Zeus Trojan Leverages IM Software to Forward Stolen Online Account Data
Topics: Authentication | Identity Protection | Man in The Middle | Online Fraud, Fraudsters | Phishing
During its investigation of several Zeus Trojan attacks over the past three months, the RSA FraudAction Research Lab discovered and tracked a new online attack method employed by criminals that can quickly leverage compromised credentials. RSA’s research of several Zeus Trojan variants revealed that some online criminals have started using the Jabber instant messaging (IM) open protocol as a quick delivery mechanism for compromised user credentials. Using Jabber, stolen information is sent to these fraudsters as soon as it is collected from computers infected with the Zeus Trojan. (Note: there is no direct relationship between this fraudster-generated technique using Jabber and any usage of Jabber by legitimate online users.)

The Jabber IM modules built into these particular Trojans were configured to extract stolen user credentials from the Zeus Trojan’s “drop” server database and then immediately send those credentials to the online criminal, wherever he may be. Stolen credentials that reside on the drop server are not necessarily available in real time to the online criminal: the criminal may reside in another part of the world, or may not be connected to the server 24x7. Hence, criminals are using Jabber IM to automatically forward and receive stolen credentials as soon as they are collected. In this case, online criminals use two Jabber accounts: one for sending selected compromised user credentials from the drop server’s database, and the other for receiving those credentials.

Each of the Jabber IM modules detected by the RSA FraudAction Research Lab was configured to perform a different set of actions and was essentially "customized" according to the criminals' preferences. A typical Zeus Trojan drop server holds stolen information belonging to users whose computers are infected by the Trojan; these users include customers of numerous financial institutions as well as other targeted organizations.
The first Jabber module traced by RSA was configured to extract compromised user credentials from a single U.S.-based financial institution, indicating a targeted Zeus Trojan attack. In another instance, a Zeus Trojan with a Jabber module was used by a criminal to send compromised user credentials pulled from five different financial institutions (see Figure 1). RSA also found that this particular Trojan was configured to forward stolen user credentials to the criminal via email.

Figure 1: Zeus Trojan’s Jabber Notification of a Victim’s Attempt to Log In to Specific Entities

The flow of events based on the Jabber IM delivery method of stolen online credentials is as follows:
The use of instant messaging applications for receiving notification of newly collected compromised accounts or customers’ login attempts is not a new cybercrime technique. The Sinowal gang, for example, was known to have employed a Jabber module as early as 2008. The criminals behind Sinowal used Jabber instant messages to receive real-time notification of newly collected credentials, as well as real-time notification of login attempts by infected users (see Figure 2). Real-time notifications enabled Sinowal's operators to use freshly stolen online banking credentials to complete transactions during the victim’s live session.

Figure 2: A Jabber Notification to the Sinowal Gang regarding a Victim’s Attempt to Log In to a Compromised Computer and its Online Account

Real-time notification can further online criminals’ goals in some cases when certain variations of Man-in-the-Middle (MITM) or Man-in-the-Browser (MITB) attacks are launched. With such attacks, the online criminal may be acting in real time as the intended victim logs in to his or her account. And while this technique is certainly not new to RSA (and has been well documented), it currently seems to be gaining popularity among Trojan herders who seek to exploit stolen credentials in real time. This is not an unexpected development on the part of fraudsters as they seek to work around certain online protection measures; the RSA Anti-Fraud Command Center predicted these types of trends in online fraud in a paper issued earlier this year. However, online security is not limited to one single layer, such as users’ online credentials. In order to fight these threats, organizations should adopt multi-layered online security techniques, such as those that shut down Trojan attacks or authenticate users based on their distinct computer profiles and locations.
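The following is an added example, not code from RSA or from the post, of the device-profile and location layer just described: it scores constructed login events against each user's known (device, country) profiles and flags the pattern that real-time IM forwarding enables, namely a second login from a different machine seconds after the victim's own. The device fingerprint and the upstream IP-to-country resolution are assumed inputs.

```python
# Added example (not RSA's code): device-profile and location checks over
# constructed login events, the layered control the post recommends.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    device_id: str  # stable computer/browser fingerprint (assumed available)
    country: str    # country of the source IP, resolved upstream (assumed)

# Known-good (device, country) profiles per user; constructed sample data.
BASELINE = {
    "alice": {("dev-a1", "US")},
    "bob": {("dev-b7", "DE"), ("dev-b8", "DE")},
}

# Constructed stream: alice logs in, then her credentials are replayed 41 s later.
EVENTS = [
    Login("alice", datetime(2009, 4, 10, 9, 0, 0), "dev-a1", "US"),
    Login("alice", datetime(2009, 4, 10, 9, 0, 41), "dev-zz9", "UA"),
    Login("bob", datetime(2009, 4, 10, 9, 5, 0), "dev-b8", "DE"),
    Login("bob", datetime(2009, 4, 11, 8, 0, 0), "dev-b9", "DE"),
]

def score(login, baseline, earlier, window=timedelta(minutes=10)):
    """Return the risk reasons for one login; an empty list means low risk."""
    known = baseline.get(login.user, set())
    reasons = []
    if login.device_id not in {d for d, _ in known}:
        reasons.append("unknown_device")
    if login.country not in {c for _, c in known}:
        reasons.append("unknown_country")
    # A login from a different device within minutes of an earlier one is
    # the live-session replay pattern that real-time IM forwarding enables.
    if any(p.device_id != login.device_id and login.when - p.when <= window
           for p in earlier):
        reasons.append("concurrent_session")
    return reasons

def evaluate(events, baseline):
    """Score logins in time order; returns {(user, ISO time): reasons}."""
    history, results = {}, {}
    for ev in sorted(events, key=lambda e: e.when):
        earlier = history.setdefault(ev.user, [])
        results[(ev.user, ev.when.isoformat())] = score(ev, baseline, earlier)
        earlier.append(ev)
    return results
```

In a real deployment the baseline would be learned from a user's history and the reasons fed into a step-up decision (for example, requiring a one-time password) rather than a hard block.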
One-time passwords will always remain an effective layer, as they provide much stronger protection than just a username and password. RSA’s Sam Curry recently posted a blog covering this topic.

Note: Upon discovery of the information, all relevant financial institutions affected by these attacks were notified by RSA. In certain cases, RSA reserves the right to notify law enforcement authorities and/or other relevant agencies regarding information it has uncovered in the course of conducting business.

Comments

World's nastiest trojan fools AV software

One of the world's nastiest password-stealing trojans evades detection by the majority of PCs running anti-virus programs, according to a study that examined 10,000 machines. Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of the time by AV programs, according to the study (PDF) released by security firm Trusteer: http://www.trusteer.com/files/Zeus_and_Antivirus.pdf

Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said. Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC's browser process. A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer's study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Read more here: http://scforum.info/ - HULIO