ZeuS (Malware) Trojan

A challenge incident responders and fraud analysts for firms in the banking and financial services sector (BFSS) will soon be faced with is an increased incidence of customer take-over fraud from a very advanced malware family that was recently released into the wild (Cohen, 2013, July 9). After the historic ZeuS Trojan was released into the wild more sophisticated programmers transformed this already powerful banking Trojan into the very virulent Citadel Trojan. The Citadel permutation was even more resilient, evasive, and sophisticated than the ZeuS Trojan. Many are now expressing concern about an even more notorious Russian Trojan that can easily be modified to target BFSS firms in the U.S.(Krebs, 2013, June 13). Originally known as Carberp (beginning in 2010), this malware family has gone through several evolutionary steps with the most virulent form now recognized as Win32/Hodprot (Lipovsky, 2011).

What makes this malware family interesting is that it contains very sophisticated anti-detection/ anti-forensics features (Fisher, 2011, January 21). Investigators working for BFSS firms need to be aware of these features when investigating account take-over fraud (ATO), reconstructing a crime scene and analyzing digital evidence (Casey, 2011). Figure 1 illustrates how ATO works.

Figure 1 – Account Take-Over Fraud Works by Infecting Customer Devices

Account Take-Over Fraud Works by Infecting Customer Devices

Three Gangs – Three Exploit Kits

To see where the malware is going and what digital forensics investigators need to watch for in the future, it is useful to see how Carberp evolved into Win32/Hodprot. In piecing together the history of this rapidly evolving Trojan it appears to have been distributed initially by three separate, private criminal gangs (Matrosov et al., 2012). The first version of the Carberp Trojan appears to have been distributed through the Origami botnet (Zubareva, 2012, June 22). The original developer(s) outsourced many of the program components to legitimate programmers in Kiev, Zaporozhye, Lvov, Odessa, and Kherson, estimated to be a group of approximately 25 people (Tung, 2012, June 26). The components were then assembled into the Carberp Trojan in Odessa (Ryabchun, 2013, April 2).

After one of the original developers, aka Germes, was arrested in September 2011, the first gang appeared to morph into a second gang with additional members (Matrosov et al., 2012, p. 12). Then, in March 2012 two brothers were arrested, along with six other people. One brother functioned as the botmaster (D****** I***), and the other brother was a malware developer (Maxim Glotov) (Ragan, 2012). But, even after these arrests, by May 2012 an estimated six million computers were infected. The remaining criminals had made an estimated 150 million rubles (approximately US$4.5 million) (Zubareva, 2012, p. 2).

By Quarter 1 of 2012, the Win32/Hodprot version of Carberp had been developed and was being distributed by cybercrime gang #3 (Matrosov et al., 2012). It appears that they were using the Nuclear Pack Ver. 2.0 exploit kit for distribution. Figure 2 provides a schematic showing rough approximations of the timelines for the operations of the criminal gangs and the exploit kits they used. This figure was developed as a compilation of the sequence of events discussed by all of the sources given in this section.

By February 2013 the Ukrainian newspaper Kommerant reported that an estimated US $250 million had been stolen (Ryabchun, 2013, April 2). By June, with several of the original crime gang members in jail, a member of the Lampeduza crime forum posted that he was selling the source code to a single buyer for $25,000, allegedly to help out one of the developers who was short on cash (Krebs, 2013, June 13). Trusteer later reported that it was being offered on multiple crime forums (ibid.). The prices for various versions range from US$5,000 to US$50,000. One security researcher found the Carberp code in a file called “BlackJoe WhiteJoe” with no reference to the original name of Carberp (Satis, 2013, July 10).

Peter Kruse analyzed the code and characterized it as Carberp “with a bootkit.” He noted that the bootkit enabled loading at the kernel bypassing the Patchguard protection of Windows 7 64-bit systems (Kruse, 2013, June 25). This behavior resembles the functionality described above as the Win32/Hodprot version.

Figure 2. Visualization of Evolution of Carberp to Win32/Hodprot

Visualization of Evolution of Carberp to Win32/Hodprot

Beyond the Event Horizon for the BFSS

One of the key concerns malware researchers have noted is that, with the availability of the source code in the wild for now what is perceived to be a reasonable price, there is a likelihood that the Trojan will be used as a sophisticated multipurpose tool for a highly organized international criminal gang using ATO fraud as their modus operandi (Dunn, 2013, August 27). And, with the DDoS functionality, it will have an added protective measure against other criminal gangs that might be invading the dominant gang’s target territory (i.e., banking customers).

As a MitB attack targeting U.S. banking customers with vulnerable browsers, the potential is high that Carberp (aka Win32/Hodprot) will affect the customers of many small and medium-sized banks and financial institutions in the U.S. (Riberio, 2013). According to one information security professional familiar with this sector, many of the incident response and digital forensics functions are outsourced (personal communication, September 14, 2013). This poses a problem for smaller companies that may not detect ATO fraud for some time.

Such sophisticated crimeware kits may motivate some BFSS companies to migrate even more quickly to the cloud where monitoring of real-time threat feeds (24/7/365) is more feasible. This may be especially true for BFSS firms signing up with cloud-based vendors that are emphasizing security standards based on FFIEC requirements, COBIT5, and/or ISO 27001/ISO 27002. These firms would have the in-house capability to respond to an incident such as a security breach or a malware infection. With widespread and extensive state-level data breach notification requirements (NCSL, 2012), there will likely be more disclosures of breaches and subsequent digital forensics investigations. Fraud investigators that have threat intelligence on this Trojan will know what to watch for when performing their analyses. Those that do not may miss valuable signs. To this end, NSS Labs expects to soon release a comparative analysis of such tools under development by Quarri, Wotok, ThreatMetrix, Trusteer (acquired by IBM), Webroot and Versafe (Dunn, 2013) to address account takeover fraud.

Another approach that may help BFSS firms dealing with ATO is to use more robust identification, authentication, and authorization methods for their customer accounts. The use of biometrics, SMART cards, and one-time passwords are just a few of the approaches that are being explored in this area.

Conclusion

The reverse engineering teams at ESET and Group iB that have performed several of the reverse engineering analyses cited in this essay have noted that Carberp (aka Win32/Hodprot) was “specifically designed to withstand forensic analysis and bypass security systems” (Rodionov et al., p.15). This essay has outlined some of the features of the most current version of the Carberp family of Trojans that BFSS investigators must deal with. Small and medium-sized enterprises would do well to proactively consider all of their options ranging from strengthening their customer identification, authentication, and authorization protocols and technologies, acquiring in-house capabilities, outsourcing some or all of these functions, or full migration to the cloud.