Financial Trojans: Part 2
It would be nice if the Zeus Trojan, discussed in my previous blog entry, were the only financial Trojan that posed a high level of risk. Alas, this is not true. In fact, many experts consider the URLzone Trojan to be even worse than Zeus. Financial Trojans such as Zeus capture users’ financial information and then rely on individuals to “do the rest of the dirty work.” The more dirty work these individuals have to do, the more likely it is that bank customers will notice that something is wrong, prompting them to report suspicious account activity to the bank. In contrast, the URLzone Trojan is programmed to perform the steps that middlemen in fraudulent banking transactions normally have to carry out themselves, and it also uses a number of stealth mechanisms, making fraud detection more difficult. Once this Trojan infects a system, it gleans the user’s banking information and uses it to transfer funds to the accounts of naïve individuals who have been hired for jobs that superficially appear to be legitimate. These individuals then transfer the money to accounts owned by the perpetrators. Information posted by Finjan indicates that, to avoid fraud detection, each person used to make money transfers is allowed to do so a maximum of two times.
The nature of the money transfers to the hired “mules” varies. Each infected system connects to a server in Ukraine to learn what to do next. It can, for example, be instructed to steadily withdraw small, random amounts of money from the victim’s account so that the withdrawals are less likely to be noticed. Additionally, the Trojan does not attempt to withdraw money when the balance of the victim’s account is zero. Furthermore, URLzone alters on-line statements by modifying the HTML content rendered by the customer’s browser, so that when users view their statements, the fraudulent transactions do not appear. Alternatively, the fraudulent transactions are listed, but the amount displayed for each is less than the amount actually transferred. According to anti-virus vendor Finjan, the Internet Explorer (IE) browser has been involved in this fraudulent activity more than any other browser, but other browsers are also susceptible.
URLzone’s methods of infecting PCs are anything but spectacular. Perpetrators send messages designed to entice potential victims to visit certain URLs. If users click on the indicated URLs, they reach malicious Web sites with routines that attempt to exploit a range of vulnerabilities. If the routines are successful, they drop the URLzone executable onto the system and then start it.
URLzone is taking a terrific toll; it reportedly resulted in nearly 6,600 fraud incidents last month, and was making the equivalent of nearly USD 18,000 per day for the perpetrators. Last August the perpetrators focused mainly on customers of major German banks; the financial loss then was reportedly around the equivalent of USD 400,000.
How long will URLzone go on making all kinds of trouble? No one is sure, but the fact that so many anti-virus tools fail to detect this malicious code has greatly contributed to its success. Count on more variants designed to accomplish a wider range of sordid actions surfacing in the future. And you can also count on the fact that most users whose systems are infected with URLzone will not notice that anything is wrong until the damage has already been done.