A look at the trends in production and types of Trojan malware
Cyber crime continues to show no signs of slowing down. In fact, 2011 marked a year of new advanced threats and an increased level of sophistication in the attacks witnessed around the globe.
Through 2011, we observed that Zeus 2.0 dominated as the leading financial Trojan. Indisputably the most widely spread financial malware in the world, Zeus is responsible for around 80 per cent of all attacks against financial institutions today and is estimated to have caused over $1 billion in global losses in the last five years.
One notable observation concerned the financial attacks connected to the SpyEye Trojan. Financial cyber crime attributed to SpyEye variants decreased over the course of the year, falling from 19 per cent of attacks in Q1 ‘11 to only 4 per cent in Q3 ‘11.
At this time, however, SpyEye continues to be the most costly Trojan code sold in the black market. It sells for a few thousand dollars for a basic kit, with separate plug-ins averaging about $1,000 each. SpyEye is also technically complex, which has made it difficult for the average cyber criminal to use effectively.
There are a couple of trends when it comes to Trojan malware that are expected to continue this year.
A growing trend in cybercrime code will further carry Zeus (ZitMo) and SpyEye (SpitMo) over to various mobile platforms. The main purpose of spreading these will be to steal data such as SMS codes. “InfoStealers” for the mobile platform are also likely to emerge, with Trojans designed to keylog touch-screen input and monitor data traffic through the mobile device.
Privately-owned and geo-specific Trojan development is expected to be on the rise. Last year, cyber criminals demanded more customised Trojans built for the fraud operations they planned to execute. For example, there was increased development of private Trojans as well as code adapted to specific geographies. The Shiz Trojan, targeted at Russian banking applications, is one such example.
Banking Trojans might be sold under varying business models. The sophisticated business models used by cyber criminals have allowed tools and services once reserved for the cybercrime elite to be made available on the black market as commodities. The more savvy criminals offer their goods and services to those who are just starting out or who need set-up and instructions. Whether selling off-the-shelf botnets, Trojans by the binary, or Zeus recompiles, the underground is loaded with tools that allow any “newbie” cybercriminal to launch an attack.
Fraud tools have evolved in a very short time – from how they are sold and packaged to the obvious decrease in price as they are commoditised. Earlier, the full version of SpyEye would cost $4,000. Now it is available with set-up and injections for $600. Zeus, which cost $10,000, is now priced at $380 for two.
Cybercriminals are in a perpetual arms race against security professionals and the prevention tools they develop. One recent example highlighting this trend is the ‘Malware Guard’, a botnet-protection tool. It was designed to harden a botnet's security and block any possibly ‘hostile’ IPs from reaching it (i.e., an IP address originating from a security researcher's lab). The application, made to plug-and-play with the explicit purpose of protecting bot-herders and their infrastructures, is available for sale in the black market for $250.
Due to stronger security, the blocking of scripts, and the locking down of communication between banks' servers and online customers, Trojan developers are resorting to remote control-assisted manual attacks using the victim's own device. This type of fraud takes longer and requires hands-on action by the cyber criminal; it is thus linked with the more lucrative attacks on corporate accounts.
In terms of attack methods and the improvement of existing mechanisms, cyber criminals are commonly using two distinct Trojan-assisted manual attack methods to commit financial fraud.
Bank Web sites on which Trojan scripts no longer execute successfully, or where the bank server's communication has been locked once the session is activated, have pushed cyber criminals away from automated fraud transactions and back into manual attacks. The move to manual attacks has considerably slowed down the transaction rate. It would also be logical to expect malware authors to attempt to develop a new type of code to bypass the hurdles that have impeded the use of automated transactions.
(The author is Country Manager, RSA India & SAARC)