Well it was inevitable really, I’ve noticed in the last couple of years Phishing e-mails have started to use targeted lists especially for banking sites and the next up of course is trojans developed for specific regions.

A security company Trusteer (who makes Rapport) has done some research on this matter which has pin-pointed certain malware which is specifically targeted at UK banking sites and their users. And they actually appear to be using the rather successful Zeus trojan, with 2 botnets targeting the UK.

I would guess that targeting on a per-country basis increases the chances of success hugely as there only limited banks in each country and especially in the small countries like UK there aren’t that many popular ones, especially with all the mergers that took place.

Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences.

Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud.

Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2, crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US.

The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems.

It seems like a sensible shift in the paradigm for the bot-herders and malware pushers, rather than spraying their malware everywhere they can geolocate the IP addresses they are attacking and send out specific versions of their malware for clients from different countries.

Rather than in the early days when phishing and trojans only targeted the very largest US banking organizations (Citibank, Bank of America etc.).

Plus the fact more and more people are using online banking, micro-payment systems and sharing all kinds of sensitive data with the World online and stored on their computers. This makes it a much richer field for the would-be fraudster.

Trusteer reckons the crooks behind the attack are using UK-centric spam lists and compromised websites to spread the malware while staying under the radar of security firms. It compares this process to the shift from mass assaults to targeted strikes in corporate espionage-motivated attacks such as Operation Aurora, which struck Google and other hit-tech firms last year.

“Unlike known malware kits such as Zeus, Torpig, and Ambler which simultaneously target hundreds of banks and enterprises around the world and are on the radar of all security vendors, regional financial malware such as Silon.var2 and Agent.DBJP are highly targeted,” said Mickey Boodaei, Trusteer’s chief exec.

“In the UK, each campaign would usually focus on three to seven banks and target them for a period of six to nine months and then morph and change the list of targets, using a new more advanced version of the malware.”

Regionally-targeted malware has also cropped up in South Africa and Germany over recent months. A strain of malware called Yaludle, almost unseen outside Germany, has been used to target the online banking credentials of German surfers. Trusteer is urging banks to share information on targeted attacks locally as well as working with regulators and local law enforcement agencies to shut down command and control servers associated with regionally-targeted malware. The firm, naturally enough, also wants to persuade more banks to use its Rapport secure browsing software as a way of providing an extra defence against fraud.

As the report states, it’s started to appear in other countries too such as Germany and South Africa. If you live in a non-major country, I’d imagine it’ll be coming to your shores soon enough. I already started seeing regionally targeted phishing e-mails here last year, I’d expect the location aware trojans to hit soon too.

The trojans were actually identified by Trusteer’s Flashlight service, which is a kind of forensics software for banking. It allows banks to diagnose whether a client’s PC has been infected with malware following incidents of suspected fraud.

Anyway interesting stuff, if you work in the financial sector give those upstairs a heads-up about this, if you have a big user-base – please warn your users too.

Source: The Register

We did mention Torpig in passing back in January 2008 when talking about the Mebroot rootkit which digs down deep into the Master Boot Record.

It seems like Torpig has been pretty active since then and the latest break is that some security researchers have managed to infiltrate the botnet and collect some data on what it’s doing.

I always enjoy reading about these ‘insider’ stories though as it’s hard to know unless someone gets access what these botnet fellas are really achieving.

Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world’s most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days.

During that time, Torpig bots stole more than 8,300 credentials used to login to 410 different financial institutions, according to the research team from the University of California at Santa Barbara. More than 21 percent of the accounts belonged to PayPal users. Overall, a total of almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

One of the secrets behind the unusually large haul is Torpig’s ability to siphon credentials from a large number of computer programs. After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors.

It seems like once Torpig is dug into the machine it can get hold of everything, being based on a low level rootkit it can intercept anything including important credentials from financial institutions and money services like Paypal.

The numbers are quite huge with the malware having the ability to steal all kinds of accounts and access details from both software and web based applications.

In all, the researchers counted more than 180,000 infected PCs that connected from 1.2 million IP addresses. The data underscores the importance of choosing the right methodology for determining the actual size of a botnet and, specifically, not equating the number of unique IP addresses with the number of zombies. “Taking this value as the botnet size would overestimate the actual size by an order of magnitude,” they caution.

Torpig, which also goes by the names Sinowal and Anserin, is distributed through Mebroot, a rootkit that takes hold of a computer by rewriting the hard drive’s master boot record. As a result, Mebroot is executed during the early stages of a PC’s boot process, allowing it to bypass anti-virus and other security software.
By infiltrating Torpig, the researchers were able to become flies on the wall that could watch infected users as they unwittingly handed over sensitive login credentials. One victim, an agent for an at-home, distributed call center, transmitted no fewer than 30 credit card numbers, presumably belonging to customers, the researchers guessed.

The number of unique IP addresses per infection is quite interesting too and it shows if you estimate the size of a botnet by unique IP addresses you could easily be out by a factor of 5.

And wow, infecting a call center PC dealing with credit cards? That must be a botnet masters wet-dream – that really is a gold mine.

Imagine if they could spread the infection through the whole call-center, they would be rolling in credit card details.

Source: The Register