The 37 people charged by the US Attorney in New York, whose office worked with the FBI on the investigation, and the 19 people arrested in the UK for bank fraud using the Zeus trojan are primarily the “mules” who moved the money stolen from bank accounts, not the people responsible for setting up the scams.
Alf Pilgrim, CTO with Clearswift, said that the Zeus trojan is a “fairly classic scam” that has been around for a long time. “But the malware writers have been getting sneakier and sneakier and more sophisticated about how to get that trojan onto the users' PC in the first place. There is now a whole ecosystem of people who run the botnets and the people who make use of the data. The people who buy the data and enact the fraud use third parties. It’s the people who actually handle the money [the mules] who suffer the consequences, typically,” he observed.
Paul Henry, security and forensic analyst with Lumension, said that the Zeus trojan “genie is already out of the bottle”. Even though these people have been arrested, “Zeus is still going to be a problem…and is not going away”.
Henry estimated that there are thousands of criminals using the Zeus trojan to commit bank fraud around the world. “It’s a very powerful trojan. The key logger gives the ability to strike at random. The code can easily be modified. Once you have the user’s credentials, anybody can access that account and drain it.”
The biggest vulnerability that the Zeus trojan exploits is the home user. The most important step an individual user can take to thwart the fraudsters is to “make sure the PC is patched and up-to-date”, Henry said. “In most cases, malware such as the Zeus trojan takes advantage of opportunities that have long ago been patched by vendors. So make sure you are using the most up-to-date version of your vendor’s software.”
Jon Ramsey, CTO at SecureWorks, said that his company discovered the Zeus trojan used for bank fraud back in 2007. “It’s the most prolific piece of malware that we've seen.”
“The ‘business model’ for the Zeus trojan is that someone writes the program and then they create kits and they sell the kits for about $5000. There are other malware vendors competing for the Zeus market share. Zeus is not going away anytime soon. It’s a thriving ecosystem,” he said.
The SecureWorks CTO estimates that there are between 5 to 10 major Zeus trojan crime rings and dozens of minor rings around the world. The arrests in the US and the UK only took down one of the major rings.
Ramsey said the virus tries to infect the PC by tricking the user into clicking on an email link or a web advertisement. “Once the user runs the virus, it takes control of the machine and does a series of things, all designed to steal the account information from the user or use the machine once the user has logged into the particular account.”
The Zeus trojan can modify files on the host PC, steal PKI certificates, and redirect victims from the intended website to a fraudulent website. Using the victim’s computer, the fraudster can make money transfers, payments, or other financial transactions without the victim’s knowledge. A full list of the Zeus trojan capabilities appears on SecureWorks’ website.
Fraudsters are now targeting small and mid-size businesses and organizations that have substantial bank accounts but not the level of security a large company or institution would have. “So they are targeting schools, churches, small businesses, and local government agencies”, Ramsey said.
To combat the Zeus trojan virus, Ramsey recommends that an organization dedicate one computer to handle financial transactions only. That computer or virtualized desktop would not have any other capabilities, such as sending and receiving emails or surfing the web.
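One concrete way to give such a dedicated transaction host “no other capabilities” is a host firewall that permits outbound TLS only to the bank and nothing else. The nftables ruleset below is an added example, not code or advice from SecureWorks or from this article; the table and set names are arbitrary, and the 192.0.2.x and 198.51.100.x addresses are placeholders (documentation ranges) standing in for the bank’s published service addresses.

```nftables
#!/usr/sbin/nft -f
# Egress policy for a dedicated online-banking workstation (added example).
# Bank addresses below are placeholders, not real values.
flush ruleset

table inet banking_only {
    # Allowlist of the bank's service addresses (placeholders; replace with
    # the addresses the bank publishes for its online-banking front end).
    set bank_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/28 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Nothing listens on this host; all unsolicited inbound traffic is dropped.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Name resolution, so the bank can still be reached by hostname.
        udp dport 53 accept
        tcp dport 53 accept
        # The one permitted capability: TLS to the allowlisted bank addresses.
        ip daddr @bank_hosts tcp dport 443 accept
        # Mail and general web are not capabilities of this host: log, then drop.
        tcp dport { 25, 110, 143, 465, 587, 993, 995 } log prefix "banking-host mail attempt: " drop
        tcp dport { 80, 443 } log prefix "banking-host web attempt: " drop
        # Everything else is logged and dropped by the chain policy.
        log prefix "banking-host egress drop: " drop
    }
}
```

Load it with `nft -f` on the dedicated machine (a host that gets its address by DHCP also needs `udp sport 68 dport 67 accept` in the output chain). Allowlisting by address rather than by hostname also blunts the redirection to a fraudulent website described above, because a look-alike site resolves to an address outside the set. The rules do not protect a machine that is already infected, since malware running as the user or administrator can change them; their purpose is to keep email and browsing, the infection channels Ramsey describes, off the one machine that touches the bank account, and the logged drops give an administrator an early sign that something on that host is trying to reach somewhere it should not.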
Paul Royal, a research scientist at the Georgia Tech Information Security Center, said that there are many Zeus trojan botnets in the world with many different controllers. “Zeus is especially nasty in terms of the information it is capable of stealing. The virus can create forms to gather information that appear to the users as if the information request is coming from the bank,” he said.
To combat the virus, Royal said that banks can educate their customers to be aware of this type of fraudulent information request. Banks can advise customers that if they do get requests for certain information: 1) don’t enter the information; 2) change your password from another computer; and 3) consult with a computer security expert to eliminate the infection. “User education is the most effective solution”, he said.
“We are at a point where even technically illiterate, unsophisticated criminals can run these kinds of schemes because of the increasing commoditization of malware in the criminal underground,” he concluded.