Bank Botnets Continue to Thrive One Year After Gameover Zeus Takedown
Features on new botnets suggest attackers have learned from the lessons of takedown.
April 22, 2015
RSA CONFERENCE -- San Francisco -- Despite the takedowns of the Gameover Zeus and Shylock botnets last year, banking botnet activity continues to persist unabated.
If anything, they have become even more sophisticated and evasive, suggesting that those behind these botnets have learned and adapted from the Zeus and Shylock takedowns, a report from Dell SecureWorks Counter Threat Unit said Wednesday.
Researchers at SecureWorks analyzed banking botnet activity between early 2014 and early 2015 and discovered that botnets have increasingly begun relying on hidden network services like Tor and I2P (Invisible Internet Project) to resist takedown attempts and surveillance, said CTU senior security researcher Pallav Khandhar.
Some have begun using 128-bit public keys to sign every update issued by command and control servers to ensure the messages cannot be intercepted and poisoned by law enforcement and security researchers, Khandhar said.
Banking trojans were used in attacks against about 1,400 financial institutions over the past year. Almost 90 percent of the victims were U.S.-based institutions, but several were located overseas as well, including in countries like the United Kingdom, Spain, Australia, Germany and Italy. Some have begun targeting financial institutions in Asia as well.
The Gameover takedown has also spawned at least three distinct new botnets. “All three came out with a vengeance. They introduced new features like Tor and I2P that Zeus and other botnets never used,” Khandhar said.
One new botnet that has made its presence felt in the post-Gameover Zeus era is Dyre. The botnet shares many features with Zeus, including the mechanism used to drop malware on an infected system. But there are significant differences as well.
Current-generation versions of the Dyre trojan, which is also called Dyreza and Dyzap, use SSL to encrypt all communications between a compromised system and the command and control server that is remotely controlling it.
The malware is capable of using web fakes, dynamic web injects and other options to retain control of the botnet, Khandhar said. It uses a custom algorithm and RSA cryptography to sign all configuration files and plugins. What makes Dyre interesting is its use of proxy servers to hide its true back-end, Khandhar said. Since Dyre was released in June last year it has quickly emerged as one of the most dangerous banking trojans currently doing the rounds.
Another botnet that has garnered some attention is Bugat v5, SecureWorks said in its report. The trojan was first discovered in 2010 and grew significantly in 2014. It went from using a centralized command and control model to one where control is enabled via peer-to-peer systems. It uses a cryptographic system that combines both public key cryptography and symmetric key cryptography to communicate with infected systems.
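The two cryptographic measures the report describes, signing every update with a key only the operator holds and wrapping traffic in a public-key plus symmetric-key scheme, are what make a sinkholed or seized server unable to push an accepted replacement configuration. The following Python is an added illustration written for this page; it is not Dyre's, Bugat's or SecureWorks' code, and the update format, the choice of RSA-PSS for signatures and RSA-OAEP-wrapped AES-GCM for the hybrid layer are assumptions that stand in for the trojans' undisclosed custom algorithms. It uses the third-party `cryptography` package.

```python
"""Added example: why signed and hybrid-encrypted updates resist poisoning.

Assumptions (not from the page): a bot only accepts an update whose
signature verifies under the operator's public key, and payloads are
sent as AES-GCM ciphertext with the AES key wrapped by the recipient's
RSA public key. The update text below is a constructed sample.
"""
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Shared padding parameters so sign/verify and encrypt/decrypt agree.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """Fresh 2048-bit RSA key (the page mentions 128-bit keys; 2048 is used here as a sane modern size)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def sign_update(private_key, update: bytes) -> bytes:
    """Operator side: sign the raw update bytes."""
    return private_key.sign(update, PSS, hashes.SHA256())


def verify_update(public_key, update: bytes, signature: bytes) -> bool:
    """Bot side: accept only updates that verify under the pinned operator key."""
    try:
        public_key.verify(signature, update, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def hybrid_encrypt(recipient_public_key, plaintext: bytes):
    """Symmetric encryption of the payload, asymmetric wrapping of the symmetric key."""
    aes_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce, never reused with the same key
    ciphertext = AESGCM(aes_key).encrypt(nonce, plaintext, None)
    wrapped_key = recipient_public_key.encrypt(aes_key, OAEP)
    return wrapped_key, nonce, ciphertext


def hybrid_decrypt(recipient_private_key, wrapped_key, nonce, ciphertext) -> bytes:
    """Unwrap the AES key with the private key, then open the AEAD ciphertext."""
    aes_key = recipient_private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(aes_key).decrypt(nonce, ciphertext, None)


def demo() -> dict:
    """Run the scenario the report describes and return the outcomes."""
    operator = generate_keypair()   # signing key held only by the botnet operator
    other = generate_keypair()      # any party without that key, e.g. a sinkhole after a takedown
    bot = generate_keypair()        # recipient key whose public half the sender encrypts to
    update = b"constructed sample: config version 2"  # constructed, not a real config

    good_sig = sign_update(operator, update)
    other_sig = sign_update(other, update)

    pinned = operator.public_key()  # the bot pins this; it never trusts a key sent in-band
    wrapped, nonce, ct = hybrid_encrypt(bot.public_key(), update)

    return {
        "genuine_accepted": verify_update(pinned, update, good_sig),
        # same update bytes, but signed with a key the bot does not trust
        "other_key_rejected": not verify_update(pinned, update, other_sig),
        # genuine signature over modified bytes is also rejected
        "tampered_rejected": not verify_update(pinned, update + b"!", good_sig),
        "hybrid_roundtrip_ok": hybrid_decrypt(bot, wrapped, nonce, ct) == update,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The practical consequence for a takedown is the one the report draws: seizing or sinkholing the server name is not enough, because a bot that pins the operator's public key discards anything the new owner of that address sends, and the hybrid layer keeps captured traffic opaque without the recipient's private key. Disrupting such a botnet therefore depends on recovering the signing key or on blocking the transport, not on substituting the endpoint.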
Though banking botnets are designed to steal financial information from consumers and businesses they are being repurposed for a wide variety of other malicious purposes, Khandhar said.
Over the period of their analysis, SecureWorks’ researchers noted banking botnets being used to target websites for corporate payroll and finance services, email services, employment portals, dating sites, stock trading sites and social networking sites.
The threat posed to consumers by these types of attacks should not be underestimated, Khandhar said. Hackers have used botnets to steal identity and login credentials and then used those credentials to log into employment sites and job portals. In some instances, they used their access to pose as employees and intercept communications and resumes from job applicants.