New, Improved Trojans Target Banks
Security Experts: Malware Variants Seek Corporate Accounts
The Qakbot Trojan, named for its primary executable file, _qakbot.dll, is not new, but its capabilities and its different mode of attack set it apart from better-known Trojans such as Zeus: it can infect multiple computers at a time. It is the only Trojan known to exclusively target U.S. banks, says RSA security researcher Uri Rivner.
Trojan Is Very Targeted
The better-known Trojans and their variants, Zeus and SpyEye, are all available for sale on the black market, says Rivner, head of new technologies, consumer identity protection at RSA, The Security Division of EMC. Qakbot, first discovered by Symantec in 2007, is most likely being run by one group. "It is not available as a kit on the Internet, or offered for sale," Rivner says. Instead, it is likely that an organized crime group developed it, using its own methods and tailoring the Trojan to a specific segment -- large banks and their commercial customers.
Rivner will not identify specific institutions struck by Qakbot, but RSA's researchers have identified a series of unique attributes that make this Trojan stand apart. For example: Qakbot is the first Trojan seen to exclusively target corporate financial accounts. It is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary banking Trojan. Qakbot is the first Trojan to separate out targeted credentials from other stolen information on the client side, rather than in a drop zone.
Hybrid of Worm/Trojan
The fact that Qakbot combines the attributes of a worm and a Trojan is unique, Rivner says. "You don't usually see this, because a worm is easily detected once it gets on a network. The chances are much higher that after 1,000 computers are infected it would be detected, whereas Trojans are more stealthy."
Qakbot shows itself to be highly sophisticated, "just by the amount of information it is trying to capture," Rivner says. It even blocks IP addresses of researchers who are trying to study it. "It wants to make sure that no one can penetrate it," he says.
Qakbot's most famous attack was on the UK's National Health Service network earlier this year. The worm-Trojan hit the huge healthcare system's network so fast that forensic investigators examining the attack later said that 4 gigabytes of data were taken in a short time period. While there was no evidence that medical data was compromised, other data was taken, including login credentials for Facebook, Twitter, Hotmail, Gmail and Yahoo. All were seen being funneled through NHS-monitored servers.
Once on a computer, Qakbot divides and filters the data it takes into different segments before sending it out via FTP accounts. Rivner describes it as a "life grabber," because it steals everything a user does.
In addition, the malware is unique in that it prefers shared network resources, copying its executable file into shared directories, which enables it to propagate to and contaminate every computer on the corporate network.
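As an added defender-side illustration (this is not code from the article or from RSA's research), the following Python script turns the two behaviours described above into a detection heuristic run over constructed audit lines: a host that writes an executable into several shared directories in quick succession, and the same host pushing a large volume of data out to FTP. The event format, host names, file-server names and addresses are assumptions made for the example; only the file name _qakbot.dll comes from the article.

```python
"""
Defender-side heuristic for the two Qakbot behaviours the article describes:
spreading by copying an executable into shared directories, and exfiltrating
data over FTP. The event format used here is a constructed, simplified one
for this example, not the output of any real product.
"""
import re
from collections import defaultdict

# Constructed sample events in a hypothetical format:
#   <timestamp> <EVENT_KIND> key=value key=value ...
# Hosts, file servers and addresses are made up (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges); _qakbot.dll is the name the article gives.
SAMPLE_LOG_LINES = [
    r"2010-05-03T09:12:01 SHARE_WRITE host=WS-014 path=\\FS1\public\_qakbot.dll",
    r"2010-05-03T09:12:03 SHARE_WRITE host=WS-014 path=\\FS2\finance\_qakbot.dll",
    r"2010-05-03T09:12:04 SHARE_WRITE host=WS-014 path=\\FS3\hr\_qakbot.dll",
    r"2010-05-03T09:15:40 NET_CONN host=WS-014 dst=203.0.113.9 dport=21 bytes_out=1572864",
    r"2010-05-03T09:16:02 NET_CONN host=WS-014 dst=203.0.113.9 dport=21 bytes_out=2097152",
    r"2010-05-03T09:20:00 SHARE_WRITE host=WS-022 path=\\FS1\public\quarterly.xlsx",
    r"2010-05-03T09:21:00 NET_CONN host=WS-022 dst=198.51.100.7 dport=443 bytes_out=4096",
    "this line is malformed and must be skipped",
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")
FTP_PORTS = {"21"}  # FTP control port; the article only says data leaves "via FTP accounts"

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>[A-Z_]+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one event line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "kind": m.group("kind")}
    event.update(KV_RE.findall(m.group("rest")))
    return event


def share_key(unc_path):
    # Reduce a UNC path of the form \\server\share\dir\file to "server\share",
    # so that several drops into the same share count once.
    parts = unc_path.lstrip("\\").split("\\")
    return "\\".join(parts[:2])


def analyse(lines, share_threshold=3, ftp_bytes_threshold=1_000_000):
    """Return {host: [reasons]} for hosts showing worm-like spread and/or bulk FTP upload."""
    exec_drops = defaultdict(set)  # host -> shares that received an executable file
    ftp_bytes = defaultdict(int)   # host -> bytes sent to FTP control ports
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "SHARE_WRITE" and ev.get("path", "").lower().endswith(EXECUTABLE_SUFFIXES):
            exec_drops[ev["host"]].add(share_key(ev["path"]))
        elif ev["kind"] == "NET_CONN" and ev.get("dport") in FTP_PORTS:
            ftp_bytes[ev["host"]] += int(ev.get("bytes_out", "0"))

    findings = {}
    for host in sorted(set(exec_drops) | set(ftp_bytes)):
        reasons = []
        shares = exec_drops.get(host, set())
        if len(shares) >= share_threshold:
            reasons.append(f"executable written to {len(shares)} shares: {sorted(shares)}")
        sent = ftp_bytes.get(host, 0)
        if sent >= ftp_bytes_threshold:
            reasons.append(f"{sent} bytes sent to FTP port 21")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG_LINES).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed input only WS-014 is flagged, for both reasons; WS-022 writes an ordinary spreadsheet to one share and talks HTTPS, so it stays quiet. The two thresholds are deliberately separate knobs: the article's point is that the worm-style spread is what makes Qakbot noisy on a network, so the share-write count is the signal most worth tuning per environment, while the FTP volume check catches the "life grabber" exfiltration even on a host that has not yet spread.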
Rivner says the malware's focus on corporate accounts is simply a matter of economics. The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts. He speculates that some of the recently revealed ACH fraud at U.S. companies may be linked to Qakbot, despite its low prevalence in the wild.
While Qakbot is not the first or only Trojan to target large corporate accounts, Rivner says it is so far the only one that shows this type of strict "preference" by design, with no exceptions.
Gozi Trojan Variant Undetectable
In another disturbing find, security researchers at TrustDefender Labs have found a new Gozi Trojan variant that shows a zero percent detection rate. The Trojan targets financial institutions and is invisible to the most widely used anti-virus software.
Gozi has been attacking banks for three years, but has managed to keep a low profile and stay undetected. TrustDefender researchers warn that by targeting specific financial institutions, mainly business and corporate banking, Gozi has avoided wider attention from businesses while the Zeus Trojan has grabbed the headlines.
The new Gozi variant has many of the same characteristics as its earlier variants, which were researched a year ago. Gozi's developers evade signature-based detection so thoroughly that the Trojan's history is mostly unknown. TrustDefender's CTO Andreas Baumhof states that an increasing number of Trojans are using SSL and HTTPS to hide their presence. Gozi is also using client-side logic to get around two-factor authentication, as are other Trojans including Zeus, SpyEye and Carberp.