RSA warns about 'KINS' banking Trojan

RSA is warning that a new banking Trojan, 'KINS,' with architectural similarities to previous Trojans, may start hitting PCs soon.

RSA, the security division of EMC Corp., is alerting the world to a new banking Trojan, simply dubbed "KINS," which is expected to debut in the wild soon. While RSA hasn't seen an actual copy of KINS yet, details being discussed in underground communities suggest KINS may share architectural similarities with Trojans of the past, such as Zeus or SpyEye.


Fraudsters are certainly talking about KINS as if it's the real deal, and a Russian-speaking online forum has announced its open sale to the cybercrime community. RSA believes KINS doesn't require the same level of tech savvy to deploy as previous Trojans, and thinks it will emerge within the next few weeks.

"Criminals are really looking forward to seeing this on their computers," said Limor Kessem, cybercrime specialist for RSA's FraudAction Research Labs team. "KINS is the first commercial Trojan to look believable since Citadel. It's in an exclusive environment and it's not your everyday fraudster behind it."

Rumor has it KINS is based on Citadel and shares many of its features, even though the developer denies this, according to Kessem.

"Looking at the feature list, we think there's at least some sort of a connection to SpyEye and Citadel," Kessem said. "We won't know for sure until we see the malware in the wild and can sample it and get signatures to see antivirus defenders and flag for this malware."

RSA believes KINS is built around a main malware component and extends its functionality with plug-ins delivered as dynamic link libraries (DLLs). "It's very Trojan-like," Kessem said.

The Trojan's author has added remote desktop protocol (RDP) functionality so that attackers can access infected computers with the victim's own user-level privileges, a method used to commit fraud while impersonating the genuine user. "And the Neutrino exploit kit, which is one of the most sophisticated exploit packs today, is being recommended by the developer, who claims his bot conversion is very high with Neutrino," Kessem said. "Since the exploit kit is very good and the Trojan is new, bot masters using it right now are reportedly getting good results."

One unusual aspect of KINS is that it'll be the first commercial Trojan sold as a bootkit. "Unlike a rootkit, a bootkit is a different way to infect computers -- on a deeper level -- on their master boot record," Kessem said. Bootkits allow the malicious program to execute before the operating system boots.

KINS will affect PCs but not Macs, according to Kessem, because cybercriminals are still targeting the more prevalent platform. "KINS is a PC Trojan and fraudsters are talking about how it's deployable on Windows 8," she added.

Not surprisingly, there's one part of the world KINS won't be infecting: Eastern Bloc countries. KINS, like Citadel, is designed not to infect users in Eastern Bloc countries, a deliberate choice meant to keep local law enforcement from coming after its operators. KINS terminates if it detects a Russian- or Ukrainian-language system.

"They can get away with it because it's very difficult to extradite people from Russia. That's why developers there won't target people in and around their own country," Kessem said.

But laws in Russia are really starting to crack down on malware developers, which is why many of them aren't willing to sell commercially anymore. "They're sort of afraid of law enforcement there, so when this Trojan came out, a lot of people said this developer is very brave and commended him for his decision to sell to others," Kessem said.

For more details, check out RSA's blog on KINS.
