Bugat is New Malware of Choice

Cyber Criminals Branching Out from Zeus to Other Trojans
Last week's LinkedIn phishing attack didn't deliver Zeus, the best-known and widely distributed Trojan, say malware researchers, but instead delivered its less well-known cousin, Bugat.

This move is important to watch say researchers who point to the emergence of Bugat as an attempt by cyber criminals to diversify their attack tools, using a platform that is similar to Zeus, but harder to detect.

While Zeus, Clampi and Gozi may be better-known malware, Bugat's attack is similar, says Jason Milletary, SecureWorks' technical director for malware analysis. Bugat can function as a SOCKS proxy server, upload files from the infected computer to a remote server, or download and execute programs.

How Bugat Works

The Bugat Trojan communicates with a command and control server, from which it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.

Malware researchers at Trusteer say the new version of the Bugat malware is used to commit online fraud. This version targets the Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen online banking credentials are used to commit fraudulent ACH and wire transfer transactions, mostly against small to midsized businesses, which result in high-value losses. Bugat is three times more common in the US than in Europe, but its distribution is still fairly low.

In last week's attack, cyber criminals sent emails to LinkedIn users reminding them of pending messages in their accounts and inserted a malicious link. When a victim clicked on the link, they were directed to a fraudulent website where a Java applet downloaded and installed the Bugat executable.
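The lure described above has two checkable properties: the message trades on the LinkedIn brand while its link points somewhere else, and the landing page carries a Java applet that acts as the dropper. The following is an added example, not code from the original article or from any of the vendors quoted, that applies both checks to constructed sample data. The message body, the landing page, the hostname `linkedin.com.example-update.net` and the file name `update.jar` are all made up for illustration and are not indicators from the actual campaign.

```python
"""Flag LinkedIn-themed phishing lures of the kind described above.

Added example with constructed samples, not messages from the original
article or from any real Bugat campaign. Two heuristics:
  1. the message or the visible link text trades on linkedin.com but the
     href's host is not linkedin.com or a subdomain of it;
  2. the landing page embeds a Java applet or references a .jar, which
     in the campaign described was the dropper stage.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "linkedin.com"  # the brand being impersonated


def same_site(host, domain):
    """True if host is domain itself or a subdomain of it.

    An endswith() check on the bare string would accept
    'evil-linkedin.com'; requiring the leading dot does not."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body):
    """Return (href, text) pairs whose host does not belong to the brand
    the message or the link text claims. Heuristic: a branded message
    linking to a legitimate third party will also be reported."""
    parser = LinkCollector()
    parser.feed(html_body)
    claims_brand = TRUSTED_DOMAIN in html_body.lower()
    hits = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        looks_like_brand = TRUSTED_DOMAIN in text.lower()
        if (looks_like_brand or claims_brand) and not same_site(host, TRUSTED_DOMAIN):
            hits.append((href, text))
    return hits


# <applet ...>, a .jar reference, or an <object> tag invoking Java
APPLET_RE = re.compile(r"<applet\b|\.jar\b|<object[^>]+java", re.I)


def has_java_dropper(page_html):
    """True if a fetched landing page carries a Java applet / JAR reference."""
    return bool(APPLET_RE.search(page_html))


# Constructed sample lure and landing page (not real campaign artifacts).
SAMPLE_MAIL = """<p>You have 3 pending messages on LinkedIn.</p>
<a href="http://linkedin.com.example-update.net/inbox">View messages on linkedin.com</a>
<a href="https://www.linkedin.com/help">Help</a>"""

SAMPLE_PAGE = (
    '<html><body><applet code="Loader.class" archive="update.jar">'
    "</applet></body></html>"
)

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_MAIL):
        print("suspicious link:", href, "->", repr(text))
    print("java dropper on landing page:", has_java_dropper(SAMPLE_PAGE))
```

The host check deliberately requires a dot before the trusted domain, since the lookalike `linkedin.com.example-update.net` begins with the brand name but is not under it; the applet check is only meaningful on a page fetched in a sandbox, never by following the link from the victim's mailbox.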

Malware Distribution

Criminals are stepping up their malware distribution efforts by continuously updating configurations of well-known malware such as Zeus, and by using new versions of less common Trojans like Bugat, to avoid detection, says Mickey Boodaei, Trusteer's CEO. He says the industry is in an arms race with criminals.

"Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet," Boodaei says.

These expanding footprints open additional attack vectors, not based on Zeus, that let cyber criminals get into online bank accounts and money transfers, says Avivah Litan, a security analyst at Gartner. One example she points to is the relatively new piece of malware called SpyEye. Litan says it is a "landmark infection that doesn't require administrative privileges on the PC and it does its work in just a couple of hours. It's a hit-and-run type of attack."

Boodaei warns that the recent industry focus on Zeus makes it easier for other Trojans such as Bugat, SpyEye and Carberp, which are less widespread but equally sophisticated, to spread. Carberp currently targets nine banks in the United States, Denmark, the Netherlands, Germany and Israel.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.