A slew of Zeus Trojan variants and a merger between the two largest botnets have security researchers worried about future banking malware attacks.
The developers behind the Zeus and SpyEye Trojans have joined forces to create one major botnet, with sophisticated capabilities to attack user bank accounts, according to security researchers.
Malware authors aren't sitting still as law enforcement
stealing millions of dollars from compromised
. There is a lot of financial incentive to target bank
accounts, said Randy Abrams, director of technical education at ESET, more so
than gaming Trojans, which are actually the most common type of malware that
"The heat is getting strong on Zeus," said
Abrams, referring to the recent streak of arrests shutting down Zeus
worldwide. "Zeus and SpyEye have definitely merged," he
However, the merger "is not the big story," said Abrams, pointing out there are other Zeus variants that are as dangerous, such as Feodo, which has the ability to deliver a payload that attacks over a dozen banking institutions.
Security researchers are alarmed about URLZone, which can transfer money out of an account and manipulates the browser to keep showing the user the original balance. A Trojan called Ares is also making the rounds, with the developer claiming "it has the same banking capabilities as Zeus according to German anti-malware company G-Data Software.
According to novirusthanks.org, SpyEye works in stealth mode, is invisible from the task manager and other user-mode applications, hides its files from regular Explorer searches, and also hides its registry keys. It can grab data entered in a Web form and automates getting money from stolen credit cards.
There are a lot of "insiders cooperating, and lots of mind power," said Abrams. It is difficult to speculate whether the merger is a joint collaboration or if it was a political move where the Zeus author was forced to merge because Zeus was under attack, he said.
Banking malware relies on stealth and sophisticated techniques to compromise users. The gaming Trojans, in contrast, steal passwords using simple social engineering methods, he said.
However, there is nothing remarkably new in the merged variant, as it employs tactics such as social engineering, the man-in-the-middle attack, or combining mobile malware with PC malware, said Abrams. The man-in-the-middle attack refers to malware authors getting around SSL encryption by infecting the user's PC. Despite strong encryption, if it's the user's PC that is infected, then whatever the user sees, the criminals can also see, he said. The combined attack can take the form of intercepting SMS messages from banks on the mobile phone.
The older, original Zeus Trojan is not going away, Abrams said. Botnets running the older Zeus code will continue their attacks alongside the new Zeus/SpyEye variant. While it was possible that the Zeus Trojan would be updated with new capabilities, "like any software company, they will focus on the new version," he said.
There has to be "more rigorous" security around online banking and a focus on regulations worldwide, not just the United States, said Abrams. But as long as small businesses and users bear the brunt of these attacks, banks are not likely to make the significant security investment required, he said.
Abrams suggested that users dedicate a separate PC for online banking, one that is never used for e-mail or surfing the Web. The operating system and browser should be patched regularly and kept up to date to foil any remote attacks looking for open vulnerabilities, and a firewall should be running, he said.
Many users are planning to upgrade to brand-new computers during the holiday season, so instead of throwing away the old computers, users should think about turning them into dedicated banking PCs, he said. "Older computers, Pentium 2 machines are enough for banking, as long as they can run an operating system and a supported browser," said Abrams.
A Linux bootable CD would be the most secure, but many banking websites rely heavily on ActiveX and won't work properly, he said.