Friday 10 February 2012

How a banking trojan can steal your data and money

A quick look at Zbot

There are many ways hackers can try to steal personal data from computers. We will take a look at the trojan known as ZeuS (also called Zbot) to give you an idea of how your banking information can be stolen, so that you know what to be aware of and how to avoid becoming a victim.

There is an in-depth analysis of the ZeuS banking trojan on the SecureWorks website, by Kevin Stevens and Don Jackson, security researchers from the SecureWorks Counter Threat Unit (CTU). While I suggest that you read the whole article, I will post some excerpts here:
ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored. ZeuS has evolved over time and includes a full arsenal of information stealing capabilities:
  • Steals data submitted in HTTP forms
  • Steals account credentials stored in the Windows Protected Storage
  • Steals client-side X.509 public key infrastructure (PKI) certificates
  • Steals FTP and POP account credentials
  • Steals/deletes HTTP and Flash cookies
  • Modifies the HTML pages of target websites for information stealing purposes
  • Redirects victims from target web pages to attacker controlled ones
  • Takes screenshots and scrapes HTML from target sites
  • Searches for and uploads files from the infected computer
  • Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
  • Downloads and executes arbitrary programs
  • Deletes crucial registry keys, rendering the computer unable to boot into Windows
How to detect the ZeuS Banking Trojan on your computer
Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection.
With Administrator rights: 
%systemroot%\system32\sdra64.exe (malware)
%systemroot%\system32\lowsec
%systemroot%\system32\lowsec\user.ds (encrypted stolen data file)
%systemroot%\system32\lowsec\user.ds.lll (temporary file for stolen data)
%systemroot%\system32\lowsec\local.ds (encrypted configuration file)
Without Administrator rights: 
%appdata%\sdra64.exe
%appdata%\lowsec
%appdata%\lowsec\user.ds
%appdata%\lowsec\user.ds.lll
%appdata%\lowsec\local.ds
ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
From: "Userinit" = "C:\WINDOWS\system32\userinit.exe"
To: "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
Without Administrator rights:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Add: "Userinit" = "C:\Documents and Settings\<user>\Application Data\sdra64.exe"
The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities.
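The indicators quoted above can be checked with a short script. The following is an added example, not part of the original post or of the SecureWorks analysis: it flags an extra entry in the Winlogon "Userinit" value, a "Userinit" value under HKCU\...\Run, the sdra64.exe and lowsec artifacts in both candidate locations, and hosts-file entries that point a hostname somewhere other than loopback (the "modifies the local hosts file" item in the capability list). The paths and registry values are the ones quoted in the text; the function names and the sample data (a fake %appdata% tree of empty files and a constructed hosts file using a reserved documentation address) are my own. On a non-Windows box only the constructed demo runs; on Windows scan_live_host() also reads the real registry, directories and hosts file, and needs an account that can read %systemroot%\system32. Keep in mind that the file and value names are those of the version analysed by SecureWorks and are not a general ZeuS test.

```python
"""Check a Windows host, or constructed sample data, for the ZeuS indicators quoted above.
Added example: not from the original post or the SecureWorks analysis. The paths and registry
values come from the text; the function names and the sample data are constructed."""
import ntpath
import os
import sys
import tempfile

LEGIT_USERINIT = "userinit.exe"     # the only file that belongs in the Winlogon Userinit value
LOOPBACK = {"127.0.0.1", "::1"}

# Relative paths from the excerpt, found under %systemroot%\system32 (Administrator infection)
# or %appdata% (non-Administrator infection). Forward slashes are accepted on Windows too.
ZEUS_ARTIFACTS = ["sdra64.exe", "lowsec", "lowsec/user.ds", "lowsec/user.ds.lll", "lowsec/local.ds"]

# Constructed hosts file: the standard Windows header plus the kind of line a pharming trojan
# adds. 203.0.113.0/24 and the .test TLD are reserved for documentation, not a real bank.
CONSTRUCTED_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.example-bank.test   # constructed pharming entry
"""


def suspicious_userinit_entries(userinit_value):
    """Entries of a Winlogon 'Userinit' value other than userinit.exe. ZeuS appends
    ',C:\\WINDOWS\\system32\\sdra64.exe'. A clean XP value is 'C:\\WINDOWS\\system32\\userinit.exe,'
    (trailing comma), so empty entries are ignored rather than flagged."""
    hits = []
    for entry in userinit_value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != LEGIT_USERINIT:
            hits.append(entry)
    return hits


def zeus_artifacts_in(root):
    """ZeuS files/folders present under root. os.path.lexists does not care about HIDDEN."""
    return [rel for rel in ZEUS_ARTIFACTS if os.path.lexists(os.path.join(root, rel))]


def hosts_redirections(hosts_text):
    """(name, ip) pairs in a hosts file that resolve to something other than loopback. ZeuS edits
    %systemroot%\\system32\\drivers\\etc\\hosts so a bank's hostname resolves to the attacker."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop the comment, then whitespace-split
        if len(fields) >= 2 and fields[0] not in LOOPBACK:
            hits.extend((name, fields[0]) for name in fields[1:])
    return hits


def scan_live_host():
    """Windows only: read the real registry values, directories and hosts file.
    Returns {} on other platforms or when nothing matches."""
    findings = {}
    if sys.platform != "win32":
        return findings
    import winreg
    systemroot = os.environ.get("SYSTEMROOT", r"C:\Windows")
    checks = [
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
         "HKLM Winlogon Userinit", suspicious_userinit_entries),
        # a 'Userinit' value under HKCU\...\Run does not exist on a clean system: report it whole
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run",
         "HKCU Run Userinit", lambda value: [value]),
    ]
    for hive, subkey, label, judge in checks:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "Userinit")
        except OSError:                             # key or value absent
            continue
        result = judge(value)
        if result:
            findings[label] = result
    for label, root in (("system32", os.path.join(systemroot, "system32")),
                        ("appdata", os.environ.get("APPDATA", ""))):
        found = zeus_artifacts_in(root) if root else []
        if found:
            findings[label] = found
    try:
        hosts_path = os.path.join(systemroot, "system32", "drivers", "etc", "hosts")
        with open(hosts_path, encoding="utf-8", errors="replace") as f:
            redirections = hosts_redirections(f.read())
    except OSError:
        redirections = []
    if redirections:
        findings["hosts"] = redirections
    return findings


def build_constructed_infection(root):
    """Lay out the non-Administrator artifacts under root as empty placeholder files (not malware)."""
    os.makedirs(os.path.join(root, "lowsec"), exist_ok=True)
    for rel in ("sdra64.exe", "lowsec/user.ds", "lowsec/local.ds"):
        open(os.path.join(root, rel), "wb").close()


def demo():
    """Run every check on constructed data, so the example also works on a non-Windows box."""
    infected = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
    clean = r"C:\WINDOWS\system32\userinit.exe,"
    with tempfile.TemporaryDirectory() as fake_appdata:
        build_constructed_infection(fake_appdata)
        artifacts = zeus_artifacts_in(fake_appdata)
    return {
        "infected_userinit": suspicious_userinit_entries(infected),
        "clean_userinit": suspicious_userinit_entries(clean),
        "artifacts": artifacts,
        "hosts": hosts_redirections(CONSTRUCTED_HOSTS),
    }


if __name__ == "__main__":
    print(demo())
    print(scan_live_host())
```

The Userinit check compares file names only, so a clean value on a different drive letter or install path is not flagged, while anything else appended after the comma is. Absence of a hit proves nothing about newer ZeuS builds, which use other file and value names.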

How your system can get infected

A list of ways your system can get infected can be found in one of my other posts here. Things you really should watch out for, and avoid, are e-mails supposedly sent from your bank in which you are asked to follow a link in order to update your security details, or to download a file attached to the message. Here are a few samples of such e-mail messages:

Dear Customer,
We detected irregular activity on your
Internet banking account.
For your protection, you must verify this
activity before you can continue using your
account.
Please download the document attached to this
email to review your account activity.
We will review the activity on your account
with you and upon verification, we will remove any restrictions placed on
your account.
If you choose to ignore our request, you leave us no choice
but to temporary suspend your account.
We ask that you allow at least 72 hours for the case to be
investigated and we strongly recommend to verify your
account in that time.
© Copyright Barclays Bank Holdings plc 2012 - All rights reserved


and

Dear Valued Customer,
Your account is suspended due to the number of incorrect login attempts.
For your protection, we've suspended your account .
To reactivate your account please download the document attached to this
e-mail and review your account activity.
If not completed until February 09, we will be forced to close your account .
Note: If you received these e-mail in your BULK/SPAM section please
add to your address book [e-mail address withdrawn]

Thank you,

Customer Support Service.

Copyright © NatWest Bank Plc. Limited. All rights reserved.


On both occasions the senders had obviously made an opportunistic attempt to get me to download the malicious HTML files attached to the messages, without knowing that I am not a customer of either of the aforementioned banks.
So, what would have happened if I had downloaded the attached file? I would most likely have infected my machine with a trojan (bot spyware) capable of sending data from my computer to a remote server on the Internet controlled by a cyber criminal, basically making my machine part of a botnet.
Or, if there had been a link to follow, then by clicking it I would most likely have ended up on some bogus website designed by a cyber criminal for malicious purposes such as pharming (URL redirection for the purpose of information stealing) or spreading malware infections. Example of a phishing message:

Dear Valued Customer,
our security filter noticed a malicious activity in your online account.
We were able to trace it to an unknown link thereby, placing
your online banking on suspension till this is resolved.
We implore you to go over your account details so
as to continue with your online transactions.
Click here to resolve the problem.
[Link withdrawn]

Thank you for helping us to render you a maximum protection.

Security Department.

Alliance-leicester online banking.


Things to keep in mind

Regardless of the content of the message, remember: banks will not ask you for any security details or security updates via e-mail. Don't just click on links in e-mails you receive. Make sure the sender is trusted and genuine, and that the link does not look dodgy; the visible text of a link and its real destination can differ, so check where it actually points before following it. (The same applies to Instant Messenger chats.) If you receive a suspicious e-mail supposedly sent from your bank, and you are asked to give away any of your personal or financial details, or to download an attachment, don't. Instead, forward the e-mail message to the bank. On almost all occasions you can find the e-mail address for forwarding phishing e-mails on the bank's official website. For more detailed information on the types of scams related to online banking, and to get genuine advice, please visit Bank Safe Online, a website developed by UK Payments Administration Ltd.
