New, Improved Trojans Target Banks

Security Experts: Malware Variants Seek Corporate Accounts
Security researchers are warning financial institutions about the Qakbot Trojan, a rare kind of malware that is allegedly infiltrating large banks and other global financial institutions. It's unlike other types of malware because it has the ability to spread like a worm, but still infect users like a Trojan.

The Qakbot Trojan, named for its primary executable file, _qakbot.dll, is not new, but its method of attack sets it apart from better-known Trojans such as Zeus: it can infect multiple computers at a time. It is the only Trojan known to exclusively target U.S. banks, says RSA security researcher Uri Rivner.

Trojan Is Very Targeted

The more well-known Trojans and their variants, Zeus and Spyeye, are all available for sale on the black market, says Rivner, head of new technologies, consumer identity protection at RSA, The Security Division of EMC. Qakbot, first discovered by Symantec in 2007, is most likely being run by one group. "It is not available as a kit on the Internet, or offered for sale," Rivner says. Instead, it is likely that an organized crime group developed it, focusing on their own specific methods, and tailored the Trojan to a specific segment -- large banks and their commercial customers.

Rivner will not identify specific institutions struck by Qakbot, but RSA's researchers have identified a series of unique attributes that make this Trojan stand apart. For example: Qakbot is the first Trojan seen to exclusively target corporate financial accounts. It is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary banker Trojan. Qakbot is the first Trojan to separate out targeted credentials from other stolen information on the client side, rather than in a drop zone.

Hybrid of Worm/Trojan

The fact that Qakbot combines the attributes of a worm and a Trojan is unique, Rivner says. "You don't usually see this, because a worm is easily detected once it gets on a network. The chances are much higher after 1,000 computers are infected, it would be detected, where Trojans are more stealthy."

Qakbot shows itself to be highly sophisticated, "just by the amount of information it is trying to capture," Rivner says. It even blocks IP addresses of researchers who are trying to study it. "It wants to make sure that no one can penetrate it," he says.

Qakbot's most famous attack was on the UK's National Health Service network earlier this year. The worm-Trojan hit the huge healthcare system's network so fast that forensic pros investigating the attack later said that 4 gigabytes of data were taken in a short time period. While there was no evidence that medical data was compromised, other data was taken, including login credentials from Facebook, Twitter, Hotmail, Gmail and Yahoo. All were seen being funneled through NHS-monitored servers.

Once on a computer, Qakbot divides and filters the data it takes into different segments before it is sent via FTP accounts. Rivner describes it as a "life grabber," as it steals everything that a user is doing.

In addition, the malware is unique in that it prefers shared networks, copying its executable file into shared directories, which enables it to propagate and contaminate every computer on the corporate network.

Researchers are still investigating how the malware moves money out of corporate bank accounts. So far researchers say there are no traces of HTML or JavaScript code injections or Web Trojan attacks such as Man-in-the-Browser.

Rivner says the malware's focus on corporate accounts is simply a matter of economics. The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts. He speculates that some of the recently revealed ACH fraud at U.S. companies may be linked to Qakbot, despite its low prevalence in the wild.

While Qakbot is not the first and only Trojan to target large corporate accounts, so far Rivner says it is the only one that shows this type of strict "preference" by design, and with no exceptions.

Gozi Trojan Variant Undetectable

In another disturbing find, security researchers at TrustDefender Labs have found a new Gozi Trojan variant that shows a zero percent detection rate. The Trojan targets financial institutions and is invisible to the most widely used anti-virus software.

Gozi has been attacking banks for three years, but has managed to stay low and undetected. TrustDefender researchers warn that by targeting specific financial institutions, mainly business and corporate banking, Gozi has avoided wider attention from businesses as the Zeus Trojan has grabbed the headlines.

The new Gozi variant has many of the same characteristics as its earlier variants that were researched a year ago. Gozi developers evade signature patterns so thoroughly that the history of the Trojan is mostly unknown. TrustDefender's CTO Andreas Baumhof states that an increasing number of Trojans are using SSL and HTTPS to hide their presence. Gozi is also using client-side logic to get around two-factor authentication, as are other Trojans including Zeus, Spyeye and Carberp.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
