Financial Trojans: Part 1
The fact that such a large percentage of today’s malware is authored by individuals with profit motives is no secret. What may not be quite so obvious, however, is the way this software has changed over the last few years. Much of the malware written just a few years ago captured all keystrokes, or even all traffic (keystrokes, mouse movements, graphic images, and more) going in and out of a computer system. Perpetrators then had to comb through a large volume of captured data to find what they were looking for. What is genuinely novel about the latest round of malware is that it is more efficient: it is designed to steal only financial information. Financial Trojans are in fact rapidly becoming one of the greatest current information security threats, if not the greatest.
One of the best examples is the Zeus Trojan, also called LDO8, LDnn.exe, LD12.exe, PP06.exe, PP08.exe, Zbot, NTOS, WSNPOEM and PRG. Zeus is designed primarily to steal credentials for numerous network services. Once it infects a Windows system, it monitors user activity, particularly logons to the Web sites of certain banks and other financial institutions, but also other types of activity such as sending and receiving email. If it detects such activity, it captures the information and relays it to a remote host. Zeus variants also inject HTML content, containing among other things the URLs of targeted banking and financial sites, into the pages that browsers render.
Spread primarily through email messages and “drive-by downloads,” Zeus also incorporates a number of measures designed to avoid detection. It encrypts the configuration files that it creates on infected systems. Additionally, it has a very small footprint—only between 40 and 150 KB. And perhaps most significantly, the perpetrators who use Zeus have apparently been very selective about which systems they infect. Anti-virus vendors and researchers operate honeynets to detect malware, but Zeus has to a large extent evaded them. When one Zeus variant is detected, another with somewhat different characteristics typically surfaces. According to Trusteer, a malware detection and eradication company, typical anti-virus software detects a dismal 23 percent of all Zeus infections.
Lamentably, the Zeus Trojan is just one of numerous new banking Trojans, and it will by no means be the last. But what is perhaps worst about Zeus is that it is commercially available—worldwide. Anyone willing to pay the purchase price can buy Zeus and then install it on systems at will. Presumably, law enforcement around the world is monitoring Zeus purchase sites, but there is no indication whatsoever that arrests of individuals who download this malware are being made. Are those who download Zeus simply malware researchers? Some undoubtedly are, but I also suspect that many are not. In countries such as Germany, downloading programs of this nature is illegal, yet German law enforcement appears to be “sitting on its hands.” What will it take for law enforcement to take a more active role concerning the use of Zeus? I suspect that the answer is a greater amount of financial loss. Until then, all we can do is stand by and hope for the best.