Banking Malware On The Rise – Hitting Highest Level Since 2002

Posted: November 14, 2013 in Articles

Sophisticated malicious software, built by cybercriminals to silently steal online banking credentials from infected systems, has been circulating on the web since 2002. It has now recorded its highest infection count yet in a single three-month period.

According to a new report from Trend Micro, the company recorded over 200,000 new infections from July through September, the highest number in any three-month period in 11 years. Cybercriminals are no longer targeting only Europe and the Americas with banking malware; they are diversifying the banking customers they go after by distributing the malware across the globe.

The United States accounted for 23 percent of the new infections, Brazil for 16 percent and Japan for 12 percent. Other affected countries include India, Australia, France, Germany, Vietnam, Taiwan and Mexico.

What Trend Micro Found

Banking malware is sophisticated malicious software designed to resist detection, employing several tricks to deceive anti-malware programs. In its analysis Trend Micro identified a couple of malware families, including ZeuS (also called Zbot), whose history dates back to 2006. ZeuS is planted on websites, from which it attacks visitors' machines: if a visiting machine runs a vulnerable piece of software, the vulnerability is exploited and the malware is installed. Once the machine is infected, the malware steals online banking credentials and sends them to a remote server. According to Trend Micro, this is only one of the many malicious functions found in this banking malware.

Trend Micro also uncovered two other banking malware programs, KINS and Citadel. KINS is a professional-grade banking Trojan modelled on ZeuS and used by cybercriminals to infect systems and siphon banking details from them. Citadel is a banking credential stealer that can also modify or replace web pages opened on infected computers.

How the Banking Malware Evades Detection

The banking malware hides its tracks by using a Domain Generation Algorithm (DGA) to locate its command-and-control servers and by wrapping its phone-home traffic in SSL sessions protected with self-signed certificates. This makes it very hard for traditional network monitoring solutions to inspect the packets of a malicious transaction or to block the connection by domain name, although a self-signed certificate on outbound traffic is itself a signal that a network monitor can flag.

DGA is a trick that several other malware families, including Pushdo, ZeuS and TDL/TDSS, have used to stay ahead of detection services and software. The algorithm generates a fresh batch of candidate domain names (typically derived from a seed such as the current date) and tests each one to see whether a command-and-control server answers. The attacker, who knows the same algorithm, only has to register one of the upcoming names. This means the attacker does not have to maintain a fixed, hard-coded set of command-and-control domains that researchers and law enforcement agencies could blacklist or seize.
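As an added example (written for this page, not code from Trend Micro or from any of the malware families named above), the following Python script shows both sides of the trick: a toy date-seeded DGA with the bot's probe loop, and a defender's check that finds the DGA's footprint in DNS logs, namely a burst of NXDOMAIN answers for distinct names from one client. The seed string, the hashing scheme, the log format and the log lines are all constructed for the demo; real DGAs generate far more names per day, but the pattern is the same.

```python
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date

# Illustrative date-seeded DGA. This is NOT the algorithm ZeuS or any other
# family uses; the seed string and the hex-to-letter mapping are assumptions.
TLDS = ("com", "net", "org", "info")
DEMO_DAY = date(2013, 9, 12)


def generate_domains(day, seed="example-seed", count=10):
    """Return the candidate C&C domains for one day.

    Bot and operator share `seed`, so both can compute today's list and the
    operator only has to register one of the names ahead of time.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # map each hex nibble (0-15) to a letter a..p to get a plausible label
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def find_live_c2(domains, resolver):
    """Bot side: probe candidates in order, return the first one that resolves.

    `resolver` stands in for DNS here: a dict of registered name -> IP.
    """
    for name in domains:
        if name in resolver:
            return name
    return None


# ---- Defender side: spot the DGA's footprint in DNS logs -------------------

def shannon_entropy(label):
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_dga_clients(log_lines, min_failures=5):
    """Flag clients with `min_failures` or more NXDOMAIN answers for distinct names.

    Log format assumed (constructed for the demo):
        <timestamp> <client-ip> <rcode> <queried-name>
    Returns {client_ip: {"domains": [...], "mean_entropy": float}}.
    The burst of failed lookups is the strong signal; label entropy is only a
    weak supporting score, since long legitimate names score high as well.
    """
    failures = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, rcode, qname = fields
        if rcode == "NXDOMAIN":
            failures[client].add(qname)
    report = {}
    for client, names in failures.items():
        if len(names) >= min_failures:
            ent = [shannon_entropy(second_level_label(n)) for n in names]
            report[client] = {"domains": sorted(names),
                              "mean_entropy": round(sum(ent) / len(ent), 2)}
    return report


def build_sample_log(day=DEMO_DAY, registered_index=7):
    """Constructed DNS log: one bot walking its DGA list until the single
    registered name answers, plus a normal host that made one typo."""
    lines = []
    for i, name in enumerate(generate_domains(day)):
        rcode = "NOERROR" if i == registered_index else "NXDOMAIN"
        lines.append(f"{day.isoformat()}T10:00:{i:02d} 10.0.0.5 {rcode} {name}")
        if i == registered_index:
            break
    lines.append(f"{day.isoformat()}T10:00:30 10.0.0.7 NOERROR www.example.com")
    lines.append(f"{day.isoformat()}T10:00:31 10.0.0.7 NXDOMAIN typo.exmaple.com")
    return lines


if __name__ == "__main__":
    candidates = generate_domains(DEMO_DAY)
    # the operator registered just one of today's names (index 7)
    print("bot reached C&C at:", find_live_c2(candidates, {candidates[7]: "203.0.113.10"}))
    for client, info in find_dga_clients(build_sample_log()).items():
        print(f"{client}: {len(info['domains'])} failed lookups, "
              f"mean label entropy {info['mean_entropy']}")
```

The alert should be driven by the failed-lookup burst rather than by how random the names look: the entropy score is reported only as supporting evidence, and a sinkhole or a list of the next day's generated names (which a defender can compute once the seed is known) is what turns this into a blocking control.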

How Sophisticated Is The Banking Malware?

It comes with features that aid its malicious operations and others that help it evade security software and services. On compromised machines it can alter banking pages on the fly with webinjects, and it can spread over Skype instant messages with the help of plug-ins that are integrated into the program. Attackers have also reportedly been found using JavaScript from the MaxMind GeoIP IP address location database to collect data about where new victims are located. This shows that malware writers also leverage legitimate services to equip their programs.

Furthermore, the malware is built to fight for its survival and persistence on a compromised machine. It can detect whether it is running in a virtual machine and whether the host machine is online, and it creates an autorun registry entry and hooks into system processes to prevent its removal from an infected machine.
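As an added example (not from the article or from Trend Micro), the following Python script shows how a responder can look for this kind of autorun persistence in an exported registry hive. The `.reg` text is constructed for the demo: the randomly named folder under AppData\Roaming mirrors the pattern banking trojans commonly use, and no real sample is referenced.

```python
import re

# Constructed .reg export for the demo; not taken from any real infected host.
# The "kernel32" entry mimics the pattern of a random-named folder under
# AppData\Roaming that banking trojans commonly use for persistence.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"kernel32"="\"C:\\Users\\alice\\AppData\\Roaming\\Ipyhu\\ebyq.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

# Autorun locations this check covers (suffix match on the key path).
AUTORUN_KEY_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

# Directories a non-admin user can write to. A legitimate autorun entry that
# runs from here is unusual; a malware entry that does so is routine.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "%appdata%", "%temp%")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(reg_string):
    r"""Undo .reg escaping: \\ becomes a single backslash, \" a plain quote."""
    return re.sub(r"\\(.)", r"\1", reg_string)


def parse_autorun_entries(reg_text):
    """Return [{key, name, command}] for every string value under a Run/RunOnce key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or not current_key.endswith(AUTORUN_KEY_SUFFIXES):
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match:  # non-string values (hex:, dword:) are skipped
            entries.append({"key": current_key,
                            "name": _unescape(value_match.group(1)),
                            "command": _unescape(value_match.group(2))})
    return entries


def flag_suspicious(entries):
    """Keep the entries whose command runs from a user-writable location."""
    flagged = []
    for entry in entries:
        command = entry["command"].lower()
        if any(marker in command for marker in USER_WRITABLE_MARKERS):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in flag_suspicious(parse_autorun_entries(SAMPLE_REG_EXPORT)):
        print(f"[SUSPICIOUS] {entry['key']}\\{entry['name']} -> {entry['command']}")
```

A value name that imitates a system component (here "kernel32") is a second hint, but the path check is the reliable one: legitimate autorun entries run from Program Files or the Windows directory, not from a folder the user account can write to. Since the malware also hooks into system processes, the registry check is only a starting point; the flagged executable still has to be removed from disk and the injected process restarted.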

The malware also tries to get victims to install a mobile component on their Symbian, BlackBerry or Android phone. Once a victim's computer is infected, it pulls up a malicious web page asking for the person's mobile phone model and number; when these are supplied it sends a text message to the phone with a link to the malicious mobile app. That app is designed to break, bypass and hijack the bank's two-factor authentication, a user authentication measure that some banks currently rely on.

Steven is a technology writer who reviews internet security and antivirus software and applications. You can find more at the
