Earlier this year Trusteer's CTO Amit Klein blogged about two malware families, Tinba and Tilon, going back to basics. He observed that we are witnessing an interesting trend: organizations are rolling out advanced malware detection systems that force malware authors to drop some of their more advanced techniques and reuse older techniques that were abandoned years ago. The latest example of this trend is a Zeus variant that was detected by Trusteer's security team this month. Using a unique HTML injection mechanism and static mule accounts, this malware is now targeting banks in Eastern Europe by covertly manipulating and performing transactions on the end user's behalf.


In the last couple of years many organizations took note of the malware threat and deployed advanced malware detection systems. These new security solutions were familiar with all the latest tricks malware authors had to offer and contained effective countermeasures. Malware authors (and their criminal clients) did not sit idle while their attacks were detected and eliminated; they fought back.


Here are just three examples of such cases, each examining the original criminal threat, the bank's countermeasure, and the criminals' response to that countermeasure:

1. Threat: Cybercriminals use stolen user credentials to commit fraud from their own devices.
   Countermeasure: Security solutions start using device ID and device reputation techniques to identify criminal devices and logins that do not originate from the end user's known device.
   Response: Cybercriminals use RDP (Remote Desktop Protocol) to connect to the victim's device and commit the fraudulent transactions from that trusted device. Device ID solutions see this as the legitimate client's device and therefore do not generate an alert.

2. Threat: Cybercriminals use automatic scripts that create a fraudulent transaction right after an infected user logs in to the account.
   Countermeasure: Security solutions start performing velocity tests on all transaction pages. If a transaction form is filled out in less than a second, it is obviously not a human, and the transaction is challenged or declined.
   Response: Cybercriminals create automatic scripts with a "slow fill" function that fills out the transaction form in a human-like way (the script enters characters at 0.1-2 second intervals). Velocity tests view the automated script as human and do not generate an alert.

3. Threat: Cybercriminals use HTML injection to display additional fields to victims, who fill them out and provide the attackers with more data.
   Countermeasure: Security solutions compare the submitted input fields with the fields on the bank's own page to determine whether the user is submitting data the bank did not ask for.
   Response: Cybercriminals respond by having the malware inject full pages (rather than altering the original bank page) to the victim. Effectively, the user is unknowingly filling out a malware-generated page and is not communicating with the bank's website. The bank then sees only the fields it expects and does not generate an alert.

Trusteer's security team has recently identified a Zeus variant that uses a rather curious way to overcome malware detection solutions. This particular variant targets an Eastern European bank whose transaction form contains typical data fields: the paying account, transaction amount, beneficiary account, beneficiary name, beneficiary address and a transaction title. An HTML injection is applied to the transaction page that changes the HTML form field names of the beneficiary account number, name, address and transaction title, while leaving the field names of the source account and the transaction amount unchanged. The same injection also adds the mule account data in fields that carry the correct (original) names, in place of the renamed fields. The victim fills in the transaction details as usual (unaware that at the HTML level some of the fields now have the wrong names) and submits the form. The bank receives an HTTP request for the transaction in which the correctly named fields, the ones it actually processes, now specify a receiving mule account, while the source account and amount the victim entered pass through unchanged.
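As an added illustration, the following Python simulates the field-renaming inject described above and the submitted-parameter comparison from case 3. It is not code from Trusteer's write-up and not the real bank's markup: the form, the field names (src_account, benef_account and so on), the _x suffix the inject appends, and the mule values are all constructed assumptions.

```python
"""Simulate a static (JavaScript-free) web-inject that renames form fields and
smuggles mule data in under the original names, plus the bank-side check that
flags parameters the form never had.

Everything here is constructed for illustration: the markup, the field names and
the mule values are assumptions, not data from the Trusteer write-up.
"""
from html.parser import HTMLParser

# Constructed stand-in for the bank's transfer form (not the real bank's page).
CLEAN_FORM = """
<form method="post" action="/transfer">
  <input type="text" name="src_account">
  <input type="text" name="amount">
  <input type="text" name="benef_account">
  <input type="text" name="benef_name">
  <input type="text" name="benef_address">
  <input type="text" name="title">
  <input type="submit" value="Pay">
</form>
"""

# The parameter names the bank's /transfer handler reads (assumed).
EXPECTED_FIELDS = {"src_account", "amount", "benef_account",
                   "benef_name", "benef_address", "title"}

# Fields the inject hijacks, with hardcoded (static) mule data. Constructed values.
MULE_DATA = {
    "benef_account": "PL00000000000000000000000000",  # not a real account number
    "benef_name": "Mule Holder",
    "benef_address": "Nowhere 1",
    "title": "invoice",
}


def inject(html):
    """Static web-inject: plain text substitution on the HTTP response, no script.

    Each targeted input keeps its visible box but gets a name the bank does not
    read (original name plus a suffix); a hidden input with the original name
    and the mule value is appended so the bank receives that value instead.
    """
    for field in MULE_DATA:
        html = html.replace(f'name="{field}"', f'name="{field}_x"')
    hidden = "".join(f'<input type="hidden" name="{f}" value="{v}">'
                     for f, v in MULE_DATA.items())
    return html.replace("</form>", hidden + "</form>")


class FormFields(HTMLParser):
    """Collect (name, type, value) of every named, non-submit <input>."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("type") != "submit" and "name" in a:
                self.inputs.append((a["name"], a.get("type", "text"), a.get("value", "")))


def browser_submit(html, typed):
    """Model the victim's browser: the user types into the visible boxes in
    order (they look identical whatever their name attribute says); hidden
    inputs are sent with the value the page already holds."""
    parser = FormFields()
    parser.feed(html)
    typed = list(typed)
    body = []
    for name, kind, value in parser.inputs:
        body.append((name, value) if kind == "hidden" else (name, typed.pop(0)))
    return body  # list of (parameter, value) pairs, as in a POST body


def bank_process(body):
    """The bank's handler reads only the parameters it expects and silently
    ignores the rest, which is exactly what the attack relies on."""
    params = dict(body)
    return {f: params.get(f) for f in EXPECTED_FIELDS}


def unexpected_parameters(body):
    """Countermeasure from case 3 above: any parameter name the bank never
    asked for is evidence of a tampered form."""
    return sorted(name for name, _ in body if name not in EXPECTED_FIELDS)


def run_demo():
    """Same six values typed by the victim against the clean and injected form."""
    typed = ["PL11111111111111111111111111", "500.00",          # constructed
             "PL22222222222222222222222222", "Real Payee", "Main St 5", "rent"]
    clean = bank_process(browser_submit(CLEAN_FORM, typed))
    tampered_body = browser_submit(inject(CLEAN_FORM), typed)
    return clean, bank_process(tampered_body), unexpected_parameters(tampered_body)


if __name__ == "__main__":
    clean, tampered, extra = run_demo()
    print("clean beneficiary:   ", clean["benef_account"])
    print("tampered beneficiary:", tampered["benef_account"])
    print("unexpected params:   ", extra)
```

Running it shows the victim's source account and amount arriving intact while the beneficiary fields carry the mule data, and the unexpected-parameter check lighting up on the renamed fields (benef_account_x and friends). The caveat is the one case 3 already makes: that check only fires if the renamed fields reach the server. An inject that strips them, or that serves a full replacement page, presents the bank with exactly the expected parameter set, and the only remaining discrepancy is between the beneficiary the customer saw and the one that was submitted, which is why confirming beneficiary details through a channel the infected browser does not control still matters.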


To recap: the malware uses a hardcoded HTML injection (with static mule account information) to perform fraudulent transactions. This technique, simple to the point of being crude, offers two advantages over JavaScript-based HTML injection: fewer "moving parts" (no dynamic scripts) makes detection harder for anti-virus and anti-malware solutions, and it still works in browsers whose users have disabled JavaScript for security reasons. Simple, crude, but effective.

Just as users, organizations and security solutions study and adapt to new threats, malware authors stay vigilant and invest a lot of effort into remaining stealthy. Trusteer's Rapport can detect, mitigate and remove this and other Zeus variants from infected devices. Trusteer Pinpoint Malware Detection can identify and warn organizations of malware-infected devices that attempt to log in and transact with their website.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.