This article provides an analysis of recent developments regarding attacks launched by malicious programs against the clients of financial organizations. This article will focus primarily on the struggle for control between financial malware, also known as crimeware1, and the antivirus industry and will also examine the confrontation arising between crimeware and the financial sector as a whole.This article will not stop to look at the methods employed to infect users’ computers, nor will it detail the other malign tactics, such as phishing and social engineering, etc. used by the cybercriminals against financial organizations. Whilst these topics remain as hot as ever, they have been addressed in detail elsewhere in previously published articles. For example, here is one such piece written by a colleague: Attacks on banks.
This article aims to answer the question – is it possible to effectively stem the tide of malware targeting the financial industry under present day conditions?
This article is aimed primarily at experts and specialists working in financial institutions, as well as IT professionals with an interest in this particular area.
Before we proceed any further, let me first emphasize that all of the financial organizations' ratings included in this article do not in any way reflect their reliability (or lack thereof) and have no correlation whatsoever to their vulnerability relative to other market players. These ratings often depend on the popularity of the system that a user happens to be working with. It would be inappropriate to draw any conclusions about the reliability of a bank's security system based on the materials referenced below.
More and more frequently these days, we hear about successful attacks perpetrated by the cybercriminals against the clients of financial organizations. More often than not, these malware-based attacks follow a well-trodden path: the search for a suitable victim and the infection of their computer, the theft of their online banking login credentials, followed by the subsequent withdrawal of the victim’s funds.
One recent classic example comes from the Zbot-toolkit family , which is also known as ZeuS.
This is a malicious tool designed to steal the very data mentioned above – users’ login credentials for online banking accounts. ZeuS was very active throughout the whole of 2009 and continues to pose a considerable threat, seemingly laughing in the face of IT security professionals who have on many occasions attempted to shut down ZeuS botnets. More than 700 centers are still regularly up and running. Each command center controls an average of twenty to fifty thousand infected computers and based on those sorts of figures, one can only wonder at the number of potential victims out there. These command centers are spread right across the globe (see Figure 1):
Such widespread geographic diversity ensures the longevity of the botnet. As recent practice has shown, the botnet cannot be destroyed by merely closing down a few of the hosting sites. On 9 March, Roman Husse who was monitoring the botnet with the assistance of ZeuS Tracker noticed an abrupt decrease in the number of control centers and saw that it correlated with the disconnection of an Internet Service Provider by the name of Troyak. By 11 March the number of control centers had decreased to 104, however, two days later Troyak found a new teleservices provider and by 13 March the number of control centers had increased to more than 700 again, so the good news was short-lived.
The ZeuS family of malware is a long way from being the only toolkit that has been designed for stealing users’ login credentials with the aim of gaining access to their online finances. For example, the Spy Eye toolkit is not only capable of stealing the required data, but can also destroy its ZBot/Zeus competitor, meaning that there is a virtual war going on under our very noses. Equally notorious was the Mariposa botnet consisting of 13 million computers worldwide and which was shut down by Spanish police in December 2009.
On the control panel of the Spy Eye botnet, the cybercriminals have chosen icons in the style of little sacks of money to represent each user of an infected computer in the botnet.
These botnets act as greenhouses for the propagation of financial malware. It is with this kind of malware that the cybercriminals steal users’ money most readily, and they are constantly finding new victims. The numbers clearly show an increase in the quantity of malicious programs targeting the clients of banks and other financial organizations over the past few years (see Figure 2):
Figure 2. The increase in the number of unique malicious programs
used to steal money from Internet users Source: Kaspersky Lab
The figures provided show an exponential quarterly increase in financial malware from the time when it first appeared to the present moment. What makes the situation worse is the fact that a large percentage of the malware in question is not detected by the antivirus programs of the majority of manufacturers when it first appears. For example, according to information provided by the ZeuS Tracker Center, during the middle of March more than half of the malware distributed by the ZBot/Zeus botnet has not been detected. That means that the malware attack was successful. By the time that users received adequate protection from the antivirus companies, the cybercriminals had already made off with all the information that they needed.
So why is this happening? For the sake of clarity, we will examine how the ‘treatment’ process works with typical antivirus databases. The process itself may differ somewhat from one antivirus developer to another, but in general, they all involve the same key steps (see Figure 3):
Now let’s take a closer look at each step:
It can be several hours between the appearance of a malicious file and a user receiving an antivirus update. This delay is due to the time required for each step of the above process. Of course, at the end of the delay, the user will have reliable protection. But the paradox is that this protection is usually a case of shutting the stable door after the horse has bolted. If a user's computer is infected, then the victim's personal data will already have been stolen by the cybercriminal. In the end, the antivirus database might help to alert a user to the fact that their system has been compromised, but the loss of data is irredeemable.
The cybercriminals are all too familiar with the update release process, from start to finish. They know all about the time it takes to update a database, and they are well aware that it is only a matter of time before their creations are detected. That is why they often choose the following plan of attack: they release a malicious file, then a few hours later when the antivirus programs have started to detect it, they launch a new attack with another of their creations, each time gaining a small window of opportunity a few hours wide — and so on, and so on. As a result, even though the antivirus industry is capable of providing reliable threat detection, the good old antivirus technologies of yesteryear struggle to keep up, meaning that protection is not always as immediate as it really needs to be.
Given the situation described above, when antivirus updates lag noticeably behind the contemporary threat level, financial organizations try establishing and implementing their own methods of client authentication in order to minimize risk and maximize their resistance to the efforts of the cybercriminals.
It must be acknowledged that of late, many leading financial organizations have started to introduce additional solutions and methods for the electronic authentication of their clients. Some of them are listed below:
We are not going to stop and talk about the methods that the cybercriminals use to overcome these obstacles as this has already been covered in detail in the ‘Bank Attack’ article mentioned above. However, we ought to point out that they do know how to ‘cheat’ the protection systems in place and that their methods are indeed quite successful.
Certainly, the measures taken by the financial institutions have made life for the cybercriminals much more difficult, but at the same time, these measures have not become a panacea. News about such losses continues to flow in much the same way that reports continue to be received from any front line.
According to data from Kaspersky Lab based on the results for Q1 of 2010, the list of the most popular financial organizations targeted by the cybercriminals is as follows:
|Organization||Percent of total attacks|
|Banco Santander group||4.71%|
|Banco do Brasil||3.92%|
|Banco de Sergipe||2.84%|
|Bank Of America||2.36%|
|ABN AMRO banking group||2.28%|
|Banco Nossa Caixa||1.39%|
Table 1. The top ten financial institutions targeted by malicious users (Kaspersky Lab)
This list has remained practically unchanged for the last few years.
Most of the targets are Brazilian banks. This trend is examined in Dmitri Bestuzhev's article "Brazil: A country rich in banking Trojans".
According to data provided by Kaspersky Lab, the number of banks that suffered from similar attacks during the first three months of 2010 is approaching one thousand.
Thus it is obvious that the cybercriminals are constantly finding new and more sophisticated ways of getting their hands on users’ information, despite the introduction of additional protective measures taken by the banking fraternity to protect their online clients.
Now we will try to answer the main question: is it possible to counteract crimeware given today's realities?
Let's consider an overview of the problems outlined above that affect banks and other financial institutions and which need to be resolved as soon as possible.
One could be forgiven for thinking that the picture looked very bleak indeed. The antivirus industry's response time simply isn’t quick enough, malicious users remain at large and bank clients are not always sufficiently protected. However, all is not lost. Technologies are constantly developing and today’s leading antivirus companies do have solutions capable of repelling the attacks of the cybercriminals.
At this moment, some of the players in the antivirus market are already using in-the-cloud technologies. These assist greatly in detecting and blocking malware content, as well as limiting its sources. Here we are speaking about client-server technologies that analyze metadata containing information about malware activity on the users’ computers. However, the metadata can only be sent with the permission of the user and does not contain any private information.
This technology differs from antivirus database detection methods in how it analyses the sample. The antivirus engine can only analyze a sample according to fixed rules, such as recognizing odd behavioral patterns for example. The online analysis of metadata received from many users simultaneously allows the detection of ‘suspicious activity’ and the consequent blocking of the detected threat, thereby preventing the problem from spreading. In practice, users of such distributed networks can receive protection just a few minutes after the appearance of any threats.
As a result, using in-the-cloud antivirus technologies offers a number of advantages:
So what does it bring to the financial organizations? The solutions described can warn the financial institutions about the appearance of any new threats aimed at their clients automatically and in real-time. Such warnings may contain detailed information about the threats and instructions on how to fight them.
Also in demand is a service to provide financial organizations personal access to a so-called ‘situation room’. This is a type of web resource that requires a personal login name and password. Visitors can obtain a great deal more information than what is available in email notifications. For example, an online situation room would include reports and analyses relevant to an organization, its region, and the sources of attacks against an organization's clients.
However, the result of introducing this kind of notification and reporting system may not be optimal for a number of reasons:
All of these factors complicate the identification of targeted attacks.
To get a complete picture of the cybercriminals’ actions in relation to the banking world, the most opportune method is direct cooperation between the antivirus companies and the financial institutions.
As a result, stronger collaboration among antivirus companies and financial institutions in the fight against crimeware could help kill two birds with one stone. Financial organizations could take this approach in an effort to minimize risks and reduce payments incurred from these types of incidents. Antivirus companies would be afforded the opportunity to more effectively combat targeted attacks.
Up to this point we have been looking at two parties who are locked in combat with the cybercriminals: the antivirus companies and the financial organizations. However, there is one more participant who despite all the opportunities it has to become involved is not playing anything like an active enough role – it is the government.
Without governmental support the possibility of defeating the cybercriminals is minimal. Countries have borders, but the Internet does not and this gives the cybercriminals complete freedom to act at will. For example, is it possible for a Korean bank to quickly shut down a Brazilian malware host, sticking strictly to all the procedures of state and respecting international law along the way? Or is it possible for a Brazilian bank to do the same in China? The answer is obvious, in both cases it is a resounding ‘No!’ To take the fight to the cybercriminals without any efficient mechanisms for the cooperation of the necessary authorities from the different countries is problematic to say the least. Such a struggle resembles a tug-of-war. As soon as any new technologies appear that target the cybercriminals activities, the cybercriminals respond by developing some new means to bypass it. The process then starts all over again, ad infinitum.
The table below identifies the geographical distribution of malicious hosting services spreading crimeware in the first quarter of 2010.
|Country||Percent of total attacks|
Table 2. The top ten countries hosting resources to which crimeware is most often linked. Source: Kaspersky Security Network (KSN)
We have touched on a number of difficulties that antivirus companies and financial institutions face today in the fight against cybercrime and the theft of money from online banking clients. We have also examined one potential solution to the problem.
This solution can be applied to other systems in addition to online banking. It could also be used to effectively monitor attacks against online gamers, e-money systems and exchange platforms. It is worth noting that these attacks are registered a great deal more often than attacks against online banking systems.
It is without doubt necessary to mention once again the major role that governments should be playing in this field. Without state support very little will ever be accomplished in the fight against cybercrime. The problem will remain unresolved until such times that effective and efficient mechanisms exist for the necessary communication and interaction to take place between the relevant authorities.
2011 Aug 30, 19:47
Impediment to intergovernmental cooperation
One impediment to the intergovernmental cooperation called for in this article is the existence of state-protected Internet crime. There have been a number of incidents, some reported on this blog, in which Internet criminals have been traced to their home country and dossiers for prosecution have been handed over, only to have the home country ignore the cases or impose minimal penalties that punish or deter no one. The prospect of such states cooperating in international efforts is minimal.