LinkedIn Attack Also Spread Bugat Trojan -- Not Just ZeusLesser-known financial fraud malware, such as Bugat and Carberp, are slowly making inroads and could give Zeus a run for its money, researchers say
All eyes have been on the prolific Zeus Trojan with its numerous attacks during the past year-and-a-half, as well as the recent high-profile international arrests of members from two separate cybercrime rings suspected of infecting machines with the Trojan and stealing a total of $73 million from their victims' bank accounts. But while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground.
The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack -- not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says.
The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers.
was initially discovered in February by SecureWorks and has some features similar to those found in banking Trojans Zeus and Clampi, but with a few twists. It uses an SSL-encrypted command-and-control (C&C) infrastructure using HTTP-S, and also steals FTP and POP credentials in those sessions. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus.
Then there's Carberp, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP.
"The Carberp Trojan delivers almost all functionalities of a Zeus Trojan, but it is in some ways even more sophisticated," says Andreas Baumhof, CTO at TrustDefender. It can fully control any Web session and steal data or inject HTML to get around dynamic password schemes, he says. Carberp also contains a vast plug-in system, he says.
"Most worryingly, it can be installed with nonadministration rights. This is a feature that Zeus has only recently added," Baumhof says. "In regard to the HTML injection functionality, Carberp is now a part of a fairly 'elite' group of Trojans, such as Zeus, Silentbanker, Gozi, Mebroot, or Spyeye: All of these Trojans have been used for highly sophisticated fraudulent attacks against financial systems."
Carberp injects itself into Windows components and operates as a man-in-the-browser attack. It's also able to see and control HTTP-S and EV-SSL sessions, he says. "Whenever information is submitted over an encrypted HTTP-S session, including username/passwords and login details, Carberp will steal these and send them off to a C&C server in real time," Baumhof explains. "In addition to this, Carberp has the ability to change the current Web page to inject arbitrary HTML to perform more advanced tasks. This is typically used to steal dynamic passwords, such as one-time-passwords from two-factor authentication tokens."
That's bad news for online banking customers who feel relatively safe with their bank's two-factor authentication process. "One possible way is to steal one [one-time password] and simply reply back to the user that something was wrong and she/he should do it again. This would now give them [the attackers] a valid one-time password," he says.
TrustDefender witnessed some new Carberp samples yesterday, but is still awaiting its first big attack, Baumhof says.
The emergence of these and other rivals to the Zeus Trojan highlights how the bad guys are constantly reinventing the threat landscape to achieve their ultimate goal of making money. In this case, it's by creating new, less-detectable ways to steal the online financial credentials of mostly consumers and small to midsize businesses (SMBs).
"In some regard, the 'Dark Cloud' has its fixed players: big kids on campus. It's inevitable over time that new threats will evolve that can disrupt the threat landscape, challenge the old, innovate faster, and become more subtle. Carberp is an example of this ... and essentially it's shaking up the way the Dark Cloud is formed," says Sam Curry, chief technologist for RSA. "As with other businesses, the takeaway is that there are younger, hungrier, faster, and more competitive technologies that can and will challenge the status quo. Carberp isn't remarkable for its symptoms: It's remarkable for what it tells us about the people behind the scenes."
TrustDefender's Baumhof says Carberp has the potential to eventually overtake Zeus. "As Carberp is growing in sophistication at such a rapid rate, it potentially has the capabilities to outgrow and extend its reach beyond the Zeus model. We anticipate that Zeus will still be the No. 1 choice for quite a while, but the fact that there are new Trojans of similar quality popping up, shows just how lucrative this market is," he says.
Next: Zeus could ultimately fall to new family of Trojans
Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio
1 of 2