ZeuS Variant Trails Target on U.S. Military Bank (August 30, 2010)

Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 71, AUGUST 30, 2010

ZeuS Variant Trails Target on U.S. Military Bank

The concept of cybercrime may be difficult to grasp, particularly for users who have never experienced it firsthand. For victims, however, cybercrime is as real and pressing as the fact that they unwittingly lost their hard-earned money. Whether retirement funds or entrepreneurial investments, the fact remains that cybercriminals have successfully stolen millions of dollars from unsuspecting users. Included in the list of preferred tools of the trade is ZeuS/ZBOT, a crimeware toolkit that has played and is still playing a significant role in the cybercriminal world.

The Threat Defined

ZeuS: A Persistent Cybercrime Enterprise

Various changes and improvements have allowed ZeuS to remain one of the most effective and efficient crimeware tools today. It is consistently being used as a crimeware kit to steal users' online banking credentials. It has likewise played a significant role in several instances that led to major financial losses, some of which left businesses on the brink of bankruptcy. In addition to significant ZeuS technology upgrades, there has also been an increase in ZeuS-related attacks that have seemingly been created with specific individuals or companies in mind. The recent targeted ZeuS attacks include tailor-made spammed messages and variants targeting Russian banks. These notable developments indicate that the cybercriminal minds behind ZeuS are constantly finding new ways to increase the effectiveness of their malicious creations.

Current Target: U.S. Military Personnel

Advanced threats researcher Robert McArdle recently discovered another targeted ZeuS attack, which involved a spammed message informing recipients that their Bank of America Military Bank accounts need to be updated. It then advised them to click a link that redirects to a fake but almost-identical bank login page. In reality, however, this bogus page is hosted in Russia. Once users input any user name and password combination, they are brought to a page that hosts Update Tool, a malicious .EXE file Trend Micro detects as TSPY_ZBOT.BIZ. Users are supposedly required to install this on their systems so that their accounts comply with the requirements of the new login system.

Figure 1. TSPY_ZBOT.BIZ infection diagram

Particularly noteworthy, however, is the fact that the website uses a kit that attempts to automatically infect systems by exploiting vulnerabilities in browsers and browser plug-ins. While the use of an exploit kit is not entirely novel, using an entire suite of browser exploits increases the probability of system infection in this attack. As a result, users who fall into the masterfully made trap do not even have to manually download the file. As such, the download link serves only as a last-resort attack vector.

1 of 2 – WEB THREAT SPOTLIGHT
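To make the infection chain above concrete from a defender's side, here is an added example (not from the original bulletin or from Trend Micro) that scans constructed proxy-log lines for the stages it describes: a credential POST to a login page on a domain that is not the bank's, a download of updatetool.exe, and later HTTP POSTs of stolen data back to the same host. The log format, the bank allowlist and the phishing hostname are assumptions.

```python
"""Flag the phishing-to-ZBOT chain described above in web-proxy log lines.
Constructed example: log format, hostnames and allowlist are assumed; the
stages mirror the bulletin (fake login POST, updatetool.exe, data upload)."""
import re
from collections import defaultdict

LEGIT_BANK_DOMAINS = {"bankofamerica.com"}  # allowlist (assumed)
DROPPER_NAMES = {"updatetool.exe"}          # dropper file name from the page
# assumed log format: client method url status content-type
LINE = re.compile(r"(\S+) (GET|POST) (\S+) (\d{3}) (\S+)")

def registrable_domain(host):
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1) if m else ""

def analyze(lines):
    """Return {client: [(stage, host), ...]} for clients hitting >= 2 stages."""
    stages = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, url, _status, ctype = m.groups()
        host, path = host_of(url), url.split("?")[0].lower()
        filename = path.rsplit("/", 1)[-1]
        if method == "POST" and "login" in path and \
                registrable_domain(host) not in LEGIT_BANK_DOMAINS:
            stages[client].append(("cred_post", host))      # fake login page
        elif filename in DROPPER_NAMES or ctype == "application/x-msdownload":
            stages[client].append(("exe_download", host))   # "Update Tool" dropper
        elif method == "POST" and ("exe_download", host) in stages[client]:
            stages[client].append(("data_upload", host))    # stolen data POST
    return {c: s for c, s in stages.items() if len({n for n, _ in s}) >= 2}

SAMPLE_LOG = [  # constructed lines; the phishing host is a placeholder
    "10.0.0.5 GET http://boa-military-update.invalid/login.php 200 text/html",
    "10.0.0.5 POST http://boa-military-update.invalid/login.php 302 text/html",
    "10.0.0.5 GET http://boa-military-update.invalid/updatetool.exe 200 application/x-msdownload",
    "10.0.0.5 POST http://boa-military-update.invalid/gate.php 200 text/html",
    "10.0.0.7 POST https://www.bankofamerica.com/login 200 text/html",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Only the client that walks the whole chain is reported; the legitimate login on the allowlisted bank domain is ignored.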
Old Tactics Made New

It would also be interesting to note that a similar attack was spotted last year. Instead of a spammed message targeting U.S. military personnel, however, that attack leveraged a spammed message that led users to a bogus Facebook login page. The phishing site also contained a Web exploit toolkit that launched browser attacks, depending on users' browsers and OSs. The use of a download page prompting users to save a file named updatetool.exe was another familiar tactic. Incidentally, the final payload of the said attack is also a ZeuS variant. The striking similarity between these two distinct attacks may mean that only one gang is behind them. It is, however, also likely that the new attack is merely an example of how cybercriminals learn from other criminals' success stories. As the old adage goes, imitation is the best form of flattery.

Figure 2. Download pages posing as Bank of America and Facebook login pages

User Risks and Exposure

One of the primary risks in the proliferation of targeted attacks is the increased possibility of system infection. When users are faced with spammed messages or sites that are particularly believable, they are more likely to let their guard down. In the recent attack, U.S. military personnel face increased risks should the spammed message end up in their inboxes. Given today's increasingly complex threat landscape, it is a good practice to always check for authenticity, especially when there is money involved. As previously discussed, online banking undeniably offers both convenience and risks. As such, information continues to play a key role in protecting users from online threats like ZeuS. Understanding how ZeuS works and how it propagates is a critical step in keeping up with the notorious malware and in preventing system infections.

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro's solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect. In this particular attack, Smart Protection Network's email reputation technology blocks all messages related to this spam run from even reaching users' inboxes. File reputation technology, meanwhile, immediately detects and deletes malicious files like TSPY_ZBOT.BIZ from systems. Finally, Web reputation technology blocks user access to malicious sites from which malware may be downloaded, as well as the upload (HTTP POST) of any stolen data.

The following post at the TrendLabs Malware Blog discusses this threat:
The virus reports are found here:
Other related posts are found here:
tailor-made_spam.pdf
010_.pdf
ge_leads_to_exploits_and_zbot.pdf
10_.pdf