Malware authors have had great success targeting financial institutions in recent years, and in turn, those organizations have a vested interest in improving their banking botnet detection capabilities. However, one expert says financial firms are failing because they ignore unusual network traffic.
Jason Milletary, senior security researcher with Dell Inc.'s SecureWorks unit, which recently released a report on the top banking botnets that the security vendor observed in 2013, said that most banking botnets have been utilizing the same attack and communications techniques for years, largely because targets have been unable to disrupt their success.
In terms of initial infections, banking malware authors still largely rely on simple spam emails that include malicious attachments or links, Milletary said, though he noted that some of the downloaders, such as the recent Pony Trojan, have added new capabilities, including the ability to steal credentials from mail and FTP clients.
The communication methods utilized by the most prevalent banking botnets also haven't changed much, according to Milletary, with a notable exception coming in the form of the Gameover Zeus Trojan.
Gameover stands apart from its competitors, largely thanks to its use of peer-to-peer (P2P) communication over a number of different TCP and UDP ports. Instead of sending updates directly from an attacker-controlled server to an infected host, Gameover uses the infected hosts themselves to deliver information on configurations and targets.
Milletary said the telltale sign of a Gameover infection is the unusual network traffic generated by the botnet, which typically shows up as encrypted traffic on dozens or maybe even hundreds of hosts around the world, particularly through the aforementioned TCP and UDP ports. He advised companies to block connections via those ports to arbitrary hosts with egress filtering, though the battle still isn't over at that point.
If an infected machine is unable to connect to the attacker's P2P infrastructure, it will fall back to a typical command-and-control (C&C) communication method, contacting a fresh set of pseudo-random domain names produced each day by a domain-generation algorithm (DGA). Milletary said the key here is to look for DNS resolution requests involving long, seemingly random domains.
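The DNS heuristic Milletary describes can be turned into a simple scorer. The following is an added example, not code from the SecureWorks report or the article: it parses BIND-style query-log lines (the log format, the sample lines and the scoring thresholds are all constructed assumptions) and flags second-level labels that are long, high-entropy, vowel-poor or digit-heavy, then groups the hits by the querying client so the likely infected hosts stand out.

```python
"""Heuristic detector for DGA-style DNS lookups.

Added example, not from the original page. The log format (BIND query log),
the sample lines and every threshold below are assumptions for illustration.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample: two benign clients and two clients emitting random-looking
# second-level labels of the kind a DGA fallback produces.
SAMPLE_DNS_LOG = """\
client 10.0.4.17#51233: query: www.example.com IN A + (10.0.0.53)
client 10.0.4.17#51234: query: mail.google.com IN A + (10.0.0.53)
client 10.0.4.22#40111: query: xkqzvtwplmrbnsdfghjyc.com IN A + (10.0.0.53)
client 10.0.4.22#40112: query: qpwoeiruty1928374.net IN A + (10.0.0.53)
client 10.0.4.22#40113: query: cdn.cloudfront.net IN A + (10.0.0.53)
client 10.0.4.31#50001: query: bfhslkdjghqwertyuiopa.biz IN A + (10.0.0.53)
"""

# Assumed BIND querylog layout: "client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN ")

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random labels sit near log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonant letters (digits break the run)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registered_label(fqdn: str) -> str:
    """Return the label left of the TLD (example.com -> 'example').

    Assumption: single-label public suffixes only. Production code should use
    the Public Suffix List so that names under co.uk etc. are handled.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label: str) -> int:
    """Count how many 'random-looking' traits a label has (0..5).

    Thresholds are assumed; tune them against your own benign baseline.
    """
    label = label.lower()
    if not label:
        return 0
    score = 0
    if len(label) >= 12:                                   # long label
        score += 1
    if shannon_entropy(label) >= 3.5:                      # near-uniform characters
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:   # vowel-poor
        score += 1
    if longest_consonant_run(label) >= 5:                  # unpronounceable
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) >= 0.3:  # digit-heavy
        score += 1
    return score


def scan_dns_log(text: str, threshold: int = 3) -> dict:
    """Map source IP -> list of (queried name, score) for DGA-like lookups."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        score = dga_score(registered_label(name))
        if score >= threshold:
            hits[m.group("src")].append((name, score))
    return dict(hits)


if __name__ == "__main__":
    for src, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(src, names)
```

A single hit is weak evidence (CDN and cloud hostnames also look random), so in practice this is combined with an allowlist of known infrastructure and with the burst pattern of many NXDOMAIN answers from one client, which is what a host cycling through a day's DGA candidates produces.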
Beyond Gameover, Milletary said most banking botnets, notably including Shylock, rely on standard C&C communications to deliver instructions and exfiltrate data, with most utilizing HTTPS for encryption. Financial institutions, he noted, should be looking for HTTPS connections to suspicious or malicious IP addresses in such cases.
"To detect that, you'll need to have a mechanism as an enterprise where you're able to inspect HTTPS content," Milletary said, "which typically is some kind of Web security gateway that effectively breaks the SSL connection, inspects the cleartext content and reestablishes the encrypted connection with the remote host."
Enterprises also shouldn't overemphasize the impact of banking botnets utilizing stronger crypto algorithms, he noted, because such tactics are largely aimed at preventing researchers from decrypting malicious traffic and getting attackers' instructions.
"From a detection standpoint," Milletary said, "it's going to look the same."
Ultimately, Milletary said, it was unsurprising that the Dell SecureWorks research showed that the communications methods underpinning the most successful banking botnets haven't changed: enterprises have not managed to thwart attackers' proven techniques, so the attackers have had no reason to abandon them.
"Criminals tend to stick with what works. They're not going to spend much more time and effort improving the robustness of their infrastructure if they don't need to," Milletary said. "Unless we find ways to bring pain to the adversaries in this, basically having a direct impact on their return on investment, I think we'll see more of the same."