Alliance of Bot Masters Called ‘Credible Threat’

 
 
By Robert Lemos  |  Posted 2012-12-16
 
 
 

Some researcher thought it was a law-enforcement sting. Others theorized that it was an elaborate joke. But a call for bot operators to collaborate on attacking the customers of 30 U.S. financial institutions appears to be a "credible threat," said security firm McAfee in a report issued Dec. 13.

The operation, known as Project Blitzkrieg, was announced in a semi-private underground forum in September, and described by security firm RSA in a blog post in October. The announcement is the "making of the most substantial organized banking-Trojan operation seen to date," the company stated in its Oct. 4 blog post.

In its own research, McAfee, a subsidiary of Intel, tracked down the command-and-control server used by the hacker vorVzakone, who made the forum announcement. The posting included screenshots that gave McAfee enough evidence to track down the bot software used by the hacker and what appears to be a test of the infrastructure for the attack.

"Although Project Blitzkrieg hasn't yet infected thousands of victims and we cannot directly confirm any cases of fraud, the attackers have managed to run an operation undetected for several months while infecting a few hundred," the McAfee report stated.

The group used a Trojan known as Gozi Prinimalka, a variant of the Gozi Trojan created in 2008, that has always been used to commit financial fraud. The program was not created by vorVzakone, but an early group that appears to no longer be actively developing the malicious software, said Ryan Sherstobitoff, a researcher with McAfee Labs.

While the Trojan is not new, the calls for collaboration and the improvement to the command-and-control (C&C) server are new, he said.

"Really, what is new is the collaboration and the innovative back-end (C&C server), where he supplies all the information as to the drop accounts, how to transfer money properly, and many other details," Sherstobitoff said. "What people thought was a joke has ended up being credible."

McAfee used two identifiers leaked by the images posted online to match the campaign pictured in the images to a specific binary caught by the company's automated analysis systems. The existence of the malware, which was caught by McAfee in April, suggests that at least some of the claims are real.

The Gozi Prinimalka variant discovered in April by McAfee was first seen in the wild on March 29 and may have infected hundreds of banking customers, according to the report. The latest variant, released in October, is controlled using a C&C server in Romania and has targeted financial institutions exclusively in the United States.

"On Sept. 9, in the post, he said that he would release the trojan to individuals a couple weeks after they passed an interview," said Sherstobitoff. "Well, we saw a new Gozi Primimalka campaign spring up in October and end on Nov. 30 with over 80 victims."

McAfee expects future attacks to also hit only a modest number of victims to stay under law enforcement's radar and make it harder to defend against.

"A limited number of infections reduces the malware's footprint and makes it hard for network defenses to detect its activities," the report stated.

Rocket Fuel