Bank Botnets Continue to Thrive One Year After Gameover Zeus Takedown

Features of the new botnets suggest attackers have learned from the lessons of the takedown.

RSA CONFERENCE -- San Francisco -- Despite the takedowns of the Gameover Zeus and Shylock botnets last year, banking botnet activity persists unabated.

If anything, the botnets have become even more sophisticated and evasive, suggesting that those behind them have learned and adapted from the Zeus and Shylock takedowns, a report from Dell SecureWorks' Counter Threat Unit (CTU) said Wednesday.

Researchers at SecureWorks analyzed banking botnet activity between early 2014 and early 2015 and found that botnets have increasingly begun relying on hidden network services such as Tor and I2P (Invisible Internet Project) to resist takedown attempts and surveillance, said CTU senior security researcher Pallav Khandhar.

Some have begun using 128-bit public keys to sign every update issued by command-and-control servers to ensure the messages cannot be intercepted and poisoned by law enforcement and security researchers, Khandhar said.

Banking trojans were used in attacks against about 1,400 financial institutions over the past year. Almost 90 percent of the victims were U.S.-based institutions, but several were located overseas as well, including in the United Kingdom, Spain, Australia, Germany and Italy. Some botnets have begun targeting financial institutions in Asia as well.

The Gameover takedown has also spawned at least three distinct new botnets. “All three came out with a vengeance. They introduced new features like Tor and I2P that Zeus and other botnets never used,” Khandhar said.

One new botnet that has made its presence felt in the post-Gameover Zeus era is Dyre. The botnet shares many features with Zeus, including the mechanism used to drop malware on an infected system, but there are significant differences as well.

Current-generation versions of the Dyre trojan, which is also called Dyreza and Dyzap, use SSL to encrypt all communications between a compromised system and the command-and-control server that is remotely controlling it.

The malware is capable of using web fakes, dynamic web injects and other options to retain control of the botnet, Khandhar said. It uses a custom algorithm and RSA cryptography to sign all configuration files and plugins. What makes Dyre interesting is its use of proxy servers to hide its true back end, Khandhar said. Since Dyre was released in June last year, it has quickly emerged as one of the most dangerous banking trojans currently doing the rounds.

Another botnet that has garnered some attention is Bugat v5, SecureWorks said in its report. The trojan was first discovered in 2010 and grew significantly in 2014. It went from using a centralized command-and-control model to one where control is exercised via peer-to-peer systems. It uses a hybrid cryptographic scheme, combining public-key cryptography with symmetric-key cryptography, to communicate with infected systems.

Though banking botnets are designed to steal financial information from consumers and businesses, they are being repurposed for a wide variety of other malicious purposes, Khandhar said.

Over the period of their analysis, SecureWorks' researchers noted banking botnets being used to target websites for corporate payroll and finance services, email services, employment portals, dating sites, stock trading sites and social networking sites.

The threat posed to consumers by these types of attacks should not be underestimated, Khandhar said. Hackers have used botnets to steal identity and login credentials and then used those credentials to log into employment sites and job portals. In some instances, they used their access to pose as employees and intercept communications and resumes from job applicants.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
