Attacks/Breaches
11/7/2012
11:11 AM
50%
50%

Malware Tools Get Smarter To Nab Financial Data

New versions of the Gh0st RAT Trojan -- believed to be used by China -- and the Citadel cybercrime kit both advance the malicious state of the art.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
If you've got $3,931 burning a hole in your pocket, speak Russian, and want to invest in a crimeware toolkit, you're in luck.

That's the price for the latest version of the Citadel malware, code-named Rain Edition (1.3.5.1), which includes all of the latest malware mod cons: advanced Firefox and Chrome data-stealing plug-ins, advanced Web injection techniques to modify code on targeted websites, and easier updating for Trojan files that have been used to infect PCs. The malware also sports an easy-to-use, browser-based interface for running the command-and-control (C&C) infrastructure that sends instructions to infected PCs in the botnet -- and retrieves stolen data -- as well as infection analytics.

Of course, that's assuming you could even obtain a copy of Citadel. "Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground," said Jerome Segura, a senior security researcher at Malwarebytes, in a blog post. "The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them -- as we have seen with Zeus." Accordingly, it's only available on selected Russian-language underground forums.

[ Read Windows 7 Malware Infection Rates Soar. ]

As with much of the malware that's in circulation today, Citadel is designed to commit financial crimes. "The main purpose of Citadel is to steal banking credentials," said Segura, noting that the malware includes built-in capabilities that allow attackers to search victims' PCs for credentials related to specific banks. Most of the infected PCs, meanwhile, get managed by attackers using so-called bulletproof hosting providers. Predominantly located in Russia and China, these services will turn a blind eye to any cybercrime committed using their services, typically as long as it doesn't affect anyone inside their country's borders.

Although financial malware and banking Trojans are in common use, another leading application for botnet-managed malicious code is for perpetrating click fraud, typically by using malware to generate fake advertising impressions. According to a report on malware trends released by Kindsight Security Labs, the most active botnet from July to September of this year was ZeroAccess, which is actively infecting an estimated 685,000 PCs in the United States, and 2.2 million worldwide.

Kindsight estimates that on a daily basis, ZeroAccess botnets alone generate "about 140 million fraudulent ad-clicks and 260 terabytes of network traffic," costing advertisers $900,000 in lost advertising impressions per day. Of course, the malware can also be used to steal financial credential, sniff keystrokes and steal BitCoins.

Although malware remains the preferred tool for online criminals who want to steal financial details, recent advanced in espionage malware highlight its use for more political purposes as well.

For example, the most recent version of the Gh0st malware, which is designed to steal sensitive data, has lately added in a repurposed version of the Russian-built DarKDdoser tool, which can steal any passwords stored in the Mozilla Firefox browser, as well as launch three flavors of distributed denial-of-service attacks -- UDP floods, SYN floods, and HTTP floods -- according to a blog post from Vinay Pidathala, a security content researcher at FireEye.

The addition of DDoS capabilities is interesting, given that Gh0st previously has been used to launch cyberespionage attacks against targets in Iran, India, Germany, Thailand and other parts of Asia regions, in the pursuit of military, diplomatic, political and economic intelligence. Based in part on its use in an attack against the Dalai Lama and pro-Tibetan groups, security experts have suggested that many Gh0st attacks can be traced to China.

Gh0st is part of a class of Trojan application known as the remote administration tool (RAT), which can be used to take complete control of an infected system, typically via an advanced persistent threat (APT) attack.

Although RATs have been used for years, they came to prominence last year after McAfee published details of a command-and-control website tied to a tool it dubbed Shady RAT. Alarmingly, the tool had been used for at least five years, to compromise at least 72 organizations, including 22 governmental agencies and contractors, over a period of five years. Based on the targets and techniques used, many security experts suspect that, as with Gh0st, the Chinese government was backing Shady RAT.

The continued updating of Gh0st, as well as banking Trojans such as Citadel, demonstrates that such software continues to remain highly effective at infecting targeted PCs, and obtaining data that offers economic or political upsides.

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
11/17/2012 | 12:18:59 AM
re: Malware Tools Get Smarter To Nab Financial Data
From the sounds of how hard it is to obtain Citadel, how much of a threat is it t the general public? Or is it large financial institutions that need to be worried here. Something that is that hard to obtain and has all sorts of stipulations, as speaking Russian and a chunk of cash, sounds like it would appeal to a very specific or select individuals or organizations. On the other hand it sound as if Gh0st malware is alive and attacking many systems out there today, sounds like this is more of a threat to the average everyday user where Citadel has targeted large financial intuitions.On the other hand it sounds as if Gh0st malware is alive and attacking many systems out there today, sounds like this is more of a threat to the average everyday user where Citadel has targeted large financial intuitions.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jamie, the darn Unicorn is back."
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.