Slashdot Mirror

← Back to Stories (view on slashdot.org)

Next-Generation Banking Malware Emerges After Zeus

Posted by Soulskill on from the survival-of-the-fittest dept.

Batblue writes "The rumored combination of two pieces of advanced online banking malware appears to be fully underway after several months of speculation. What appears to be a beta version of a piece of malware that has bits of both Zeus and SpyEye is now in circulation, albeit among just a few people, said Aviv Raff, CTO and cofounder of Seculert. Seculert has published screen shots of the new malware, which has two versions of a control panel used for managing infected computers. One of those control panels resembles one in Zeus, and the other resembles that in SpyEye. Both of the control panels are connected to the same back-end command-and-control server, he said."

48 comments

  1. Safest Banking by Malnar · · Score: 2

    Oh no! They're gonna get at the wad of money buried in the back yard! It may only earn the interest of worms, but at least its not funding wall street

    1. Re:Safest Banking by HomelessInLaJolla · · Score: 1

      The safest banking is to follow the law of God which the bankers should themselves be following. Pick up only enough for today--maybe enough for tomorrow or a few days. If you find yourself picking up enough for next season, next year, years to come, generations to come, then you're already doomed.

      --
      the NPG electrode was replaced with carbon blac
    2. Re:Safest Banking by Lord+Ender · · Score: 1

      Your savings account money typically funds mortgages and small businesses. "Wall Street" runs on capital largely derived from the sale of stocks, and banks don't buy stock with their depositors' money.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. Secular seculert by Anonymous Coward · · Score: 0

    Is Seculert prominently secular or something?

  3. Alternative link by hellkyng · · Score: 4, Informative

    Kreb's writeup is pretty good as well, not that anyone reads tfa.

    http://krebsonsecurity.com/2011/02/revisiting-the-spyeyezeus-merger/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+(Krebs+on+Security)

    1. Re:Alternative link by Anonymous Coward · · Score: 0

      Thanks man! I like to go to the source of the information too, I generally just use slashdot to point me to the interesting links ;)

  4. I think it's pretty cool by Anonymous Coward · · Score: 0

    that you can rob a bank without having to kill or threaten anyone. Damn! I could retire tomorrow... Fuck the banks. I'm interested to see how this all plays out in the long term

  5. the need for US to create/protect blackwater co.s by Anonymous Coward · · Score: 0

    best of luck to our (former) 'clients' in cairo

  6. on to more important stuff that really matters by Anonymous Coward · · Score: 0

    almost nothing else of value can happen until the scared/hungry/sick babies (all of them) are cared for appropriately. damned pyramids. see you there?

  7. Comment from TFA by beschra · · Score: 3, Interesting

    Thought this was worth including in /. "Question (and not a rhetorical one): Do you think that if the US Congress issued a Letter of Marque and Reprisal to a licensed and bonded cyber privateer, and tasked that privateer to loot the bad guys, that the bad guys would think twice before plying their trade? In other words, is there a deterrent value?"

    --
    It is unwise to ascribe motive
    1. Re:Comment from TFA by Anonymous Coward · · Score: 0

      If you're any good at looting, maybe. It's like violence: if it's not working, use more. It's possible to seriously curb drug usage if you're brutal enough, like Mao was.

    2. Re:Comment from TFA by deKernel · · Score: 1

      Wow, that is a very interesting question. I would think that it would not be such a good idea to act in such an overt manor. The one issue I see is that some/most of the "command and control" servers are located in other sovereign countries...some of which are even friendly, so attempting to breach such machines could be construed as an attack on a sovereign nation.

      Now with that, I believe that it is something that organizations such as the CIA or NSA should be doing this in a covert manor.

    3. Re:Comment from TFA by Anonymous Coward · · Score: 0

      I've always wanted a covert manor, "batcave" and a covert few billion dollars.

  8. Rule of Thumb by Katsury · · Score: 2

    I think it should be expected that there will always be something better, more efficient, and equally if not more spooky than the malware that we know about. The unknown stuff is the malware you should be worried about.

  9. Banking malware - wha ? by doperative · · Score: 1

    I see, it's either computer malware, Internet malware or now banking malware. How much PR effort must have gone into inserting that particular viral marketing meme into the blogosphere ..

    1. Re:Banking malware - wha ? by maxume · · Score: 2

      It's just English. "Banking malware" is shorthand.

      --
      Nerd rage is the funniest rage.
  10. Re:Why don't computer users by Anonymous Coward · · Score: 2, Insightful

    why does Microsoft even allow malware to be installed on Windows 7 in the first place?

    Your stupidity astounds me.

  11. Use a Live DVD? by DaveGod · · Score: 1

    I'm starting to think I should try modifying an Ubuntu live DVD so it's preconfigured to ignore HDD and block out everything but my bank. I'd still have to save files to USB though.

    Anyone have experience with Rapport? Is it some lightweight thing you just run when you want to access internet banking or is it some nuisance running all the time?

    1. Re:Use a Live DVD? by Anonymous Coward · · Score: 0

      Try "Puppy Linux", I am actually running it at this very moment. It boots from a CD, and all of your settings and installed programs can easily be saved onto a USB memory stick.

      By default, it does not mount your hard disk. You can easily mount it if you need it.

    2. Re:Use a Live DVD? by purpledinoz · · Score: 1

      In Germany, this malware would not work at all. Every transaction requires you to input something called an iTAN, which is a one-time-use 6 digit code that the bank sends you by mail. So you get a paper with 100 iTAN numbers, and when you almost use them up, they send you another list. When you switch to the new list, you have to enter an iTAN from the old list. I feel much more secure with this system than what's implemented in the US and Canada.

    3. Re:Use a Live DVD? by orange47 · · Score: 1

      but the virus could steal that 'itan' code the moment you type it and make another transaction instead..

      i think the only good solution so far has been livecd (assuming bios is ok).
      or using seperate, locked down, firewalled, etc.. computer only for banking.

    4. Re:Use a Live DVD? by Anonymous Coward · · Score: 0

      I'm starting to think I should try modifying an Ubuntu live DVD so it's preconfigured to ignore HDD and block out everything but my bank. I'd still have to save files to USB though.

      Anyone have experience with Rapport? Is it some lightweight thing you just run when you want to access internet banking or is it some nuisance running all the time?

      Rapport runs all the time, however it hardly uses resources and rather have it than not.
      I have it running and havent had any internet banking problems and I use numerous
      banks's online banking facilities. That sais I'm keep the a/v and patching up to date
      everyday as wel...

    5. Re:Use a Live DVD? by DaveGod · · Score: 1

      The malware defeats your bank's measures by performing a man-in-the-middle attack. When you point your browser at your bank's website the malware steps in and it accesses your bank and sends you a copy of the page. You enter the details of your supplier but the malware substitutes their own account details. You then dutifully go through the security routine, unwittingly authorising the wrong account. iTAN is completely defeated by both phishing and man-in-the-middle, all it is any good for is against key loggers.

      My bank uses a card+reader system. Every time you set up a new supplier you have to enter into the website their account number and account holder's name, which the bank checks in real time. You then put your card in your reader (which looks like a little calculator) and enter a code of which half comes from the bank website and half are digits of the payee's account number. Your reader then responds that the bank website is genuine, then generates a code which you enter into the bank website, so the bank knows you are genuine.

      Let's be clear, I'm only ever giving them a code that should only work with the payee account details I already knew. How can even man-in-the-middle beat that? Yet apparently it can. The best I can think of is that at the first stage with the reader, the fake website prompts the user with the full code to enter into the reader and deletes the text reminding you that some of it should match your intended account number. Or maybe it's cracked the reader codes, I don't know.

    6. Re:Use a Live DVD? by purpledinoz · · Score: 1

      Yikes, I never thought of that. That is some scary stuff! The live CD is a good idea, but a linux VM might provide the same security, unless the malware knows how to perform a man-in-the-middle attack through a VM.

    7. Re:Use a Live DVD? by WarmNoodles · · Score: 1

      Not true at all. All that is is cross site request forgery protection. Wont help you a single bit if the attacker substitutes his or her self as a payee and substitutes your remaining balance as the amount.

      It Also would not help you if the transaction reponse page was a fake and the attacker collected a week's worth of your ITANS, how often does the average Germal banking customer call thier Bank? If the bank delivers electronic statments then, you will never see one showing fraud, and if they deliver physical monthly statments, an attacker can collect and use nearly 30 days of ITANS before you have a clue your screwed.

      Have a nice day now knowing your just as screwable as an other Banking customer :)

    8. Re:Use a Live DVD? by WarmNoodles · · Score: 1

      Man in the middle no no, you mean buffer overflow, Like this critical exploit from from 2005? http://www.eweek.com/c/a/Security/VMWare-Virtual-Machine-Security-Flaw-Very-Serious/

      Or the 300 exploits starting on this page ? http://www.securityfocus.com/cgi-bin/index.cgi?o=0&l=30&c=12&op=display_list&vendor=VMWare&version=&title=ESX%20Server&CVE=

      Vming doent help, install patches, have intrusion prevention and early detection, have a measurement and hardening practice, have an AV and firewall, dont run as Admin, or root, don't let your kids or admins install applications willy nilly, dont allow servers to browse the internet, dont play games on the same computer as your banking.
      But the best single piece of advice is to physically segregate your banking from all other activities and Keep all your off line files encrypted by password and key. Think PGP virtual disk, or true crypt volume, NOT full volume bit locker type encryption. Worth less crap for on line security.

      But nothing and no security measure will surpass "You should have known better 20 20 hind sight attack."

      Using a live CD? really? How secure is that CD, who made it, who if anyone vetted it? why do you trust it, may be it IS the attack, how would you know? Security is more about being informed and making yourself a hard target and measuring your security posture. Primarily by not doing stupid things you know are wrong, you will and can skip being seen by most of the attack surface which is looking for you.

    9. Re:Use a Live DVD? by WarmNoodles · · Score: 1

      Right! just what the world needs, another *nix variant. Slaps forehead.

    10. Re:Use a Live DVD? by tlhIngan · · Score: 1

      I'm starting to think I should try modifying an Ubuntu live DVD so it's preconfigured to ignore HDD and block out everything but my bank. I'd still have to save files to USB though.

      Anyone have experience with Rapport? Is it some lightweight thing you just run when you want to access internet banking or is it some nuisance running all the time?

      Or, why not just get a netbook, completely erase the hard drive and install your favorite Linux? Lock it down, image it and use it only for banking.

      Banking only needs a little CPU power, and netbooks are cheap and disposable so you can use it just for banking only. Shut it down when you're done and that's it. That way your main PC doesn't have to be rebooted continually (it gets old, fast!). You just boot up the netbook, do your banking, then shut it down and put it back on the shelf.

    11. Re:Use a Live DVD? by Anonymous Coward · · Score: 0

      they are one time passwords.
      one transaction and no more, sniff away virus.

  12. Use a Live USB by doperative · · Score: 1

    You can install a full working system to a USB device using the Ubuntu Live USB creator. You can configure it so save your configuration to a separate partition and make it readonly using a physical read-write switch. Your session runs from memory and so is flushed at each reboot. There are various desktop environment available, one of the lightest is Lubuntu. Any business out there doing online Banking should produce their own customized Live CD and hand them out to their employees, there are various systems out there that can be customized such as the Knoppix distro ..

    1. Re:Use a Live USB by denis-The-menace · · Score: 2

      USB sticks with "physical read-write switch" don't exactly grow on trees.
      As far as I know only Kanguru and Imation(aka 3M) make them and Imation's USB Sticks are slow. Kanguru Sticks are hard to come by.

      Is there such a thing as an inline USB write protect switch?

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:Use a Live USB by Anonymous Coward · · Score: 0

      Yes, you can get hardware write blockers - they've used in digital forensics.

    3. Re:Use a Live USB by denis-The-menace · · Score: 1

      I looked them up.
      $300 and total overkill.
      If Kanguru can do it without bulk or a External power supply, isn't there something about the size of a USB stick that can do the same?

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    4. Re:Use a Live USB by b0bby · · Score: 1

      USB sticks with "physical read-write switch" don't exactly grow on trees.
      As far as I know only Kanguru and Imation(aka 3M) make them and Imation's USB Sticks are slow. Kanguru Sticks are hard to come by.

      Is there such a thing as an inline USB write protect switch?

      Would an SD card in a reader respect the write protect switch? Both SD cards & USB readers for them are cheap & easily available.

    5. Re:Use a Live USB by orange47 · · Score: 1

      actually, I remember that many USB sticks had the readonly switch, back then, with sizes like 128Mb.

  13. Good thing I use a Credit Union by jafiwam · · Score: 1

    They are immune from fees and all that other banking stuff!

  14. Re:Why don't computer users by Anonymous Coward · · Score: 0

    ...and your stupidity seems to keep on going...

    Microsoft doesn't allow malware any more than OSX or Linux... Microsoft is just the one that people go for as it is by FAR the most used operating system!

  15. Re:Why don't computer users by Anonymous Coward · · Score: 0
    RTFA: Zeus / SpyEye are windows malware.

    Furthermore, look at the best-of-class spyware tools:
    http://www.malwarebytes.org/mbam.php -- no OSX or Linux versions
    http://fileforum.betanews.com/detail/Spybot-Search-Destroy/1043809773/1 -- no OSX or Linux versions
    http://www.lavasoft.com/products/ad_aware_free.php?t=techspecs -- no OSX or Linux versions

    Why could that be? Maybe because OSX and Linux don't allow malware to be installed, and the MicroIdiots have their heads up your ass.

  16. Re:Why don't computer users by Anonymous Coward · · Score: 0

    Please stop talking, your stupidity might be infectious.

  17. Due process by Anonymous Coward · · Score: 0

    Congress can't do that, because it violates due process. We have to give "the bad guys" a trial. They are presumed innocent, until proven guilty.

    Otherwise, the privateers just attack whoever they want, and falsely claim that their victims were "the bad guys" in the letter of marquee.

    1. Re:Due process by Hamoohead · · Score: 1

      Congress can't do that, because it violates due process. We have to give "the bad guys" a trial. They are presumed innocent, until proven guilty.

      Agreed. Violating due process is best left to the professionals.

      --
      "If your parents never had children, chances are you wonât either." -Dick Cavett
  18. Re:Why don't computer users by Anonymous Coward · · Score: 0

    "The term rootkit or root kit originally referred to a maliciously-modified set of administrative tools for a Unix-like operating system that granted "root" access."

  19. Re:Why don't computer users by Anonymous Coward · · Score: 0

    "The term rootkit or root kit originally referred to a maliciously-modified set of administrative tools for a Unix-like operating system that granted "root" access."

    "Originally", as in the past, as in not allowing the installation of rootkits is something that OSX and Linux, i.e.: modern Unix-like operating systems, do right.

  20. Tan Rue Nomad by Anonymous Coward · · Score: 0

    the Changeling....
    http://en.wikipedia.org/wiki/The_Changeling_(Star_Trek:_The_Original_Series)

  21. Well, obviously by Anonymous Coward · · Score: 0

    “Well, obviously we have malware in Lincoln Park. He's climbing in yo windows, he's snatchin yo money up..'