Return of Zeus. A New Wave of Malware that will Empty Your Bank Account.


In a report by security company M86 Security, organized crime is using a new trojan variant called Zeus v3 to infect unsuspecting web surfers’ machines, then steal their online banking credentials.  Once the credentials are obtained, they are used to drain your account.  This is a very sophisticated and organized attack.  It’s not something that the kid down the street who hasn’t come out of his basement in three years is capable of pulling off.  M86 has posted an in-depth whitepaper on the matter which can be found here.   The report is both fascinating and disturbing.

For those who don’t wish to commit the time to understand all of the fine details about how the attack works, I’ll lay out the short version here.  First, the bad guys infect legitimate ad servers.  These are the machines that serve the advertisements to websites you regularly visit.  From there, the infected servers start pushing out the trojan to computers visiting LEGITIMATE websites.  The trojan is delivered via advertisements through the infected ad servers.  That’s really the beauty of the delivery method.  They deliver the payload to infect your computer through regular websites because the advertising on those sites comes from somewhere else.  The ad servers are infected the same way your home computer gets infected.  Somewhere along the line, a vulnerability wasn’t addressed.  This can happen for a number of reasons.  The operating system wasn’t patched, a firewall rule wasn’t enforced, etc.  Once the trojan is delivered to the home user’s computer, it simply waits until the unsuspecting user logs into their bank account via a web browser.  That’s when it sends the credentials to a command and control (C&C) server.  Later, after it analyzes the information (bank name, country, etc.), the C&C server communicates back to the victim’s computer and has it initiate a bank transfer.  It will drain the victim’s account, siphoning it off and covering its tracks along the way.  Then, to put the cherry on top, when the victim logs back into their bank, the traffic is diverted to the C&C server where a fake statement is generated, thereby fooling the user into thinking they still have money in their account.

This is a brilliant and complicated scheme.  The money trail is like following a single noodle through a bowl of spaghetti.  Thus far, attacks have primarily been on UK bank accounts, but don’t let that make those of you outside of the UK feel good.  This could very easily be perpetrated elsewhere.  To compound the matter, this particular attack seems to be very good at getting past the major virus scanners.

That’s the bad news.  The good news is, we can make it very hard to fall victim to this type of attack.  If you don’t bank online, of course, you are immune.  If the benefits of online banking outweigh the risks, you can still protect yourself.  First, you should be following ALL of my advice in my recent post Lock Down!.  This alone will dramatically reduce your chances of infection by the trojan.  Second, you could switch to a Mac or use Linux.  While not immune, these operating systems are much more difficult to infect because of their Unix heritage and because they just aren’t as popular as Windows.  Windows is the low hanging fruit for virus writers.  Linux has become very easy to use and most versions of it are free.  I have my computer set up to give me a choice of booting to Linux or Windows.  That’s pretty easy to do.  Third, you could use a boot CD as I described in my post A Temporary Solution for your online banking activities.  While not as convenient, you won’t be at risk of infection.  This is the safest option next to just not banking online at all.


One response to “Return of Zeus. A New Wave of Malware that will Empty Your Bank Account.”

  1. Thanks Mike, no IT guy on this end but I do like the extra eyes and ears out there. Thanks Again!
