ITBusiness.ca

Trojan behind phishing scam can be found via Google

A Trojan used in an e-mail phishing attack targeting corporate users this week can be controlled by anyone that Googles its Web-based command and control centre.

Zeus is a tough-to-detect Trojan that steals personal information and Web site login credentials, according to Trusteer Research. It injects itself into Web browsers to monitor all traffic and report it back to its master.

“Zeus now actively targets corporate users through an effective e-mail campaign that asks Outlook Webmail users to update their settings,” the New York-based security vendor says in an advisory.

The spam campaign launched last week.


An example of the phishing e-mail scam that launched Oct. 14.

This style of Zeus trojan attack is far from an isolated incident. The “crimeware” kit is the largest botnet known to date with more than 3.6 million infected computers in the U.S. alone. It accounts for 44 per cent of all malware that is currently stealing financial data, according to Trusteer.

The trojan is only detected by 12 out of 41 anti-virus vendors and most infected computers also have anti-virus software installed. But finding all the resources needed to set up and coordinate an attack powered by Zeus is as simple as conducting a Google search.

Roy Firestein, security consultant with Digital Defence, demonstrated how to locate a full-service, one-stop-shop for cybercrime in a Oct. 6 workshop at Toronto-based SecTor security conference.

“Please don’t follow these links,” he cautions. “When I did this, I wasn’t using Windows and I had a cloud provider tunnel my connection.”

After finding a screenshot of the Zeus command and control Web service on a security blog, Firestein has a good keyword to search for: “Zeus :: login”. By typing that in Google and including commands to search only in the title (intitle:) and for php files (filetype:), the crimeware is the first result to display.

After this all users with malicious intent have to do is set up their own Web domain with the trojan and start luring unsuspecting surfers to download the exploit. At the impromptu hacker’s disposal is an analytics feature that displays infection rates in real time. Also, the ability to take screen shots, intercept Web communications, and integrate with the Jabber IM client.

“That’s impressive,” Firestein says. “You don’t get that type of support from the good guys.”

The current attack follows this model to a T. Employees at a targeted company receive an e-mail asking them to update some settings to their Outlook Webmail account. The e-mail sender spoofs the corporate domain and the link appears to lead to an in-house company Web site.

But those fooled actually are led to “nerrassst.eu” and tricked into downloading a file that contains a trojan, Trusteer says in its report.

Zeus and other user-friendly trojans like it are part of an unsettling trend in the cyberspace underground, says David Senf, a security analyst at IDC Canada. Hacking tools have progressed from being more complicated command line interfaces to graphical user interface (GUI) that are so easy to use, no underlying knowledge is required.

“You just need to know what knowledge you’re seeking, then run the right exploit,” Senf says. “There’s an eco-system of middlemen helping to create the tools where you can broker stolen information.”

Crimeware is now often delivered through the cloud-computing or software-as-a-service model used by successful consumer Web sites such as Amazon and Salesforce. Many offer sophisticated customer service and don’t cost much to purchase.

The Elonore kit costs $700 and provides live support over IM client ICQ (it’s account number 9000001 if you’re interested), Firestein says. It comes with nine exploits to use, including one for Firefox fonts and another for DirectX DirectShow.

The Andrenalin Botnet kit is a bit pricier at $3,500 but promises 24/7 technical support. It also removes other malware, assuring you’ll be the only hacker stealing that user’s information. It also provides key logging and actively avoids detection. 

The best shot companies have at not getting infected by such crimeware is to keep systems up to date, Senf says.

“All you can do is patch,” he says. Secunia.com is an online site that will analyze a system and inform users of what programs are out of date.

To avoid the current phishing scam using Zeus and targeting corporations, Trusteer recommends educating employees. IT departments could also take the measure of blocking all .exe and .zip downloads from the Web for the short term.

Should security analysts be publicizing hacking services?

In his own demonstration of how to access Zeus, Firestein used a picture posted to a well-reputed security blog to get the key words he needed to locate the service in Google. The security analyst with Toronto-based Digital Defence doesn’t think there’s a risk in publicizing such information.

“It’s important for us to know what’s happening so we know what steps to take to protect ourselves and the community,” he says. “Bringing it to the surface is important.”

Making the public aware, and companies aware mean that there will be more people trying to prevent hackers from compromising their systems, he adds. Companies creating software will also have security at front of mind.

A similar argument is made about open source software, Senf says. Many argued that if code was openly shared, then it would be too easy to exploit it. But so far, it seems the opposite is true – more people can fix it and secure it against hackers.

Exit mobile version