UK banking customers targeted by data-stealing Trojan

Summary: Botnets are being deployed by criminals to put the Zeus Trojan on systems used by the customers of all of the major UK banks, according to security company Trusteer

Two UK-based botnets are zeroing in on British bank customers with new variants of the Zeus Trojan, according to a security firm.

The Zeus botnets, which consist of 20,000 to 30,000 compromised computers, are being used to send out regionally-specific infected spam to distribute links to the Trojans, according to Trusteer. Compromised UK websites are also being used in the attack on online banking users, it added.

"It looks like criminal gangs are focused on the UK market and are specialising in UK banks," Trusteer chief executive Mickey Boodaei said on Friday.

Boodaei declined to name the banks, saying only that customers of all of the major institutions had been targeted. Spam runs typically focus on customers from three to nine of the major banks at a time, according to Trusteer.

Zeus, also known as Zbot, steals data by installing a keystroke logger on the victim's machine. People who click on a link in an infected email or compromised website could end up exposing their online banking credentials.

Trusteer said it gained access to the command-and-control servers of the botnets, and this allowed it to pinpoint the location of the zombie computers from their IP addresses. The company then analysed attack commands from the servers to determine the targets of the Zeus variants.

In general, detection rates for the malware have been low, said Boodaei. Between zero and 20 percent of the Trojans are being picked up by antivirus companies, according to Trusteer.

To determine detection rates, the company ran the different Zeus variants through services like VirusTotal, which checks malware samples against different antivirus engines. It also performed forensics at its own labs.

Boodaei said that international antivirus companies may not detect the Trojans due to their localised nature. Antivirus companies normally deploy a network of sensors, including computers designed specifically to capture malware samples, in networks called 'honeynets'. The Trojans may not be hitting these sensors, said Boodaei.

"The malware is too local to see on the radar," he said.

In addition, heuristics designed to stop malware by identifying its behaviour may be circumvented by criminals testing their products in their own labs before unleashing them on the public, said Boodaei.

Trusteer also warned of two other pieces of financial malware, which it calls Silon.var2 and Agent.DBJP, that are tailored to British online banking customers. These use the same distribution methods as the Zeus variants: infected email and compromised websites.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

1 comment
  • It would be nice to see how this stands up to PINsentry online banking adaptations.
    CA-aba1d