NOTORIOUS BANKING TROJAN Zeus is back in another variant, security firm Malwarebytes has warned.
Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing
emails or web-based attacks, including "malvertising", whereby people
are infected by visiting websites containing malicious ads.
"The Zeus/Zbot Trojan is one of the most notorious banking Trojans ever
created; it's so popular it gave birth to many offshoots and copycats," the firm said.
"The particularity of Zeus is that it acts as a 'man in the browser',
allowing cyber-crooks to collect personal information from its victims
as well as to surreptitiously perform online transactions.
"A new variant of this Trojan, dubbed ZeusVM, is using images as a
decoy to retrieve its configuration file, a vital piece for its proper
operation."
Malwarebytes senior security researcher Jerome Segura explained that
there are several parts to this piece of malware. The main
executable, the bot, buries itself in the computer and ensures it
is relaunched every time the machine reboots; at regular intervals it also
checks with its command and control server for new instructions while
monitoring user activity.
"The JPG contains the malware configuration file which is essentially
a list of scripts and financial institutions - but doesn't need to be
opened by the victim themselves," Segura said.
"In fact, the JPEG itself has very little visibility to the user and
is largely a cloaking technique to ensure it is undetected from a security software standpoint."
This enables a "man in the browser" attack where everything the
victim does while browsing can be intercepted and modified at will.
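One check a defender can build from the description above, added here as an example (not code from the article or from Malwarebytes): it assumes the decoy image carries its hidden configuration appended after the JPEG's End-of-Image marker, and flags image files that have such a trailer.

```python
# Added example (not from the article or Malwarebytes): flag JPEG files that
# carry extra bytes after the End-of-Image marker. It assumes the config is
# appended after the image data, a common way such "decoy" images are built.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return everything after the JPEG's real EOI marker (b'' if nothing).

    Walks the marker segments, then scans entropy-coded data while honouring
    byte stuffing (FF 00) and restart markers (FF D0..D7), so a stray FF D9
    inside the picture data does not end the walk early.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        b, nxt = data[pos], data[pos + 1]
        if in_scan and (b != 0xFF or nxt == 0x00 or 0xD0 <= nxt <= 0xD7):
            pos += 1                      # still inside compressed image data
            continue
        if b != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        if nxt == 0xFF:                   # fill byte preceding a marker
            pos += 1
            continue
        if nxt == EOI:
            return data[pos + 2:]
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                # length field counts itself
        in_scan = nxt == SOS              # scan data follows the SOS header
    raise ValueError("truncated JPEG: no EOI marker")


def has_appended_payload(data: bytes, min_trailer: int = 16) -> bool:
    """True if the file carries at least min_trailer bytes past EOI."""
    return len(jpeg_trailing_data(data)) >= min_trailer


# Constructed sample: a minimal JPEG skeleton (APP0 segment, SOS header, scan
# data with a stuffed FF 00 and an RST marker, then EOI), with and without a
# fake appended configuration blob.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
              + b"\xff\xda" + struct.pack(">H", 3) + b"\x01"
              + b"\x12\xff\x00\x34\xff\xd0\x56"
              + b"\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"<constructed encrypted config blob>"
```

A small trailer (a few padding bytes) is common in benign files, so the threshold keeps the check from firing on every image; anything large enough to hold a config list deserves a closer look.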
"Visiting certain URLs, such as a bank website, will trigger an alert
and the Trojan will start interacting in real-time. For example, it
will alter the login page and ask for additional personal details, which
it does using a technique known as 'webinjects', where code is injected
directly into the browser, changing the webpage in real time," he
added.
It can also perform wire transfers while the victim is logged in,
Segura said, and even alter the appearance of the current account
balance to ensure that it remains unnoticed.
Although most anti-malware products should detect banking Trojans, traditional anti-virus products might not.
"It only matters if the detection is timely. There's little use if
you have been infected for two days and your account has already been
depleted," the firm said, advising that observing basic security tips
like "not opening email attachments unless you are absolutely sure it is
safe" will help.
However, while Malwarebytes recorded a new variant of the popular
Zeus Trojan, security firm FireEye has said that hackers are dropping
standard malware like Zeus in favour of more advanced but harder to use
remote access Trojans (RATs) such as Xtreme RAT.
Xtreme RAT has been freely available on a number
of cyber black markets since June 2010. It is dangerous because it can
be used for a variety of purposes, including interacting with the victim
machine via a remote shell, uploading and downloading files,
interacting with the registry, and manipulating running processes and
services.
Tuesday, April 1, 2014
Neverquest banking malware partners Zeus Trojan
New Neverquest malware steals bank account logins
and lets attackers access accounts through victims' computers.
For over five years, Zeus has been the undisputed king of banking malware. Once this Trojan was loaded onto a victim's machine, it could:
- Detect when the owner entered banking information into a web browser.
- Steal passwords and other pertinent login information.
- Encrypt the stolen information and send it to the attacker's specified servers.
Zeus remains active today, but its source code was published online in 2011 and this cyberscourge has about run its course. Unfortunately, security experts are already sounding the alarm about a new piece of malware that makes Zeus look like a simpleton. Neverquest significantly raises the bar for online banking malware.
How Neverquest works
Like Zeus, Neverquest is a Trojan. Bad guys introduce Neverquest to the victim's computer via social media, email, or file transfer. According to the security blog Threat Post, Neverquest replicates in a manner similar to the Bredolab botnet client: "Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet." Before it was shuttered, the Bredolab botnet consisted of 30 million computers. Why not use something that works?
If the victim's computer is vulnerable to an exploit targeted by Neverquest's Trojan loader, the malware is installed. Then Neverquest starts paying attention to what the user is typing into their web browser. If a predetermined financial term is recognized, Neverquest checks the website domain name. Since Neverquest has hundreds of banking and financial institutions in its database, there's a better than average chance Neverquest will be familiar with the banking website.
Once Neverquest recognizes a banking site, it will relay the login information back to the attackers’ command and control server. Once the victim's credentials are in the hands of the attackers, they will remotely control the victim's computer using VNC, log into the victim's banking website, and do one of the following:
- Transfer money to different accounts
- Change login credentials, locking out the account owner
- Write checks to money mules
One capability Neverquest has that Zeus doesn't is the ability to cultivate new banking sites for its database. If the malcode recognizes certain financial terms but not the domain, Neverquest sends the information back to the command and control server, which then creates a new identity and updates every compromised computer under its control.
Neverquest in the wild
One sobering reality is that Neverquest is already for sale. Zeus, being "first of its kind" malware, required skilled controllers. Not so with Neverquest: script kiddies and malware non-experts are able to make use of the potent malware as soon as they buy it.