Large Zeus botnet used for financial fraud

Trusteer announced that it has uncovered a large Zeus version 2 botnet being used to conduct financial fraud in the UK which is operated and controlled from Eastern Europe.

The botnet appears to be controlling more than 100,000 infected computers, 98% of which are UK Internet users. The criminals have been harvesting all manner of potentially lucrative and revenue-producing credentials – including online account IDs plus login information to banks, credit and debit card numbers, account types plus balances, bank statements, browser cookies, client side certificates, login information for email accounts and social networks and even FTP passwords.

Trusteer discovered the extent of the botnet after they gained access to the botnet’s drop servers and command and control center which contained the stolen information including hundreds of thousands of stolen credentials. Trusteer are sharing the information with UK law enforcement agencies.

“This is just one out of many Zeus 2 botnets operating all over the world,” says Amit Klein, Trusteer’s CTO. “What is especially worrying is that this botnet doesn’t just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users’ online accounts.”

“Coupled with the ability to remotely control users’ machines, download data and run any file on them, this means that the fraudsters can insert partial or complete Internet pages into a live Web session, enabling to inject transactions at will or extract even more data from the hapless victims,” he added.

This is another example of the growing trend of regional malware where the cybercriminals operate targeted and segmented attacks on users, harvesting revenue from one bank’s users one day, and, as that bank’s security systems ramp up, move on to another regional bank another day, in this case the UK has been targeted.

In addition to gaining access to the botnet’s servers Trusteer has also been able to access the interface used by the fraudsters to manage the botnet. The interface allows three main functionalities. The first is the ability to monitor the growth and footprint of the botnet with very accurate statistics and graphs showing the total number of bots, their distribution, newly added bots, count of active bots, etc.

The second is a search function on all traffic generated by the bots. The botnet captures all HTTP and HTTPS traffic from infected computers and stores it in a central MySQL database. A search tool allows the fraudsters to easily extract any type of information from the database. For example if the fraudsters are looking for credentials for a specific institution they can just type a part of the institution’s URL into the search box and will immediately receive all HTTP/S requests that contain this pattern. From there they can extract the relevant login information.

The third functionality allows criminals to push updates and other executables to specific bots or to the entire botnet. For example, they can push other pieces of malware or they can push a remote access program that then allows them to remotely access the infected machine and control it.