The Big Four Banking Trojans- Kaspersky Daily

Vitus White
Last updated: October 13, 2022

Banking trojans are like rats: you kick a trashcan and six of them go scurrying off in every direction. Most of them you’ll read about once and never again. But there is a big four of sorts that just never seem to go away: Carberp, Citadel, SpyEye, and especially Zeus.

Semantically speaking, the problem with calling these things banking trojans is that we sometimes catch them doing other bad things unrelated to the theft of financial information. It’s all very murky in the seedy underworld of cybercrime, but, semantics aside, each of these pieces of malicious software represents a real problem: they are damn good at stealing online banking and other financial credentials.

It’s a bit difficult to write a compelling story about a handful of different banking trojans, seeing that they all do essentially the same thing, but nonetheless, here is a rundown of the four most prolific ones, in rough reverse order of notoriety:

Carberp

The original version of Carberp was a fairly typical trojan. It was designed to steal users’ sensitive data, such as online banking credentials or username and password combinations for other high-value sites, and to relay what it stole back to a command and control (C&C) server under its creators’ control. Simple and straightforward. The only tricky component was its elaborate rootkit functionality, which let the trojan remain unnoticed on the victim’s system. The next generation of Carberp added plug-ins: one that removed anti-malware software from infected machines and another that tried to kill off other pieces of malware, should any be present.

Things got more interesting when its maintainers gave the trojan the ability to encrypt stolen data in transit between infected machines and the C&C server. According to researchers, Carberp was the first piece of malware to use a randomly generated encryption key rather than a single static key baked into every sample. The distinction matters to defenders: a static key, once pulled out of one sample, decrypts the traffic of every bot in the fleet and doubles as a cheap network signature; a fresh random key per bot or per session takes both away.
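To make the static-versus-random-key point concrete, here is an added example; it is not Carberp’s code or protocol, and the page does not say which cipher Carberp used. Three bots report to a C&C over RC4 (a short stream cipher chosen only because it fits in a few lines), and a network analyst who has recovered one key from one captured sample tries that key against every capture. The bot IDs, the report marker and the stolen-credential strings are constructed for the example.

```python
"""Static key vs. per-session random key, seen from the analyst's side.

Added example, not Carberp's code. RC4 stands in for whatever cipher the
malware actually used; the fleet, marker and payloads are constructed.
"""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling, then keystream XORed into the data.

    RC4 is symmetric, so the same call both encrypts and decrypts.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


STATIC_KEY = b"example-static-key"   # constructed: the key "baked into every sample"
MARKER = b"REPORT|"                   # constructed: fixed prefix of every bot report


def simulate_fleet(per_session_random: bool):
    """Three bots each send one encrypted report to the C&C.

    Returns (key_the_analyst_recovered, captures). The analyst is assumed to
    have reverse-engineered bot-A only, so the key they hold is bot-A's.
    """
    captures = []
    recovered = None
    for bot_id in ("bot-A", "bot-B", "bot-C"):
        key = os.urandom(16) if per_session_random else STATIC_KEY
        if bot_id == "bot-A":
            recovered = key
        report = MARKER + bot_id.encode() + b"|user=alice;pass=hunter2"
        captures.append((bot_id, rc4(key, report)))
    return recovered, captures


def triage(known_key: bytes, captures) -> dict:
    """Network-side triage: decrypt each capture with the one known key and keep
    only results that look like a real report. RC4 under a wrong key yields
    random-looking bytes rather than an error, hence the marker check."""
    hits = {}
    for bot_id, blob in captures:
        plaintext = rc4(known_key, blob)
        if plaintext.startswith(MARKER):
            hits[bot_id] = plaintext
    return hits


def decryptable_bots(per_session_random: bool) -> list:
    """Which bots' traffic the analyst can read under each key regime."""
    key, captures = simulate_fleet(per_session_random)
    return sorted(triage(key, captures))


if __name__ == "__main__":
    print("static key ->", decryptable_bots(False))   # ['bot-A', 'bot-B', 'bot-C']
    print("random key ->", decryptable_bots(True))    # ['bot-A']
```

The flip side for the defender: a random key still has to reach the C&C somehow (wrapped under a static key, under a public key, or derived from something both sides already know), so the work shifts from “decrypt with the extracted key” to “find and break the key exchange”. The page says nothing about how Carberp transported its keys, so the example stops at the effect on traffic decryption.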

At one point, Carberp started working in conjunction with the notorious Blackhole exploit kit, generating an enormous uptick in infections. All was going well for Carberp and its authors. They had even managed to develop a Carberp module targeting Facebook users that tried to trick them into handing over e-cash vouchers as part of a ransomware-style scam.


From there, things went downhill a bit. Russian authorities nabbed eight men believed to be responsible for controlling the malware, but Carberp did not die. Since then there has been no shortage of Carberp sabotage attempts and arrests. At one point, criminals seeking to deploy the tool had to pay $40,000 for access to it, until its source code was released last year, giving nearly anyone with enough know-how access to the trojan.

Citadel

The Citadel trojan is a variant of the king of financial malware, Zeus. It emerged, along with a number of other one-off trojans, after the Zeus source code leaked in 2011. Citadel’s initial noteworthiness has a lot to do with its creators’ novel adoption of an open-source-style development model that let anyone review its code and improve upon it (improve, that is, from the criminals’ point of view).

The group or groups of criminals responsible for Citadel built a community of customers and contributors around the globe that would suggest new features for the malware, contributing code and modules as part of a criminal social network of sorts. Some of the most notable capabilities included AES encryption of configuration files and of communications with the C&C server, the ability to evade tracking sites, the capacity to block access to security vendors’ sites from victim machines (so the antivirus cannot fetch updates and the victim cannot reach help), and functionality that could record video of the victim’s activity.
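A check an incident responder can run for the “block access to security sites” capability, as an added example (not Citadel’s code): the assumption is that the blocking is done by pinning vendor hostnames in the hosts file, a technique widely reported for this malware family, though the page does not say which mechanism Citadel used. The vendor watch list and the sample hosts file are constructed for the example.

```python
"""Flag hosts-file entries that block or redirect security-vendor sites.

Added example, not Citadel's code. Assumes the malware tampers with the hosts
file; the watch list and SAMPLE_HOSTS below are constructed.
"""
import ipaddress
import sys

# Constructed watch list: a legitimate hosts file has no reason to pin these.
SECURITY_DOMAINS = (
    "kaspersky.com", "kaspersky-labs.com", "symantec.com", "symantecliveupdate.com",
    "mcafee.com", "eset.com", "avast.com", "bitdefender.com", "sophos.com",
    "malwarebytes.com", "virustotal.com", "windowsupdate.com", "update.microsoft.com",
)


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments and blanks.

    One hosts line may carry several hostnames after the address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed address; out of scope for this check
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def matches_watch_list(hostname: str) -> bool:
    """True for a watch-listed domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def suspicious_entries(text: str) -> list:
    """Every watch-listed hostname pinned in the hosts file, with a verdict.

    'blocked'    : pinned to loopback/unspecified, so the site is unreachable.
    'redirected' : pinned anywhere else, which is worse: the victim may be
                   sent to a host the attacker controls.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not matches_watch_list(name):
            continue
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": line_no, "ip": str(ip), "host": name, "verdict": verdict})
    return findings


# Constructed sample resembling a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com   # added by malware
0.0.0.0         liveupdate.symantecliveupdate.com
203.0.113.7     www.virustotal.com
192.168.1.10    intranet.example.test
"""


if __name__ == "__main__":
    # Pass the real file to scan it (C:\Windows\System32\drivers\etc\hosts on
    # Windows, /etc/hosts elsewhere); with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in suspicious_entries(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['verdict']})")
```

Two caveats when using this on a real machine: a default Windows hosts file maps nothing but localhost (and often has even that commented out), so any vendor entry is worth a look regardless of the address it points to; and a trojan with a browser-injection engine can filter the same sites inside the browser without touching the hosts file, which this check will not see.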

The network of Citadel contributors kept adding newer and more dynamic features to the trojan, making it more adaptive and faster, until it became so versatile that criminals began using it for credential theft of all stripes.

Citadel saw big success until Microsoft and a coalition of other companies launched an operation that eventually disabled some 88 percent of its infections.

SpyEye

The SpyEye trojan was supposed to be the banking trojan that would come to compete with Zeus. In the end, SpyEye was like all the men said to be heirs to Michael Jordan’s greatness: they had hype, they had potential, but they couldn’t take down the king. Zeus is the king, no doubt, but SpyEye made a splash before quickly fading away.

At one point, parts of the SpyEye botnet operation merged with Zeus’s into a mega banking botnet, but it would ultimately burn out without living up to the hype. It had its successes, though. Attackers deployed SpyEye in an attack targeting Verizon’s online billing page, pilfering users’ sensitive personal and financial information for more than a week without notice. It showed up on Amazon’s Simple Storage Service, using the cloud provider as a platform for attacks, and it showed up on Android devices at one point, but a series of arrests, and perhaps just a lack of effectiveness, ended SpyEye’s run.

Three Baltic men were arrested in the summer of 2012 for using SpyEye to operate a highly organized banking information theft operation. In May of this year, an alleged SpyEye developer was arrested in Thailand and extradited to the United States, where he faces more than thirty counts of botnet- and bank-fraud-related charges.

Since then, we haven’t heard a whole lot about SpyEye.

Zeus

And then there was Zeus. Aptly named for the king of the Greek gods, Zeus is unparalleled in scope, use, and effectiveness. Since its source code leaked in 2011, it seems that nearly every banking trojan has flavors of Zeus built into it. Among these, only Zeus is notorious enough to have its own Wikipedia page. There are 22 pages, each containing ten stories, on Threatpost (the site the original article’s hyperlinks point to) that make reference to the Zeus trojan. You could write a novel of Leo Tolstoy or Marcel Proust length about the shenanigans of the Zeus trojan, so it’s nearly impossible to summarize the threat briefly, but we’ll throw out some highlights.

It burst onto the scene in 2007 after it was used in a credential-theft attack targeting the United States Department of Transportation. Since then Zeus has infected tens of millions of machines and resulted in the theft of hundreds of millions of dollars. Its creator reportedly called it quits in 2011, and the malware’s source code was published online. Many hundreds of individuals have served or are serving jail time for their involvement in Zeus-related scams.

It was among the first pieces of malware sold under a license. Until its source code was made public, Zeus was the scourge of banks and corporations alike. The list of its victims is too long to reproduce here, but it includes prominent banks, corporations, and government agencies.

Zeus is also known for its innovative use of a mobile “younger brother” called ZitMo (Zeus-in-the-Mobile) to circumvent the popular two-factor authentication scheme in which the bank sends a one-time security code by text message: the desktop trojan tampers with the transaction in the browser while the mobile component intercepts and forwards the code, so both channels the bank relies on are under the attacker’s control. SpyEye and Carberp developed their respective mobile counterparts as well.

Banking malware aside, the Zeus trojan is among the most notorious of all malware, second only perhaps to Stuxnet.

The protection

Each of the Big Four shares the same essential properties: it tries to evade detection by your antivirus; it intercepts keystrokes, browser data, stored files and basically everything that helps criminals get into your bank account and initiate a fraudulent money transfer; and it even tries to install mobile malware on your smartphone, which lets criminals steal the one-time security codes banks often use to approve transactions. Among all types of malware, banking trojans stand out for the direct financial damage they inflict on their victims, which is why modern protection software must include specific countermeasures against every aspect of “banking” trojan functionality. Kaspersky Lab has packaged these protection measures into its Safe Money technology, which is implemented in recent versions of Kaspersky Internet Security – Multi-Device and Kaspersky PURE. Learn how to enable Safe Money with this tip.


Source: kaspersky.com
