Vulnerabilities / Threats
7/23/2013
12:38 PM
50%
50%

Russian Trojan With Twist Targets Financial Details

Malware, designed to not infect Russian or Ukrainian PCs, is already for sale on cybercrime underground, says RSA.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
For sale: State-of-the-art banking Trojan, just $5,000 via the WebMoney (WMZ) payment system.

So goes the sales pitch for "a new professional-grade banking Trojan" spotted by security firm RSA. Dubbed Kins, the software promises to fill a gap in the financial malware world left by the source code for the easy-to-use Zeus malware published in 2011, and Citadel -- which offered not only a range of features but also high-grade technical support -- withdrawn from sale in cybercrime marketplaces in December 2012.

"Underground chatter increasingly reflects the growing appetite for new, 'real' banking malware in the online fraud arena, featuring discussions by criminals who would eagerly welcome a new developer and jointly finance a banker project if one would only make sense to them," said RSA cyber intelligence researcher Limor Kessem in a Tuesday blog post.

[ Is telecom equipment maker Huawei engaged in espionage? Read Huawei Spies For China, Former NSA Director Says. ]

Enter Kins, which RSA said it first began hearing chatter about in February 2013. Earlier this month, meanwhile, "a vendor in a closed Russian-speaking online forum announced the open sale of the Trojan to the cybercrime community," said Kessem.

The related "software sale" bulletin, written in Russian, says the bot includes both a dropper and Zeus-compatible DLLs, which are used for malicious Web injections, to disguise the malware's manipulation of online banking accounts.

The developer behind Kins promised that the Trojan can infect a PC deep at the volume boot record (VBR) level, where it's harder for antivirus software to detect. The developer also said that the malware includes features designed to help it evade Trojan trackers, which have been used by security researchers to bring down numerous botnet command-and-control systems, including SpyEye.

The malware's developer advertised the base version of the Trojan for $5,000, but said additional modules are also for sale, including a plug-in for $2,000 that's designed to disable the financial malware defense tool Rapport. Kins' developers also promised technical support for all Windows 8 users and said they have "plans for further development," including a module that will scan infected PCs for the presence of software that uses the remote desktop protocol (RDP). If RDP is present, remote attackers would have an easy-to-use and hard-to-detect mechanism for gaining full remote control of an infected PC.

Who built Kins? Assuming the software is real, it appears to be built by Russian or Ukrainian criminals. "Kins does not work on Russian-language systems. If Russian or Ukrainian specs are detected, the Trojan will terminate," said Kessem. That suggests that Kins' developer is abiding a long-standing agreement between cybercriminals and authorities in both of those countries: If the criminals refrain from targeting locals and agree to provide occasional pro bono work to the country's security services, then government authorities turn a blind eye to their online crime campaigns -- or in this case, financial malware development efforts.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.