Banking Malware: Sophistication Rises In Longtime Botnet Families

Banking Botnets Gain Functionality

Banking Trojans have long been stealing account credentials and draining accounts, and their numbers have been steadily increasing. The malware can blow past most two-factor authentication and password schemes, Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat Unit, said in an interview with CRN. That is forcing some banks to issue independent hardware devices to certain users who conduct high-value transactions, Stewart said. An Android app called Cronto is becoming increasingly popular. The ability to take a video of the victim's screen to capture passwords and other information has been added to at least seven different malware families. Authors are also using it to gain intelligence, studying screen captures and videos to figure out where they can inject code for future attacks. Dell SecureWorks has outlined the top banking Trojan families of 2013 in a new report.

8. Torpig

Torpig is one of the earliest active banking Trojans, having been first detected in 2006. It uses a Man-in-the-Browser (MITB) content manipulation technique to emulate user behavior, create delays and trick banks into thinking victims authorized money transfers and other actions. The malware can also spread quickly: researchers uncovered more than 180,000 Torpig infections during a 10-day period in 2009. Torpig is designed to inject content that mimics the look and style of up to 900 bank and credit-card company website account portals.

7. Gozi

Gozi is a rival to Zeus and was detected in 2007, about the same time as the Zeus malware family. It continues to thrive despite the arrests of some Gozi attackers last year. The malware spreads through spam campaigns that redirect victims to attack websites. Gozi has been associated with attacks that steal file transfer protocol (FTP) credentials. It also can steal credentials from email clients, enabling it to spread quickly. By default, the malware targets websites that belong to large international banks and popular online payment services, Dell SecureWorks said. It then identifies web pages that victims frequent to conduct business, infects them and sets them up to infect the systems of the pages' visitors.

6. Bugat

Bugat arrived on the scene in 2010 and was designed for data theft, specializing in web injection against Microsoft Internet Explorer and Mozilla Firefox users. The botnet produces about 2 percent of the banking Trojan activity observed by Dell SecureWorks, in line with the IceIX, Gozi and Torpig botnets in terms of relative impact. In addition to capturing screenshots and redirecting victims to attack websites, the malware can easily be configured to conduct a man-in-the-middle attack to spy on victim behavior. The malware uses a customized encryption routine that bolsters confidentiality and boosts efficiency, Dell SecureWorks said.

5. IceIX

The IceIX botnet infects systems with account-credential-stealing malware and is responsible for about 2 percent of banking Trojan activity globally. IceIX has all the capabilities of Zeus and shares similar characteristics with it, indicating that it could have been created from the Zeus source code leaked in 2011, according to Dell SecureWorks. The cybercriminals behind the botnet can connect to more than 300 command and control servers, and the botnet itself consists of more than 30,000 infected systems.

4. Shylock

Shylock has never been advertised for sale on hacking forums, but it has gained attention for its ability to spread quickly once a single machine is infected. Shylock produces about 7 percent of the banking malware observed by Dell SecureWorks. The malware seeks out network shares to infect additional systems. In addition to using email messages and drive-by attacks, the Trojan has been spreading through Skype instant messages. Researchers say the toolkit uses a plug-in architecture, enabling operators to add components depending on their attack, ranging from VNC support for remote access to compromised devices to the ability to spread through removable drives. The Shylock botnets are controlled by 53 command and control servers, according to Dell SecureWorks.

3. Zeus

The notorious Zeus banking Trojan was first discovered in 2007. Pure Zeus malware is responsible for 13 percent of the banking Trojan activity observed by Dell SecureWorks. Its source code was stolen and leaked in May 2011, giving nearly every banking Trojan some Zeus features. Attackers spread Zeus malware through spam campaigns and through exploit toolkits used to set up drive-by attacks. The Zeus botnet consists of more than 1,000 command and control servers that can send orders to more than 160,000 infected PCs. In addition to common attack capabilities, some variants of Zeus also can take screenshots and capture video.

2. Citadel

Another extremely active botnet is Citadel, which shares many characteristics with Zeus. The botnet ranks second, producing 33 percent of the banking Trojan activity observed by Dell SecureWorks. The Citadel botnet was temporarily disrupted by authorities last year, but it is resurfacing. The researchers said the creators of the botnet have been active, adding features and other capabilities such as strong encryption of the communication channels from infected systems to the remote command and control server. The creators have also set up a crowdsourcing model so users can propose features. Citadel malware can also block access to security sites from the system it has infected, making it difficult for victims to find information about removing the infection.

1. Gameover Zeus

Gameover, which was first detected in 2011, is responsible for 38 percent of the banking Trojan activity detected. It spreads through email attachments and drive-by downloads. Gameover is tightly controlled and available only to a small segment of the criminal economy. It also uses peer-to-peer communication techniques to mask the location of its command and control servers and drop-off points. Dell SecureWorks researchers call further development of the botnet "extremely focused and driven by a small group of threat actors." Interestingly, those behind Gameover Zeus have been observed using distributed denial-of-service attacks as a diversion tactic to prevent victims from being able to log into their accounts.