10/12/2010 02:36 PM
LinkedIn Attack Also Spread Bugat Trojan -- Not Just Zeus

Lesser-known financial fraud malware, such as Bugat and Carberp, are slowly making inroads and could give Zeus a run for its money, researchers say

All eyes have been on the prolific Zeus Trojan with its numerous attacks during the past year-and-a-half, as well as the recent high-profile international arrests of members from two separate cybercrime rings suspected of infecting machines with the Trojan and stealing a total of $73 million from their victims' bank accounts. But while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground.

The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack -- not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says.

The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers.

Bugat was initially discovered in February by SecureWorks and has some features similar to those found in the banking Trojans Zeus and Clampi, but with a few twists. It communicates with its command-and-control (C&C) infrastructure over SSL-encrypted HTTPS, and it also steals FTP and POP credentials. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus.

Then there's Carberp, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP.

"The Carberp Trojan delivers almost all functionalities of a Zeus Trojan, but it is in some ways even more sophisticated," says Andreas Baumhof, CTO at TrustDefender. It can fully control any Web session and steal data or inject HTML to get around dynamic password schemes, he says. Carberp also contains a vast plug-in system, he says.

"Most worryingly, it can be installed with nonadministration rights. This is a feature that Zeus has only recently added," Baumhof says. "In regard to the HTML injection functionality, Carberp is now a part of a fairly 'elite' group of Trojans, such as Zeus, Silentbanker, Gozi, Mebroot, or Spyeye: All of these Trojans have been used for highly sophisticated fraudulent attacks against financial systems."

Carberp injects itself into Windows components and operates as a man-in-the-browser attack. It's also able to see and control HTTP-S and EV-SSL sessions, he says. "Whenever information is submitted over an encrypted HTTP-S session, including username/passwords and login details, Carberp will steal these and send them off to a C&C server in real time," Baumhof explains. "In addition to this, Carberp has the ability to change the current Web page to inject arbitrary HTML to perform more advanced tasks. This is typically used to steal dynamic passwords, such as one-time-passwords from two-factor authentication tokens."

That's bad news for online banking customers who feel relatively safe with their bank's two-factor authentication process. "One possible way is to steal one [one-time password] and simply reply back to the user that something was wrong and she/he should do it again. This would now give them [the attackers] a valid one-time password," he says.

TrustDefender witnessed some new Carberp samples yesterday, but is still awaiting its first big attack, Baumhof says.

The emergence of these and other rivals to the Zeus Trojan highlights how the bad guys are constantly reinventing the threat landscape to achieve their ultimate goal of making money. In this case, it's by creating new, less-detectable ways to steal the online financial credentials of mostly consumers and small to midsize businesses (SMBs).

"In some regard, the 'Dark Cloud' has its fixed players: big kids on campus. It's inevitable over time that new threats will evolve that can disrupt the threat landscape, challenge the old, innovate faster, and become more subtle. Carberp is an example of this ... and essentially it's shaking up the way the Dark Cloud is formed," says Sam Curry, chief technologist for RSA. "As with other businesses, the takeaway is that there are younger, hungrier, faster, and more competitive technologies that can and will challenge the status quo. Carberp isn't remarkable for its symptoms: It's remarkable for what it tells us about the people behind the scenes."

TrustDefender's Baumhof says Carberp has the potential to eventually overtake Zeus. "As Carberp is growing in sophistication at such a rapid rate, it potentially has the capabilities to outgrow and extend its reach beyond the Zeus model. We anticipate that Zeus will still be the No. 1 choice for quite a while, but the fact that there are new Trojans of similar quality popping up, shows just how lucrative this market is," he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
