A Trojan that steals online banking credentials is proving to be a particularly insidious and successful piece of malware, according to security experts.
Zeus is the "biggest banking Trojan out there," Laura Mather, co-founder and vice president of marketing at Palo Alto, Calif.-based fraud prevention company Silver Tail Systems said during a recent company webcast. "It's the nastiest, most sophisticated Trojan I've ever seen. It's a money-stealing machine."
Also called Zbot, Zeus and its variants surfaced last year but began trying to infect machines at a steady clip this spring, said Ben Greenbaum, senior manager in the security response unit at Symantec Corp. The malware is easy to configure and widely available on the Internet, with prices ranging from a couple hundred dollars to free, he added.
"Zeus is unusual in the level of success it's achieved. It's more widespread than most," he said. "It combines the best-of-breed features of other crimeware packages into one easy-to-use software suite, so to speak."
About 1.6 million infected machines make up hundreds of Zeus botnets, which target 960 banks, Mather said. Criminals have wreaked a lot of havoc with the bank Trojan's advanced capabilities, she said, citing a case reported by the Washington Post, in which cybercriminals stole $415,000 from Bullitt County, Ky., where Zeus infected the county treasurer's computer.
Mather, managing director of operational policy for the Anti-Phishing Working Group and a former director of fraud prevention at eBay Inc., said the malware can be customized to gather credentials from banks in specific geographic areas and has various means of distribution, including email attachments and malicious Web links. Once it infects a machine, it typically sits dormant, springing to life when the user visits a webpage with a form to fill out.
The Zeus Trojan has a capability that allows criminals to add fields to the form, such as fields for additional authentication information for a bank website; those credentials are sent back to the criminal, she said. Fraudsters also can alter the display to fool users into thinking all their money is still in their account.
The way Zeus alters a form on a genuine bank website as it's displayed on the victim's computer -- instead of showing an entirely fake banking website -- is one of its most powerful features and sets it apart from other banking Trojans, said Richard Wang, manager of the U.S. research labs at Sophos Plc.
"What versions of Zeus might do is see that page as it's being displayed, and at the browser level instead of at the bank level, add an extra box that might ask for your Social Security number," he said. "It looks like the bank has changed its login procedure."
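The injection Wang describes happens after the genuine page has reached the browser, so the bank's server never sees the extra field. One defensive signal a bank can still collect is a client-side audit that compares the rendered login form against a manifest of the fields the server actually served and reports anything extra back as telemetry. The following is an added illustration, not code from the article or from any vendor quoted in it; the manifest format, field names and the `collectFormFields`/`auditFormFields` helpers are assumptions made for the example.

```javascript
// Added example: detect inputs a MITB Trojan injected into a genuine form.
// The manifest would be embedded in the page by the bank's server; its
// format and the field names below are constructed for this illustration.
const LOGIN_FORM_MANIFEST = {
  formId: "login",
  fields: [
    { name: "username",   type: "text" },
    { name: "password",   type: "password" },
    { name: "csrf_token", type: "hidden" },
  ],
};

// In a real page `form` is an HTMLFormElement; here it is any object that
// exposes `elements`, so the audit logic has no DOM dependency and can be
// exercised outside a browser.
function collectFormFields(form) {
  return Array.from(form.elements)
    .filter(el => el.name)
    .map(el => ({ name: el.name, type: (el.type || "text").toLowerCase() }));
}

// Compare what the browser rendered with what the server declared. A field
// that is not in the manifest, or whose type changed (e.g. text -> password),
// is reported as unexpected; declared fields that vanished are also reported.
function auditFormFields(observedFields, manifest) {
  const declared = new Map(manifest.fields.map(f => [f.name, f.type]));
  const seen = new Set();
  const unexpected = [];
  for (const field of observedFields) {
    seen.add(field.name);
    const declaredType = declared.get(field.name);
    if (declaredType === undefined || declaredType !== field.type) {
      unexpected.push(field);
    }
  }
  const missing = manifest.fields.filter(f => !seen.has(f.name)).map(f => f.name);
  return { unexpected, missing, tampered: unexpected.length > 0 || missing.length > 0 };
}

// Constructed samples: the form as served, and the same form after an extra
// "ssn" prompt of the kind quoted above has been injected at the browser level.
const cleanForm = { elements: [
  { name: "username",   type: "text" },
  { name: "password",   type: "password" },
  { name: "csrf_token", type: "hidden" },
]};
const injectedForm = { elements: [
  { name: "username",   type: "text" },
  { name: "password",   type: "password" },
  { name: "ssn",        type: "text" },      // injected, not in the manifest
  { name: "csrf_token", type: "hidden" },
]};

function auditClean()    { return auditFormFields(collectFormFields(cleanForm),    LOGIN_FORM_MANIFEST); }
function auditInjected() { return auditFormFields(collectFormFields(injectedForm), LOGIN_FORM_MANIFEST); }

console.log(JSON.stringify(auditInjected()));
// → {"unexpected":[{"name":"ssn","type":"text"}],"missing":[],"tampered":true}
```

The audit result would be posted to the bank as a risk signal rather than acted on in the page. Because a Trojan that can rewrite the page can also suppress or tamper with this script, the report is only one input: a login whose audit never arrives, or arrives flagged, is a reason for the server-side checks the article discusses later (transaction limits, out-of-band confirmation), not a substitute for them.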
Wang said Zeus is not just a single Trojan, but a toolkit that allows criminals to build their own Trojans that have added functionality. "It allows someone who doesn't have the technical skills to just buy the technology they need to do the banking data theft," he said.
One new Zeus Trojan functionality allows criminals to quickly use stolen credentials, and in some cases, circumvent two-factor authentication. In studying several Zeus variants, researchers at RSA, the security division of Hopkinton, Mass.-based EMC, recently discovered that some criminals were using the Jabber instant messaging open protocol in order to receive stolen information as soon as it was collected from infected computers. The first Jabber IM module RSA researchers studied was configured to extract credentials from users of a single U.S.-based financial institution; another was used by a criminal to target user credentials at five institutions, researchers wrote in a blog post.
"Real-time notification can further online criminals' goals in some cases when certain variations of man-in-the-middle (MITM) or man-in-the-browser (MITB) attacks are launched," RSA researchers wrote. "With such attacks, the online criminal may be acting in real-time as their intended victim logs in to his or her account."
The technique is nothing new, but seems to be gaining popularity, they added.
Symantec's Greenbaum noted that the Zeus Trojan targets more than banking credentials; criminals also are looking to steal social networking site logins and gaming site credentials. Also, Zeus isn't just a bank Trojan, Sophos' Wang said. The malware is used to create "full-featured botnets" that, like other botnets, can be used to send spam, launch denial-of-service attacks, and provide hosting services for malicious websites.
The best tactic banks can take against the malware is to educate their customers about computer security, Wang said: "It is very much about user education and making sure people are using good security practices and that they have security software installed and kept up to date."
In a recent interview, Michael Benardo, chief of the cyber fraud and financial crimes section at the Federal Deposit Insurance Corporation, advised banks to help educate their business customers about PC security in light of the increase in fraudulent wire and ACH transfers. Most of the fraudulent electronic funds transfers (EFTs) involved business customers whose online banking credentials were compromised by criminals using Trojans, keyloggers and other spoofing techniques, the FDIC said.
RSA researchers said online security isn't limited to user credentials, although one-time passwords are still an effective layer of protection.
"In order to fight these threats, organizations should adopt multi-layered online security techniques, such as those that shut down Trojan attacks or authenticate users based on their distinct computer profiles and locations," they wrote.
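Authenticating on "distinct computer profiles and locations" means scoring each login against the device and geography the account has used before and stepping up authentication when the attempt does not fit. The following is an added example of such a server-side check, not RSA's product or code from the article; the history fields, point weights and thresholds are assumptions constructed for the illustration.

```javascript
// Added example: risk-score a login attempt by device profile and location.
// The account history, signal weights and thresholds are all constructed.
const ACCOUNT_HISTORY = [
  { deviceId: "dev-a1", userAgent: "Firefox/3.5", country: "US", city: "Louisville" },
  { deviceId: "dev-a1", userAgent: "Firefox/3.5", country: "US", city: "Louisville" },
  { deviceId: "dev-b2", userAgent: "IE/8.0",      country: "US", city: "Lexington" },
];

// Points per unfamiliar signal and the decision thresholds (assumed values).
const WEIGHTS    = { newDevice: 40, newUserAgent: 15, newCountry: 40, newCity: 10 };
const STEP_UP_AT = 30;   // require an out-of-band confirmation (e.g. a one-time password)
const DENY_AT    = 80;   // block the attempt and raise an alert

// Returns the score, the decision and the reasons, so the decision is auditable.
function scoreLoginAttempt(history, attempt) {
  const seen = key => history.some(h => h[key] === attempt[key]);
  const reasons = [];
  let score = 0;
  if (!seen("deviceId"))  { score += WEIGHTS.newDevice;    reasons.push("unknown device"); }
  if (!seen("userAgent")) { score += WEIGHTS.newUserAgent; reasons.push("unknown browser"); }
  if (!seen("country"))   { score += WEIGHTS.newCountry;   reasons.push("new country"); }
  else if (!seen("city")) { score += WEIGHTS.newCity;      reasons.push("new city"); }
  const decision = score >= DENY_AT ? "deny" : score >= STEP_UP_AT ? "step-up" : "allow";
  return { score, decision, reasons };
}

// Constructed attempts: the customer's usual machine, the same credentials
// replayed from an unfamiliar machine abroad, and a known machine in a new city.
const usualLogin    = { deviceId: "dev-a1", userAgent: "Firefox/3.5", country: "US", city: "Louisville" };
const replayedLogin = { deviceId: "dev-zz", userAgent: "Opera/9",     country: "XX", city: "Elsewhere" };
const travelLogin   = { deviceId: "dev-b2", userAgent: "IE/8.0",      country: "US", city: "Bowling Green" };

for (const attempt of [usualLogin, replayedLogin, travelLogin]) {
  console.log(JSON.stringify(scoreLoginAttempt(ACCOUNT_HISTORY, attempt)));
}
```

The check catches stolen credentials replayed from the criminal's own machine, which is the common case for the credentials Zeus harvests. It scores zero for the real-time man-in-the-browser session the RSA quote describes, where the criminal acts through the victim's own browser and location; that gap is why the quote frames profiling as one layer among several rather than a replacement for transaction-level controls.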