Gozi-Prinimalka is a sophisticated Trojan that was first identified by RSA researchers last October. Now, new findings from McAfee support RSA's prediction that Prinimalka is expected to take aim at 30 U.S. banking institutions this spring, and the campaign poses a serious threat.
Ryan Sherstobitoff, a McAfee threat researcher, writes in a report about the blitzkrieg-like attack that this Gozi variant offers some unique innovations.
"The Trojan is supported by an innovative technical back-end that provides the botmaster the ability to select drop accounts," Sherstobitoff says in an interview with BankInfoSecurity [transcript below]. "It has detailed information about how to transfer to those drop accounts. It even gives statistics about who's online by what financial institution."
Thirty U.S. banking institutions have been named in underground forums as targets for the attacks, Sherstobitoff says. But he warns that all institutions should have Prinimalka on their defense radars this year.
Sherstobitoff recommends anomaly detection. "[It's] always the wisest thing to use, given that there aren't really any other artifacts, other than looking for odd connection times and IP addresses that don't match the typical user's connecting IP addresses," he says. "Also, because they're going to be duplicating the settings into a virtual machine, it will allow the fraudster to connect from that machine from anywhere in the world," Sherstobitoff says. "If you're using anomaly detection, these inconsistencies will be spotted quite easily."
During this interview, Sherstobitoff explains:
- Prinimalka's innovative back-end and coordinated attack effort;
- Why some security researchers have been skeptical of this emerging Trojan and its planned attack;
- Steps all banking institutions should take to protect themselves and their customers' accounts.
Sherstobitoff is a McAfee threat researcher who focuses on cyberfraud research and threat intelligence. Before joining McAfee, he was a threat researcher at Guardian Analytics, where he focused on tracking financial fraud for mid-sized banks. Sherstobitoff was also chief corporate evangelist at Panda Security, where he managed the U.S. strategic response for new and emerging threats. He is widely recognized as a security and cloud-computing expert.
TRACY KITTEN: When RSA identified this Gozi variant, it noted that the Trojan stood out for a couple of reasons: it's ability to bypass two-factor authentication methods commonly used in the U.S., coupled with the coordinated effort developers of the Trojan were spearheading to enlist the assistance of a hundred botmasters to help with the attack. What have you learned beyond what RSA told us in October?
RYAN SHERSTOBITOFF: We have learned that the campaign that was announced in the underground forum, indeed, did have credibility to it, and we have learned that they're using a strategy to keep under the radar by infecting a select number of individuals that have higher dollar balances to make targeting worthwhile.
In addition, we have also discovered that Gozi-Prinimalka has been around since 2008 and has been used in a number of other campaigns leading up to the official announcement of Project Blitzkrieg.
KITTEN: What's a blitzkrieg-like attack?
SHERSTOBITOFF: A blitzkrieg-type attack would be doing a massive campaign against hundreds of victims and stealing large amounts of money, hence it would be widely spread and widely infecting.
Trojan Capabilities and Botmaster Recruitment
KITTEN: What have you learned about this Trojan's capabilities and the botmaster recruitment efforts?
SHERSTOBITOFF: We've learned that the Trojan is supported by an innovative technical back-end that provides the botmaster the ability to select drop accounts. It has detailed information about how to transfer to those drop accounts. It also gives statistics about who's online by what financial institution. In addition, the Trojan has a number of interesting characteristics, such as a virtual machine think module, which is really meant to fool device fingerprinting that relies on identifying user agent strings for other machine-specific settings, and they're hoping to use this to mask themselves. It's really a typical use of Gozi, but in a different flavor supported by a coordinated effort along with an innovative back-end.
KITTEN: The planned attack is aimed at 30 U.S. banking institutions. What can you tell us about those targeted banks?
SHERSTOBITOFF: The targets are a distribution of credit unions, and also [they're] highly focused on investment banking and national large banks across the country. We believe that on the investment-banking side, they're looking for individuals that have high-dollar assets, and that would be the reason for selecting those types of accounts as part of Project Blitzkrieg.
KITTEN: Have you ever seen an attack like this before?
SHERSTOBITOFF: We have seen an attack like this, like Operation High Roller, but then again that wasn't coordinated by different groups like Project Blitzkrieg or advertised. What really makes this kind of interesting and unique is the willingness to recruit other botmasters and the willingness to advertise this Trojan on underground forums and make the campaign known.
KITTEN: Has the list of targeted institutions changed at all since early October, when RSA first announced its discovery of Prinimalka?
KITTEN: Should other institutions that haven't been named be worried?
SHERSTOBITOFF: I would say that everybody should have this on their threat radar for 2013. I wouldn't say that this is a red alarm. I would say [for them to] keep themselves abreast of this type of attack because they can change any of these targets at will.
Questioning Attack's Validity
KITTEN: Some researchers have questioned the validity of this attack. Why have they questioned whether or not this attack is valid?
SHERSTOBITOFF: They're questioning really the aspect of why would he advertise this in an underground forum and why would he be so bold about these claims? Given that the underground community puts a lot more faith into Zeus and SpyEye, there's a lot of speculation surmounting that initial claim. However, the research that we performed put additional color and insight into the claims made.
For example, there was a blitzkrieg pilot campaign that occurred in early 2012. We were able to actually track, based on the screenshot that was posted in the underground forum, the exact variance of Prinimalka that was used to attack consumers across the country and were able to correlate and estimate an average of between 300-500 victims.
In addition, Sept. 9 he posted the advertisement. After that, he said that a couple of weeks later he will be releasing Prinimalka, not mentioning the Trojan's name, and we saw a new campaign operating out of Romania spring up Oct. 1 and officially end on Nov. 30.
KITTEN: What new information have you uncovered that makes you believe that the attack will actually hit in the spring?
SHERSTOBITOFF: The evidence is that subsequent activity that led all the way up until the end of November, given that some say that he's called it off all together and some say that he has disappeared. But we saw activity as recent as the end of November, given that it's in its planning stages and some of the variance had robust infrastructure in terms of where they're hosting. It's possible that this can happen in 2013, but in a different form than what he initially advertised.
Advice for Institutions
KITTEN: Before we close, can you give some advice to banking institutions about how they might prepare or defend themselves against these attacks?
SHERSTOBITOFF: In these cases, anomaly detection is always the wisest thing to use, given that there aren't really any other artifacts, other than looking for odd connection times and IP addresses that don't match the typical user's connecting IP addresses. Also, because they're going to be duplicating the settings into a virtual machine, it will allow the fraudster to connect from that machine from anywhere in the world. Typically, if you're using anomaly detection, these inconsistencies will be spotted quite easily, given this is not a sophisticated attack like some automated messages were.