E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: ITbusiness.ca

Posted on October 1, 2009

Security experts agree that cyber-criminals are getting better, but a new Trojan takes things to a whole new level.

The URLzone Trojan, identified by researchers at Web filtering vendor Finjan Software earlier this month, represents "the next generation of bank Trojans," said Yuval Ben-Itzhak, Finjan's chief technology officer.

After it infected about 6,400 computer users last month, the Trojan was clearing about €12,000 (US$1,750) per day. That puts it on track to rake in as much as €7.3 million annually.

Criminals installed the Trojan by luring visitors to infected Web sites and leveraging a variety of PC software flaws. They managed to infect about 7.5 percent of the 90,000 computers they attacked before Finjan got access to their command-and-control server, the company said.

More widespread Trojans such as Zeus and Clampi have been siphoning millions of dollars per day out of banks by stealing victims' online credentials and moving the money to unsuspecting "money mules", who then transfer the cash offshore.

These mules are often recruited from job sites such as Monster.com and typically believe they're doing legitimate payroll work for overseas companies, not for organized criminal enterprises.

Once they send the stolen money offshore, they can be the ones held accountable for the loss. For the sheer scale of its impact, Clampi is unique. That ferocious piece of malware infected up to a million PCs, leading one researcher to dub it "the most professional thieving piece of malware I've ever seen."

The Clampi Trojan horse has infected anywhere between 100,000 and 1 million Windows PCs, according to Joe Stewart, director of malware research for SecureWorks' counter-threat unit.

SecureWorks identified around 1,400 of the 4,500 sites targeted by Clampi. "That's an astounding number," said Stewart. "There are plenty of other banking Trojans out there, but they usually target just 20 or 30 sites."

Hackers sneak Clampi onto PCs by duping a user into opening an e-mailed file attachment or by using a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities, Stewart said.

Once on a machine, the Trojan monitors Web sessions, and if the PC owner browses to one of the 4,500 sites, it captures usernames, passwords, PINs and other personal information used to log on to those sites, or to fill out forms.

Periodically, Clampi "phones home" the hijacked information to a command-and-control server run by the hackers, who then empty bank or broker accounts, purchase goods using stolen credit card information or simply compile it for future use, said Stewart.

Although that describes most key-logging or spying malware, Stewart said Clampi is different, both because of the obvious scale of its operation and because of the multiple layers of encryption and deception used by its makers to cloak the attack code and make it nearly impossible for researchers to investigate its workings.

Stewart started tracking Clampi in 2007, but began an intensive examination earlier this year. "The packing that Clampi uses is very sophisticated, and makes it really, really difficult to reverse engineer," said Stewart.

"I'd say this is the most difficult piece of malware I've ever seen to reverse engineer." Security researchers often reverse engineer malware -- pulling it apart to decipher how it works -- during their investigations.

"They're using virtual machine-based packers that let them take code from a virtual CPU instruction set, so that the next time it's packed, it's completely different," said Stewart. "You can't look at Clampi with a conventional tool, like a debugger. It's a real mess to follow, frankly."

The Trojan also encrypts the traffic between hijacked systems and the botnet command-and-control server using multiple methods, said Stewart.

Not only is the network traffic encrypted with 448-bit Blowfish, but the strings inside the attack code binaries are also encrypted. Clampi also uses another unusual tactic to hide from antivirus scanners: its modules -- there are anywhere from four to seven different pieces of the malware -- are stored as encrypted "blobs" in the Windows registry.
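As an added illustration of the detection angle (example code written for this page, not Finjan's, SecureWorks' or the article's own tooling): a scan over registry values that flags large, high-entropy REG_BINARY data, which is the footprint an encrypted module stored as a registry "blob" leaves behind. The key paths, thresholds and sample snapshot are constructed placeholders, not Clampi's real locations.

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions for this example, not values from the article.
MIN_BLOB_BYTES = 2048   # executable modules are rarely smaller than this
MIN_ENTROPY = 7.2       # bits per byte; encrypted/compressed data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_registry_values(values, min_bytes=MIN_BLOB_BYTES, min_entropy=MIN_ENTROPY):
    """Return (key_path, size, entropy) for values that look like encrypted blobs.

    `values` is an iterable of (key_path, value_type, data) triples, the shape a
    winreg walk or a parsed .reg export would yield; only REG_BINARY is examined.
    """
    hits = []
    for key_path, value_type, data in values:
        if value_type != "REG_BINARY" or len(data) < min_bytes:
            continue
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            hits.append((key_path, len(data), round(ent, 2)))
    return hits

def _pseudo_encrypted(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted module (constructed)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

# Constructed sample registry snapshot: two blob-like values among benign ones.
SAMPLE_VALUES = [
    (r"HKCU\Software\Example\Settings\Path", "REG_SZ", b"C:\\Program Files\\Example"),
    (r"HKCU\Software\Example\Settings\Flags", "REG_BINARY", b"\x01\x00\x00\x00" * 16),
    (r"HKCU\Software\Example\Cache\Blob0", "REG_BINARY", _pseudo_encrypted(b"module0", 48_000)),
    (r"HKCU\Software\Example\Cache\Blob1", "REG_BINARY", _pseudo_encrypted(b"module1", 12_000)),
    (r"HKCU\Software\Example\Cache\Icon", "REG_BINARY", b"BM" + b"\x00" * 4094),
]

if __name__ == "__main__":
    for key_path, size, ent in suspicious_registry_values(SAMPLE_VALUES):
        print(f"{key_path}: {size} bytes, entropy {ent:.2f} bits/byte")
```

On a live host, feed the function triples from a winreg walk or a parsed .reg export; legitimate compressed data (icons, cached images) is also high-entropy, so treat hits as leads for review rather than verdicts.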

The sheer scope of the Clampi operation also separates it from run-of-the-mill financial malware, Stewart argued. "They're targeting not just banking sites, but a wide variety of sites where people put in credentials that help them steal money somehow," said Stewart. Among the 1,400 sites he has identified are military information portals, mortgage, insurance, online casino, utility advertising networks and news sites. The sites are hosted in 70 different countries. "That, in itself, speaks to a vast operation on the back end," Stewart said.

It's impossible to say for certain, but all clues point to Russia or Eastern Europe as the base for the criminal gang riding herd on the Clampi botnet. "It looks like it's just one group behind it," said Stewart. "We don't see [chatter about it] on the usual underground forums, which is one reason why there's little or no coverage about Clampi up till now. It's very closely held, and the group is very secretive."

In fact, Stewart held out little hope of nailing the criminals behind Clampi. The command-and-control servers they use to direct the hijacked PCs -- and to receive the stolen usernames and passwords -- are not hosted by a commercial hosting service, but instead are hidden within individual compromised PCs. "I don't think we'll ever get the command-and-control servers," Stewart admitted.

And with URLzone, detection is going to be even more difficult.

It's even more sophisticated than its predecessors, Finjan's Ben-Itzhak said. Its user interface lets the bad guys set some controls that help keep fraud detection systems at bay.

From a central server, they can, for example, set the system to ensure that the account's balance never drops below zero; they can pre-set the system to make a series of small withdrawals that will appear unsuspicious; and the software changes the way the victim's banking page is displayed so that the true transactions are not shown.

"Basically they say, 'I will steal from you €5,000, but I want to make sure at least 5 percent will remain in your balance,'" Ben-Itzhak said.



In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
