Financial Malware: Past and Present


Malware is not only increasingly diversified and capable, but also easier to create. Through 2015, this widespread threat will continue to grow unabated. An effective cyber criminal effort could just as well be predicated on an overwhelming amount of simple pieces of malware as it could be upon a monolithic, state-level attack. There are two primary mitigation vectors that can be used against such powerful financial malware - backend protection and specialized endpoint protection.

Malicious software (aka malware) affects us all. Modern malware ranges from keyloggers to ransomware, spyware and botnets. Arguably the most advanced are financial trojans, which are capable of emptying bank accounts in seconds. The Zeus toolkit has stolen hundreds of millions of dollars globally in recent years, and is one of the most effective financial trojan platforms. This platform has been used to launch other powerful financial malware such as KINS and Citadel, which have stolen millions of dollars from banks in 2013 alone.

The two main mitigation vectors against this blitz of advanced malware are backend protection and specialized endpoint protection. Backend protection involves the bank implementing multiple controls which are unseen by the average bank customer. These may include building out powerful antifraud risk engines built on big data, implementing dual custody for wire and ACH transactions, and capping customer transfer limits. Such rollouts are generally very slow and resource intensive.
Endpoint protection involves placing software on the customer endpoint, typically PC and Mac devices. Effective endpoint protection against financial malware is rarely found in mainstream antivirus suites. Modern financial malware uses techniques such as packing and polymorphic encryption to completely bypass detection by well-known antivirus suites. Zeus has historically been so effective at avoiding antivirus detection that other cybercriminals have adopted its use: since its source code leaked in 2011, Zeus has been used to send spam and steal Facebook credentials in addition to stealing bank credentials. The average antivirus detection rate for Zeus is still only 40.1%, with many of those detected being early Zeus versions.
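The backend controls described above (dual custody for wire/ACH transfers and per-customer transfer caps) can be expressed as a small policy layer that releases a transfer only when every control passes, so a transfer initiated from a trojan-controlled browser still needs a second person to approve it. This is an added example, not code from the article or any bank; the thresholds, customer ids and user names are constructed placeholders.

```python
"""Added example (not from the original article): a minimal backend
control layer enforcing a per-customer daily transfer cap and dual custody
(a second, different approver) for wire/ACH transfers at or above a
threshold. All policy values below are assumed placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

DUAL_CUSTODY_THRESHOLD = 10_000  # assumed policy value, not from the article
DAILY_CAP = 25_000               # assumed per-customer daily release limit


@dataclass
class Transfer:
    customer: str
    amount: int
    kind: str                       # "wire" or "ach"
    initiator: str                  # user who created the transfer
    approver: Optional[str] = None  # second user required for dual custody


class BackendControls:
    def __init__(self) -> None:
        # customer -> total amount already released today
        self.sent_today = defaultdict(int)

    def evaluate(self, t: Transfer) -> Tuple[bool, str]:
        """Return (allowed, reason). A blocked transfer is never released."""
        if t.kind not in ("wire", "ach"):
            return False, "unsupported transfer type"
        if t.amount <= 0:
            return False, "invalid amount"
        if self.sent_today[t.customer] + t.amount > DAILY_CAP:
            return False, "daily transfer limit exceeded"
        if t.amount >= DUAL_CUSTODY_THRESHOLD:
            # Dual custody: a second user must approve, and it may not be the
            # same account that initiated the transfer.
            if t.approver is None:
                return False, "dual custody required: awaiting second approver"
            if t.approver == t.initiator:
                return False, "dual custody violated: approver must differ from initiator"
        self.sent_today[t.customer] += t.amount
        return True, "released"
```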

Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on versions of Microsoft Windows. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. GameOver Zeus was first developed in September 2011, and runs on infected devices, where it is used to intercept online banking transactions, defrauding customers and banks. Zeus controllers can fine tune the copy of Zeus they are using to steal only the information they are interested in; typically login credentials for online social networks, e-mail accounts, online banking or other online financial services.

Citadel
Citadel is a relatively recent incarnation of Zeus, first appearing in February 2012. The owners of Citadel are actively building onto the leaked Zeus source code (2.0.8.9) and adding new functionality. 2013 has been a banner year for cyber criminals. Their tools have greatly evolved, and new advanced malware suites are now available. Hesperbot, Shylock, Beta Bot, KINS and Carberp are also now being used against banks, and this trend shows no sign of abatement.

According to Symantec, the number of detections of financial malware dropped off significantly in 2014. The total number of common financial Trojans detected decreased by 53%, while financial phishing emails fell by 74%. The U.S. had the most detections, with the UK and Germany rounding out the top three.

While some malware families such as Trojan.Shylock nearly disappeared, others such as the new spin-off threat Infostealer.Dyranges stepped into the void, blogged Symantec security researcher Candid Wueest.
"In the U.S., there is a larger number of potential organizations to target, many of whom conduct banking online and have more wealth across the board, making the U.S. a good target for the attacker in terms of revenue per infection."
In July 2014, an operation led by the UK National Crime Agency (NCA) and European Cybercrime Centre (EC3) at Europol resulted in the seizure of command and control servers and domains used by Trojan.Shylock. Shylock has been observed being distributed by at least five different exploit kits, including Nuclear and Blackhole. After the takedown, the number of Shylock infections fell by more than half, according to Symantec. 

Over the past couple of months, the FS-ISAC SOC has been tracking malicious activity associated with the Neverquest banking trojan. Neverquest is a new variant of the Vawtrak banking trojan that primarily targets online banking customers in the US and Asia-Pacific countries. It is primarily a credential-stealing Trojan that targets the login credentials for specific websites. Like other credential-stealing malware, Neverquest leverages a "trigger list" of URLs and keywords to identify when an infected user logs into a secure banking site or other targeted secure website. Recent configurations show a shift to include social networking sites, gaming sites, and online retailers in the target list. Other optional functionality reportedly includes a VNC module to provide remote control of an infected computer, and a webinject module to collect additional information from victims. Recent related campaigns use the Chanitor malware downloader for initial infection and to download the Neverquest malware to the victim's computer. Chanitor primarily leverages malicious macros in Microsoft Word documents, which are typically delivered via phishing emails, although they could also be hosted on malicious or compromised websites.
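Because the Chanitor stage described above arrives as a macro-bearing Word document, one cheap control is a mail-gateway check that classifies Office attachments before they reach a user. This is an added example, not FS-ISAC or vendor code; it inspects OOXML containers for a VBA part and holds legacy binary OLE files for deeper inspection, and the sample documents it tests are constructed in memory.

```python
"""Added example, not part of the original post: classify Office attachments
by whether they carry VBA macros. OOXML (.docx/.docm/.xlsm) files are zip
containers; a vbaProject.bin part means the file ships VBA. Legacy OLE
(.doc/.xls) files store macros in OLE streams, so they are flagged for
manual review rather than parsed here. Sample files are constructed."""
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format used by binary .doc/.xls
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # binary Office file: hold for OLE-level inspection
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        return "not-office"  # a zip, but not an OOXML package
    # Word, Excel and PowerPoint all store VBA as .../vbaProject.bin
    if any(name.endswith("vbaProject.bin") for name in names):
        return "macro"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba")
    return buf.getvalue()
```

A gateway would quarantine "macro" results and route "legacy-ole" files to a tool that can open OLE streams; "clean" only means no VBA part was found, not that the document is safe.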

Are traditional antivirus suites effective against financial malware? I would say no. Most common desktop antivirus suites have a hard time detecting and protecting endpoints from modern financial malware. New financial malware is highly targeted and antivirus vendors do not see copies in the wild until the malware has mainstreamed, by which time cybercriminals will have moved to newer malware, having successfully raided countless bank accounts. While it is true that some malware attacks utilize "zero-day" vulnerabilities (attacks that have just been discovered and are referred to as 'unknown vulnerabilities'), these attacks are a tiny minority. The reason is that 'zero day', unknown vulnerabilities are hard to discover and are thus expensive and relatively few in number. Rather than being reactive to threats and relying on aging solutions such as blacklist-based malware detection, an effective security architecture should incorporate practices such as proactive network monitoring with deep discovery, as well as tools that protect endpoints and cloud assets.