BreachExchange mailing list archives

Zeus Malware: A Continuing Threat


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Apr 2014 18:56:49 -0600

http://www.databreachtoday.com/zeus-malware-continuing-threat-a-6751

The indictment of nine alleged participants in a fraud scheme that involved
infecting thousands of business computers with Zeus malware to steal
millions of dollars shows that the malware remains a formidable ongoing
threat, financial services security experts say.

The victims in the case included a Nebraska bank and a Nebraska company,
according to an announcement of the indictment from federal prosecutors.
The indictment was unsealed in connection with the April 11 arraignment of
two Ukrainian nationals, who were recently extradited from the United
Kingdom. Three other Ukrainians and a Russian have not yet been arrested;
the indictment also names three other "John Doe" defendants.

"These actors are only a few of those who operate Zeus botnets out of a sea
of cybercriminals who use variations to commit fraud," says Ryan
Sherstobitoff, a threat researcher at security vendor McAfee, a unit of
Intel. "Zeus will always be a continuing threat, and cybercriminals will
continue to use Zeus to steal money. We as an industry must be vigilant."

Kevin Haley, security response director at security vendor Symantec, says
the indictments won't put much of a dent in the use of the malware. "Zeus
is not a gang; it's a toolkit, a very popular one used by many gangs," he
says. "While today there is one less gang, there are still plenty of others
using Zeus to attack us."

Andreas Baumhof, chief technology officer at anti-fraud vendor
ThreatMetrix, says that when it comes to fighting fraud, the latest
indictments are "like taking a scoop of sand out of the beach.

"The thing about Zeus is that the people who develop and distribute Zeus
are not the same people who use Zeus to steal money," Baumhof says. "Now we
have a couple less people using Zeus."

Zeus is a continuing threat because many financial institutions aren't
looking necessarily for the malware itself, says George Tubin, banking
expert at anti-malware provider Trusteer. "What [banks] are trying to do is
use different authentication means and different fraud prevention
technologies to try to spot when fraud happens," he says. "But very few
institutions are actually trying to identify when man-in-the-middle malware
[such as Zeus] is being used."

Zeus Scheme

The nine defendants in the case revealed April 11 allegedly used the
malware to capture passwords, account numbers and other information
necessary to log into online banking accounts, federal prosecutors say. The
conspirators then used the information to steal millions of dollars from
victims' bank accounts.

The defendants allegedly falsely represented to banks that they were
employees of the victim organizations and were authorized to make transfers
of funds from the victims' bank accounts, according to an announcement from
the Federal Bureau of Investigation.

As part of the scheme, the defendants allegedly used money mules in the
U.S. who received funds transferred over the ACH network or through other
interstate wire systems from victims' bank accounts, the FBI says. The
money mules then allegedly withdrew some of those funds and wired the money
overseas to conspirators.

All the defendants were charged by a federal grand jury with conspiracy to
participate in racketeering activity, conspiracy to commit computer fraud
and identity theft, aggravated identity theft and multiple counts of bank
fraud.

Tackling Zeus

McAfee's Sherstobitoff says federal law enforcement is making progress
mitigating the Zeus threat through botnet takedowns and disruption efforts.
"These disruption efforts are oriented toward breaking up criminal rings
who operate Zeus to steal from commercial entities," he says.

Haley at Symantec notes: "Security technology continues to get better, and
users become more aware of the social engineering tricks that attackers
deploy. But the attackers do not stand still either."

Organizations need to first identify the critical business information that
must be protected and prioritize that appropriately, Haley says. Then they
must implement security technology, including anti-spam technology, to
mitigate the e-mail threats. "And finally, users need security awareness
training," he says.

ThreatMetrix's Baumhof says making progress in fighting fraud is
challenging because many malware attacks are so targeted. "The trick with
Zeus is that it is a very flexible toolkit that you can use in many
different ways," he says. "People try to mitigate the specific attacks that
they are being attacked with, not against Zeus. People are protecting
against cuts and not against the Swiss Army knife."

To fight attacks that use Zeus, banks need to ensure more data is available
to systems that assess risk, Baumhof says. And that includes information
about end users' devices. "How can a bank make a good decision regarding
whether or not a particular transaction is valid if there is no visibility
into the endpoint?"
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/