Attacks/Breaches
10/12/2010
02:36 PM

LinkedIn Attack Also Spread Bugat Trojan -- Not Just Zeus

Lesser-known financial fraud malware families, such as Bugat and Carberp, are slowly making inroads and could give Zeus a run for its money, researchers say

All eyes have been on the prolific Zeus Trojan with its numerous attacks during the past year-and-a-half, as well as the recent high-profile international arrests of members of two separate cybercrime rings suspected of infecting machines with the Trojan and stealing a total of $73 million from their victims' bank accounts. But while Zeus is indeed the undisputed king of financial fraud malware today, a handful of other banking Trojans waiting in the wings are slowly and quietly gaining ground.

The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack -- not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says.

The LinkedIn phishing attack last month (September 2010), which was considered the largest-ever such attack, sent LinkedIn members emails styled as reminders of unread messages in their accounts; each carried a malicious URL that led to a phony site that installed the Bugat executable, according to Trusteer researchers.

Bugat was initially discovered in February by SecureWorks and shares features with the banking Trojans Zeus and Clampi, but with a few twists. Its command-and-control (C&C) traffic runs over SSL-encrypted HTTPS, and in addition to banking data it harvests FTP and POP credentials from the victim's sessions. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus.

Then there's Carberp, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It runs on Windows Vista and Windows 7 as well as XP.

"The Carberp Trojan delivers almost all functionalities of a Zeus Trojan, but it is in some ways even more sophisticated," says Andreas Baumhof, CTO at TrustDefender. It can fully control any Web session and steal data or inject HTML to get around dynamic password schemes, he says. Carberp also contains a vast plug-in system, he says.

"Most worryingly, it can be installed with non-administrator rights. This is a feature that Zeus has only recently added," Baumhof says. "In regard to the HTML injection functionality, Carberp is now a part of a fairly 'elite' group of Trojans, such as Zeus, Silentbanker, Gozi, Mebroot, or SpyEye: All of these Trojans have been used for highly sophisticated fraudulent attacks against financial systems."

Carberp injects itself into Windows components and operates as a man-in-the-browser (MitB) attack. It's also able to see and control HTTPS and EV-SSL sessions, because it sits inside the browser process after the TLS layer has decrypted the traffic, he says. "Whenever information is submitted over an encrypted HTTPS session, including username/passwords and login details, Carberp will steal these and send them off to a C&C server in real time," Baumhof explains. "In addition to this, Carberp has the ability to change the current Web page to inject arbitrary HTML to perform more advanced tasks. This is typically used to steal dynamic passwords, such as one-time passwords from two-factor authentication tokens."

That's bad news for online banking customers who feel relatively safe with their bank's two-factor authentication process. Because a plain one-time password only proves that the token was present, not which transaction it authorizes, the malware can simply keep the first code for itself. "One possible way is to steal one [one-time password] and simply reply back to the user that something was wrong and she/he should do it again. This would now give them [the attackers] a valid one-time password," he says.

TrustDefender witnessed some new Carberp samples yesterday, but is still awaiting its first big attack, Baumhof says.

The emergence of these and other rivals to the Zeus Trojan highlights how the bad guys are constantly reinventing the threat landscape to achieve their ultimate goal of making money. In this case, it's by creating new, less-detectable ways to steal the online financial credentials of mostly consumers and small to midsize businesses (SMBs).

"In some regard, the 'Dark Cloud' has its fixed players: big kids on campus. It's inevitable over time that new threats will evolve that can disrupt the threat landscape, challenge the old, innovate faster, and become more subtle. Carberp is an example of this ... and essentially it's shaking up the way the Dark Cloud is formed," says Sam Curry, chief technologist for RSA. "As with other businesses, the takeaway is that there are younger, hungrier, faster, and more competitive technologies that can and will challenge the status quo. Carberp isn't remarkable for its symptoms: It's remarkable for what it tells us about the people behind the scenes."

TrustDefender's Baumhof says Carberp has the potential to eventually overtake Zeus. "As Carberp is growing in sophistication at such a rapid rate, it potentially has the capabilities to outgrow and extend its reach beyond the Zeus model. We anticipate that Zeus will still be the No. 1 choice for quite a while, but the fact that there are new Trojans of similar quality popping up, shows just how lucrative this market is," he says.

Next: Zeus could ultimately fall to new family of Trojans

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
