Banking Malware on the Rise – Hitting Highest Level Since 2002

Sophisticated malicious software written by cybercriminals to silently steal banking credentials from compromised systems has been circulating on the Web since 2002, but infections reached their highest level in the past three months. According to a new report from Norton, it recorded over 200,000 new infections from July through September, the highest number in any three-month period in 11 years. Cybercriminals are not only targeting Europe and the Americas with banking malware but are also diversifying the banking customers they target by distributing the malware across the globe. The United States accounted for 23 percent of the new infections, Brazil 16 percent and Japan 12 percent. Other affected countries include India, Australia, France, Germany, Vietnam, Taiwan and Mexico.

What Norton Found

Banking malware is sophisticated malicious software designed to resist detection by employing several tricks to deceive anti-malware programs. In its analysis of this malware, Norton by Symantec Inc. identified a couple of malware programs, including ZeuS, also called Zbot, whose history dates back to 2006. ZeuS is planted on websites, from which it attacks a visitor's machine: if the machine has a software vulnerability, it exploits it and gets the malware installed. Once the machine is infected, the malware can steal online banking credentials and send the details to a remote server. According to Norton, this is but one of the many malicious functions identified in this banking malware.

Additionally, Norton uncovered two other banking malware programs, KINS and Citadel. KINS is a professional-grade banking Trojan modelled after ZeuS and used by cybercriminals to infect systems and siphon banking details from them. Citadel is a banking credential stealer with the ability to modify or replace websites opened on infected computers.

How the Banking Malware Evades Detection

The banking malware hides its tracks by using a Domain Generation Algorithm (DGA) to pass phone-home traffic through a number of IP addresses, using self-signed SSL certificates that it creates itself. This makes it almost impossible for traditional network monitoring solutions to intercept or dissect the packets of malicious transactions.

DGA is a background trick that has also been harnessed by several other malware families, such as PushDo, ZeuS and TDL/TDSS, to keep them hidden from detection services and software. The algorithm generates and tests new domain names, checking whether a command and control server responds to a request. This means the attacker does not have to manage a command and control server infrastructure, thereby evading researchers and law enforcement agencies.
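As an added illustration of how a defender can spot the DGA lookup pattern described above (example code written for this page, not from Norton's report or the article): it scans constructed resolver log lines and flags clients that receive mostly NXDOMAIN answers for high-entropy, random-looking names, which is the side effect of a DGA probing candidate domains. The log format, thresholds and sample domains are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not from the article): "<time> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2013-09-01T10:00:01 10.0.0.5 www.example.com NOERROR
2013-09-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2013-09-01T10:00:03 10.0.0.7 qzx7bkd9pwe3ma1v.net NXDOMAIN
2013-09-01T10:00:04 10.0.0.7 k3j8dh2lqp0wvns6.com NXDOMAIN
2013-09-01T10:00:05 10.0.0.7 tz0m4xqa9ebr7c2y.org NXDOMAIN
2013-09-01T10:00:06 10.0.0.7 p6ydh1sn3wvk8qzm.info NXDOMAIN
2013-09-01T10:00:07 10.0.0.7 cdn.example.net NOERROR
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; a 16-char label of distinct characters scores 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def second_level_label(name: str) -> str:
    """'qzx7bkd9pwe3ma1v.net' -> 'qzx7bkd9pwe3ma1v' (naive split; no public-suffix list)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_clients(log_text, min_queries=4, nx_ratio=0.6, entropy_bits=3.5):
    """Return {client: stats} for clients whose lookups look like DGA probing:
    mostly NXDOMAIN answers plus high-entropy second-level labels."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole scan
        _, client, qname, rcode = m.groups()
        st = per_client[client]
        st["queries"] += 1
        st["nxdomain"] += int(rcode == "NXDOMAIN")
        st["entropy_sum"] += shannon_entropy(second_level_label(qname))
    flagged = {}
    for client, st in per_client.items():
        if st["queries"] < min_queries:
            continue  # too few lookups to judge; avoids flagging a single typo
        ratio = st["nxdomain"] / st["queries"]
        mean_entropy = st["entropy_sum"] / st["queries"]
        if ratio >= nx_ratio and mean_entropy >= entropy_bits:
            flagged[client] = {"nxdomain_ratio": round(ratio, 2), "mean_entropy": round(mean_entropy, 2)}
    return flagged
```

On the sample data only 10.0.0.7 is flagged; the two legitimate clients fall below the query minimum or the entropy threshold.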

How Sophisticated Is The Banking Malware?

It comes with features that both aid its malicious operations and help it evade security detection software and services. It can install on compromised machines on the fly via webinjects, and can spread over Skype instant messages with the help of plug-ins that are well integrated into the program. Additionally, attackers have reportedly been found using JavaScript from the MaxMind GeoIP IP address location database, which helps them collect enough data about the location of new victims. This shows that malware writers can also leverage legitimate services to equip their programs.

Furthermore, the malware is built to fight for its survival and persistence on a compromised machine. It can detect whether it is being run in a virtual machine and whether the host machine is online, and it can create an autorun registry entry and modify system processes, which prevents its removal from an infected machine.

The malware also tries to get victims to install a mobile component on their Symbian, BlackBerry or Android phone. Once a victim's computer is infected, it brings up a malicious webpage requesting the person's cellphone model and number; when these are supplied, it sends a text message to the phone with a link to the malicious mobile app for installation. The mobile app is designed to break, bypass and hijack the bank's two-factor authentication, a user authentication security measure currently used by some banks.

What Does Norton Do About It?

Symantec has upgraded its Norton Deluxe and Premium antivirus software as a response to the increasing threats in online transactions. That’s why they came up with new Norton discount deals this month. Users can also search online for a Norton coupon code to type at the checkout and save up to 20%.
