Attacks/Breaches
10/12/2010
02:36 PM

LinkedIn Attack Also Spread Bugat Trojan -- Not Just Zeus

Lesser-known financial fraud malware families, such as Bugat and Carberp, are slowly making inroads and could give Zeus a run for its money, researchers say

All eyes have been on the prolific Zeus Trojan with its numerous attacks during the past year-and-a-half, as well as the recent high-profile international arrests of members from two separate cybercrime rings suspected of infecting machines with the Trojan and stealing a total of $73 million from their victims' bank accounts. But while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground.

The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack -- not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says.

The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers.

Bugat was initially discovered in February by SecureWorks and has some features similar to those found in the banking Trojans Zeus and Clampi, but with a few twists. It uses an SSL-encrypted command-and-control (C&C) infrastructure that communicates over HTTP-S, and it also steals FTP and POP credentials from the infected machine's sessions. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus.

Then there's Carberp, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP.

"The Carberp Trojan delivers almost all functionalities of a Zeus Trojan, but it is in some ways even more sophisticated," says Andreas Baumhof, CTO at TrustDefender. It can fully control any Web session and steal data or inject HTML to get around dynamic password schemes, he says. Carberp also contains a vast plug-in system, he says.

"Most worryingly, it can be installed with nonadministration rights. This is a feature that Zeus has only recently added," Baumhof says. "In regard to the HTML injection functionality, Carberp is now a part of a fairly 'elite' group of Trojans, such as Zeus, Silentbanker, Gozi, Mebroot, or Spyeye: All of these Trojans have been used for highly sophisticated fraudulent attacks against financial systems."

Carberp injects itself into Windows components and operates as a man-in-the-browser attack. It's also able to see and control HTTP-S and EV-SSL sessions, he says. "Whenever information is submitted over an encrypted HTTP-S session, including username/passwords and login details, Carberp will steal these and send them off to a C&C server in real time," Baumhof explains. "In addition to this, Carberp has the ability to change the current Web page to inject arbitrary HTML to perform more advanced tasks. This is typically used to steal dynamic passwords, such as one-time-passwords from two-factor authentication tokens."

That's bad news for online banking customers who feel relatively safe with their bank's two-factor authentication process. "One possible way is to steal one [one-time password] and simply reply back to the user that something was wrong and she/he should do it again. This would now give them [the attackers] a valid one-time password," he says.
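The trick Baumhof describes works because a plain one-time password proves only that the user holds the token; it says nothing about which transaction the code was meant to authorize, and nothing stops a captured code from being submitted later by someone else. The following is an added example, not code from the article or from any vendor it quotes, showing the two server-side properties that blunt this: each code is consumed on first successful use, and each code is derived over the transaction details (amount and beneficiary) so that a code stolen for the victim's own transfer does not validate for a transfer the attacker substitutes. The HOTP-style derivation, the `TransactionOtpVerifier` class, the seed and the account identifiers are all constructed for the demo; it generalizes the article's OTP case to transaction-bound codes, which the article itself does not discuss.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; in a real deployment this is the per-user token secret
# shared between the bank and the customer's hardware or software token.
DEMO_SEED = b"constructed-demo-seed-not-a-real-key"


def derive_otp(seed: bytes, counter: int, amount: str, beneficiary: str,
               digits: int = 6) -> str:
    """HOTP-style code bound to the transaction it is meant to authorize.

    Binding the amount and beneficiary into the MAC input is the point: a code
    the user generated for *their* transfer is useless for a transfer the
    malware substitutes, even if the code itself is captured in real time.
    """
    msg = (struct.pack(">Q", counter)
           + amount.encode() + b"|" + beneficiary.encode())
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226, applied to a SHA-256 digest.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TransactionOtpVerifier:
    """Server side: a code is valid for one counter value and one transaction."""

    def __init__(self, seed: bytes, window: int = 3):
        self.seed = seed
        self.counter = 0       # next counter value the server will accept
        self.window = window   # tolerate a few codes the user generated but never sent

    def verify(self, code: str, amount: str, beneficiary: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            expected = derive_otp(self.seed, c, amount, beneficiary)
            if hmac.compare_digest(expected, code):
                # Consume the code: this counter and every earlier one are now dead,
                # so a replay of a captured code is rejected.
                self.counter = c + 1
                return True
        return False


def run_scenario() -> dict:
    """Replays the 'something went wrong, try again' ruse against the verifier.

    Constructed scenario: the victim's legitimate transfer and the attacker's
    substituted beneficiary. Returns each step's outcome so it can be checked.
    """
    server = TransactionOtpVerifier(DEMO_SEED)
    token_counter = 0  # the victim's token keeps its own counter

    # Step 1: the victim generates a code for their own transfer; malware captures it
    # and tells the victim the submission failed.
    captured = derive_otp(DEMO_SEED, token_counter, "100.00", "ACCT-VICTIM-PAYEE")
    token_counter += 1

    # Step 2: the attacker tries the captured code on a transfer to their own account.
    attacker_first_try = server.verify(captured, "100.00", "ACCT-ATTACKER")

    # Step 3: the victim, believing the first attempt failed, sends a second code.
    second = derive_otp(DEMO_SEED, token_counter, "100.00", "ACCT-VICTIM-PAYEE")
    victim_retry = server.verify(second, "100.00", "ACCT-VICTIM-PAYEE")

    # Step 4: the attacker replays the captured code, this time with the victim's
    # own transaction details, hoping it is still live.
    attacker_replay = server.verify(captured, "100.00", "ACCT-VICTIM-PAYEE")

    return {
        "attacker_first_try": attacker_first_try,   # False: wrong beneficiary
        "victim_retry": victim_retry,               # True: fresh code, matching details
        "attacker_replay": attacker_replay,         # False: counter already consumed
        "server_counter": server.counter,           # 2: counters 0 and 1 are spent
    }


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The window of tolerated counter values is what lets a user who generated a code and never submitted it carry on without resynchronizing; keep it small, because every value in the window is one more code an attacker could guess. A transaction-bound code only helps if the token displays the amount and beneficiary it is signing, since a man-in-the-browser can rewrite what the browser shows.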

TrustDefender witnessed some new Carberp samples yesterday, but is still awaiting its first big attack, Baumhof says.

The emergence of these and other rivals to the Zeus Trojan highlights how the bad guys are constantly reinventing the threat landscape to achieve their ultimate goal of making money. In this case, it's by creating new, less-detectable ways to steal online financial credentials, mostly from consumers and small to midsize businesses (SMBs).

"In some regard, the 'Dark Cloud' has its fixed players: big kids on campus. It's inevitable over time that new threats will evolve that can disrupt the threat landscape, challenge the old, innovate faster, and become more subtle. Carberp is an example of this ... and essentially it's shaking up the way the Dark Cloud is formed," says Sam Curry, chief technologist for RSA. "As with other businesses, the takeaway is that there are younger, hungrier, faster, and more competitive technologies that can and will challenge the status quo. Carberp isn't remarkable for its symptoms: It's remarkable for what it tells us about the people behind the scenes."

TrustDefender's Baumhof says Carberp has the potential to eventually overtake Zeus. "As Carberp is growing in sophistication at such a rapid rate, it potentially has the capabilities to outgrow and extend its reach beyond the Zeus model. We anticipate that Zeus will still be the No. 1 choice for quite a while, but the fact that there are new Trojans of similar quality popping up shows just how lucrative this market is," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...