
Vulnerabilities / Threats

4/22/2015
09:00 AM
Bank Botnets Continue to Thrive One Year After Gameover Zeus Takedown

Features on new botnets suggest attackers have learned from the lessons of takedown.

RSA CONFERENCE -- San Francisco -- Despite the takedowns of the Gameover Zeus and Shylock botnets last year, banking botnet activity continues to persist unabated.

If anything, they have become even more sophisticated and evasive, suggesting that those behind these botnets have learned and adapted from the Zeus and Shylock takedowns, a report from Dell SecureWorks Counter Threat Unit said Wednesday.

Researchers at SecureWorks analyzed banking botnet activity between early 2014 and early 2015 and discovered that botnets have increasingly begun relying on hidden network services like Tor and I2P (Invisible Internet Project) to resist takedown attempts and surveillance, said CTU senior security researcher Pallav Khandhar.

Some have begun using 128-bit public keys to sign every update issued by command and control servers to ensure the messages cannot be intercepted and poisoned by law enforcement and security researchers, Khandhar said.

Banking trojans were used in attacks against about 1,400 financial institutions over the past year. Almost 90 percent of the victims were U.S.-based institutions, but several were located overseas as well, including in countries like the United Kingdom, Spain, Australia, Germany and Italy. Some have begun targeting financial institutions in Asia as well.

The Gameover takedown has also spawned at least three distinct new botnets. “All three came out with a vengeance. They introduced new features like Tor and I2P that Zeus and other botnets never used,” Khandhar said.

One new botnet that has made its presence felt in the post-Gameover Zeus era is Dyre. The botnet shares many features with Zeus, including the mechanism used to drop malware on an infected system. But there are significant differences as well.

Current-generation versions of the Dyre trojan, which is also called Dyreza and Dyzap, use SSL to encrypt all communications between a compromised system and the command and control server that is remotely controlling it.

The malware is capable of using web fakes, dynamic web injects and other options to retain control of the botnet, Khandhar said. It uses a custom algorithm and RSA cryptography to sign all configuration files and plugins. What makes Dyre interesting is its use of proxy servers to hide its true back end, Khandhar said. Since Dyre was released in June last year, it has quickly emerged as one of the most dangerous banking trojans currently doing the rounds.

Another botnet that has garnered some attention is Bugat v5, SecureWorks said in its report. The trojan was first discovered in 2010 and grew significantly in 2014. It went from using a centralized command and control model to one where control is enabled via peer-to-peer systems. It uses a cryptographic system that combines both public key cryptography and symmetric key cryptography to communicate with infected systems.

Though banking botnets are designed to steal financial information from consumers and businesses, they are being repurposed for a wide variety of other malicious purposes, Khandhar said.

Over the period of their analysis, SecureWorks’ researchers noted banking botnets being used to target websites for corporate payroll and finance services, email services, employment portals, dating sites, stock trading sites and social networking sites.

The threat posed to consumers by these types of attacks should not be underestimated, Khandhar said. Hackers have used botnets to steal identity and login credentials and then used those credentials to log into employment sites and job portals. In some instances, they used their access to pose as employees and intercept communications and resumes from job applicants.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...