Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.


ISSUE NO. 71
AUGUST 30, 2010

ZeuS Variant Trails Target on U.S. Military Bank
The concept of cybercrime may be difficult to grasp, particularly for users who have never experienced it firsthand. For victims, however,
cybercrime is as real and pressing as the fact that they unwittingly lost their hard-earned money. Whether retirement funds or entrepreneurial
investments, the fact remains that cybercriminals have successfully stolen millions of dollars from unsuspecting users. Included in the list of
preferred tools of the trade is ZeuS/ZBOT, a crimeware toolkit that has played and is still playing a significant role in the cybercriminal world.

The Threat Defined
ZeuS: A Persistent Cybercrime Enterprise
Various changes and improvements have allowed ZeuS to remain one of the most effective and efficient crimeware
tools today. It is consistently being used as a crimeware kit to steal users’ online banking credentials. It has likewise
played a significant role in several instances that led to major financial losses, some of which left businesses on
the brink of bankruptcy.
In addition to significant ZeuS technology upgrades, there has also been an increase in ZeuS-related attacks that
have been seemingly created with specific individuals or companies in mind. The recent targeted ZeuS attacks
include tailor-made spammed messages and variants targeting Russian banks. These notable developments
indicate that the cybercriminal minds behind ZeuS are constantly finding new ways to increase the effectiveness of
their malicious creations.
Current Target: U.S. Military Personnel
Advanced threats researcher Robert McArdle recently discovered another targeted ZeuS attack, which involved a
spammed message informing recipients that their Bank of America Military Bank accounts need to be updated. It then
advised them to click a link that redirects to a fake but almost-identical bank login page. In reality, however, this
bogus page is hosted in Russia.
Once users input any user name and password combination, they will be brought to a page that hosts Update Tool, a
malicious .EXE file Trend Micro detects as TSPY_ZBOT.BIZ. Users should supposedly install this on their systems to
ensure that their accounts will comply with the requirements of the new login system.
Figure 1. TSPY_ZBOT.BIZ infection diagram
Particularly noteworthy, however, is the fact that the website uses a kit that attempts to automatically infect systems
by exploiting vulnerabilities in browsers and browser plug-ins. While the use of an exploit kit is not entirely novel,
using an entire suite of browser exploits increases the probability of system infection in this attack. As a result,
users who fall into the masterfully made trap do not even have to manually download the file. As such, the
download link just serves as a last-resort attack vector.

Old Tactics Made New
It would also be interesting to note that a similar attack was spotted last year. Instead of a spammed message
targeting U.S. military personnel, however, the attack leveraged a spammed message that led users to a bogus
Facebook login page. The phishing site also contained a Web exploit toolkit that launched browser attacks,
depending on users’ browsers and OSs.
The use of a download page prompting users to save a file named updatetool.exe was another familiar tactic.
Incidentally, the final payload of the said attack is also a ZeuS variant.
The striking similarity between these two distinct attacks may mean that only one gang is behind them. It is,
however, also likely that the new attack is merely an example of how cybercriminals learn from other criminals’
success stories. As the old adage goes, imitation is the best form of flattery.
Figure 2. Download pages posing as Bank of America and Facebook login pages
User Risks and Exposure
One of the primary risks in the proliferation of targeted attacks is the increased possibility of system infection. When
users are faced with spammed messages or sites that are particularly believable, they are more likely to put their
guards down. In the recent attack, U.S. military personnel face increased risks should the spammed message end
up in their inboxes. Given today’s increasingly complex threat landscape, it is a good practice to always check for
authenticity especially when there is money involved.
As previously discussed, online banking undeniably offers both convenience and risks. As such, information
continues to play a key role in protecting users from online threats like ZeuS. Understanding how ZeuS works and
how it propagates is a critical step in keeping up with the notorious malware and in preventing system infections.

Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
In this particular attack, Smart Protection Network’s email reputation technology blocks all messages related to this
spam run from even reaching users’ inboxes. File reputation technology, meanwhile, immediately detects and
deletes malicious files like TSPY_ZBOT.BIZ from systems. Finally, Web reputation technology blocks user access
to malicious sites from which malware may be downloaded as well as the upload (HTTP POST) of any stolen data.
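As an added defender's example (not Trend Micro code and not Smart Protection Network logic), the following Python runs over a constructed proxy log and flags the chain this issue describes: a login-form POST to a look-alike host that borrows the bank's name, followed shortly by the same client fetching updatetool.exe. The log format, the legitimate-host allowlist, and every host name, address and timestamp are assumptions constructed for illustration.

```python
"""Detection sketch for the phishing-to-ZeuS-dropper chain described above.

Added example, not Trend Micro code. The proxy log format and all hosts,
addresses and timestamps are constructed for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts legitimately allowed to receive Bank of America login forms (assumption).
LEGIT_BANK_HOSTS = {"www.bankofamerica.com", "secure.bankofamerica.com"}
# Brand strings a look-alike phishing host is likely to borrow.
BRAND_TOKENS = ("bankofamerica", "militarybank", "facebook")
# File name used by the download page in both attacks discussed on this page.
SUSPECT_FILENAMES = ("updatetool.exe",)
# How soon after a look-alike login POST an .exe fetch counts as the same chain.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed proxy log, one request per line: "<iso-time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2010-08-30T09:12:01 10.0.0.5 GET http://www.bankofamerica.com/ 200
2010-08-30T09:12:40 10.0.0.5 POST https://secure.bankofamerica.com/login 302
2010-08-30T09:15:02 10.0.0.7 GET http://bankofamerica-militarybank.example.ru/login.php 200
2010-08-30T09:15:31 10.0.0.7 POST http://bankofamerica-militarybank.example.ru/login.php 302
2010-08-30T09:15:33 10.0.0.7 GET http://bankofamerica-militarybank.example.ru/update/updatetool.exe 200
2010-08-30T09:20:10 10.0.0.9 GET http://cdn.example.com/tools/UpdateTool.exe 200
"""


def parse_line(line):
    ts, client, method, url, status = line.split()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path, "status": int(status)}


def is_lookalike_login_post(ev):
    """POST to a login-ish path on a host that borrows a brand name but is not
    one of the legitimate hosts: the credential-phishing step of the chain."""
    if ev["method"] != "POST" or "login" not in ev["path"].lower():
        return False
    return ev["host"] not in LEGIT_BANK_HOSTS and any(t in ev["host"] for t in BRAND_TOKENS)


def is_suspect_download(ev):
    """GET of a file whose name matches the dropper name seen in this issue."""
    name = ev["path"].rsplit("/", 1)[-1].lower()
    return ev["method"] == "GET" and name in SUSPECT_FILENAMES


def detect(log_text):
    """Return (client, kind, host) alerts. Each signal is flagged on its own; an
    .exe fetched within CORRELATION_WINDOW of a look-alike login POST from the
    same client is escalated to 'phish_then_dropper'."""
    alerts = []
    last_phish_post = {}  # client -> time of its most recent look-alike POST
    for line in log_text.splitlines():
        ev = parse_line(line)
        if is_lookalike_login_post(ev):
            last_phish_post[ev["client"]] = ev["ts"]
            alerts.append((ev["client"], "lookalike_login_post", ev["host"]))
        if is_suspect_download(ev):
            prior = last_phish_post.get(ev["client"])
            kind = "suspect_download"
            if prior is not None and ev["ts"] - prior <= CORRELATION_WINDOW:
                kind = "phish_then_dropper"
            alerts.append((ev["client"], kind, ev["host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The legitimate login POST from 10.0.0.5 produces no alert; the 10.0.0.7 sequence is escalated because the dropper fetch follows the look-alike POST within the window.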
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/zeus-variant-targets-us-military-personnel/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.BIZ
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.CCB

Other related posts are found here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/26oct09_web_threat_spotlight_issue_49_zbotzeus_sends_out_tailor-made_spam.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/68_new_zeuszbot__variant_targets_russian_banks__july_19_2010_.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/122109_web_threat_spotlight_issue_53_facebook_phishing_page_leads_to_exploits_and_zbot.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/62_security_threats_loom_over_online_banking__june_28__2010_.pdf
