Inside a banking Trojan drop-zone

There can be no doubt that cybercrime is on the rise. Compared to real-world crime, it is easier, often more profitable, and carries far less risk for the perpetrator.

Last year’s high profile takedowns of cyber gangs employing the Zeus Trojan have again put the spotlight on that particular piece of malware. Known by many different names – Zbot, Kneber, Wsnpoem – it has been the best-known and most used information-stealing Trojan in the world for quite some time.

Detected for the first time in late 2006, its popularity with the cybercriminals could be due to the thousands of versions available and – until recently – the continuous development of new ones, and to the many plug-ins and modules available.

The price for a full pack with a generic version can reach $1,000, and a pack with a unique, exclusive version some $5,000. These prices may look high to the casual observer, but the cybercriminals are counting on a much, much higher return on that investment.

Cybercriminals often use social engineering to get the user to install Zeus on their machine. They might fail a great number of times, but statistically, they will succeed with some users because their approach changes constantly – and sometimes all it takes is a moment of distraction.

They also often use exploits to infect systems – lately, PDF exploits have been the most used ones. The criminals can target users geographically or target users of a specific financial institution, and can even intercept financial transactions and substitute the receiving account with one of their own.

According to Kaspersky Lab’s Senior Security Researcher David Emm, another advantage cybercriminals have is that they can move about. When they feel the heat is on and investigators are getting close, they can simply change their ISP and their physical location. The jurisdictional restrictions of law enforcement agencies work in their favor.

“Botnets are a core component of the threat landscape,” said Emm during his presentation at this year’s press event for Infosecurity Europe. “And the drop-zone is where they stash the stolen loot.” The average size of a drop-zone is about 14GB, but criminals like to be sure that the information their botnet has gathered is safe, so they use several servers in different locations configured to receive and store the stolen information.

The files stashed in the drop-zone are usually:

  • JPGs (screen captures)
  • .txt files (containing private information that can be used to steal money)
  • certificates (often sold or misused to sign malware)
  • .dat files (scripts, server-side programs).

The criminals manage their operation much like an administrator of a legitimate network. Online C&C panels provide easy management of their bot armies, allowing them to see what’s going on and, in case of an emergency, to kill all connections in order to cover their tracks.

They want to manage their network effectively, and such a panel allows them to see the relevant infection statistics, to see where their victims are located, to kill all connections to hide their tracks if the need arises, and much more.

The fight against these criminals has not shown many results so far. Botnets are taken down, only to rise again because of the large number of C&Cs available to herd the bots. Drop-zones are taken down but new ones appear almost instantly.

Emm believes that there are many things that can be done to mitigate the situation: improved software is being developed constantly, and patching and updating should become a priority. Education and the promotion of the right security mindset could also help.

He pointed out that asking about when is it going to stop is not the right question – we don’t ask the same thing about “offline”, real-world crime because, realistically, it will always be there. The only thing we can do to minimize our risk as individuals is to develop an online equivalent of common sense.

In another presentation, João Gouveia of AnubisNetworks also broached the topic of Zeus. He says that there are things happening that may give some hope for a successful fight against botnets, such as the Australian Internet Security Initiative and a similar anti-botnet initiative in Germany.

“Unfortunately, effective tools are still missing,” he says, and hinted at his company’s current project of developing a platform that will efficiently detect infected devices and help ISPs and organizations clean their networks.
