Remember Zeus? No, not the ancient god. We're talking about the banking malware that hides inside your browser and silently harvests your online banking username and password as you type them, even though you really are on your bank's website. Earlier this year, the European Network and Information Security Agency told banks to "assume all PCs are infected." One of the worst things about Zeus is that it's an easily purchased piece of software that can be customized, yielding a range of variants that have proven very difficult to eradicate. Zeus may be old (around since at least 2007), but it ain't dead yet -- by a long shot. So here's an edited Q-and-A update on the threat we conducted yesterday with Meaghan Molloy, an analyst with the IT security firm Mandiant:
Killer Apps: How extensive is the problem today?
Molloy: Earlier this year, in response to a Zeus campaign, "High Roller," that was targeted at high-balance accounts, the European Network and Information Security Agency (ENISA) advised that banks should assume that all PCs are infected. In 2011, a variant of Zeus [Zitmo, aimed at breaking into bank customers' mobile banking apps] was behind the theft of an estimated $47 million from 30,000 European individuals and corporate customers. This is by no means the total sum of money lost through Zeus. It has been spotted in nearly every country and caused untold hundreds of millions of dollars in damage.
Killer Apps: Is it still making inroads into the U.S.?
Molloy: Yes, absolutely. Here is just one example: Operation Trident Breach in 2010 exposed the theft of $70 million from hundreds of small and medium businesses in the U.S. In an attack lasting 18 months, a Ukrainian gang used Zeus to break into 390 bank accounts belonging to American companies.
Killer Apps: How advanced is the threat? How could it evolve?
Molloy: Zeus is an information-stealing trojan primarily designed to harvest banking credentials using keystroke logging and form grabbing. It can be purchased for the low price of just a few hundred dollars and is highly customizable beyond its basic functionality. Because Zeus is readily available for purchase on many black markets, there is no single Zeus botnet but rather thousands of smaller botnets run by individuals and criminal organizations.
Killer Apps: Is there a security solution to Zeus?
Molloy: Unfortunately, there is no single security solution to combat the threat of Zeus. Most Zeus variants communicate with their command and control infrastructure just like regular web traffic. In particular, small and medium-sized companies should ensure that they have strict security procedures in place for any unusual activity on their accounts. They are at the highest risk since financial institutions do not provide companies with the same money-back guarantee in case of fraud as they do with individuals. Additionally, companies of that size are the least likely to maintain an in-house security team. Maintain up-to-date software, only bank within a virtual machine, and change your passwords frequently, though none of those techniques guarantees your security. Most importantly, individuals and companies should monitor their network traffic for communication with command and control servers.
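Molloy's last two points, that this C2 traffic looks like ordinary web browsing and that the practical defence is watching network traffic for it, are worth seeing in code. The script below is an editorial addition to this page, not code from Mandiant or from the interview. It runs a simple beaconing check over an HTTP proxy log: because an infected host checks in with its controller on a timer, requests from one client to one destination that are both frequent and unusually evenly spaced stand out, even when each request on its own would pass as normal web traffic. The log lines are constructed (RFC 5737 test addresses, RFC 2606 example domains), and the thresholds `min_requests` and `max_cv` are assumed starting values that a real deployment would tune against its own baseline.

```python
"""Beacon-interval check over HTTP proxy log lines (Python 3, standard library only).

Editorial example: groups requests by (client, destination host), measures the
gaps between consecutive requests and reports pairs whose gaps are frequent and
nearly constant, which is how a timer-driven C2 check-in looks in a proxy log.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log, one request per line: "timestamp client method url".
# Client 192.0.2.10 browses normally and also POSTs to assets.example.net about
# once a minute; client 192.0.2.11 only browses.  Nothing here is real traffic.
SAMPLE_LOG = """\
2012-11-27T09:00:00 192.0.2.10 GET http://www.example.com/index.html
2012-11-27T09:00:03 192.0.2.10 GET http://www.example.com/style.css
2012-11-27T09:00:05 192.0.2.10 POST http://assets.example.net/page.php
2012-11-27T09:00:41 192.0.2.10 GET http://www.example.org/news
2012-11-27T09:01:05 192.0.2.10 POST http://assets.example.net/page.php
2012-11-27T09:02:05 192.0.2.10 POST http://assets.example.net/page.php
2012-11-27T09:02:30 192.0.2.10 GET http://www.example.com/about.html
2012-11-27T09:03:04 192.0.2.10 POST http://assets.example.net/page.php
2012-11-27T09:04:06 192.0.2.10 POST http://assets.example.net/page.php
2012-11-27T09:05:05 192.0.2.10 POST http://assets.example.net/page.php
2012-11-27T09:00:10 192.0.2.11 GET http://www.example.com/index.html
2012-11-27T09:03:50 192.0.2.11 GET http://www.example.com/login
2012-11-27T09:07:20 192.0.2.11 GET http://www.example.com/account
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, destination host)."""
    ts, client, method, url = line.split()
    return datetime.fromisoformat(ts), client, method, urlsplit(url).hostname


def find_beacons(log_text, min_requests=5, max_cv=0.15):
    """Return [(client, host, count, mean_gap_seconds, cv)] for regular check-ins.

    cv is the coefficient of variation of the inter-request gaps (standard
    deviation divided by mean); 0 means perfectly periodic.  Both thresholds
    are assumed defaults, not values from any vendor or from the article.
    """
    stamps_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host = parse_line(line)
        stamps_by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call anything periodic
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((client, host, len(stamps), round(avg, 1), round(cv, 3)))
    return sorted(findings)


if __name__ == "__main__":
    for client, host, count, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} requests, every {avg}s (cv={cv})")
```

On the sample, only the 192.0.2.10 to assets.example.net pair is reported (six requests about 60 seconds apart). Real logs need a whitelist for legitimately periodic traffic such as mail polling and software update checks, and a bot author can add jitter to the timer, so this is a triage signal to pair with reputation data and host investigation, not a verdict on its own.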
Killer Apps: Are there similar threats?
Molloy: SpyEye is another information-stealing trojan focused primarily on banking credentials. In 2011, there were reports of a potential merger between the creators behind both trojans. Regardless, development of both types and subsequent variants is ongoing.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.