|
|
|
Researchers Expose Sophisticated Banking Trojan Linked to Thefts
By: Brian Prince
2009-09-30
Article Rating: / 3
There are 6 user comments on this Network Security & Hardware story.
Security researchers at Finjan track a cyber-gang that pilfered German bank accounts in summer 2009. The gang uses a Trojan dubbed URLZone that represents the next generation of banking malware.Researchers at Finjan are shining a light on a sneaky banking Trojan
behind the theft of roughly $439,000 (300,000 euros) from German bank accounts
over a 22-day period.
Dubbed URLZone, the Trojan served as a digital lock pick for a sophisticated
cyber-gang Finjan tracked from Aug. 11 to Sept. 1. Unlike many typical banking
Trojans, URLZone goes beyond tricking victims into coughing up their banking
credentials by inserting text boxes into online banking applications. It calls
back to its C&C (command and control) server for instructions on how much money
to steal without causing suspicion at the bank, and to which money mule account
to send the money.
Click
here to read about the stealthy Clampi Trojan unmasked at Black Hat.
The URLZone Trojan also alters the victim's on-screen bank account
statements in an effort to cover its tracks.
"In this case, the specific criteria that the Trojan received from its command
and control center mark a whole new level of cyber-crime
sophistication in the techniques used by cyber-criminals," Yuval
Ben-Itzhak, CTO of Finjan, said in a
statement Sept. 30. "Using these methods they successfully evade
anti-fraud systems that banks deploywe dubbed it the 'anti-anti-fraud.'"
The cyber-gang used the well-known LuckySpoilt crimeware tool kit to exploit
victims' browsers and install the Trojan on their PCs. The gang did this via
both malicious and compromised Websites, ultimately attracting roughly 96,000
visitors. Of those, researchers found that 6,400 were infected. Once URLZone is
on a system, it logs credentials and activities of bank accounts, steals money
from the compromised accounts and hides its activity in the report screen of the
compromised account in real time.
"To avoid warning signs by anti-fraud systems at the bank, the money
mule accounts are only used ... a limited number of times within a certain time
frame," said the Finjan statement. "Since banks monitor large bank
transfers, the amount of money deposited in a money mule account is predefined
in order to stay under the radar."
Communication between the Trojan and the C&C server was conducted over
HTTP, with the data being XOR-encrypted. Law enforcement took down the servers
after being notified of the scam by Finjan, but the Trojan tool kits remain in
circulation in the cyber-underground.
"To avoid detection, cyber-criminals continue to improve their
methodologies for stealing money and going under the radar from the victims and
banks alike," Ben-Itzhak said. "With the combination of using
sophisticated Trojans for the theft and money mules to transfer stolen money to
their accounts, they minimize their chances of being detected."
 |
|
|
�������x}kw89�v2��zڎ#۲my,%d�-%B��!)�='7n��$IsbK�Q@�
B�w?I�ptôG1�%�t{>D;;?.P`�S�/9w; }��M-GW�*cOfn��a��Z.�9�1rx&Խ;�@�*YrD�ƞICsd"�LJA`w,#�����r<�r6)�|@��ɠ��ӱCأZ�r ˺7)h��m��PSK}(J��C
L{hT3y75o?|\(eU�es:Α�z}K�-%uP\oڝi\?5/.-�N���Hw&�LT)�Jj\(�NLCa�:�l9�:�P��%ݨJe_�P+(.A[zOa`%
�pfQUe�cq4Y`N�-. :zSt*t�ޯR7"TTUװ hc�2e8l�2nС>A05t�OC|>9m'!|Бd��mx�Z.s3�c�4!.iG�&
Ѐ`;Ah>[ pA}x��껵�&ztmP`�9�5$GCMߟ�L=�s#08�w�ɽ 5�y0%ݻ}`y1�&=��բ� !TgЧ ,z�u= @�
�X.Gs�6GT[MK�x�G�R�P|'sZ.(�wc��2(%�E2� E�EK�y3@� $h�Տ`��z����̀m�Iޑ�vZ*&R��P*m=!ԑtጜZ*=h3aGe�-n^
$�d6g2+IMi`l1!U�G�,D`v9J,L��.�[
ϴ�6�Vjԍe�bQ9Դr�>�Ҥ79���03��Һ8�MM
X� ȉ�&1#
K8Y �0�A�k2�'�yv�=&.Q>j7uϙ_O#k[}�M��߄T�9uC \D r}͚X� 4ؐ�|&Bw7:7O wj@ntɕe.F�(iJ�S%1�8�FL�zqO)'zcgBFJ�V��zh'ы>Eg�HlYRb-YV^KՕpz1(�:R�j'/�H�o��m_¼xeP4@VRk��υ%2�=2P,
Cx
E
7v{{=챧�k��0�T561)Kˌ0v�4EēXjgܱ%�6���%P���$7C~0���[1P.m�^OXޱ�y>�|$��=r;�6�8�
1�8zy4!%2$�?& �
sXO
MM|�%\�T e\�8�L XbO`f.#�NWաc&ʰs\\�Խa6OoM �V!҅��D3�0`��M��F5[E3Owm�)�D^AlX.)�Ui?K~�5<2.eX"PY=mQ��r�)'j9Yg$�Fi.z�4i�4pBkd&ND��[M3�YT+�pzNAQ xH1�kMxg��٧7�#_g��h0Aq�_8R"X @�4��
y} *��Oj�1�
[
(h
[zp�E��OabIt?H��M!rB��P;Í{c�?4�]E�j�4A3t!VB�[O�aQT*8Ya�7CUQ@H.��=g8�8�yw쾿'i�F~Rz6큽|[C�㑏..V˰1c6Z$ c?`W�� 탲3;OW�bL�[
)N<ڗ��L�XH*2�¹3�`��1}Y���M��Ak?�,���0YE4pN�
9o_QӲSL
jf h>
�GSDžR�2�Ͼ~`ׂ!�5Ma�&�k}�SS~ִuR/Z�5
(��u0
H��{@#vpNP8ɯ G�7kό��
+˦h�+RS�Jb/�$6a!uߛEv|}h~EoC�~
=O u�:1A��|��DV[A�9da:1AfRY�,�gB�AV�v�Y(7ϰ5�2
)�y=0&�ӥr�
3>e�A +f6r��b�
"9&K⃩q\�zGdD"93=!���XM_�7@aO[\JI)�`qUDZ)�c�].�k�|Yz~0qkGcl}SU�}Д1�Zeʌ�)Ь�ڴ���#�i@/J�x�N3 al�/��q�)T%ݴ�NX�C=O�\X�Z>��y3EU
}�9
�C?�7P�F[+N�$}=ղ,�A'�גHU(V
�$�}�U��r>)h�71e4X&(%\8 ,^��yi�mD`�1)[z
�2w�ʨTAy�SX" >D`�7Ϩ��xvc�.b�u�MYxG�#�f��R��vļuZ3Xd;β�ke��D@X)J7j}U9MJZZ$P`�ۗ�<��%�8M=J2��x��<"�I?;�?p]O7z|�}Q#9wڗEM+v@l+J9wW\(4��5���GG��eaE�O*'�-J_�0YH�/�s>P�9�k[BlpD74g!,9Je&%[
y2���=�QU��a��NV(ً+�\;���ٽ�~Ԫ�)��&�b�n*|!D�Nn}Ф�
�$K~u=? �Şiu�ϱ�0qsnvm���3!9oλY^Zr�wи6`>|ZW'�!ɇǫ�u8kw0[-@j2}�m&A)��RQ:rfWϋILu�i7R`�f{�ѰQm_
8֕q}Ï�USJ:m_[�r��tK�KA�C<�Mxi)q�ڌ7�M
,!L_>ֈ4�FD_�!m�BE\7'�,��<��XKr!�}&��=C٠<��Dq0f2,�!G[yRb]�QגZ4ҫoeW!9}��6�O�`J0w�9ϫb~�]X_6u{bԣ{e�ԝi�(6�;��GT@(NV1k-7�
,�:]W_{�_lGoIM2�1J}Ȉ��c>^Y��]s>�ͥ=�0�`8��;_�?PV-w9ģ9|s\u�Zp�l+RDžԳbp&i#�r&W.i\t7q{�j�5a~%XDR�{#|$j~>x�FM>xuS意G�
9�3r�e}[)=h�tKxەv{vOsn<�]1ni^gvlL'#I"ɫ�wח}�YpJUGVr;_+N`�c,n�%�P2�^;pO c�é=` �8_2{K7�x=Wl-3�����'KM;79wB#F�VާA#�<�՛�3\��k c{�*Y�v8�.�߮�ݘ�8)<�A~A<
vD�4�){7y^Z}hn3�d�⫆܆��U õcV�`j8-�OH$|#؈�'/G'?Z7�uv�pf:i��kMU�n2� |cM-�%&p$~��M{fr+������~-ɸ�!E%͖�x�M._�&�2>6,�ȺJ�А?>骪*ʾ+ɻ瘻!gSPH�Jtr���tjA3$W�OBt�#Ff�wt����!#�3h`45
N2ϒΒ˙FM
/>уTKWnPAb^/>F�<;�;f��-X#>] 7t~�?�qn؉8obti�]_�淦kϣ8=V�o,x2�z@K -0�p0ح?Pk�{mJU+&qxH`�c=�{On,NA'xzT$Xح?��;҈E)�1um�MH{8h`ܜ� W(���hD}t9o�P� {Y%��HՓ��T00$�C��H�yu;ṟ�o[cCFy1-q�KXBϤ+�}Be)n(Tt@Z"q-ħ�<��16h�ì
彯#S1�eW)0bg-�ӿ[cDV]�5R)�c7 �zDTm QZ
ż)�ii7Bʱˆ6K7!a4N`"Ig��KWA��� ;/G9&ڌ�m^E!F屨%\(6?j_)vxjɕW|9S�/'XA17&�$Q
n��+Y�ȭĨ[;�}d�呇phSop ���kõ5nQT*\J?m~5խ;¼.]�qP s��g,y7XY�.阶�D?��>,aņfs�/ALD0�DIK�����GEЏ0�/~kT
X"ߛ��_Э����;�r*%a]ºO~7@7t�ުUG G {jZ��ƥaɳצM"�_�?�8H-��k)i፨|9q-gF��X콶7me�i]6"�A�6�8�4�P+a@?:gX
3v3�3w6e~}qGut Rc?k=& j O%H#?�^okZs�S-N��\-�5�p�.1(�_��qܻڍ��
0��A�/D9:M�l� ۩كL4�m
Z!��ߤ�Lۀm_mױ�H(RU+?x�WյڈYޣ�. {Uʒf7Zv%�b>1oz�=W'�%4�CXubEڨ$t86J�g�&e< L-~ui#B
�nBL!��,'� z�towwv�{�2���(PTG�>a5?}b�闶Q��-D
F/W?�D{:�:\gIsnb+1]��VM �BaD0*�qa����BX���?D��}�8%NDp(�vSr@�e,E`bJb�F�yA y!�Fveҏ;�Kb+0J7�$qF�K�˖��AX��Ko"��Y�"�'"�KIE��./>�l?��.
dЁ#��m���ͤ<؎7ѭ�ta8FS�Y�hT!cbj�e_].O,6!9Bӊ,w)]�dDo=06�ꮐ֘1&h*B ǯ9-�Q�5��(�RU
B��-~0˅״��]�Ha:k�k�bo=!v5�8mmWn&+m'h�zBRKov{�O�%٫c5X6[}/�9q1~'E[Tx�vXj 1�5;�w�[?lw�A[�Э�鰫؉�r�"A�dӃQqq'Ä@�
eˡ0Ÿm44ّk襍ڵ˔xy&]@ᑳ_��{{i/1�~H++6&K�=LpOЉ�F;6CW57ATJ{3�EJMh>#Ծ7=FW�'b^n90��cH-,9+42s
ͬͱ-j%!F㬤�9�F-Rx�3�smSǔp)ǣ�t\a��6�~m��J�0+'��F�q{Zu���Rn�C..�;X|Z�#ZNHp��J=�bvݹ1�iL(xkCUL�x�a*1aF
eզٝ$7{g�Fk��ٽ[!VUv�&ru
Y��_DH�_�t�˝g�Z�Gt�Mxs6���)a�~c\Axp� RQѻ�
2[i'l9e`y5~x
?}7L>��
l�� \R-�r9GD�Ay檣+�FR2OЧ�枩 VTdL4B&(qTiK$<79|t:Liy�n�O�KZ�&�a� k(E�$�x�mDRPa��c�t05e3bwp]oyꦽ(�y|j�4['� T6CĊ�1�gGi>'@1�Z� Q�D:b)qj�(b��U��
7�T�-5���!��4:)%nmn$$d:�enS+%̄�c�,0Au�A"�\2},�GAa25:S��L��#%~�6t0VQ=1e&�L}�Ǯ %nN���K
b~L�
]ǒ�4�B1hp2@2`zw>0=(�-Ō��CZQJФ*�!dW`ǪZJYWuG^ϧxw2n?��4W
)WPx����r#CvFC�T)&#>͈ɵ;�Xz39mߐ�9i6IQumQ}'%}��\MGݪ;GϧM몛x"��R6/M&E`4�e�jӫe)SC9�-j6�"GdȀW.�}QtX�mؙ�_ϞDn{R(/�& F/}u7��&6+�S,=feS+~k!hu??{�b12;Ă6n���V
�Cpt܄q�P��"v�.i_5sФ�Ż�`Nj�P!�(
FFy��'@fF1�.?�f�Pquy+W?o.oꭓr_+i]eC[�?t2?C��"�>vˌ�/3�Y��\f��2?/?/3�e*�OP)�3�(ˌr�߫�ʐ+�kC�oig6v~�kQ�&:'���?�?�}OP)�'ߧ�BmV9m�B��f_ry���rָƅ)��QFy)W?R�EV
SV9,N3{'sg#�K}\W�KM0TntEg-5͉nZ+
ǸJuv�z^_@�%\e$2/M*+�#(���^>&c����˼$=)>w�槤I��x崝#&JRW喛O'i��kr(%s<2g.�g}=*��t�=}}Zϭ͈(c#hV��.Ñp[y?|�[2�S?a*8XQ^ =�P.�v9)nד�pK��SG0�%nsOkr>u<[~|^Yݱylc�[4יq@ޢD�)+F�yk@�YËb��>Rq6{ǛV3{�x5C7Wu�I>Y,p�|s&pN!3J8?0�
H-M�ԳpNR�?Ѱs7�30WCtzs@$~�9�,@
,��Hj$NRiE�rT)�ܑJn0l`=M�j�UUEVr�o9�VVK
D`q9#��RB�4|OӴW)]7tCsc<{�+4��аY-P���=��~L@LM6j"�1c ͛ˌ�N��^"_�v3*mc�(2��)�R1�s1@eN*q0*zg%Q<$9Sg��>&-\ʠaC�a,�sv[`��\;o�=2�gji }dy0\9�h�LxSU�ݣQ�GoxJtU�& [�o�t^�L{dB΄7п�s%(ULCz6����Q��;|Sspǭ�d<@T6߱
hxS:�mH-�;]�I_с�\=u{^;h0
8�[]^L :χ~2�
���q`a\m�8؊I�(�q�0Բ�H7�`$-K?X�v;iO��_w98�e��oo§On3A ��n0��m���`0N425~/#�PʷQ$�L{ˍϳ�A�slk
6-����`⎈Me��eR8DR�*El'f
,��� ~sf_N�樹}��WvmwY^|:y-.�E;
�h�Ӿey�i< ׁ]"�b��{KrX}P/)�:�OOg�sZ�%
��H�ʶ�"�@�,c��0У,20595q�-E6�܋;ξ!V��^f#1ͱ��Rd�GB^#L�n3m-�^2?g'�Q\�F$�30(�y��lH�K9��m5G0X�1'(���R�(t.&0 '�Ɣ
ϰ"�- s�fe�f�xDh\�wL_�P/V~LʹcaPҽA5F�ElT$bB��Ay4O>A@�`�V\3zf7Z�Ю�Sq7M�Ǝ�Cg�a+cPNXjcL1G�],@�<�փP��=`#hxl<���h1)�d'kI����'��60M��Är"5poq-ye��zЙJ
�pK�8
g!0X^�ZpTT��/>%hw2bo�_�3O{
|>"�:xqea�#�Vt*N�`wX;y�B(OW]qٺ|C*'�U��֗f>!2D!6�xf{}ѾO�wqD
_Pf�- N椙� $R�''xYο`(X�E�Ch�⍿C01�4ߛiTU�A$摭7yE1�um*d_)V��]jv[W셳QbmئdUi2�9?R{) q-/EiQ}"'
Cf'R܄;6�6BKFslx�6�1��1
�R(��
|
Network Security & Hardware 
