1 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

ISSUE NO. 68 JULY 19, 2010

New ZeuS/ZBOT Variant Targets Russian Banks Good businesses are constantly evolving. Every change, no matter how small, is geared toward improvement. In the threat landscape, cybercriminal businesses undergo continuous development as well. The ZeuS botnet business is no exception. Considered as one of the most thriving cybercriminal enterprises today, it is an ever-evolving threat that continues to pose danger to users on the one hand, as it reaps profits for cybercriminals on the other.

The Threat Defined ZeuS: Making Cybercrime Easier ZeuS/ZBOT is best known for its information theft capabilities. Primarily created as a crimeware kit that steals online banking credentials, ZeuS has evolved to become one of the most widely used crimeware tools that enable both professional and amateur cybercriminals to make easy money.

While ZeuS malware variants may be complex and encrypted, the ZeuS toolkit is readily accessible that even someone with minimal technical knowledge can learn to configure and use it. As mentioned in the paper “ZeuS: A Persistent Cybercrime Enterprise,” ZeuS Builder and ZeuS Server, the basic ZeuS components, have become the de facto standard for cybercrime. In fact, cybercriminals can set up a fully functional and highly professional botnet in less than five minutes. Given these factors, it is easy to see why ZeuS remains a cybercriminal favorite in proliferating moneymaking schemes.

ZeuS Variant Targets Russian Banks Many of the changes that have been made to the ZeuS botnet were more subtle than drastic. Notable improvements made to the botnet include the use of more complex encryption methods and more up-to-date social engineering tactics and the expansion of its list of targets. Despite the addition of more popular social networking sites like Facebook to the list of sites the botnet monitors, however, its consistent targets remain online banking websites.

Nonetheless, these subtle changes are what threat experts look out for. While they may initially seem insignificant, they may turn out to be clear indicators of major shifts in the threat landscape in the long run. In fact, Trend Micro senior advanced threats researcher Loucif Kharouni recently reported the sudden inclusion of Russian banks in the list of ZeuS-monitored sites.

Detected as TSPY_ZBOT.ZCZ, the said ZeuS variant uses a very old toolkit version but targets several Russian banks and the popular Russian search engine Yandex. The same sample also targets banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand.

Like typical ZeuS variants, TSPY_ZBOT.ZCZ connects to a URL to download its configuration file, which contains information where it can download an updated copy of itself and where to send the data it steals. This configuration file also contains the list of target websites from which it should steal information, including Russian banks like one of the country’s largest private banks, MDM Bank.

Figure 1. TSPY_ZBOT.ZCZ infection diagram

2 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

The Price of Online Banking As Kharouni notes, this is the first time that a ZeuS variant targeted a Russian bank. He adds that while he has seen a few samples targeting Yandex services, he cannot recall any previous variant that included MDM Bank or any other online Russian banking system as target.

Considering the fact that online banking is not necessarily popular in Russia, it could be surmised that more ZeuS variants targeting this region may be found in the wild once the platform gains popularity. It is also interesting to note that while the principal perpetrators of ZeuS are in Eastern Europe, particularly in the Ukraine and Russia, only this recent variant has been found targeting Russian banks thus far.

The inclusion of Russian banks in the list of target sites may be a small step that could prove to be an insignificant change in the long run. The more pressing concern is the continued evolution of the ZeuS botnet. Its persistent existence in the wild, combined with the increasing use of online banking sites around the world, make for a dangerous combination. In several cases, the convenience that comes with conducting transactions over the Web becomes a high price to pay whenever ZeuS is involved. ZeuS’ victims may save time and money when they bank online but may, unfortunately, also lose far more than what they bargained for.

User Risks and Exposure As banks and other financial institutions take to the Web to improve their services and to increase their market reach, the potential for online identity theft also increases. The increased awareness of cybercriminals’ various stealth tactics may be comforting but then again, there is also a great need to make this consciousness more widespread.

Knowing how to create an online account and to conduct transactions is not enough. Users also need to be educated about the various security threats that loom over online banking. Security measures should not be disregarded in exchange for convenience. As such, it is vital that users learn about the many ways by which they can protect their information and, consequently, their hard-earned money.

An important first step is to invest in a smart security solution. Abiding by safe computing practices such as deleting messages from unknown senders and avoiding unverified websites could possibly decrease the probability of system infection. The use of multiple secure passwords would also be immensely useful. More importantly, use a unique password for each online banking account. In the event that an information theft attack occurs, the likelihood that the same password can be used to access other online accounts can be avoided.

Trend Micro Solutions and Recommendations Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.

In this attack, Smart Protection Network’s file reputation service detects and prevents the download of malicious files detected as TSPY_ZBOT.ZCZ. Its Web reputation service likewise prevents access to related malicious websites. The following post at the TrendLabs Malware Blog discusses this threat: http://blog.trendmicro.com/zeuszbot-targets-russian-banks/ The virus report is found here: http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ZCZ Other related posts are found here: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/62_security_threats_loom_over_online_banking__june_28__2010_.pdf http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/58_kneber_takes_the_zbotzeus_stage__ march_1__2010_.pdf