Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:00 AM
Connect Directly

Bank Botnets Continue to Thrive One Year After Gameover Zeus Takedown

Features on new botnets suggest attackers have learned from the lessons of takedown.

RSA CONFERENCE -- San Francisco -- Despite the takedowns of the Gameover Zeus and Shylock botnets last year, banking botnet activity continues to persist unabated.

If anything, they have become even more sophisticated and evasive suggesting that those behind these botnets have learned and adapted from the Zeus and Shylock takedowns, a report from Dell SecureWorks Counter Threat Unit said Wednesday.

Researchers at SecureWorks analyzed banking botnet activity between early 2014 and early 2015 and discovered that botnets have increasingly begun relying on hidden network services like Tor and I2P (Invisible Internet Project) to resist takedown attempts and surveillance said CTU senior security researcher Pallav Khandhar.

Some have begun using 128-bit public keys to sign every update issued by command and control servers to ensure the messages cannot be intercepted and poisoned by law enforcement and security researchers, Khandhar said.

Banking trojans were used in attacks against about 1,400 financial institutions over the past year. Almost 90 percent of the victims were U.S-based institutions, but several were located overseas as well including in countries like the United Kingdom, Spain, Australia, Germany and Italy. Some have begun targeting financial institutions in Asia as well.

The Gameover takedown has also spawned at least three distinct new botnets. “All three came out with a vengeance. They introduced new features like Tor and I2P that Zeus and other botnets never used,” Khandhar said

One new botnet that has made its presence felt in the post Gameover Zeus era is Dyre. The botnet shares many features with Zeus including the mechanism used to drop malware on an infected system. But there are significant differences as well.

Current generation versions of the Dyre trojan, which is also called Dyreza and Dyzap, use SSL to encrypt all communications between a compromised system and the command control server that is remotely controlling it.

The malware is capable of using web fakes, dynamic web injects and other options to retain control of the botnet, Khandhar said. It uses a custom algorithm and RSA cryptography to sign all configuration files and plugins. What makes Dyre interesting is its use of proxy servers to hide its true back-end, Khandhar said. Since Dyre was released in June last year it has quickly emerged as one of the most dangerous banking trojans currently doing the rounds.

Another botnet that has garnered some attention is Bugat v5, SecureWorks said in its report. The trojan was first discovered in 2010 and grew significantly in 2014. It went from a using centralized command and control model to one where control is enabled via peer-to-peer systems. It uses a cryptographic system that combines both public key cryptography and symmetric key cryptography to communicate with infected systems,

Though banking botnets are designed to steal financial information from consumers and businesses they are being repurposed for a wide variety of other malicious purposes, Khandhar said.

Over the period of their analysis SecureWorks’ researchers noted banking botnets being used to target website for corporate payroll and finance service, email services, employment portals, dating sites and stick trading and social networking sites.

The threat posed to consumers by these types of attacks should not be underestimated Khandhar said. Hackers have used botnets to steal identity and log in credentials and then used those credentials to log into employment sites and job portals. In some instances, they used their access to pose as employees and intercept communications and resumes from job applicants.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...