Keep It Simple, Stupid: The Zeus Version

September 24, 2013
| |
3 min read

IBM’s Amit Klein blogged in 2013 about two malware families called Tinba and Tilon and how they were going back to basics. He said we are witnessing an interesting trend: Organizations are rolling out advanced malware detection systems that force malware authors to drop some of their more advanced techniques and reuse older techniques that were abandoned years ago. The latest example of this trend is a Zeus variant that was detected by the IBM Security Trusteer research team this month. Using a unique HTML injection mechanism and static mule accounts, this malware is now targeting banks in Eastern Europe by covertly manipulating and performing transactions on the end user’s behalf.

In the last couple of years, many organizations took note of the malware threat and deployed advanced malware detection systems. These new security solutions were familiar with all the latest tricks that malware authors had to offer and contained effective countermeasures. But malware authors (and their criminal clients) did not sit idly by while their attacks were detected and eliminated; they fought back. Here are just three examples of such cases, examining the original criminal threat, the banks’ countermeasure and the criminals’ response to the countermeasure.

Case One

Cyber criminals use stolen user credentials to commit fraud from their own devices. Security solutions then start using device ID and device reputation techniques to identify criminal devices and logins not originating from the known end user’s device. In response, cyber criminals then use Remote Desktop Protocol (RDP) to connect to the victim’s device and commit the fraudulent activity from that trusted device. Device ID solutions see this as the legitimate client’s device and therefore do not generate an alert.

Case Two

Cyber criminals use automatic scripts that create a fraudulent transaction right after an infected user logs in to the account. Security solutions then start performing velocity tests to all transaction pages. If a transaction form is filled out in less than a second, it’s obviously not a human, and the transaction is challenged or declined. In response, cyber criminals create automatic scripts with a “slow-fill” function that fills out the transaction form in a humanlike way (characters are entered by the script with intervals of 0.1-2 seconds). Velocity tests view the automated script as human and do not generate an alert.

Case Three

Cyber criminals use HTML injections to display additional fields to victims, who fill them out and provide the attackers with more data. Security solutions then compare page input fields to determine if the user is submitting data the bank did not ask for. In response, cyber criminals use malware to inject full pages to the victim rather than alter the original bank page. Effectively, the user is unknowingly filling out a malware-generated page and not communicating with the bank’s website. The bank then only sees the fields expected and does not generate an alert.

The Zeus Variant

The IBM Security Trusteer research team recently identified a Zeus variant that uses a rather curious method to overcome malware detection solutions. This particular variant targets an Eastern European bank, whose transaction form contains typical data fields such as the paying account, transaction amount, beneficiary account, beneficiary name, beneficiary address and a transaction title. An HTML injection is applied to the transaction page that changes the HTML form field names of the beneficiary account number, name, address and transaction data (while leaving the source account field names and transaction amount field names unchanged). This Zeus variant also injects mule account data with the correct field names instead of the altered fields. The victim fills in the transaction details (at the HTML level, the field names for some data are incorrect), submits the form and the bank receives a HTTP request for the transaction only with the correct fields that now specify a receiving mule account.

To recap, the malware uses a hard-coded HTML injection (with static mule account information) to perform fraudulent transactions. This technique, though simple and generally uninvolved, offers two advantages over JavaScript (JS) HTML injection: Fewer “moving parts” (dynamic scripts) means tougher detection for antivirus and anti-malware solutions, and it works on browsers whose users disabled JS for security reasons. Simple and crude — but effective.

Just as users, organizations and security solutions study and adapt to new threats, malware authors remain stealthy by learning new security tactics. IBM Security Trusteer Rapport can detect, mitigate and remove this and other Zeus variants from infected devices. In addition, IBM Security Trusteer Pinpoint Malware Detection can effectively identify and warn organizations of malware-infected devices that attempt to log in and conduct transactions with their website.

Etay Maor
Executive Security Advisor, IBM Security

Etay Maor is an Executive Security Advisor at IBM Security, where he leads security and fraud fighting awareness and research. A security evangelist, Etay re...
read more