
Zeus tops banking threats


Cyprus, 07 Jun 2010

Although it first appeared around 2006, the Zeus Trojan, also known as Zbot, Wsnpoem and Kneber, remains the most popular banking Trojan in the wild, and is making millions for cyber criminals around the world.

Costin Raiu, director of Kaspersky Lab's global research and analysis team, says there are now thousands of versions of this Trojan available. “The full pack with the generic version costs as little as $500, and the full pack with the unique exclusive version, that can be adapted to include custom features to suit various nefarious purposes, costs between $3 000 and $5 000.

“Almost anyone inclined to do so can get their hands on a copy of Zeus. It is also really simple to customise it, to suit any specific needs, and also fairly simple to encrypt it, hiding it from the anti-virus solution installed,” he says.

According to Raiu, the number of victims is constantly increasing. “By the end of March, Kaspersky Lab saw over 16 000 infections per day. This is because it is implemented on the most successful infrastructure in the world, the botnet infrastructure.

“Zeus is particularly dangerous as it tracks everything that a computer remembers - be it login details, passwords, or other data. The Trojan also controls all the data that is transferred via the Web browser,” he explains.

What makes it worse, says Raiu, is that Zeus can also modify a Web site's code, to add new fields where the user is asked to enter personal information, such as PIN codes. Once the codes are entered, the Trojan intercepts them and sends them to the person behind the Trojan.

“Even more frightening is what the Trojan does with financial transactions. Let's say a user wants to send money to someone. Zeus will see them attempt to do this and, as the user enters the recipient's account details and suchlike, the Trojan replaces them with its own details, and can even change the bank's response, so the confirmation appears to have the correct account information.”

However, Raiu says these scammers pick targets that are close by geographically, as banks began to get suspicious of sums of money being transferred over thousands of miles.

In terms of infected users with no money to steal, Raiu says even they are not safe. “Perhaps even more dangerous, the Trojan can use a remote computer for illegal activities, such as sending spam, or forming botnets.”

The cyber criminal can control the infected machines that make up their network, without giving the victim the slightest reason to suppose this is happening. He says victims may go for months without having a clue they are being used for all sorts of nefarious activities.

According to Raiu, making money off Zeus is an extremely simple process. “A cyber criminal buys a toolkit, infects users, collects their information, and the information gets uploaded to servers, or drop-zones,” he explains. “A Trojan drop-zone is a server configured to receive stolen data, which can amount to several GBs daily, with an average size of 14GB, and an average number of files of 31 000. The information stored here ranges from jpeg files and text files, to logs from infected PCs. Each cyber crime group runs several drop-zones at a time.”

If you consider how much data this translates to, all of it easily accessible, and capable of making vast sums of money for the cyber criminals, it's a frightening thought, he opines.

To avoid falling foul of the Zeus threat, Raiu says certain processes must be followed. “Ensure you have modern hardware and software. Install a good security solution, and patch and update frequently. The right security mindset and education are also priorities.”
