<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Italian Honey Project &#187; Malware</title>
	<atom:link href="http://www.honeynet.it/category/malware/feed" rel="self" type="application/rss+xml" />
	<link>http://www.honeynet.it</link>
	<description>The Italian chapter of the Honeynet Research Alliance</description>
	<lastBuildDate>Wed, 11 Jan 2012 11:44:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>SpyEye begins to use post transaction attack</title>
		<link>http://www.honeynet.it/malware/spyeye-begins-to-use-post-transaction-attack</link>
		<comments>http://www.honeynet.it/malware/spyeye-begins-to-use-post-transaction-attack#comments</comments>
		<pubDate>Wed, 11 Jan 2012 11:44:56 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[Info Stealer]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=448</guid>
		<description><![CDATA[
“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.” said Amit Klein Trusteer’s CTO.</p></blockquote>
<blockquote><p><strong>Malware post-transaction attack in detail</strong></p>
<p>Step 1: Malware post-login attack &#8211; credentials stolen</p>
<p>a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.</p>
<p>b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.</p>
<p>Step 2: Fraudster commits fraudulent activity</p>
<p>c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.</p>
<p>d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.</p>
<p>Step 3: Malware post-transaction attack with fraud hidden from view</p>
<p>e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place.</p></blockquote>
<p>via <a href="http://www.net-security.org/malware_news.php?id=1951&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;utm_content=Google+Reader">SpyEye Trojan post transaction fraud schemes attack banks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/spyeye-begins-to-use-post-transaction-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Zeus variant ‘Gameover’ armed for DDoS attacks</title>
		<link>http://www.honeynet.it/malware/new-zeus-variant-%e2%80%98gameover%e2%80%99-armed-for-ddos-attacks</link>
		<comments>http://www.honeynet.it/malware/new-zeus-variant-%e2%80%98gameover%e2%80%99-armed-for-ddos-attacks#comments</comments>
		<pubDate>Wed, 11 Jan 2012 09:22:20 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[gameover]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=446</guid>
		<description><![CDATA[
The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.” Gameover is a newer variant of the Zeus malware, which was created several years [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.” Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.</p></blockquote>
<p>via <a href="http://www.fbi.gov/news/stories/2012/january/malware_010612/malware_010612">FBI — ‘Gameover’ Malware Targets Bank Accounts</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/new-zeus-variant-%e2%80%98gameover%e2%80%99-armed-for-ddos-attacks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ZeuS P2P variant analysis</title>
		<link>http://www.honeynet.it/malware/zeus-p2p-variant-analysis</link>
		<comments>http://www.honeynet.it/malware/zeus-p2p-variant-analysis#comments</comments>
		<pubDate>Thu, 05 Jan 2012 14:02:24 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=444</guid>
		<description><![CDATA[
[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution. Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution.<br />
Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. However, the analysed variant of the Trojan used two new channels of communication to receive orders (figure on right):</p>
<ol>
<li>Communication in a peer-to-peer network</li>
<li>Domain names Generation Mechanism</li>
</ol>
<p>This variant has been analyzed to some extent by other researchers before – there is information on the web on the new variant of Zeus (e.g. <a href="http://www.abuse.ch/?p=3499">abuse.ch</a>), however – based on our knowledge – previous research has focused on registering and monitoring traffic to Zeus domains. <strong>In our work we focus on understanding the P2P network communication mechanisms, mapping out the network, and monitoring the exchange of information in this particular network.</strong> [..]</p></blockquote>
<p>via <a href="http://www.cert.pl/news/4711/langswitch_lang/en">CERT Polska » Blog Archive » ZeuS – P2P+DGA variant – mapping out and understanding the threat</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/zeus-p2p-variant-analysis/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zeus V2.1.0.10 adds Random Domain Generator</title>
		<link>http://www.honeynet.it/botnet/zeus-v2-1-0-10-adds-random-domain-generator</link>
		<comments>http://www.honeynet.it/botnet/zeus-v2-1-0-10-adds-random-domain-generator#comments</comments>
		<pubDate>Thu, 03 Nov 2011 12:34:31 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=441</guid>
		<description><![CDATA[
This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names URLs [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names URLs per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.</p></blockquote>
<p>via <a href="http://blogs.rsa.com/rsafarl/organized-cybercrime-nefarious-sophistication-featuring-zeus-v2-1-0-10/">Organized Cybercrime: Nefarious Sophistication Featuring Zeus V2.1.0.10 « Speaking of Security – The RSA Blog and Podcast</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/zeus-v2-1-0-10-adds-random-domain-generator/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are SpyEye and Zeus still married?</title>
		<link>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married</link>
		<comments>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married#comments</comments>
		<pubDate>Tue, 18 Oct 2011 09:03:48 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SpyEye]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=431</guid>
		<description><![CDATA[
[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. &#8220;SpyEye could not intercept the cached html-code,&#8221; Tarakanov wrote in an e-mail. &#8220;So the author of Spyeye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye. [..] &#8220;</p></blockquote>
<p>via <a href="http://threatpost.com/en_us/blogs/spyeye-and-zeus-malware-married-or-living-separately-101411">SpyEye and Zeus Malware: Married Or Living Separately? | threatpost</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ZeuS 2 Variant spotted</title>
		<link>http://www.honeynet.it/botnet/new-zeus-2-variant-spoted</link>
		<comments>http://www.honeynet.it/botnet/new-zeus-2-variant-spoted#comments</comments>
		<pubDate>Tue, 18 Oct 2011 08:37:56 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=429</guid>
		<description><![CDATA[
[..] This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..]</p>
<p>This new version, which Trend Micro detects as <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=TSPY_ZBOT.SMQH" target="_blank">TSPY_ZBOT.SMQH</a>,  spread around late September through spam that claimed to be from the  Australian Taxation Office (ATO). The spammed messages contained a  malicious link that when clicked directed users to a malicious website  that served the <em><a href="http://blog.trendmicro.com/a-refresher-on-spam-and-exploits" target="_blank">BlackHole Exploit Kit</a>.</em> The exploit kit, in turn, downloads a variant of the new ZeuS version.</p>
<p>[..]</p>
<p>As we can see, unlike ZeuS 2.3.2.0, which uses Advanced Encryption  Standard (AES), <strong>the decryption algorithm did not change much compared  with the modified ZeuS 2, which uses RC4.</strong></p>
<p>As I mentioned earlier, like  LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a  private professional gang, probably the same ones who created LICAT or  who may be affiliated with them at the very least. In fact, the  configuration file for TSPY_ZBOT.SMQH has the same format as that of the  configuration file of LICAT.</p></blockquote>
<p>via <a href="http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/?awid=7917255160271489866-1985">Another Modified ZeuS 2 Variant Seen in the Wild</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/new-zeus-2-variant-spoted/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New financial malware in the wild: Shylock</title>
		<link>http://www.honeynet.it/botnet/new-financial-malware-on-the-wild-shylock</link>
		<comments>http://www.honeynet.it/botnet/new-financial-malware-on-the-wild-shylock#comments</comments>
		<pubDate>Thu, 06 Oct 2011 10:11:06 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Shylock]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=426</guid>
		<description><![CDATA[
On September 7, 2011, Trusteer announced they are investigating new financial malware they called Shylock that &#8220;uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim’s computer; a better evasion technique to prevent malware scanners from detecting its [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>On September 7, 2011,  Trusteer announced they are investigating new financial malware they called Shylock that &#8220;uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim’s computer; a better evasion technique to prevent malware scanners from detecting its presence; a sophisticated watchdog service that allows it to resist removal attempts and restore operations&#8221;</p></blockquote>
<p>via <a href="http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html#more">contagio: Sept 21 Greedy Shylock &#8211; financial malware</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/new-financial-malware-on-the-wild-shylock/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A new Banking Trojan discovered by Trusteer: OddJob</title>
		<link>http://www.honeynet.it/botnet/a-new-banking-trojan-discovered-by-trustee-oddjob</link>
		<comments>http://www.honeynet.it/botnet/a-new-banking-trojan-discovered-by-trustee-oddjob#comments</comments>
		<pubDate>Thu, 24 Feb 2011 14:58:45 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[OddJob]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=395</guid>
		<description><![CDATA[
We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed. [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users&#8217; digital &#8211; and online monetary &#8211; assets. We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.</p>
<p>[..]</p>
<p>The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command &amp; Control (C&amp;C) protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware&#8217;s functionality may not be 100 per cent complete as the code writers continue to refine it.</p>
<p>[..]</p></blockquote>
<p>via <a href="http://www.trusteer.com/blog/new-financial-trojan-keeps-online-banking-sessions-open-after-users-%E2%80%9Clogout%E2%80%9D">New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout” | Trusteer</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/a-new-banking-trojan-discovered-by-trustee-oddjob/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SpyEye: the billinghammer feature</title>
		<link>http://www.honeynet.it/botnet/spyeye-the-billinghammer-feature</link>
		<comments>http://www.honeynet.it/botnet/spyeye-the-billinghammer-feature#comments</comments>
		<pubDate>Mon, 20 Sep 2010 08:12:25 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[SpyEye]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=352</guid>
		<description><![CDATA[
Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel picture above, feeds it a list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer Window and — at user-defined intervals — starts auto-filling the proper fields at the botmaster’s online store and making purchases.</p></blockquote>
<p>via <a href="http://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">SpyEye Botnet’s Bogus Billing Feature — Krebs on Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/spyeye-the-billinghammer-feature/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ZeuS 1.x variant discovered - Is this the missing link?</title>
		<link>http://www.honeynet.it/botnet/new-zeus-1-x-variant-discovered-is-this-the-missing-link</link>
		<comments>http://www.honeynet.it/botnet/new-zeus-1-x-variant-discovered-is-this-the-missing-link#comments</comments>
		<pubDate>Mon, 13 Sep 2010 11:04:50 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=345</guid>
		<description><![CDATA[
[..] According to their respective configuration files, the versions of these samples are 1.3.7.0 and 1.4.1.3. Let’s see the most relevant differences in comparison with the most common versions: [..] - Encrypted connection. Both the downloading of the configuration file and access to the control panel are made through SSL connection. This is new; both [...]
]]></description>
			<content:encoded><![CDATA[<blockquote>
<div style="text-align: justify;">[..]</div>
<div style="text-align: justify;">According to their respective  configuration files, the versions of these samples are 1.3.7.0 and  1.4.1.3. Let’s see the most relevant differences in comparison with the  most common versions:</div>
<p>[..]</p>
<p>- Encrypted connection. Both the downloading of the configuration file  and access to the control panel are made through SSL connection. This is  new; both 1.x and 2.x perform an HTTP connection in plain text, sending  the encrypted data along with their respective algorithms.</p>
<p>- Change of encryption. The encryption used is the RC4 seen to date, but  with a slight change in its “step”. It doesn&#8217;t use the xor encryption  layer used by versions 2.x</p>
<p>[..]</p></blockquote>
<p>via <a href="http://securityblog.s21sec.com/2010/09/zeus-missing-link.html">S21sec Security Blog: ZeuS: The missing link</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/new-zeus-1-x-variant-discovered-is-this-the-missing-link/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

