With SpyEye, Zeus variants, cybercriminals up the ante
Date: Jul 25, 2012
By Robert Westervelt, News Director
LAS VEGAS -- The financial industry has spent years defending against the onslaught of financial-focused malware – primarily the SpyEye/Zeus family – designed to quickly drain bank accounts and remain relatively undetectable on a victim's system.
In this video interview, conducted at the 2012 Black Hat Briefings, Brett Stone-Gross, a security researcher at Dell SecureWorks, explains how the cybercriminals behind Gameover, a private version of the Zeus Trojan, are using some of the most robust and sophisticated tools in their operation to steal banking credentials. Unlike Citadel and other Zeus variants, Gameover is not traded or for sale on hacker forums, Stone-Gross said, and that's a major cause for concern.
"The financial industry has been improving its detection systems, but they're still having difficulty," Stone-Gross told SearchSecurity.com. "It's really been an arms race between the attackers and the financial industry."
The Gameover Zeus attacks use the Black Hole exploit kit to target vulnerabilities in Web browsers and plugins such as Adobe Reader, Flash and Java. The cybercriminals deliver the malware payload with Pony Loader, a more sophisticated tool that gives them a PHP-based Web interface for configuring and managing the distribution of the malware. The malware is designed to defeat two-factor authentication.
Meanwhile, DirtJumper has been used by the same cybercriminals to conduct distributed denial-of-service (DDoS) attacks against financial institutions from which they are stealing the victims' money.
The group behind Gameover has also created a complex architecture that includes peer-to-peer communication channels, making it much more difficult for the financial industry to try to take down the botnet.
Attacks using the malware have been ongoing at companies in the United States, Stone-Gross said, with the number of infections estimated at more than 678,000. He said the Gameover Zeus variant was detected at 14 of the top 20 Fortune 500 companies, as well as at a number of government agencies and defense contractors.