2012
02.27

Symantec has recently blogged about a new version of the P2P variant of the Zeus/SpyEye Trojan.

Below are some of the most interesting new features:

Communication channel

P2P seems to be the new botnet architecture, replacing the central C&C that has been preferred until now. This change will drastically impact the monitoring techniques and tools currently used against Zeus and SpyEye, since there is no single server to sinkhole or watch. Takedown methodologies will also be affected by this new feature.

UDP instead of TCP

A proprietary UDP handshake (port-knocking) is used to establish communication between a bot and its peers and, unlike the previous version, also to exchange data between them, e.g. configuration files.

Changes in the compression and encryption

The main encryption scheme has not changed from the Zeus 2.x versions (XOR+RC4); however, a new encryption layer has been added, which consists of a byte-per-byte XOR applied to each block of the configuration. The key of that XOR is derived from the block's own header fields (size and id) plus a seed.
The pseudo code follows:

XorKey = ((BlockSize << 0x10) | BlockId) | (XorSeed << 8 )

Lastly, the usual NRV2B compression has been replaced by Zlib 1.2.5.
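The layering described above, as an added worked example (this is not Symantec's code and not the page's own): a configuration made of blocks is zlib-compressed, each block is XORed byte-per-byte with a key computed by the pseudo code above, and the whole thing is then wrapped in the RC4 layer the page says is unchanged. Everything the page does not specify is an assumption and is marked as such in the code: that the 32-bit key is applied by cycling through its four little-endian bytes, that BlockSize is the compressed length, that a block is stored as a 4-byte id, 4-byte size and payload, and that zlib runs before the XOR. The sample blocks, seed and RC4 key are constructed, not real Zeus data.

```python
import zlib
from typing import Dict


def block_xor_key(block_size: int, block_id: int, xor_seed: int) -> int:
    """Per-block key exactly as given in the pseudo code on the page."""
    return ((block_size << 0x10) | block_id) | (xor_seed << 8)


def xor_block(data: bytes, key: int) -> bytes:
    """Byte-per-byte XOR of one block with its key.

    Assumption (not stated on the page): the 32-bit key is applied by
    cycling through its four little-endian bytes. XOR is its own inverse,
    so the same call both encodes and decodes.
    """
    key_bytes = (key & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), used here as the outer layer."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_config(blocks: Dict[int, bytes], xor_seed: int, rc4_key: bytes) -> bytes:
    """zlib -> per-block XOR -> RC4 over the concatenated blocks.

    Assumed block layout (not from the page): 4-byte LE id, 4-byte LE
    compressed size, payload. BlockSize in the key is the compressed size.
    """
    body = bytearray()
    for block_id, plain in blocks.items():
        comp = zlib.compress(plain)
        key = block_xor_key(len(comp), block_id, xor_seed)
        body += block_id.to_bytes(4, "little") + len(comp).to_bytes(4, "little")
        body += xor_block(comp, key)
    return rc4(rc4_key, bytes(body))


def decode_config(blob: bytes, xor_seed: int, rc4_key: bytes) -> Dict[int, bytes]:
    """Reverse of encode_config; this is the step an analysis tool needs to add.

    The key only depends on the block header and the seed, so once the RC4
    layer is off, the header alone is enough to strip the new XOR layer.
    A wrong seed corrupts the zlib header and decompression fails.
    """
    body = rc4(rc4_key, blob)
    blocks: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        block_id = int.from_bytes(body[pos:pos + 4], "little")
        size = int.from_bytes(body[pos + 4:pos + 8], "little")
        payload = body[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated block 0x%x" % block_id)
        key = block_xor_key(size, block_id, xor_seed)
        blocks[block_id] = zlib.decompress(xor_block(payload, key))
        pos += 8 + size
    return blocks


# Constructed sample config (not real Zeus data); ids and content are made up.
SAMPLE_BLOCKS = {
    0x1000: b"http://example.invalid/gate.php",
    0x2000: b"*.bank.example/*\n<inject>constructed webinject</inject>",
}
SAMPLE_SEED = 0x5A            # constructed XorSeed
SAMPLE_RC4_KEY = b"constructed-rc4-key"

if __name__ == "__main__":
    blob = encode_config(SAMPLE_BLOCKS, SAMPLE_SEED, SAMPLE_RC4_KEY)
    for bid, content in decode_config(blob, SAMPLE_SEED, SAMPLE_RC4_KEY).items():
        print("block 0x%x: %r" % (bid, content))
```

The point for tooling is in decode_config: with the RC4 layer removed, nothing secret beyond the seed is needed to undo the new layer, because BlockSize and BlockId are read straight from the block header. Note that the key uses OR rather than addition, so bits of the seed that overlap bits of BlockId are absorbed; two seeds differing only in such a bit produce the same key.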

Any node can now provide malware

Due to the nature of a decentralized network, every node can now act as the main C&C thanks to a minimal nginx web server that every bot comes with.

Note that, unlike previous Zeus and SpyEye versions, some of the bots observed by Symantec were distributing malware binaries too.

2012
02.07

[..]

In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog) that approve the transactions.

[..]

via Malware Redirects Bank Phone Calls to Attackers | Trusteer.

2012
02.07

The image below (Picture 1) shows this CAPTCHA breaking malware’s ecosystem, which we’ll describe step by step.

Step 1: The starting point of an infection is a banking Trojan variant known as Cridex. This variant is propagated via malicious email messages that hold shortened links leading to exploit kits (see this example), in our case the Blackhole exploit kit.

Step 2: If the exploit is successful, the Cridex variant is downloaded to the machine.

Step 3: Cridex runs on the machine.

Step 4: Cridex is a data-stealing Trojan that is similar to Zeus in the way it operates: It logs content from Web sessions and alters them to harvest information from the infected user. The Cridex configuration file downloaded by this variant (safe to view and download and shortened here) shows which websites the variant monitors and steals data from, along with Web form injection points (data alteration injected into Web forms to harvest additional data like ATM PIN numbers). We have observed that Facebook, Twitter, and many banking services are targets. A partial list of targeted websites can be found here.

Step 5: Any stolen data from the system is uploaded to a command and control server.

[..]

Cridex scheme

via Trojan caught on camera shows CAPTCHA is still a security issue – Security Labs.

2012
02.07

[..]

The online security giant reckons that Trojan bankers have been detected on an average of 2 000 unique users’ computers per day. The most notable Trojan discovered by the company is called Trojan-Banker.MSIL.MultiPhishing.gen and is reportedly designed “to steal account details from clients of numerous banks including Santander, HSBC Bank UK, Metro Bank, Bank of Scotland, Lloyds TSB, and Barclays”.

[..]

via 780+ viruses target online banking daily – top antivirus company | memeburn.