Trusteer Reports Hackers Improve Zeus Trojan to Retain Leadership in Crimeware Race
Version 2.1 of Leading Online Fraud Platform Evolves to Stay Ahead of the Financial Malware Pack
New capabilities in Zeus 2.1 include:
- URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus's configuration to define targets. For example, Zeus can now target all URLs that start with "https" and then zero in on those that contain specific digits and keywords. Earlier Zeus versions had a primitive regular expression implementation which provided very little flexibility in specifying target URLs.
- The injection mechanism (Zeus's main "work horse") now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. It can target individual web pages with elaborate injections, while not injecting into other pages. This surgical injection method creates more convincing pages and can target more banks using a single attack.
- Zeus now has a fine-grained "grabbing" mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the C&C host. The grab mechanism provides an efficient way of collecting user data (such as account balance), as opposed to the cumbersome and wasteful way (supported by earlier Zeus variants) of having to copy the full page.
- As other researchers have already pointed out Zeus 2.1 completely changed the way it communicated with its Command &Control (C&C) servers with a daily list of hundreds of C&C hostnames, through which it cycles trying to find a live one which is a considerable improvement over the previous scheme.
- Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and authenticating the C&C server to Zeus clients.
"Since the Trusteer Secure Browsing software is installed on the PCs of millions of bank customers, automatically classifying, blocking, analyzing, and removing financial malware such as Zeus, our researchers can see enhanced attack vectors in real time," said Mickey Boodaei, CEO of Trusteer. "The improvements are similar to those seen in commercial software, but instead of enhancements being released on a monthly or annual basis, the timescales are now being compressed to just days and weeks, largely because of the immense fraudulent revenues involved. While commercial software needs to undergo extensive quality assurance processes before being released, Zeus has the luxury of pushing rapid updates without worrying too much about software quality."
Previous malware has risen in popularity, then been tweaked and then faded away, the enhancements in Zeus - which is currently into version 2.1 - show no signs of abating, largely because of the modular coding structure of Zeus. The modular approach, for example means that exploit hacks can be used to enhance the ability of Zeus to stage a real-time bank access attack, and so greatly extend its useful lifetime to the cybercriminals. As with any commercial application, software product maintenance and support are two of the more important reasons why users buy and use products, and Zeus has proven over the last three years that it does both very well for the cybercriminals.
The Zeus developers keep releasing new features - such as a highly granular browser injection facility - that allow them to stay one step ahead of the IT security community, as well as fixing bugs and other issues in previous versions. This level of commitment attracts the fraudsters' business and maintains interest in the Trojan amongst security vendors, banks and law enforcement officials. And this in turn re-enforces the security circle, with hacker coders constantly tweaking and improving the malware as time goes on.
"The big question is how long can Zeus stay in pole position in the malware fraud charts? Our researchers suggest that, given its ability to be morphed and enhanced, it's going to be some while yet before other malware gets a look in at the top spot. And this means that hackers have a vested interest to keep Zeus ahead of the game as far as its ability to defraud, forcing them to improve and increase their effort all the time to avoid losing the cybercriminal's business," Boodaei said.
IT security teams trying to defend against Zeus should:
1. Recognize that antivirus technology is only partially effective against modern malware such as Zeus, Bugat, and SpyEye. Many of these fly under the radar of antivirus solutions while targeting employees and stealing sensitive corporate information. This version of Zeus is extremely elusive and is virtually undetectable by antivirus products.
2. Recognize that the browser has emerged as the weakest link in the enterprise security infrastructure and is being exploited by malware authors and criminals to infect computers and steal sensitive information.
3. Protect employees, contractors, and unmanaged computers with secure browsing services, which can detect, block, and remove browser-borne malware from computers.
4. Put in place technology and processes that enable effective, and instant investigation of malware-related fraud incidents.
Trusteer, the world's leading provider of secure browsing services, helps secure computers against Man in the Middle, Man in the Browser, and Phishing attacks. Trusteer's Secure Browsing Service has been available since 2008 and is currently used by more than 70 leading financial organizations in North America and Europe and by more than 13 million of their customers to protect their online banking communication against sophisticated malware attacks and fraud. Trusteer's Secure Browsing Service is also used by fortune 100 enterprises to protect unmanaged computers entering their network. HSBC, Santander, The Royal Bank of Scotland, Standard Bank, and ING DIRECT are just a few of the banks using Trusteer's technology. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our products and services, please visit www.trusteer.com.