CRIMEWARE REPORT

2Q 2011 Crimeware Report

The Trend Micro Quarterly Crimeware Report series presents the latest threats targeting the financial industry.

A Quarterly Trend Micro Report | 2011



In This Issue

Crimeware, another vehicle by which cybercriminals generate profit, remains prevalent in the current threat landscape. In the second quarter of 2011, crimeware toolkits such as ZeuS and SpyEye continued to evolve, which allowed cybercriminals to infect as many systems as possible while evading detection and takedown.

In April, we published the “1Q 2011 Crimeware Report,” our first roundup of news and insights on malware families that targeted financial institutions in the first three months of this year. In this issue, we focused on the notable crimeware-related incidents within the last three months, including developments made to the latest SpyEye version and insights as to how the reported ZeuS code leakage will affect the security industry and the cybercriminal underground.

The number of banking Trojans and other related malware continued to rise, as stolen user information and banking credentials remained hot commodities in the cybercriminal underground. A stolen driver’s license number, for instance, currently sells for US$5.60–8.00 each while credit reports can go for as much as US$24 each. The fact that this information can be used for other fraudulent activities does not help either.

User Information Type               Discounted Selling Price   Undiscounted Selling Price
Driver's license                    US$5.60                    US$8.00
Background report                   US$10.50                   US$15.00
Credit report                       US$16.80                   US$24.00
Credit card balance check           US$0.70                    US$1.00
Minideposit verification system     US$14.00                   US$20.00
Credit card billing address change  US$24.50                   US$35.00

Source: Data from SpySearch.Biz.

Table 1. Stolen personal information and credentials selling prices in 2010

MAL_BANKER, a BANKER variant known for stealing users’ online banking credentials, topped our list of most commonly used crimeware this quarter, followed by BKDR_QAKBOT.SMG and BKDR_PAPRAS.SME. QAKBOT and PAPRAS variants are notorious for monitoring affected user access to certain online banking and financial-related sites. It is also worth noting that a comparatively newer data-stealing Trojan, a SPYEYE variant, is climbing the charts.


Rank  Crimeware Detection Name
1     MAL_BANKER
2     BKDR_QAKBOT.SMG
3     BKDR_PAPRAS.SME
4     TROJ_SPYEYE.SMEP
5     MAL_BANKER2
6     MAL_BANKER11
7     WORM_QAKBOT.QRZ
8     BKDR_QAKBOT.SMC
9     TSPY_BANKER.ES
10    WORM_QAKBOT.BS

Table 2. Top 10 crimeware in 2Q 2011

Notable Incidents

ZeuS Source Code Leakage

ZeuS’s source code leakage last May posed a lot of risks yet again, as this allowed practically anyone interested to get hold of the crimeware in order to instigate malicious schemes. The code’s availability in a file-sharing site and in various underground forums was, however, already expected, as security researchers have been seeing pieces of the code since March.

Despite the code’s public availability, Trend Micro threat response engineers Roland Dela Paz and Jasper Manuel believe that because ZeuS’s authors are highly knowledgeable in using C preprocessor (cpp) and macros, not everyone who obtains the code can easily enhance it. It would, however, be a different story for those who have the necessary know-how.

On the plus side for the security industry, this incident can shed light on how ZeuS works, which will help researchers and analysts come up with better solutions to combat ZBOT variants.


SpyEye 1.3.4.x Surfaces

The emergence of SpyEye 1.3.4.x is probably one of the most notable incidents that can affect the state of the threat landscape, particularly in relation to the financial industry, this quarter. As has been often said, cybercriminals will continuously enhance their tools to constantly evade security efforts—they have and continue to do so.

Figure 1. SpyEye 1.3.4.x’s new user interface

CARBERP C&C Server Takedown

CARBERP, another malware family known for stealing user information, first reared its ugly head early last year. Armed with ingenious stealth tactics to effectively evade detection, the family finally caught the attention of the security industry in September 2010.

One of the primary capabilities that allows CARBERP variants to efficiently carry out their malicious routine is hooking network application programming interfaces (APIs) in WININET.DLL. This enables them to monitor affected users’ browsing activities as well as to download their configuration files and to receive malicious commands from remote users.

To go about their business, CARBERP variants drop copies of themselves into locations where administrative privileges are not required. Trend Micro senior threat researcher Douglas Otis added that these usually targeted certain government offices, schools and universities, as well as financial institutions. Apart from account names and other personal information, these also steal social security numbers.

The recent effort to take down a CARBERP command-and-control (C&C) server allowed us to understand how the bot went about stealing information from its victims and helped us better protect our customers from similar threats.


Routine Developments

As security measures constantly improve, cybercriminals come up with more ingenious tricks of their own. They create new features and augment the specifications of already-existing threats to continue profiting from the online transactions users conduct. The following are noteworthy routine developments in the previously discussed threats:

• ZeuS source code developments. Our researchers initially thought the toolkit’s code would no longer undergo further enhancements due to rumors of a ZeuS-SpyEye merger. Trend Micro senior threat researcher Kevin Stevens, however, found that ZeuS’s code is still being updated to allow the toolkit to produce new and improved ZBOT variants.

• SpyEye 1.3.4.x comes with notable enhancements. The SpyEye author recently released a new version that came with several noteworthy enhancements, which can help users come up with even nastier malware. These improvements include but are not limited to the following:

• The toolkit now utilizes a MySQL Database to store the files users upload as binary large objects (blobs). In previous versions, these files were stored in a folder located in \bin\upload where they could easily be found.

• The toolkit’s CN1 control panel now also sports the Logs button, which makes viewing logs more convenient for bot masters. The Create Task panel was also added to CN1 to enable users to more easily perform actions such as updating the SPYEYE binary, changing a bot’s configuration, and loading various kinds of executable files (e.g., ZBOT and FAKEAV).

Figure 2. SpyEye 1.3.4.x’s Create Task panel

• The toolkit’s Files option also underwent a noticeable change, as it now only accepts .EXE and .BIN files, which, according to Trend Micro senior threat researcher Loucif Kharouni, will make it more arduous for security researchers to obtain binary samples.


• A closer look at SpyEye 1.3.4.x also revealed certain similarities with ZeuS. For instance, it now comes with a Jabber Notifier, which was a prominent ZeuS Builder feature. This enables users to effectively obtain victims’ banking credentials even without using the control panel.

• Finally, the toolkit now comes with an installer page, which allows users to create a gate.php file that is used for POST requests between the bots and the CN1 control panel. The new gate.php file does not require data from external files, as all of the information it needs is already in the said file.

Figure 3. SpyEye 1.3.4.x’s gate.php file
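The gate.php exchange described above is a POST from each bot to the CN1 panel. As an added illustration that is not part of the report, the following Python flags such POSTs in a constructed web proxy log and groups repeated hits per client and panel host, since a single request to a commonly named file is a weak indicator on its own; the log format, hosts and addresses are assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the report): timestamp, client, method, URL, status
SAMPLE_LOG = """\
2011-06-14T09:00:01 10.0.0.15 GET http://www.example.com/index.html 200
2011-06-14T09:00:07 10.0.0.15 POST http://panel.example.net/cn1/gate.php 200
2011-06-14T09:05:07 10.0.0.15 POST http://panel.example.net/cn1/gate.php 200
2011-06-14T09:10:08 10.0.0.15 POST http://panel.example.net/cn1/gate.php 200
2011-06-14T09:02:30 10.0.0.22 POST http://shop.example.org/cart/gate.php?step=2 302
2011-06-14T09:03:00 10.0.0.22 GET http://cdn.example.org/gate.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (ts, client, method, url, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return ts, client, method, url, int(status)


def is_gate_post(rec):
    """True when the record is a POST whose URL path ends in /gate.php (query string ignored)."""
    _, _, method, url, _ = rec
    return method == "POST" and urlsplit(url).path.lower().endswith("/gate.php")


def find_gate_posts(log_text, min_hits=1):
    """Count gate.php POSTs per (client, host) and return pairs with at least min_hits.

    Repeated POSTs from one client to one host (bot check-ins) are the stronger
    signal; raise min_hits to suppress one-off hits on an ordinary web application.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_gate_post(rec):
            counts[(rec[1], urlsplit(rec[3]).hostname)] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    for (client, host), n in find_gate_posts(SAMPLE_LOG, min_hits=2).items():
        print(f"{client} -> {host}: {n} gate.php POSTs")
```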

Based on our underground research and observations, however, the similarities between the ZeuS and SpyEye codes do not necessarily translate to a merger. Trend Micro senior threat researcher Kevin Stevens, in fact, believes that both ZeuS and SpyEye are currently undergoing separate enhancements and that SpyEye author, Gribodemon, just added parts of ZeuS’s code and some of its features to his own toolkit in order to produce better SPYEYE variants.

What’s to Come?

As cybercriminals strive to enhance their respective crimeware kits, security researchers, along with law enforcement agencies, will continue to collaborate with one another to take down their malicious creations.

The CoreFlood botnet takedown this April is a good example of a result of the collaborative effort between law enforcement agencies, particularly the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice, and security researchers.


Trend Micro senior threat researchers Loucif Kharouni and Kevin Stevens believe that the people behind crimeware such as ZeuS and SpyEye are going to further expand their list of targets to include mobile users. This is not really surprising, as cybercriminals will always be on the lookout for all kinds of ways to instigate malicious schemes for the sake of earning even larger profits. Note, however, that we have yet to see reports on how much data obtained from mobile devices are worth even though our researchers believe this will soon become a lucrative business.

The battle against cybercrime may be far from over but collaboration and cooperation between the security industry and law enforcement agencies will serve as a great means for the good guys to win the war.

TREND MICRO™

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware, and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com.

TRENDLABS℠

TrendLabs is Trend Micro’s global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.

©2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.