Banking Trojans

My previous post already contains some information on our recent work, but I think it makes sense to include some more details. We wanted to study an attack class we call impersonation attacks, i.e., all attacks in which an attacker steals a credential from a victim in order to impersonate the victim at a provider.

This kind of attack is quite common; phishing attacks, for example, fall under this class. In such an attack, the attacker uses phishing e-mails as an attack channel and lures the victim into revealing his credentials at a bogus site. These credentials are then sent to the attacker using the harvesting channel, which can for example be e-mail. The attacker can then use the stolen credentials to impersonate the victim, for example at an online bank.

We studied a specific type of impersonation attack, namely attacks in which the attacker uses keyloggers and banking trojans. Examples of such malware include ZeuS/Wsnpoem and Limbo/Nethell, which we studied in detail. Based on the information collected during dynamic analysis, we found many dropzones and got access to many logfiles. We performed a statistical analysis of this data and here are some highlights:
  • We found a total of 175 different countries in which the 170,000 victims are located and almost one third of the infected machines are located in either Russia or the United States.

  • We also found that the dropzones are located in many different Autonomous Systems (68 different AS in total), but several AS host a larger percentage of ZeuS dropzones: The three most common AS host 49% of all dropzones, indicating that there are some providers preferred by the attackers. Presumably those providers offer bullet-proof hosting, i.e., takedown requests are not handled properly by these providers.

  • In total, we found 10,775 unique bank account credentials in all logfiles. This includes passwords and all bank account details as entered by a victim during a normal transaction. Furthermore, we found more than 5,600 full credit card details and tens of thousands of passwords for different sites.

  • The distribution of victim IP addresses is highly non-uniform: The majority of victims are located in the IP address ranges between 58.* – 92.* and 189.* – 220.*.

  • The results of analyzing the potential income of an attacker indicate that an attacker can earn several hundred dollars per day based on impersonation attacks with keyloggers – a seemingly lucrative business.

Full details are available in the technical report. Note that the data we collected during this study is very sensitive. We thus handed over this data to AusCERT, the national Computer Emergency Response Team (CERT) for Australia, since they are in a position to notify the victims.

Update: I received a few comments regarding how to protect against this threat. The best protection is patching and not clicking on every link and attachment. Furthermore, you can protect yourself against keyloggers by using two-factor authentication when doing bank transactions. German banks offer services such as mobile TAN/SMS-TAN, in which a transaction number is sent to the mobile phone to authorize a transaction. A weaker system is iTAN (indexed TAN). The Postbank also published some guidance on how to protect yourself. If you follow these guidelines, you should be relatively secure and not affected by banking trojans.
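The difference between a static password, iTAN and mobile TAN as seen by the bank's verifier, as an added example that is not from the original post or the technical report. The class `Bank`, its methods and all sample values are hypothetical, and the model assumes the mobile TAN is bound to the recipient and amount of the transfer it was issued for.

```python
import hashlib
import hmac
import secrets

class Bank:
    """Toy bank-side verifier (hypothetical model, not a real bank's API)."""
    def __init__(self, password, itan_list):
        self._password = password
        self._itans = dict(enumerate(itan_list, start=1))  # index -> unused TAN
        self._pending = {}  # mTAN -> digest of the transfer it was issued for

    @staticmethod
    def _digest(recipient, amount_cents):
        return hashlib.sha256(f"{recipient}|{amount_cents}".encode()).hexdigest()

    def login(self, password):
        # Static secret: it stays valid until changed, so a logged copy works too.
        return hmac.compare_digest(password, self._password)

    def authorize_itan(self, index, tan, recipient, amount_cents):
        # iTAN: single use, but the check never looks at recipient or amount.
        expected = self._itans.get(index)
        if expected is None or not hmac.compare_digest(tan, expected):
            return False
        del self._itans[index]
        return True

    def issue_mtan(self, recipient, amount_cents):
        # mTAN: fresh code stored with the transfer details (sent by SMS in reality).
        tan = f"{secrets.randbelow(10**6):06d}"
        self._pending[tan] = self._digest(recipient, amount_cents)
        return tan

    def authorize_mtan(self, tan, recipient, amount_cents):
        # Single use, and valid only for the transfer it was issued for.
        return self._pending.pop(tan, None) == self._digest(recipient, amount_cents)

def demo():
    bank = Bank("pw-constructed", ["483920", "117204"])  # constructed sample values
    tan_a, tan_b = bank.issue_mtan("ACCT-A", 5000), bank.issue_mtan("ACCT-A", 5000)
    return {
        "password_reusable": bank.login("pw-constructed") and bank.login("pw-constructed"),
        "itan_first_use": bank.authorize_itan(1, "483920", "ACCT-A", 5000),
        "itan_reuse": bank.authorize_itan(1, "483920", "ACCT-A", 5000),
        "itan_other_transfer": bank.authorize_itan(2, "117204", "ACCT-B", 990000),
        "mtan_same_transfer": bank.authorize_mtan(tan_a, "ACCT-A", 5000),
        "mtan_reuse": bank.authorize_mtan(tan_a, "ACCT-A", 5000),
        "mtan_other_transfer": bank.authorize_mtan(tan_b, "ACCT-B", 5000),
    }
```

In this model the iTAN check accepts a valid code for any transfer, while the mobile TAN is rejected as soon as recipient or amount differ from what the customer saw on the phone.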



  1. MysteryFCM says:

    Cheers for the update :o) (and for posting it so quickly!)

  2. Andreas Pashalidis says:

    Thanks for this excellent checkup of what is happening out there. If you will, please let me know of your opinion about , which is trying to tackle part of the problems you point out.

    Cheers & happy new year

  3. Frederik trovatten says:

    Awesome illustration of your "impersonation attacks," for us non-techies :)

  4. access control systems says:

    Our company has had major issues in the past controlling who gains access to the information stored on our network. We have tried everything from firewalls to expensive anti-virus software. It seems like the hackers are always one step ahead of us. I appreciate your article on how trojans work, and I'll send it to our IT department. What is the most effective way proven to prevent Trojans and other computer viruses from gaining access to the information stored on a computer?

  5. Cheap Kenny Chesney Tickets says:

    Your post is knowledgeable… I really appreciate the way you write. I would like to read more from you.

  6. SEO Chicago says:

    Does gmail offer protection from trojan viruses from attacking your computer? I own a MAC and don't really worry about being attacked by viruses. It seems like a lot of people that use PCs get viruses just by visiting certain websites they find on the internet.

  7. dream vacation network says:

    Wow, really great post. I really like this post, thanks for sharing...

  8. 来自中国的小伙 says:

    Feels good, very nice, VERY GOOD!

  9. Frederik says:

    I love this illustration! Just beautiful!
