Zeus: How to Fight Back
Sophisticated Trojan Demands New Game Plan
Zeus continues to strike online bank accounts and users, and technology designed to thwart these Trojan attacks continually fails to keep up. Malware expert Andreas Baumhof says to defeat Zeus, financial institutions have to change their approach.
Zeus, a financially motivated malware family, comes in many different forms and flavors. It can be tweaked to hijack personal PCs, or it can take the form of a keylogger that records keystrokes as users type them. The one constant is that Zeus aims to steal online-banking credentials, and phishing schemes and drive-by downloads are the avenues hackers most often use to spread this increasingly sophisticated and evolving Trojan.
Baumhof, who serves as the chief technology officer at online security vendor ThreatMetrix, says a sophisticated end-point solution can be a good proactive approach to ensuring end-user devices aren't infected.
"But in order to provide complete protection, we also need to look at the server side and tie in any kind of protection and information from the end-user's device into the strong security chain," Baumhof says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
During this interview, Baumhof discusses:
- How banking institutions could make wiser investments to fight Zeus;
- Why Zeus' longevity poses new and increasing concerns;
- How information sharing could improve protections.
Baumhof is an expert in encryption, PKI, malware and phishing. Before joining ThreatMetrix, Baumhof was an executive director, CEO and co-founder of Australia-based TrustDefender, a provider of security and fraud detection technologies. Baumhof previously served as co-founder and chief technology officer of Microdasys Inc., a provider of deep content security systems. While there, he developed the first SSL proxy and has patents pending in Europe and the U.S.
TRACY KITTEN: Before we get started, can you tell our audience a bit about what spurred ThreatMetrix to initiate its research into the growing power of Zeus?
ANDREAS BAUMHOF: ThreatMetrix is in the business of protecting consumers and online businesses, as well as financial institutions, from any kind of fraudulent transaction, be it through fraud manually or by malware automatically. Zeus is ... malware that is highly sophisticated and highly successful in targeting various financial institutions over the last six years. This is an example of malware we constantly monitor and we constantly look at how it evolves and whether there are new target vectors, whether they're changing their tactics or whatever they do. This is one thing we do to make sure we understand what the bad guys do [so that we can] protect the good guys.
KITTEN: ThreatMetrix based some of its analysis on research that was conducted over the course of a month. How was the research conducted and what did you glean?
BAUMHOF: We at security research have focused on the malware, so we don't really focus on how much money is being lost by financial institutions. We focus on the malware and what the malware is doing. Any fraud groups and rings, when they distribute the malware, it's basically out in the open. We have lots of senders and honey pots so we know about the malware. We then have our internal engineers looking at those samples, making sure we can find the configurations behind the Zeus Trojan. We really know exactly what the Zeus Trojan is doing. Zeus is one of the very sophisticated Trojans - they can take the same Zeus Trojan and configure it so it targets different brands, different financial institutions, different merchants completely differently to either steal personal information, but also, for example, fully automated wire transfers. We look at the Trojan and the configuration behind it.
KITTEN: What is it about Zeus that makes it a different kind of malware, a malware that poses increasing threats to the online community?
BAUMHOF: The Zeus Trojan, in particular, has been built from the early days to be very, very flexible. The group of people developing the Zeus Trojan are not actually using [it] to do any fraudulent transactions. They've been reselling the Zeus Trojan to other people and they could then perpetrate the fraud. In a very, very flexible way, as I mentioned before, you can use the Zeus Trojan and just configure it for a particular attack; so it's very versatile, very flexible. It's kind of like a plug-in system where ... it has key-logging functionality or [you can use it for] man-in-the-browser functionality, or to steal personal information, or user passwords, or whatever you want to do. You can use it to target social networking sites, but you can also use it to do really sophisticated attacks, like getting around two-factor authentication that's primarily used by financial institutions, or even to do fully automated wire transfers in the background. This flexibility and also the mechanism where people developed Zeus and then resell it to other people is what makes Zeus a particular concern.
Operation High Roller
KITTEN: You raised some interesting points about Zeus and how long it's been around and the fact that it does often target financial transactions. I'm wondering how Zeus relates to so-called Operation High Roller, which McAfee says involved more than $78 million in attempted fraudulent transfers for more than 60 financial institutions. Can you give us some background there or draw a connection?
BAUMHOF: It's an interesting question simply because Operation High Roller highlights a particular attack that's very, very commonly known, in particular for financial institutions, for years and years. The big news about Operation High Roller is that they virtually use off-the-shelf Zeus Trojans or SpyEye Trojans ... to do fully automated attacks in a very sophisticated way.
Operation High Roller is nothing really new, but what's new is that they used it on a much, much bigger scale. We're seeing at ThreatMetrix attacks in similar ways going back to 2010 [which] were virtually doing exactly the same thing back then, but those Trojans were very targeted toward a number of financial institutions. [One example] was capable of doing a fully automated wire transfer. What's new with Operation High Roller is that people use off-the-shelf Zeus Trojans, put heavy automation around it so they can get around two-factor authentication, as well as they could have lots of service-side automations and really target not just one, two or three different financial institutions. I think Operation High Roller was around 60 financial institutions if I read correctly, but at the end of the day this is just one fraud ring using the Zeus Trojan to perpetrate their fraud in a very, very sophisticated way.
Failing to Address Threats
KITTEN: Why's the security industry failing to adequately address these threats?
BAUMHOF: You can argue that anti-virus engines have been around for a decade and still we have a lot of problems with malware on a daily basis. And the answer to this is actually two-fold. First of all, anti-virus and security engines on the consumer side still heavily rely on blacklists. Slowly there are more and more effective systems coming in - but really very slowly. Zeus Trojans first need to target and infect end-users.
If I compromise a Twitter account and I send a malicious link to my millions of followers from a popular account, chances are high that people will actually download something. And once a computer is infected, what the Zeus Trojan does is a man-in-the-browser injection that makes it very, very sophisticated and you can see this in the ThreatMetrix report we put out. Even for the trained eye, it's incredibly hard to find out whether this is legitimate or whether this is a Zeus Trojan. We've seen cases where they just inject additional images and pages into a logging procedure and this looks completely legitimate. The sophistication is ever-increasing, which obviously makes sure end-users who are not really trained to deal with Trojans don't see anything. We've seen this in a number of other cases as well, where we know of a Trojan and viruses that have been around for five or six years before we properly can detect them.
KITTEN: You've talked a little bit about why current solutions are failing, but what solutions should financial institutions as well as other organizations be investing in?
BAUMHOF: The problem can be [addressed] in a number of different ways, and one way is obviously making sure that the end-user device is not compromised in the first place. Security solutions provide a first good step there. But there are more sophisticated end-point solutions with a more proactive approach, rather than a signature-based approach, to make sure that the end-user device is not infected at all. [One] of those products has a forensics approach, which would detect compromises very early on.
But in order to provide complete protection, we also need to look at the server side and tie in any kind of protection and information from the end-user's device into the strong security chain, which is what's happening on the server, for example. We need to have much better tools to detect on the server side without knowing anything about the client, whether this is a compromised device, for example, or whether this device is behaving badly, or whether this is one Trojan or one fraudster on one computer trying to log in to a number of different accounts, to make much better use of the information that's available and really combine this with information on the end-user's device.
Consumer: Core of the Problem
KITTEN: Would you agree with the statement that at the core of all of this is really the consumer? These phishing schemes and these spoofed websites are really duping consumers.
BAUMHOF: Yes, and this is getting worse and worse, because the attacks are really getting more sophisticated. ... A common practice, for example, with security companies who do Trojan tests within the enterprise is ... you send this out to all the employees, [and if] you get a really high percentage of successful hits [you know more education is needed]. It's not really about technology. It's about the end-user. But at the same time we need to make sure that we don't put all the burdens just on the end-user. I can sit here and say the end-user is not trained enough to use the system, so we really need to make sure that technology works seamlessly in the background without putting too much burden on the end-user.
Preventing Social Engineering
KITTEN: Is there anything that the industry can do to prevent socially engineered schemes from being so successful?
BAUMHOF: I think we need to be much more open and say, "This is a problem and let's work on solutions for this problem." They're still out in the industry with this perception that, "I can't talk openly about what things are happening," simply because then people would actually be scared of using the online channel, online transactions or Internet banking in some way or form. In some ways, to be more open could be actually a good thing because then you can actually collaborate. Let's say I'm an online business and I tell my customers for years and years and years everything is fine; everything is safe; we protect everything. As a user I'm led to believe that everything's fantastic.
And then, we need to have more education, but not just education in terms of putting the burden to the end-user, really more education in making the technology with user education combined together and then I think we can make a difference there.
KITTEN: I wanted to ask you about the new domain-naming system initiative, which calls for high-level domain names to be approved or vetted by industry boards and groups. On the financial side, we have the ABA and FS-ISAC that have applied for the .bank domain name. I'm wondering if you think this new domain-naming system might help to disrupt some of these socially engineered schemes that we see today.
BAUMHOF: Yes and no. Obviously we have a lot from phishing sites, and phishing sites, by definition, use unofficial domain names. People don't really tend to put too much emphasis on this. Security professionals and industry groups, for example, theoretically, if a domain is within this group to a certain degree, you could have a browser security policy that says, "This domain is vetted and in this approved group, or certain content [from] this page needs to be in the approved group as well." That would make man-in-the-browser injections much, much harder to do.
A couple of years ago, Financial Technology Consulting, which is now FTC [and] part of BITS, [had] an idea called Safe Browsing. [It called for including] not just the individual domain, but including every external resource that's referenced by this domain. ... That could make a big difference for the man-in-the-browser injections.
KITTEN: Before we close, I wanted to ask what you think institutions and organizations across the board should be doing right now to better protect themselves and their customers from some of these increasingly sophisticated attacks.
BAUMHOF: Most attacks boil down to two use cases. The first use case is either the fraud will steal personal information, like a credit card number, for example, or the log-in details, which they use in some way then at the lighter stage. Or fraudsters, who have some fully automated set-up, like High Roller for example, in the financial institutions space where they could take a username and password and do a fully automated transaction in the background.
For both of these new cases there are solutions out there making sure to look at the data that's available to detect anomalies, to detect these kinds of things. For example, device imprinting will help with the use case of someone stealing your personal information. If I see your username and password, and if I'm trying to log in to your banking account from my device, the bank would see that there's someone trying to log into Tracy's account from a computer we've never ever seen. It comes from a completely different location and more from an automated point-of-view where you have those man-in-the-browser injections, you would be alerted the first time someone would try to log into your bank and the bank's website has been altered; it has been changed with a man-in-the-browser Trojan. There's technology out there that obviously goes in the same way. Technology alone will not solve the problem. User education will make a big difference.
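The two server-side checks Baumhof describes in the interview, a login from a device and location the bank has never seen on that account, and one device attempting logins to many different accounts, can be illustrated with a small detector. The following is an added example, not code from the interview or from ThreatMetrix; the login records, device identifiers, country codes and the fan-out threshold are constructed assumptions, and "device_id" stands in for whatever device fingerprint the institution actually computes.

```python
from collections import defaultdict

# Constructed sample history (not real data): successful logins that form
# each account's baseline of known (device, country) pairs.
BASELINE = [
    ("tracy", "dev-A1", "US"),
    ("tracy", "dev-A1", "US"),
    ("bob",   "dev-B7", "US"),
    ("carol", "dev-C3", "DE"),
]

# Constructed live login attempts to score. The assumed device "dev-Z9"
# shows up on several unrelated accounts, the pattern of one compromised
# computer or one fraudster working through a list of stolen credentials.
LIVE = [
    ("tracy", "dev-A1", "US"),   # known device and country: no alert
    ("tracy", "dev-Z9", "RO"),   # device this account has never used
    ("bob",   "dev-Z9", "RO"),
    ("carol", "dev-Z9", "RO"),
    ("dave",  "dev-Z9", "RO"),   # account with no history at all
    ("carol", "dev-C3", "US"),   # known device, but from a new country
]


def build_profiles(baseline):
    """Map each account to the set of (device_id, country) pairs in its history."""
    profiles = defaultdict(set)
    for account, device_id, country in baseline:
        profiles[account].add((device_id, country))
    return profiles


def detect_anomalies(baseline, live, fanout_threshold=3):
    """Score live login attempts against the baseline.

    Returns a list of alert dicts:
      - kind "unknown_device": the account has never logged in from device_id
      - kind "new_location":   known device for the account, but a new country
      - kind "device_fanout":  one device_id tried >= fanout_threshold accounts
    """
    profiles = build_profiles(baseline)
    accounts_per_device = defaultdict(set)
    alerts = []

    for account, device_id, country in live:
        accounts_per_device[device_id].add(account)
        known = profiles.get(account, set())
        if (device_id, country) in known:
            continue  # matches the account's own history
        known_devices = {dev for dev, _ in known}
        kind = "new_location" if device_id in known_devices else "unknown_device"
        alerts.append({"kind": kind, "account": account,
                       "device_id": device_id, "country": country})

    # Per-device view: the same device hitting many accounts is suspicious
    # even when each individual login looks like an ordinary credential use.
    for device_id, accounts in accounts_per_device.items():
        if len(accounts) >= fanout_threshold:
            alerts.append({"kind": "device_fanout", "device_id": device_id,
                           "accounts": sorted(accounts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE, LIVE):
        print(alert)
```

In practice the baseline would be built from months of successful, undisputed logins rather than a handful of rows, and the fan-out threshold would be tuned against shared devices such as family computers or branch kiosks; the point of the example is that both signals come entirely from server-side data, with no agent on the customer's PC.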