LinkedIn Attack Also Spread Bugat Trojan -- Not Just Zeus

Lesser-known financial fraud malware, such as Bugat and Carberp, is slowly making inroads and could give Zeus a run for its money, researchers say


All eyes have been on the prolific Zeus Trojan with its numerous attacks during the past year-and-a-half, as well as the recent high-profile international arrests of members from two separate cybercrime rings suspected of infecting machines with the Trojan and stealing a total of $73 million from their victims' bank accounts. But while Zeus, indeed, is the undisputed king of financial fraud malware today, a handful of other banking Trojans in the wings are slowly and quietly gaining ground.

The Bugat Trojan is one such malware family that has been overshadowed by Zeus, and it turns out it was also distributed in the recent LinkedIn phishing attack -- not just Zeus, as some experts had believed. Amit Klein, CTO at Trusteer, says his firm spotted Bugat spreading in the attacks. "There were a lot of malicious payloads being distributed, but the interesting one that we kept seeing was Bugat," Klein says.

The LinkedIn phishing attack last month, which was considered the largest-ever such attack, sent LinkedIn members email messages reminding them of messages in their accounts, and included a malicious URL that directed them to a phony site that installed the Bugat executable, according to Trusteer researchers.

Bugat was initially discovered in February by SecureWorks and has some features similar to those found in the banking Trojans Zeus and Clampi, but with a few twists. It uses an SSL-encrypted command-and-control (C&C) infrastructure over HTTPS, and it also steals FTP and POP credentials from the sessions it observes. It was originally distributed via the Zbot botnet that spreads the pervasive Zeus.

Then there's Carberp, a banking Trojan that was first spotted spreading in May and now appears to be morphing into an even more sophisticated piece of malware, according to researchers at TrustDefender Labs. It disables other Trojans on the machine it infects and can run without administrative privileges. It also goes after Windows Vista and Windows 7, as well as XP.

"The Carberp Trojan delivers almost all functionalities of a Zeus Trojan, but it is in some ways even more sophisticated," says Andreas Baumhof, CTO at TrustDefender. It can fully control any Web session and steal data or inject HTML to get around dynamic password schemes, he says. Carberp also contains a vast plug-in system, he says.

"Most worryingly, it can be installed with nonadministration rights. This is a feature that Zeus has only recently added," Baumhof says. "In regard to the HTML injection functionality, Carberp is now a part of a fairly 'elite' group of Trojans, such as Zeus, Silentbanker, Gozi, Mebroot, or Spyeye: All of these Trojans have been used for highly sophisticated fraudulent attacks against financial systems."

Carberp injects itself into Windows components and operates as a man-in-the-browser attack. It's also able to see and control HTTP-S and EV-SSL sessions, he says. "Whenever information is submitted over an encrypted HTTP-S session, including username/passwords and login details, Carberp will steal these and send them off to a C&C server in real time," Baumhof explains. "In addition to this, Carberp has the ability to change the current Web page to inject arbitrary HTML to perform more advanced tasks. This is typically used to steal dynamic passwords, such as one-time-passwords from two-factor authentication tokens."

That's bad news for online banking customers who feel relatively safe with their bank's two-factor authentication process. "One possible way is to steal one [one-time password] and simply reply back to the user that something was wrong and she/he should do it again. This would now give them [the attackers] a valid one-time password," he says.

TrustDefender witnessed some new Carberp samples yesterday, but is still awaiting its first big attack, Baumhof says.

The emergence of these and other rivals to the Zeus Trojan highlights how the bad guys are constantly reinventing the threat landscape to achieve their ultimate goal of making money. In this case, it's by creating new, less-detectable ways to steal the online financial credentials of mostly consumers and small to midsize businesses (SMBs).

"In some regard, the 'Dark Cloud' has its fixed players: big kids on campus. It's inevitable over time that new threats will evolve that can disrupt the threat landscape, challenge the old, innovate faster, and become more subtle. Carberp is an example of this ... and essentially it's shaking up the way the Dark Cloud is formed," says Sam Curry, chief technologist for RSA. "As with other businesses, the takeaway is that there are younger, hungrier, faster, and more competitive technologies that can and will challenge the status quo. Carberp isn't remarkable for its symptoms: It's remarkable for what it tells us about the people behind the scenes."

TrustDefender's Baumhof says Carberp has the potential to eventually overtake Zeus. "As Carberp is growing in sophistication at such a rapid rate, it potentially has the capabilities to outgrow and extend its reach beyond the Zeus model. We anticipate that Zeus will still be the No. 1 choice for quite a while, but the fact that there are new Trojans of similar quality popping up shows just how lucrative this market is," he says.


Meanwhile, the creators of Bugat and Carberp appear to be different from those of Zeus. But given the complicated network of creators, distributors, and ultimate users of the Trojans, it's often difficult to determine their actual roots. In the case of Zeus, for example, a dozen cyber thieves were recently charged with raiding the bank accounts of SMBs, municipalities, churches, and individuals after infecting their computers with a version of the Trojan. In addition, some 80 individuals were busted for stealing money using Zeus, most of whom were money mules who moved the money to the bad guys' accounts.

Trusteer says Carberp is currently targeting nine banks in the United States, Denmark, The Netherlands, Germany, and Israel, and is expected to eventually begin competing head-to-head with Zeus as the new Trojan of choice for fraudsters.

"The bad guys don't want to be popular. They want to make money and that has clearly been the major design goal for Carberp," TrustDefender's Baumhof says.

Bugat initially was focused on attacking U.S. banks, but has since been discovered targeting banks around the world. Jason Milletary, security researcher with SecureWorks Counter Threat Unit, says his team has witnessed an uptick in Bugat and Carberp activity. The newer, lesser-known malware can more easily remain under the radar than Zeus, he says. But that's not to say Zeus is simple for anti-malware tools to detect: It's constantly being tweaked to evade detection, he says.

As in any other marketplace, Zeus has become the product of choice because it's easy to obtain and use, and is relatively inexpensive. There are even free toolkits available online, Milletary says. If one of the alternative Trojan families becomes as easily accessible and useful, it could ultimately usurp Zeus at some point, he says.

But unseating Zeus any time soon would be akin to coming up with a brand-new operating system to rival Windows, Trusteer's Klein says. Even so, markets breed competition, he says, so in the end the alternative banking Trojans could give Zeus a run for its money. However, "I don't expect any real competition for Zeus in the next six months or so," he says.


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
