Banking Trojan archives - Security Bytes


Oct 6 2009   1:28PM GMT

RSA banking Trojan research underscores problem tracking cybercriminals



Posted by: Robert Westervelt
banking Trojan, security research

Research into the URLZone banking Trojan has found sophisticated code designed to root out machines run by researchers.

The cybercriminals behind the URLZone banking Trojan have upped the ante in the cat-and-mouse game between white hat security researchers, who track and try to shut down malware operations, and the black hat coders who run them.

The URLZone banking Trojan has been a highly successful piece of malware. Like other banking Trojans, it dupes bank account holders into giving up their credentials and into transferring gobs of money to overseas accounts held by cybercriminals, by pushing out “mule” account information along with bogus account balances.

But security researchers had been hot on their trail, shutting down fraudulent accounts and notifying banks of the Trojan’s spread. Knowing that their fraudulent accounts were close to being shut down, the cybercriminals designed server-side code that prevents the extraction of the gang’s genuine mule accounts, according to the RSA FraudAction Research Lab.

In a blog posting Monday, researchers at RSA described a sophisticated coding technique designed by black hat coders to root out security researchers and send them on a wild goose chase. The goal is to keep researchers off the money trail so the operation can continue to harvest gobs of money.

Instead of displaying the details of URLZone’s genuine mule accounts, this piece of code delivers the details of more than 400 (and counting) legitimate accounts that do not belong to the gang’s mules. The code is clearly URLZone’s most unique attribute, and speaks to its operators’ caution against having their criminal pipelines compromised.

The RSA researchers go on to describe how the coding works. For now the list of genuine accounts — designed to trick the researchers — is growing. But as we’ve seen before, once researchers get a handle on the tricks being used by cybercriminals to avoid detection, the cybercriminals turn to a new method. And the cat and mouse game continues.

Sep 16 2009   1:29PM GMT

Zeus Trojan evades antivirus software, Trusteer says



Posted by: Marcia Savage
Zeus Trojan, banking Trojan

A study of 10,000 PCs infected with Zeus showed that most of the machines had antivirus installed.

The Zeus Trojan has already proven itself to be one nasty piece of malware in its quest for banking credentials. Now, a new report by security vendor Trusteer shows another alarming facet of Zeus: It’s infecting PCs with updated antivirus software 77% of the time.

In a study of 10,000 PCs infected with Zeus, also called Zbot, Trusteer found that most of the infections occurred on machines where an antivirus product was installed and kept up-to-date: 31% of the Zeus-infected PCs had no antivirus, while 55% had updated antivirus software. Installing antivirus and keeping it updated only reduces the probability of a Zeus infection by 23%, Trusteer concluded.

The study was based on reports gathered from consumer PCs running Trusteer’s Rapport, which the company said detects Zeus through a unique fingerprint the Trojan leaves when it penetrates the browser process. Rapport is a browser plug-in that protects online credentials and transactions. According to Trusteer, the technology detects whether a PC has antivirus and whether it’s updated through the Windows Security Center.

Trusteer claims that its test of how effective antivirus is against Zeus in the wild is more accurate than most other antivirus efficiency tests, which it says are performed in the lab. The test result, the company said, is “disturbing and reveals that the vast majority of Zeus infections go unnoticed by antivirus products.”