Zeus Trojan Rules World of Online Bank Fraud

Alleged cyber-criminals around the world the week of Sept. 27 were scooped up by police after a 16-month investigation that stretched from the United States all the way to the Ukraine.

The cyber-crime ring is accused of stealing $70 million from bank accounts, with targets ranging from individuals to small and midsize businesses to municipalities. The weapon of choice in these heists was a variant of the infamous Zeus Trojan, a reminder that the malware is still prevalent in the underworld.

According to security researchers, the price of the Zeus Trojan can range from a few thousand to possibly as high as $10,000. Additional features and services such as Windows 7 support or "Firefox form grabber" can be purchased for $2,000, Ivan Macalintal, senior threats researcher at Trend Micro, told eWEEK.

"It is the most popular Trojan tool kit going today," said Dave Marcus, director of security research and communications at McAfee Labs. "It's also the highest priced and most effective."

In the years since it was first seen in the wild, Zeus has been linked to numerous criminal operations and botnets. Trusteer, for example, earlier in 2010 found a 100,000-strong Zeus botnet that was tied to the theft of a wide range of user data, including credit card numbers and browser cookies.

To read about how social networking data is used by hackers, click here.

The malware is spread by a variety of means, including drive-by downloads and spam attacks. The constant development of variants allows Zeus to evade antivirus software, researchers said.

"The tool kit is very well developed and of professional grade," Marcus noted. "It's probably the most popular, because it's hands down the most effective. Cyber-criminals love it because it's a money-maker."

However, Marc Fossi, manager of research and development for Symantec Security Response, said Zeus is not as broadly advertised as it once was because of the attention it attracts.

"In fact, one Website we recently observed had a rule banning sales and downloads of Zeus through their forum because of the attention it was drawing to them," Fossi said.

Recently, Zeus operators made an attempt to trick users of mobile devices into giving up their mobile phone numbers so they could infect those devices with an SMS (Short Message Service) monitoring program that can be used to steal transaction authentication numbers sent to users by banks to authenticate online banking transactions.

"The banking industry needs to be doing more," said Alex Cox, principal analyst for NetWitness. "In the past, online fraud losses were looked at as a cost of doing business as long as they didn't exceed whatever the expected loss percentage was, and U.S.-based banks have historically lagged behind European banks as far as online banking safeguards go, too."

Cox recommended that banks develop a threat intelligence strategy that actively tracks criminal elements known to attack their line of business, either via in-house or third-party intelligence services, and educate customers as to common risk factors associated with Zeus. Multifactor authentication can also help, he added.

"The popularity and power of Zeus is that it offers a very low barrier to entry, with a high possibility of return," Cox said. "As such, the use of Zeus is prolific to the point that we see it in the vast majority of organizations who call us in to assess them—either via infected hosts inside the corporate network, or being used to commit fraud via the business online portals. Infection mechanisms in [the recent arrests] were likely a combination of exploits, phishing and second-stage malware payload. This works so there is no need to change it or do anything different."