The Trojan Zeus continues to cause problems for both businesses and consumers.
Last month, M86 Security Labs discovered a new malicious code being used to attack PCs. According to a release from M86:
Based on information M86 Security Labs found on the malicious Command & Control (C&C) server, we assume that close to 675,000 [US$1.05 million] was stolen from the bank between July 5 and Aug. 4, 2010, and approximately 3,000 customer accounts were compromised. These cybercriminals used a combination of the new Zeus v3 Trojan and exploit toolkits to successfully avoid anti-fraud systems while robbing bank accounts.
How it worked went like this: The Zeus v3 got into computers while users surfed the Internet. The software stole a customer's online banking ID and, if there was more than 800 [US$1,250] in the account, money was transferred to a different account. The Trojan, after clearing out the bank account, served up a fake bank statement page that made it look like all of the money was still there, but in fact the account was practically empty.
This particular attack happened in the UK, but that doesn't mean it can't -- or won't -- infect U.S.-based computer networks. I spoke with John Viega of Perimeter E-Security about the risks this particular Trojan poses to U.S. businesses and their customers, particularly banks. He told me that what was particularly disturbing about this Trojan was its stealth maneuvering -- no one knew the money was missing because the Trojan made it look like the money was still there -- and that users were infected by visiting well-known websites.
It was also pointed out that the Trojan infected computers that were protected by antivirus software. This wasn't very surprising, said Viega.
Most antivirus products take on average 30 to 60 days to catch up with new malware, so there is a big window of vulnerability from when a new Trojan comes out to when you are protected. Anyone who builds a Trojan tests it against major products and makes sure the Trojan gets through before releasing into the wild.
Unfortunately, there was little users could do to protect against becoming infected, since antivirus programs didn't work. So how can the banking industry and customers keep money safe? Viega recommended banks, if they don't do so already, to institute a verification plan to ensure a customer initiated the transaction. He said:
Some banks already do this. After the customer finishes an online banking transaction, the bank automatically sends a text to the customer's cell phone to verify.
However, too many customers see that extra step as a nuisance, so not enough financial institutions will use verification methods like these, he added. It's too bad. Hopefully consumers will realize how dangerous malware attacks are and that responding to one more text message could end up saving them a lot of grief, frustration, and money.