The victim is then presented with a fake insurance account that claims to cover the total amount of funds in their bank account. This fake insurance account is actually a real bank account that belongs to a money mule. The victim is told that they will be protected against any losses from online fraud by this insurance coverage. In the final step, the victim is prompted to authorize a transaction that they believe is to activate the insurance coverage. In all likelihood, the victim does not expect any funds will be transferred out of their account.

To approve the transaction the victim enters a one-time SMS password that is sent to their mobile device. Unfortunately, the victim is actually approving a transfer of funds from their account to the fraudster’s money mule account.

via A New Twist: Fraudulent Fraud Insurance | Trusteer.

The FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan think of the Borg on Star Trek. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel infrastructures.

Zeus 2.1.0.1 is a commercially available upgrade[1] of the Zeus 2.0.8.9 banking Trojan which was the last “true” variant released by the original coder, Slavik and his developers team. This Trojan does not present any features much different than its predecessor.

RSA researchers have studied a Zeus 2.1.0.1 variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC

[...]

via Now You Z-eus It, Now You Don’t: Zeus Bots Silently Upgraded to Citadel « Speaking of Security – The RSA Blog and Podcast.

Below some of the most interesting new features:

Communication channel

P2P seems to be the new botnet architecture instead of the old central C&C which has been preferred until now.  This change will dreastically impact on all the monitoring techniques/tools  that are currently used nowadays to face Zeus and SpyEye. Takedown methodologies will also be affected to this new feature.

UDP instead of TCP

A proprietary UDP handshake (port-knocking) is used to establish the communication between the bot and its peers, AND (controversially to its previous version) exchange data between them i.e. configuration files.

Changes in the compression and encryption

The main encryption scheme has not changed from the Zeus 2.x versions ( XOR+RC4), however, a new encryption layer has been added which consist in  a byte-per-byte XOR applied to each block of the configuration.
The pseudo code follows:

XorKey = ((BlockSize << 0×10) | BlockId) | (XorSeed << 8 )

Lastly,  the usual Nrv2b compression has switched to the Zlib 1.2.5 one.

Any node can now provide malwares

Due to the nature of a de-centralized network, now every node can act as the main C&C thanks to a nGinx minimal webserver which every bot comes with.

To note that -controversially to previous Zeus and SpyEye versions- some of the bots observed by Symantec were distributing malware binaries too.

]]> http://www.honeynet.it/malware/new-p2p-version-of-zeusbotspyeye-spotted-in-the-air/feed 0 http://www.honeynet.it/uncategorized/zeus-variant-hijacks-phone-calls-trusteer-says http://www.honeynet.it/uncategorized/zeus-variant-hijacks-phone-calls-trusteer-says#comments Tue, 07 Feb 2012 09:56:46 +0000 marco.riccardi http://www.honeynet.it/?p=459

[..]

In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog) that approve the transactions.

[..]

via Malware Redirects Bank Phone Calls to Attackers | Trusteer.

The image below (Picture 1) shows this CAPTCHA breaking malware’s ecosystem, which we’ll describe step by step. Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit. Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine. Step 3: Cridex runs on the machine. Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data like ATM PIN numbers). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here. Step 5: Any stolen data from the system is uploaded to a command and control server. [..]

via Trojan caught on camera shows CAPTCHA is still a security issue – Security Labs.

[..]

The online security giant reckons that Trojan bankers have been detected on an average of 2 000 unique users’ computers per day.The most notable Trojan discovered by the company is called Trojan Banker.MSIL.MultiPhishing.gen and is reportedly designed “ to steal account details from clients of numerous banks including Santander, HSBC Bank UK, Metro Bank, Bank of Scotland, Lloyds TSB, and Barclays”.

[..]

via 780+ viruses target online banking daily – top antivirus company | memeburn.

“Post transaction attacks, as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions.” said Amit Klein Trusteer’s CTO.

Malware post-transaction attack in detail

Step 1: Malware post-login attack – credentials stolen

a. Fraudsters infect the victim’s machine with Man in the Browser malware (any MitB malware, e.g. Zeus, SpyEye, Carberp), with a suitable configuration.

b. The malware is configured to ask the customer for debit card data during the login phase (HTML injection) – e.g. card number, CVV2, expiration month and year, etc.

Step 2: Fraudster commits fraudulent activity

c. With the customer’s debit card details, the cybercriminals then commit card-not-present transaction fraud by making a purchase or transferring money over the telephone or the internet.

d. The fraudsters immediately feed the fraudulent transaction details to the malware control panel.

Step 3: Malware post-transaction attack with fraud hidden from view

e. The next time the victim visits their online banking site, the malware hides (“replaces”) the fraudulent transactions in the “view transactions” page, as well as artificially changing the total fraudulent transaction amount to balance the totals. As a result, the deceived customer has no idea that their account has been ‘taken over’, nor that any fraudulent transactions have taken place

via SpyEye Trojan post transaction fraud schemes attack banks.

The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.”Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.

via FBI — ‘Gameover’ Malware Targets Bank Accounts.

[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution.
Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. However, the analysed variant of the Trojan used two new channels of communication to receive orders (figure on right):

1. Communication in a peer-to-peer network
2. Domain names Generation Mechanism

This variant has been analyzed to some extent by other researchers before – there is information on the web on the new variant of Zeus (eg abuse.ch ), however – based on our knowledge – previous research has focused on registering and monitoring traffic to Zeus domains. In our work we focus on understanding the P2P network communication mechanisms, mapping out the network, and monitoring the exchange of information in this particular network. [..]

via CERT Polska » Blog Archive » ZeuS – P2P+DGA variant – mapping out and understanding the threat.

This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names URLs per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.

via Organized Cybercrime: Nefarious Sophistication Featuring Zeus V2.1.0.10 « Speaking of Security – The RSA Blog and Podcast.