Security Bytes

Oct 6 2009   1:28PM GMT

RSA banking Trojan research underscores problem tracking cybercriminals

Robert Westervelt

Research into the URLZone banking Trojan has found sophisticated code designed to root out machines run by researchers.

The cybercriminals behind the URLZone banking Trojan have upped the ante in the cat-and-mouse game white hat security researchers are playing as they target and try to shut down black hat malware coders.

The URLZone banking Trojan has been a highly successful piece of malware. Like other bank Trojans, it dupes bank account holders into giving up their credentials and transferring gobs of money into overseas accounts held by cybercriminals by pushing out “mule” account information with bogus account balances.

But security researchers had been hot on their trail, shutting down fraudulent accounts and notifying banks of the Trojan’s spread. Knowing that their fraudulent accounts were close to being shut down, the cybercriminals designed server-side code that prevents the extraction of the gang’s genuine mule accounts, according to the RSA FraudAction Research Lab.

In a blog posting Monday, researchers at RSA described a sophisticated coding technique designed by black hat coders to root out security researchers and send them onto a wild goose chase. The goal is to keep researchers off the money trail so the operation can continue to harvest gobs of money.

Instead of displaying the details of URLZone’s genuine mule accounts, this piece of code delivers the details of more than 400 (and counting) legitimate accounts that do not belong to the gang’s mules. The code is clearly URLZone’s most unique attribute, and speaks to its operators’ caution against having their criminal pipelines compromised.

The RSA researchers go on to describe how the coding works. For now the list of genuine accounts — designed to trick the researchers — is growing. But as we’ve seen before, once researchers get a handle on the tricks being used by cybercriminals to avoid detection, the cybercriminals turn to a new method. And the cat-and-mouse game continues.
