Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 71
AUGUST 30, 2010
ZeuS Variant Trails Target on U.S. Military Bank
The concept of cybercrime may be difficult to grasp, particularly for users who have never experienced it firsthand. For victims, however, cybercrime is as real and pressing as the fact that they unwittingly lost their hard-earned money. Whether the money was retirement funds or entrepreneurial investments, the fact remains that cybercriminals have successfully stolen millions of dollars from unsuspecting users. High on the list of preferred tools of the trade is ZeuS/ZBOT, a crimeware toolkit that has played, and still plays, a significant role in the cybercriminal world.
The Threat Defined
ZeuS: A Persistent Cybercrime Enterprise
Various changes and improvements have allowed ZeuS to remain one of the most effective and efficient crimeware
tools today. It is consistently being used as a crimeware kit to steal users’ online banking credentials. It has likewise
played a significant role in several instances that led to major financial losses, some of which left businesses on
the brink of bankruptcy.
In addition to significant ZeuS technology upgrades, there has also been an increase in ZeuS-related attacks that
have been seemingly created with specific individuals or companies in mind. The recent targeted ZeuS attacks
include tailor-made spammed messages and variants targeting Russian banks. These notable developments
indicate that the cybercriminal minds behind ZeuS are constantly finding new ways to increase the effectiveness of
their malicious creations.
Current Target: U.S. Military Personnel
Advanced threats researcher Robert McArdle recently discovered another targeted ZeuS attack, which involved a spammed message informing recipients that their Bank of America Military Bank accounts need to be updated. It then advised them to click a link that redirects to a fake but almost-identical bank login page. In reality, however, this bogus page is hosted in Russia.
The bogus login page does not validate credentials at all. Once users input any user name and password combination, they are brought to a page that hosts Update Tool, a malicious .EXE file Trend Micro detects as TSPY_ZBOT.BIZ. Users are told to install this on their systems so that their accounts will comply with the requirements of the new login system.
Figure 1. TSPY_ZBOT.BIZ infection diagram
Particularly noteworthy, however, is the fact that the website uses a kit that attempts to automatically infect systems by exploiting vulnerabilities in browsers and browser plug-ins. While the use of an exploit kit is not entirely novel, using an entire suite of browser exploits increases the probability of system infection in this attack. As a result, users who fall into the masterfully made trap do not even have to download and run the file themselves: the exploit kit is the primary infection vector, and the download link serves only as a fallback for systems on which the exploits fail.
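As an added example (not Trend Micro's code and not part of the original report), the following Python script reconstructs the chain just described from a Web proxy log: a credential POST to a host that merely looks like the bank's, followed within minutes by an executable download from the same registered domain. The log lines, the host secure-bofa-update.example.net, the paths, the client addresses, and the brand tokens and bank domain the script checks against are all constructed assumptions for this example; only the file name updatetool.exe and the order of the steps come from the report.

```python
"""Reconstruct the phishing-to-ZBOT chain from a Web proxy log.

Added example, not Trend Micro's code. The log lines below are constructed
and every host, path and address in them is hypothetical. What it encodes
from the write-up: a login page on a host that only looks like the bank's
accepts any credentials, and the next page offers updatetool.exe. Because
the site also runs browser exploits, the credential POST alone is reported
as a finding; the executable download is a second, stronger one.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions for this example: the bank's real registered domain and the
# brand tokens a lookalike host or path would carry.
BANK_DOMAINS = {"bankofamerica.com"}
BRAND_TOKENS = ("bankofamerica", "bofa")
LOGIN_HINTS = ("login", "signin", "logon", "update")
EXE_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXE_EXTENSIONS = (".exe", ".scr")

# Constructed log, one request per line:
# "timestamp client method url status content-type"
CONSTRUCTED_LOG = """\
2010-08-27 09:14:02 10.0.0.23 GET http://mail.example.org/inbox 200 text/html
2010-08-27 09:14:40 10.0.0.23 GET http://secure-bofa-update.example.net/military/login.php 200 text/html
2010-08-27 09:15:05 10.0.0.23 POST http://secure-bofa-update.example.net/military/login.php 302 text/html
2010-08-27 09:15:06 10.0.0.23 GET http://secure-bofa-update.example.net/military/update.php 200 text/html
2010-08-27 09:15:09 10.0.0.23 GET http://secure-bofa-update.example.net/military/updatetool.exe 200 application/x-msdownload
2010-08-27 09:30:00 10.0.0.44 GET https://www.bankofamerica.com/login 200 text/html
2010-08-27 09:30:20 10.0.0.44 POST https://www.bankofamerica.com/login 302 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


def parse_line(line):
    """One log line -> dict with parsed timestamp, host and path; None if no match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path.lower()
    return rec


def registered_domain(host):
    # Two-label cut is enough for the sample; use a public-suffix list in
    # production so that .co.uk and friends are handled correctly.
    return ".".join(host.split(".")[-2:])


def looks_like_bank(rec):
    """Host or path carries a bank brand token (the lure)."""
    return any(tok in rec["host"] or tok in rec["path"] for tok in BRAND_TOKENS)


def is_credential_post(rec):
    return rec["method"] == "POST" and any(h in rec["path"] for h in LOGIN_HINTS)


def is_executable(rec):
    return rec["ctype"].lower() in EXE_CONTENT_TYPES or rec["path"].endswith(EXE_EXTENSIONS)


def find_chains(lines, window=timedelta(minutes=5)):
    """Return findings in log order. Assumes the log is chronological."""
    records = [r for r in map(parse_line, lines) if r]
    findings = []
    for i, rec in enumerate(records):
        if not (is_credential_post(rec) and looks_like_bank(rec)):
            continue
        domain = registered_domain(rec["host"])
        if domain in BANK_DOMAINS:
            continue  # credentials went to the real bank
        findings.append({"kind": "credential_post", "client": rec["client"],
                         "url": rec["url"], "ts": rec["ts"]})
        # Same client fetching an executable from the same domain shortly after.
        for later in records[i + 1:]:
            if later["ts"] - rec["ts"] > window:
                break
            if (later["client"] == rec["client"]
                    and registered_domain(later["host"]) == domain
                    and is_executable(later)):
                findings.append({"kind": "exe_download", "client": later["client"],
                                 "url": later["url"], "ts": later["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_chains(CONSTRUCTED_LOG.splitlines()):
        print(f["ts"], f["client"], f["kind"], f["url"])
```

Run against the constructed log, the script reports the 10.0.0.23 credential POST and the updatetool.exe download that follows it, and stays silent about the 10.0.0.44 login to the bank's own domain. Reporting the POST on its own matters because, with the exploit kit in play, an infected system may never request the executable at all.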
Old Tactics Made New
It is also worth noting that a similar attack was spotted last year. Instead of a spammed message targeting U.S. military personnel, however, that attack leveraged a spammed message that led users to a bogus Facebook login page. The phishing site also contained a Web exploit toolkit that launched browser attacks, depending on users' browsers and OSs.
The use of a download page prompting users to save a file named updatetool.exe was another familiar tactic. Incidentally, the final payload of that attack was also a ZeuS variant.
The striking similarity between these two distinct attacks may mean that only one gang is behind them. It is, however, also likely that the new attack is merely an example of how cybercriminals learn from other criminals' success stories. As the old adage goes, imitation is the sincerest form of flattery.
Figure 2. Download pages posing as Bank of America and Facebook login pages
User Risks and Exposure
One of the primary risks in the proliferation of targeted attacks is the increased possibility of system infection. When users are faced with spammed messages or sites that are particularly believable, they are more likely to let their guard down. In the recent attack, U.S. military personnel face increased risk should the spammed message end up in their inboxes. Given today's increasingly complex threat landscape, it is good practice to always check for authenticity, especially when there is money involved.
As previously discussed, online banking undeniably offers both convenience and risks. As such, information
continues to play a key role in protecting users from online threats like ZeuS. Understanding how ZeuS works and
how it propagates is a critical step in keeping up with the notorious malware and in preventing system infections.
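The "check for authenticity" advice above can be turned into a mechanical check on a suspicious message. The following Python script is an added example, not code from the original report: it parses the HTML of a message, and flags any link whose visible text or host names the bank while the href's registered domain is not the bank's. The message body, the host secure-bofa-update.example.net, the bank domain and the brand tokens are constructed assumptions for this example; the lure wording is modelled on the spammed message the report describes.

```python
"""Flag links in a spammed message that claim to be the bank but point elsewhere.

Added example, not Trend Micro's code. The e-mail body below is constructed;
the host, path and bank domain in it are assumptions for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_DOMAINS = {"bankofamerica.com"}  # assumption: the bank's real domain
BRAND_TOKENS = ("bankofamerica", "bank of america", "bofa", "military bank")

# Constructed lure, modelled on the message described in the report.
CONSTRUCTED_EMAIL = """\
<html><body>
<p>Dear Customer, your Bank of America Military Bank account must be updated
to the new login system.</p>
<p>Please <a href="http://secure-bofa-update.example.net/military/login.php">
sign in at https://www.bankofamerica.com/military</a> to install the Update Tool.</p>
<p>Questions? Visit <a href="https://www.bankofamerica.com/help">our help center</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def registered_domain(host):
    # Two-label cut; use a public-suffix list in production.
    return ".".join(host.lower().split(".")[-2:])


def claims_brand(text):
    t = text.lower()
    return any(tok in t for tok in BRAND_TOKENS)


def suspicious_links(html):
    """Return links whose claim (text or host) and destination disagree."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        domain = registered_domain(host)
        reasons = []
        if claims_brand(text) and domain not in BANK_DOMAINS:
            reasons.append("text names the bank, href does not")
        if claims_brand(host) and domain not in BANK_DOMAINS:
            reasons.append("lookalike host")
        if parts.scheme == "http" and claims_brand(text + " " + host):
            reasons.append("bank link over plain http")
        if reasons:
            hits.append({"href": href, "text": text, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_links(CONSTRUCTED_EMAIL):
        print(hit["href"], "<-", hit["text"], "|", "; ".join(hit["reasons"]))
```

On the constructed message only the login link is flagged: its visible text shows a bankofamerica.com address and its host carries the bank's name, but the link resolves to a different registered domain over plain HTTP. The help link, which really points at the bank's domain, passes. The same check applies to any brand by swapping the domain set and tokens.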
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
In this particular attack, Smart Protection Network’s email reputation technology blocks all messages related to this
spam run from even reaching users’ inboxes. File reputation technology, meanwhile, immediately detects and
deletes malicious files like TSPY_ZBOT.BIZ from systems. Finally, Web reputation technology blocks user access
to malicious sites from which malware may be downloaded as well as the upload (HTTP POST) of any stolen data.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/zeus-variant-targets-us-military-personnel/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.BIZ
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.CCB
Other related posts are found here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/26oct09_web_threat_spotlight_issue_49_zbotzeus_sends_out_tailor-made_spam.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/68_new_zeuszbot__variant_targets_russian_banks__july_19_2010_.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/122109_web_threat_spotlight_issue_53_facebook_phishing_page_leads_to_exploits_and_zbot.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/62_security_threats_loom_over_online_banking__june_28__2010_.pdf