comes in play. I really think it is high time to use voice prints, or finger print scanning to introduce a third factor. However it would have to be trojan proof also; the capture of data by the criminal is the problem. I assume forms don't need keyboard hooks or video hooks to do this once the data is in the form, it is too late, if the cracker pwns the browser session.

Ocie3
Ocie3

to the account without having the woman's user name and/or her account password? Just having the "bank card" alone should not have allowed access to the account. That would be a robbery waiting to happen. Some "bank cards" have a pseudorandom number generator in them; press a button and they display a number in a small narrow screen, like a calculator. They are used for two-factor authentication: something that you know (a password), and something that you have (the number proves that you have the card). Just having that card, and knowing how to use it, is not enough to gain access to the account. Another example of two-factor authentication is the typical "ATM card" or "Debit Card". It can only be used at an ATM or a point-of-sale terminal, and in both cases, the person who accesses the account must know and enter the PIN (usually a four-digit number). So there is something they know (the PIN) and something that they have (the card, which contains data that the ATM or point-of-sale terminal sends to the bank). Of course, there are banks that have rudimentary security, and banks that have "very tight" security. There are many ways that a bank can endeavor to discern whether someone who wants access to an account probably does not have authorization to do that. Often the problem is that once someone gains access to an account, there are no further safeguards for the actions that they are authorized to take, such as transferring money to other banks. With regard to my own bank's online banking, there is no advantage to my "setting it up" (or not) because it is already "set up". Worse, it appears to me that entering the data (account number, amount of payment or transfer, etc.), then using the Submit button is all that is required. As far as I have been able to determine, once someone has gained access to the account, they can steal everything in it. Aside from that: yes, the account is currently protected by a strong password, as well as by a user name which is nothing like my actual name. The bank's marketing department views this as "convenient" for the customer, although it is quite convenient for the bank, too. If they cannot disable online banking for my account, I will be compelled to find another bank, perhaps a credit union, that is just as concerned about security as I am.

martian
martian

I'd recommend to either set it up, or if the option is there, to get it disabled, unless you reverse that decision in person at a later time. Even if you NEVER intend to use online banking, please DO go on and set it up with at minimum a strong password. Then you can at least have a bit of peace of mind. Let me explain... An acquaintance of mine had someone walk in their house while they were in the back yard, and they grabbed the wife's purse that was just sitting on the dining room table. What happened next is that they used her bank card, and immediately checked if online banking was used, since it wasn't, they conveniently set it up for themselves and basically cleaned out their account. All because it hadn't been setup yet. What a wonderful world we live in eh?

Ocie3
Ocie3

Dobermann Pinscher is easier to aim, and has reflexes faster than mine. :-) (I did not suggest the "analog solution", I was just replying to it.)

santeewelding
santeewelding

I don't think that many here realize analog solutions to this. Security? A 45 auto.

RU_Trustified
RU_Trustified

...how inherently insecure operating systems are. An inherently secure system would be able to self-check for its own integrity and security with every process request in reference monitor fashion, to prevent unauthorized privilege escalation. That is a given for a system to be inherently secure at the OS LEVEL. In order to qualify as inherently secure, more would be required. It would also be necessary to have make it so nothing in user-space (people, applications, code using systems interfaces, processes or libraries etc.) would be able to bypass behaviour enforcement at the OS kernel. The system would be able to use any and every parameter within the operating system to specify a rule within its ruleset. It could not, however, just be limited to the OS parameters. It would also require the ability to query sub-applications and external values in order that there was virtually no limit to the kinds of rules that can be created for use with, and enforced, by the system. With these capabilities it becomes possible to make rules that easily map to the business operations and those rules have to be enforced at the kernel level as well. With such a system it would be easy to compartmentalize(sandbox) any application and set limits to the system and network calls that they were able to execute. You could allow an application to bind to a network process only the initial instance for example, so that injected code trying to take advantage of an app level bug would be denied. Any behavior that violated the business operational rules would simply be denied. All that would be necessary to ensure this would be to have the proper rule in place. The utilization of mandatory access controls and whitelisting control of system and network calls, data access etc. would allow the evolution of systems and networks to least privilege default-deny systems that would simply not allow crimeware to execute no matter what iteration it appeared in.

Ocie3
Ocie3

is called that because no one except the black hat(s) knew that the vulnerability existed before their malware exploited it. Quote: [i]".... But as I understand them, trojans don't have to take advantage of a vulnerability, they just have to be allowed to execute on the host computer. But I am not sure why there is not more self-executing malware."[/i] First, I'm not sure what you mean by "self-executing malware" because I've never heard of [i]any[/i] "self-executing" computer program that runs [i]via[/i] a Windows or UNIX OS. That is a pretty broad subject, since there are many types of computers and methodologies for using them besides the ones that have been the most commonly adopted. With MS Windows, programs are always loaded by the operating system, which then tells the CPU to execute the instructions that comprise the program. There are several methods to tell the operating system to do that. For example, a program which is already being executed can tell the OS to launch other programs and/or an executable component(s) ([i]e.g.[/i] a .DLL). For another, while the command shell's "batch processor" is running, it can tell the OS to run a program when a command to do that is included in a batch file that it is processing. Of course, the person who is using the computer can also command the OS to load and run a program. [i]Malware is properly called a "trojan" when the user commands the OS to run it because they believe that the program does something beneficial, and has not been deliberately designed to seize control of the computer system, and/or to harm the computer system, and/or to serve as a tool in the commission of a crime.[/i] One context in which that happens is when the recipient of an e-mail message "opens" an attachment which is either (1) executable, so the act of opening the attachment commands the OS to run it; or (2) contains an executable that exploits a vulnerability in software that is launched by opening the attachment because that software reads the attachment as input. So, you are right that a "trojan" does not have to exploit a vulnerability in a browser or in an OS in order to run. But there is no way for a program to tell Windows to load and execute it unless it is already loaded and running. :-) However, a running program can create a Registry key that instructs Windows to load and run either itself or another program either as a service, or after the system boot. There are also other ways that a program can be automatically loaded during the boot process and enabled to run afterward. That said, neither ZeuS nor URLZone has a specific method of distribution. The ZeuS software creates a unique executable each time that it is run. That executable is the malware which the "bot herder" distributes. At last report, researchers have estimated that there are several hundred ZeuS variants in existence so far. It is likely that the same "signature" can only identify a few, or even just one, of the variants. A person who purchases ZeuS or URLZone from their developers must decide how to distribute the malware so that it will be installed on other people's computers. It can be distributed as a trojan, but both ZeuS and URLZone often have been found to use an auxiliary program called LuckySploit, which finds and uses vulnerabilities in both OS[i]es[/i] and browsers to install the malware without the user being aware that it is occurring. These variants typically install their malware payload from a malicious website during a "drive-by download".

RU_Trustified
RU_Trustified

..."did they have the latest signature files which did not include the trojan signatures?" I was just responding to Howie's point: "if one knows how to guard against getting infected, online banking is safe...for those who keep their guard up". You are correct though, that your odds are better if you are diligent. That is beyond the average home user though. You are never completely safe, the best you can really do is risk mitigation by removing yourself from the list of low hanging fruit by your due diligence, so that attackers go after easier targets. If someone really wants into your system, they can buy a zero day attack or a custom trojan just to target you with.

howiem
howiem

Even if the anti-virus is up to date, a zero-day attack is when a vulnerability is exploited before a patch is issued. But as I understand them, trojans don't have to take advantage of a vulnerability, they just have to be allowed to execute on the host computer. But I am not sure why there is not more self-executing malware. Perhaps because users get warned by DEP, HIPs UAC or other protection? No anti-malware program, e.g., antispyware, anti-virus, etc., is bullet proof. Take a look at the Comparatives report at www.av-comparatives.org to see how bad some of the AV programs are at detection. So it is not clear what Trusteer means by up-to-date, i.e., did the anti-virus programs have the capability to detect the trojans and didn't, or did they have the latest signature files which did not include the trojan signatures?

RU_Trustified
RU_Trustified

A recently published report from Trusteer (Measuring the in-the-wild effectiveness of Antivirus against Zeus) showed that 55% of 10,000 machines infected with the trojan Zeus had antivirus that was up-to-date.

Michael Kassner
Michael Kassner

I understand, I absolutely need to bank on-line as well. That is the whole reason for this article. To get people at least aware of the possibility. I feel that user knowledge/awareness is half of the battle.

howiem
howiem

Michael, By attack vectors, I mean the sources of infection, i.e., IM, email links, web links?, flash drives?, CDs/DVDs?, etc., and is the malware self-executing, or does it require user intervention? From what I've read, it seems that it only runs automatically from a flash drive (and probably CD/DVD) if autoruns is not completely disabled. My point is that if one knows how to guard against getting infected, online banking is safe...for those who keep their guard up. I think that perhaps we need to keep the perspective that the odds of any single individual getting targeted are pretty small. Unfortunately I can't walk 6,000-10,000 miles to some of my banks, and the traditional methods of transferring money are cumbersome, slow and even pose the risk of at least temporarily being out of funds.

Michael Kassner
Michael Kassner

To think those premises will never be possible. Nice thought though.

RU_Trustified
RU_Trustified

Michael, Prevention can be achieved by eliminating (preventing) the means of transmission at web sites, or making systems that will not allow malware to execute if they violate a business operational rule. This applies to the business operations of the home user as well.

JCitizen
JCitizen

Very interesting Silver Tail webinar! Some thoughts & assumptions: [b]Assumptions:[/b] 1. Zeus literally has the information put in the form, so RoboForm crypto is negated 2. For the same reason SnoopFree Privacy Shield cannot block screen capture, because data is already captured through form and snapshots are not needed. [b]Mitigation:?[/b] Trend Micro used to include a privacy control that would prevent unencrypted data that was protected by the ID vault from being sent out on Port 80, IM traffic, and email. However what is the state of the data being sent over JabberIM? Is it still SSL encrypted? If so Zeus could defeat even this protection feature.(IS 2006) Of course, I haven't tested PC-cilline or Trend's Internet Security product since 2007, so I have no idea what they have now. Of course we all know keeping things updated is the greatest mitigating factor here, but it would be nice to know we could improve multi-factor authentication to defeat this. This may be spam I found in a previous article, but interesting, if true: http://www.sentry-com.net/Transaction.html

Ocie3
Ocie3

would have no effect on the operation of either ZeuS or URLZone. A Virtual Private Network prevents someone from sniffing the traffic and from becoming a "man in the middle". It does not stop "man in the browser", a description of ZeuS (also applicable to URLZone) that has been introduced by Laura Mather of Silver Tail Systems. An "webinar" video disclosing their discoveries about ZeuS is available at: http://www.veeple.com/link/48wBrdiCKJg%253D If you have the time, it is well worth it. I've read your other comments on this thread and agree that much more could be done to diminish the ability of criminals to use the Internet to commit their crimes "at a distance". For a start, we should campaign to deny Internet access to any country which refuses to sign an extradition treaty that allows people who are found to be committing crimes to be arrested and brought to the victim's country for trial. That said, International Law, such as we have, is still in the womb. Soon it may be time for it to be born.

tundraroamer
tundraroamer

That's the whole issue or can of worms I mentioned. With the results of the last national election, its palin to see we can't make proper choices at that level either. It would take some real backbone to set that filter up and do what we all know is right. Certainly, there are obvious filters that can be used today but a secure method of transactions will still be required. Perhaps a software fix is not the total solution but includes a hardware fix that encrypts your secure traffic through a vpn of some sort.

Michael Kassner
Michael Kassner

I am not sure where I stand on that issue. I am concerned about who decided what is considered good traffic and what is bad traffic.

tundraroamer
tundraroamer

Yes, but we have borders and cables which internet traffic flows on cross them. We can pinch those points if we want to and open that can of worms in the process. Do we need to impede certain traffic in order to protect the masses? Do you think our military is not preparing to do so in event of a "cyber war"? Surely some sort of compromise can be achieved. Big task.

Michael Kassner
Michael Kassner

But, the dropper program could attack any one of the known vulnerabilities. I suspect the bad guys know of some vulnerabilities that we aren't aware of yet.

Curious00000001
Curious00000001

How would keyloggers and such get on the machine in the first place? Most likely through the browser. Browsers are the most widely exploited software on most PCs so if you start with a clean box and get a "perfect" browser the odds against getting infected from a non-specific attack are pretty unlikely. If anyone ever finds that perfect browser please let me know :)

Neon Samurai
Neon Samurai

I can guess at a few things needed: - phone wire quality is still sketchy outside of larger towns. Even with a 56k modem, one may not be getting half that transfer rate if the lines are noisy. The trick here used to be telling the phone company that the line was going to be used with a fax machine and then they'd take the time to clean the line during install. - uncontrolled networking may still be an issue as phone companies run more information over IP networks. Those who have a VOIP phone from there highspeed internet provider will also be transferring data over public networks although it's going over a wire. This puts one back into the issues with encryption. - listening in to calls happened easily long before everyone got all Web 1.0 (couldn't resist). It's probably still easier to join a call loop than it is to MITM the public IP network. The expense is probably more than the cost of covering what moneys are currently lost through these types of fraud and theft.