Security

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.

The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.

"It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."

Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.

About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.

During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.

The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account.

(Credit: Finjan)

Here's how the Trojan works:

Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and malware hidden on it.

In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.

While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum range that is below the amount that triggers antifraud systems and to leave a certain percentage in the account, Ben-Itzhak said.

After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.

"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."

A Finjan blog post describes it like this:

URLZone is a Trojan Kit that allows the attacker with the use of the 'URLZone Builder' to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants...The URLZone successfully managed to bypass the German banks' protection using 'One Time Password.' This is a technique used to enable the user to get a new password every time he logs into his account. Its goal is to make the theft of usernames and passwords worthless. In order to be successful, the malware must execute itself on the browser to change the parameters and fool the the user to approve a fraudulent money transaction from his account...So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user.

The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.

Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.

The Trojan also keeps a log of the victim's bank account log in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.

This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.

People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said.

Updated 5:30 a.m. PDT to specify that the Trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera, that is different from previous Trojans, and that it affects Windows only. Also, more technical details were added, as well as links to the report and blog post from Finjan.

Updated October 30 at 9:58 a.m. PDT: The software was called SecureTwitter when this article was first published. The name was later changed to SecureTweets and the article has been updated to reflect that.

Finally, there's a tool that can help prevent people from clicking on URLs that appear to come from friends on Twitter and other social media sites but which lead to sites hosting malware.

Web security firm Finjan began offering this week a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as in Gmail, Blogger, MSN, social networks MySpace and Bebo, news aggregators Digg and Slashdot, and the Google and Yahoo search sites.

SecureTweets scans the Web pages that the URLs lead to in real time to analyze the code, as opposed to querying a database of blacklisted URLs, as other safe Web browsing services do, Yuval Ben-Itzhak, chief technology officer at Finjan, said on Thursday.

SecureTweets alerts Twitter users when a URL on the site leads to a page that appears to be hosting malware.

(Credit: Finjan)

Green checkmark icons appear next to URLs that are deemed safe and red "X"s for URLs to sites with code that could be a virus, a Trojan, or other malicious program. Yellow question mark icons appear next to URLs that lead to a page that was not available for scanning by SecureTweets for some reason.

SecureTweets appears to be the first safe browsing service that scans URLs within applications and not just in search results or browser address bars.

In a quick test of the service I didn't find any warnings for malicious URLs on the various sites, but it did put a yellow question mark next to URLs that appeared at the top of my Gmail page that linked to legitimate CNN articles, for some reason.

I would love to have SecureTweets warn me about URLs in Facebook, but Facebook requires people to log in to see profiles on the site, which means the company would need people's passwords to access those pages. Since the other sites do not, Finjan could easily scan the URLs on those sites without needing access to private information like log-in credentials, so that's where the company decided to focus their efforts, Ben-Itzhak said.

The service would have protected followers of venture capitalist Guy Kawasaki, whose Twitter feed automatically re-distributed a malicious URL from an un-moderated section of a user-generated news site earlier this week.

It also would protect people against the kind of worm attacks that hit Twitter in April in which people who clicked on the name or image of someone whose account had been compromised by the worm got infected and re-broadcast the malicious message.

And SecureTweets could protect Twitter users against a clickjacking attack, which also hit the site this year. In these attacks, clicks are basically hijacked and users forced to do things they don't intend to, such as redistribute malicious Twitter updates.

Home page of the Golden Cash network.

(Credit: Finjan)

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed "Your money-making machine" on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here's how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server.

In order to increase the number of botnets, the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash's control, according to the report.

Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries, the report said.

"This advanced trading platform marks a new milestone in the cybercrime evolution," Finjan said in a statement.

More technical analysis is available on Finjan's Malicious Code Research Center blog, including the fact that the command and control server is hosted in Texas, the registrant country is China and the "proxy" Web site that tunnels traffic to the command and control server is hosted in Krasnodar, Russia.

SAN FRANCISCO--Security firm Finjan has uncovered what it says is one of the largest bot networks controlled by a single cybergang, with 1.9 million infected zombie computers.

The botnet has been in use since February, is hosted in the Ukraine, and is controlled by a gang of six people who are instructing the Windows XP-based machines to copy files, record keystrokes, send spam, and take screenshots, Ophir Shalitin, Finjan marketing director, said in an interview on the eve of the RSA security conference.

The gang has compromised computers in 77 government-owned domains in the U.S. and elsewhere, he said. Nearly half of the infected computers were in the United States. Nearly 80 percent of the infected computers are running Internet Explorer, while 15 percent are using Firefox, Finjan said.

The criminals operating the botnet can make as much as $190,000 in one day renting out the zombies to others, according to Finjan Chief Technology Officer Yuval Ben-Itzhak.

The command-and-control server being used to control the infected PCs is instructing the bots to download and execute a Trojan horse, which is detected by only 4 out of 39 antivirus products, said Shalitin.

The Trojan installs malicious executables that communicate with other computers, inject code into processes, visit Web sites, and other activities the user has no involvement with, according to a post on the Finjan Malicious Code Research Center blog.

"Overall, the cybergang can remotely execute anything it likes on the infected computers," the post says.

Updated March 23, 5:03 a.m. PDT with a link to the new Cybercrime Intelligence Report.

Online scammers are making a lucrative business out of redirecting visitors from legitimate Web sites to sites that try install rogue antivirus software, according to a report due to be released by security firm Finjan on Monday.

Finjan's Malicious Code Research Center came across a traffic management server in Ukraine used by underground online scammers to keep track of how many redirects their rogue antivirus sites get from legitimate sites that have been compromised.

Typically, rogue antivirus software displays a message saying that the PC is infected and offering antivirus software for sale. In a successful attack, the scammers end up with the victim's credit card information and don't bother to install any legitimate software.

Members of the "affiliate network" who compromise legitimate Web sites get 9.6 cents for each successful re-direct, Finjan said in its latest Cybercrime Intelligence Report. There were 1.8 million unique users redirected to the rogue antivirus software during 16 consecutive days Finjan was monitoring the network, or about $10,800 for each day, the researchers calculated.

Finjan also discovered that between 7 percent and 12 percent of people end up installing the rogue antivirus software and 1.79 percent of them paid $50 for it.

Finjan researchers said they weren't certain how the legitimate Web sites were compromised. Once the sites were compromised, the scammers made heavy use of search engine optimization techniques to get those sites ranked high in search results by dynamically generating search keywords with typos and popular terms that people might use, Finjan said.

Lured by the high ranking on search engines, visitors end up on the compromised sites and are immediately redirected to pages that try to install rogue antivirus software on their computers.

(Credit: Finjan)

Finjan, which sells Web gateway security software to the corporate market, announced Wednesday a $22 million investment round.

HarbourVest Partners led the round, which also includes Benchmark Capital, Israel Seed Partners, Benhamou Global Ventures, and Cisco Systems.

San Jose, Calif.-based Finjan said it plans to expand its sales and marketing infrastructure with the money.