News Stay informed about the latest enterprise technology news and product updates.

Financial malware focuses on hiding malicious traffic, localization

A report from NSS Labs details the latest updates to financial malware, with criminal crews focused on hiding communications, localization.

As financial malware evolves and adopts new capabilities, a new report highlights how financial firms and consumers are struggling to fend off malware that uses sophisticated communications techniques, many of which are virtually impossible to detect.

The days of, 'Oh, that looks suspicious' are gone. These are highly organized crews; they're focused and really do their research.

Ken Baylor,
research vice president, NSS Labs

Dr. Ken Baylor, research vice president for Austin, Texas.-based NSS Labs, authored The Cutting Edge is Honed, a look at how financial malware evolved during the course of 2013. Baylor found that the criminal crews behind the malware targeting financial firms are not resting on their laurels, with new, nearly impossible-to-stop features being added to already successful pieces of malware.

Among the new additions are cutting-edge, click-enticing capabilities that would make marketing firms salivate.

"They're now able to do things such as take video captures of your screen so they can see when you're filling out a pop-up that's asking for your Social Security number to watch your mouse to see how many seconds you hesitated before you either ignored it or clicked through," Baylor said. "So it's quality assurance on how effective their pop-ups are at convincing you to hand over your information. We're seeing a lot of innovation in this [area]."

Financial malware authors improve command-and-control systems

Beyond the use of video captures, NSS Labs found financial malware crews are addressing the need for more hidden methods of botnet communications.

The battle between security professionals and cybercriminals has become a cat-and-mouse game in recent years, Baylor said, as Microsoft and other botnet trackers have had success taking down malware by targeting the command-and-control (C&C) infrastructure used to relay instructions to infected machines.

Microsoft led a major operation against the Citadel malware in June 2013, and reportedly took down up to 88% of the Citadel botnets, though it has since rebounded.

"If you can remove the [command-and-control] machines," Baylor said, "the bots basically talk to empty space and can't do any more bad things."

With C&C infrastructure being targeted, financial malware authors moved to utilizing domain-generation algorithm capabilities to randomize the domains with which infected machines could communicate. Again though, Baylor said security vendors, such as Atlanta-based Damballa Inc., have been able to effectively eliminate such activities by identifying communications between enterprise machines and domain names that have been created within the last seven days.

Now, these criminal crews have been left with little choice but to find communications methods that don't arouse the suspicions of enterprises. For example, the resurgent Shylock malware had previously utilized RC4 encryption to hide communications between infected machines and its C&C infrastructure. Though RC4 served its purpose as a solid form of encryption, Baylor said RC4 stood out on enterprise networks and often alerted security teams to attackers' activities. Shylock has since adopted the much more innocuous Secure Sockets Layer (SSL) encryption, which is a common sighting on any network.

Similarly, Taidoor, a banking Trojan that was first discovered in 2008, has been reinvented in large part by employing blogs from Yahoo instead of traditional C&C servers. The blogs host encrypted commands that are usually placed inside typical Web forms, so once infected, a machine can simply send an HTTP request to the blog for further instructions. Relying on a trusted domain like Yahoo for communications has enabled Taidoor to avoid security products that scan for typical botnet infrastructures, and perhaps makes detecting such malicious activity even more difficult than Shylock's use of SSL.

"As an enterprise, you're probably on your own with that one. You're not going to detect a normal HTTP request and it'll probably come out at a normal time. Even if you're looking at what's normal traffic and what's abnormal traffic, this will absolutely not stand out," Baylor said. "So that's a new method of becoming a tree in the forest of trees, and it's pretty effective."

Financial malware becoming more targeted

Financial malware has also become increasingly targeted, according to Baylor. KRBanker, a banking Trojan that targets only Korean online banking customers, is an example of how cybercriminals are localizing their financial malware.

South Korea's online banking system was developed separately from others around the world, and, as a unique result of such isolation, depends heavily on user-assigned digital certificates. KRBanker was designed specifically to collect those certificates, making it easy for the criminals behind it to compromise South Korean banks.

Even the malicious Web pop-ups used by financial malware to collect banking details are becoming more sophisticated and targeted. He noted that one crew might be devoted entirely to Citi Bank, for example, so they research and use the correct fund names and logos used by Citi Bank to mimic the exact appearance of official forms.

In the past, consumers could perhaps be on the lookout for the typically poor grammar used in such pop-ups as a tell-tale sign of fraudulent activity, but even that weakness has been addressed.

"The grammar has improved. There are slightly different uses of English and they're country-appropriate," Baylor said. "The days of, 'Oh, that looks suspicious' are gone. These are highly organized crews; they're focused and really do their research."

Defenses improving, but not there yet

When discussing how to fend off such sophisticated financial malware attacks, Baylor painted a bleak picture. Certain banks have experimented with secure browsing, including the use of downloadable Java applets that will cut off all interactions outside those with a specific online banking system. If a process is injected outside those interactions, the connection will be ceased.

More promisingly, banks are beginning to roll out big data implementations that sit inside their perimeters to track every transaction by every user. Fraud engines, in turn, are able to use the new data to compare new transactions against those a customer has made in the past, triggering notifications when unusual patterns surface. Unfortunately, such technologies take multiple years to implement, providing little in the way of short-term relief.

Ultimately, Baylor said the best hope for combatting financial malware at the moment is legal action, such as the arrest of the Carberp banking malware crew in Russia last year. Mustering the necessary international cooperation needed for arrests has been particularly difficult though, with crews in Russia and other countries choosing not to target fellow countrymen so as to avoid the ire of local law enforcement agencies. The consternation brought on by former NSA contractor Edward Snowden's leaks regarding U.S. spying will only make such cooperation more difficult, according to Baylor.

"So is there anything that is going to stop these guys? No," Baylor said. "They're pretty much untouchable now."

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What's the worst banking or financial malware incident you've dealt with?
One incident malware called Dexter
Malware readiness can be assessed using a method known as PASS, an acronym which examines Performance, Availability, Security, and Scalability. Best practices can expose unseen issues such as outdated software or a misconfigured firewall. While running the tests, use these best practices to look out for overall performance: