Discussion on:

37 Comments
0 Votes
+ -
Carberp has everything ZeuS has and more. Read about its sophistication and how to avoid it.
0 Votes
+ -
Bank of America uses a two part login - the home page is https and you enter your user name first. Then a new page appears showing a graphic you selected (you can even upload your own graphic file if you want). If you recognize the graphic, you go ahead and enter your password.

I believe this would be hard, very hard, to defeat since the attacker would have no way of knowing what your graphic image was, so they would have no way of loading a fake page to trick you.

Would you agree?
A 2 part login is better than nothing but it would not protect you from a man-in-the-browser attack. If your browser is, in effect, a "bad guy", it just waits until you login, no matter how that happens, and then modifies data coming and going between you and your bank.

For example, the web page you see may say that you have X dollars in your account, but that was not the balance in your account when the bank web site sent the page to you. The malware in the browser can modify web pages before displaying them.

Boot to Linux for online banking.
Imagine what they could accomplish.

This is a rather interesting and apparently sophisticated malware suite. I'm interested to see the "in-depth report", but I am unsure whether I would "qualify" to view such a thing. I suspect it is put behind an email wall for a reason.

I would also very much like to see what the back end looks like. I wonder how long it will be until someone gets a copy of that to display. (Dancho Danchev always seems like a good bet for such things.)
0 Votes
+ -
It's not that well known
Michael Kassner Updated - 18th Oct 2010
In fact most anti-malware apps register it as a ZeuS variant.

I presented the information I found after several weeks of research. I could have waited longer, but I felt it important to get the word out to the members.

Mr. Danchev definitely is an SME and will be able to provide more details.
I never ever log into my bank from Windows. I boot to a Live Ubuntu CD. To the best of my knowledge it is impossible for it to be infected once burned. Be sure to run a checksum after burning.
0 Votes
+ -
Exactly
Michael Kassner 19th Oct 2010
I wrote an article about that very subject awhile back:

http://blogs.techrepublic.com.com/security/?p=2409
0 Votes
+ -
Financial Linux
Craig_B 19th Oct 2010
This seems like a good opportunity for banks or someone in the open source community to create a Financial Linux variant just for online transactions. Something that is very locked down and can only perform that function. In the meantime Live CDs will have to be used.
0 Votes
+ -
I agree
Michael Kassner 19th Oct 2010
I use a flash drive or my iPhone for banking. Both are a pain, but not as much as losing money.
Prevx supposedly blocks all screen and keyboard sharing with the user. It is a lot more seamless than Snoopfree because it works deeper in the kernel space; from what I read on their web site. You don't have to believe them, but I'm seeing supported data more and more from other IT folks on security forums. So maybe it really does put a "bubble" around the browser. I think it works with Mozilla, IE8, Chrome, and maybe two other browsers.

So far it will even block me from accessing certain keyboard attempts at logging. I give it permission if I instituted the action.

I can't prove it blocks SSL session riding, but many banks are signing on to it, or Rapport - another session riding blocker.

I'm willing to experiment with my own situation, it is worth it to see if the malware can get away with it. I access only one account online, and lock away any other, and never access them with a PC. It seems the only way to really be sure my clients are safe, is to experiment with my own finances. Needless to say, I watch that little account like a hawk!

I have no vested interest with Prevx; the online protection is free to Facebook users so far.

I will have to try the long venerated WinPatrol. I mistakenly thought it was just another anti-spy utility like Spybot or AdAware. It has to be one of the oldest applications out there! I seem to remember it back in the Win 3.1 days of DOS!!
0 Votes
+ -
It resides in memory, so does the latest variant of ZeuS.
0 Votes
+ -
HIPs?
Zwort 19th Oct 2010
So am I to understand that a HIPs and other facets of a good defence in depth are no good?

Presumably booting up from a PE/Live distribution is good enough to detect chkntfs.exe.
0 Votes
+ -
I'd be curious to see...
JCitizen Updated - 20th Oct 2010
if the HIPs in Comodo Firewall Defense+, or Kaspersky, or even GDATA couldn't detect the file manipulating ways of any Zeus variant.

I've used GDATA a little and it seems pretty wise to the ways of the Windows operating system (XP).

So far, all of them seem invulnerable to sabotage by the malware. Prevx is supposed to work while the system is infected with such malware.
0 Votes
+ -
Do those apps some how check memory? I guess I am not well-versed as to how that works.
0 Votes
+ -
is to offer a link to an "independent test" that was documented on a PDF on the Prevx website.

It is too long winded to offer here:

http://pxnowa.prevx.com/zerol/immunity.pdf
0 Votes
+ -
That report was written in early 2009. That was before ZeuS was residing only in memory.

A report written by the vendor has little value other than advertising. If NSS Labs reported that, then I would listen.
0 Votes
+ -
this is curious? They made several claims for a myriad of other modern attack vectors.

I think you need to read that PDF again. confused
0 Votes
+ -
The report was written in 2009. Zeus and its variants switched to residing in memory only early in 2010. So the report is behind as it does not mention anything about that.

What part does not make sense?
0 Votes
+ -
Thanks Michael! I guess I will just have to hope the updated kernel on the new versions have addressed this! :-}
0 Votes
+ -
most malware, instead of "the malware". That suggests that Zeus cannot foil all my listed AM solutions, and only Prevx makes that claim.
On Comodo's Defense+ it generally checks files before they load to memory (and after they load to memory (and even after that sometimes)).

It also has cloud based behavior analysis of said files (not sure how well that works), and detects several other things (though again, I'm not sure how well it works).
0 Votes
+ -
Zeus and other financial malware morphs so often that reactive black lists are never up-to-date.
0 Votes
+ -
I would have thought...
JCitizen Updated - 23rd Oct 2010
that morphing would not help the malware, because Defense + is geared for just that. If a file changes at all, Defense + will alert the user.

Trouble is - I'd probably OK the change if a Google search was non-indicative of a problem.

Not being totally aware of the file habits of Vista/Win7 can be a hindrance. On XP - I might just make it.
0 Votes
+ -
The app is looking for a specific file and when the malware morphs it will be missed.
0 Votes
+ -
that looks at any file. I don't think it uses black lists; it may have a behavioral black list though (I stand corrected then). It will identify it, but it can't always match it with the white list; so it alerts anytime a file, known or not, is changed.

Maybe I'm clear off track, but Maverick Phantom pointed to some of what I understand goes on with it. Comodo is constantly upgrading it, and I keep pretty busy, just trying to keep up with all the new features it has.

Then again, maybe I'm all wet on just how a HIPs works in the first place.
0 Votes
+ -
I've seen battles...
JCitizen Updated - 20th Oct 2010
with Snoopfree, which is supposedly obsolete; and ol' Snoopy won, every time. I've noticed there are several incompatible programs that I'm told run in that space.

Defence+, which is a Comodo Firewall feature, has a kick ass HIPS that watches all file manipulation, and has a white-list against most popular applications, and a sandbox for untrusted processes.

SnoopFree Privacy Shield - which only blocks keyboard and video "hooks". I assume it does this at the start of the application level.

Prevx- as explained before, but supposedly doesn't rely on process hooks to monitor the keyboard and video, and runs just below the application area in the kernel space. Rapport does the same as far as session riding prevention. Both may have processes running in RAM, but all of them act to me like a root kit. They get real unstable while something is messing with them, and if you try to run more than one in the same machine, you can get boot loops, blue screens, etc.

Even root kits run things in memory, what would be wrong with that? I mean in the context of fighting fire with fire? confused

My scenario would go like this:

1. The user browses to the web site's login page.

2. The user next inserts the appropriate login information and hits enter. (LastPass would do this encrypted from the cloud)

3. The financial malware intercepts the login POST request, obtaining the login user-name and password before it's encrypted.
(Prevx denies any transmission from the browser except to the originating source)

The following in italics would be foiled - supposedly.
4. The malware sends the stolen information back to the attacker's command and control server, usually over HTTP.
5. The user, none the wiser, is then logged into the account.
6. The attacker then can gain access to the account and transfer money at will.

7. General attacks are used against financial institutions that do not use multi-factor authentication.
0 Votes
+ -
HIPs
Zwort 21st Oct 2010
Thank you for confirming my suspicions that there is little alternative but for defence in depth.

I used to use the Diamond CS HIPs, which was akin to a Rottweiler, plus also Regprot. Then I moved on, but always to things that work better. My impression of the Comodo package is that in 'safe mode' it is less overtly aggressive than before; newly saved installers do not come under 'safe'; I found both the portable and installed versions of Firefox did not elicit a response from it in safe mode. I'm looking for an alternative.
0 Votes
+ -
I am not good at interpretation of the file manipulations going on, and I'm not sure session riding would be prevented.

However Prevx is the only product that makes a bald-faced challenge to Zeus and its variants.

They intercept the browser attack at the kernel layer.

This isn't the only thing it does, but I consider it more important for newbies; especially ones that frequent Facebook, where it is offered for free.

If it really works, I hope the Banks adopt it soon, as they claim to make it cheap enough the banks could offer their locked down service for customers for free.
0 Votes
+ -
Uhuh
Zwort 22nd Oct 2010
Thanks for the tip. Offered for free at Facebook.. ..how I laughed.

Oh KERNELS, thank you also for reminding me of how busy the Linux machine to my right has been with updates, particularly to the kernel. I don't see much squawking about that in the jungle, and I honestly wonder why.
0 Votes
+ -
for now. I've talked at length with Linux users who claim to be in the know, and they say Linux is not invulnerable to this kind of attack. It may never happen, but nonetheless.

You also have to remember - the new Linux users are just as clueless as the newbie Windows and OSX users. All of which still get into trouble.
0 Votes
+ -
HIPs
Zwort 21st Oct 2010
Thank you for confirming my suspicions that there is little alternative but for defence in depth.

I used to use the Diamond CS HIPs, which was like a Rottweiler, plus also Regprot. Then I moved on, but always to things that work better. My impression of the Comodo package is that in 'safe mode' it is less overtly aggressive than before; newly saved installers do not come under 'safe'; I found both the portable and installed versions of Firefox did not elicit a response from it in safe mode. Today it crashed 4 x, so I'm looking for an alternative.
0 Votes
+ -
Sorry, J
Michael Kassner 21st Oct 2010
I don't see it like you. LastPass encrypts it en route, but when it's entered into the web browser it's not encrypted.

You are also forgetting about the MitB attack.
0 Votes
+ -
that I linked to. It is pretty deep, even for me. They make a bald-faced challenge to Zeus and its variants! That being Prevx, not LastPass of course.

I mentioned LastPass because some malware are not as sophisticated, and rely on keyboard signals and other browser or video activity to grab the customer's data. Whereas LastPass provides it encrypted until the point of form entry.

I repeat the link here: http://pxnowa.prevx.com/zerol/immunity.pdf
...but as I've intentionally gone to find malware to test machines with on numerous occasions, that shouldn't be a surprise. Not to mention all the malware I've been exposed to on what must be the least secure set of networks ever assembled.
0 Votes
+ -
Thank you TMPW...
JCitizen 23rd Oct 2010
This is why an in depth defense is the only way to go. I feel session riding and keyboard/screen capture defenses are more important. So I don't install Defense+. On clients that trust it, and don't like the other utilities, I do install it.
I just read an article by FireEye that describes a new financial malware that focuses on MitB and subverting web pages. Here is what FireEye says:

1. Bot herders can supply a list of URLs (mostly of banking sites) so that the malware can start intercepting these web pages. What this means is that whenever a user tries to visit these web sites, the malware will start submitting the web form data back to its CnC. These web forms and the data inside them will be intercepted well before it gets encapsulated into HTTPS. All the information including login credentials will be in the hands of bot herders in plain text.

2. It's fully capable of Man in the Browser (MITB) attacks. This means that it can intercept original web contents coming from legitimate servers in order to append its own crafted HTML. This is normally done to ask the user for more information than was originally requested by the actual server, like your PIN numbers, Social Security number etc.

3. It can also steal HTML pages from your browsing sessions. Sound strange? Well for any successful MITB attack, the attacker needs to know about the HTML being served by the legitimate server. Just imagine an attacker wants to modify HTML pages for the Wells Fargo "Add New Payee" web page. Unless the attacker himself has an account with Wells Fargo, he may not know the contents of this page. By stealing this private page while a legitimate user is browsing to it, the attacker is in a perfect position to prepare his future MITB attack.

Feodo is the first one to really focus on this aspect. FireEye also mentions how surprised they are at the number of target URLs in the configuration files of Feodo.

http://blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html
0 Votes
+ -
I assume the URL...
JCitizen Updated - 23rd Oct 2010
doesn't tip you off at all. If it did, I'd think LastPass wouldn't respond to it. I had one instance where I followed the wrong link to one of my sites, and despite the page looking the same, the plug-in had no selection ready for it.

It is getting to be where internet banking will fail if this gets any worse!

I also got to wonder how my certificate sensors like Prevx and Comodo's Verification Engine would parse such a fake site. Perhaps any certificate with any ID can be faked?