Malware Attacks - Leave Those [Banks] Alone

by lg0p89

First, all apologies to the Pink Floyd fans for modifying the noted lyric.

Bank breaches have been in the news with an increased frequency lately.

The banks tend to be a good target for the deviants and their respective malware for two primary reasons.  First, this is where the cash is located, and a lot of it.  This can be transferred out with some ease, depending on the system and the structuring of the transfers.  Second, this is also where the clients' information sits in a digital and downloadable format.  This includes all of the information that can be sold to other parties for their own nefarious uses.

Unfortunately for everyone, the bank clients are becoming numb and apathetic to information security.

They have been inundated, from their perspective, with having to change their passwords too often (in their own view), the breaches and thefts in the news, and emails telling them their computer is infected (be it infected or not).

In this day and age, it would seem intuitive for the bank's clients to be hyper-vigilant, especially given the potential for loss to them.  The Help Desk and the bank, however, are still receiving complaints regarding security, ranging from having to change their ATM password too often, to being asked to send personal documents containing their private information (i.e., tax returns, W-2s, etc.) securely, to being asked for state- or federal-issued identification or other identifying information to verify the person's identity, and everything in between.

Previous Banking Malware

Banks as a target have not and probably won't change in the future.

As noted, the banks have what the criminals want.

Within the last couple of years, the ZeuS malware was in the news.  This also was directed at the banks and their clients.  ZeuS did quite a bit of damage to the affected banks.  Also, banks have had the pleasure of feeling the negative effects of the Gameover malware, which was shut down back in June of 2014.

Shylock's demise recently made the headlines.

This has been operating since approximately 2011.  This case of malware received its name due to quotes from Shakespeare's Merchant of Venice being in its code.  This is also known as Caphaw.  The coding for this was rather inventive and sophisticated.  These coders are believed to be located outside of the U.K. and first targeted the U.K. computers and banks' clients, and later widened their target base to banks in Germany, Turkey, Italy, and Denmark.  Of the targeted banks, three quarters were British.

Modus Operandi

With this malware, the coders learned from the prior generations.

Generally building on past experiences is a good thing, except with this incident there is a malware application involved.  This did, however, use much of the same methods as the other significant malware occurrences.

The malware can be spread via spam.

Here, the user clicks on the link that appears to be fine from their view, and their system becomes infected.  Shylock waits patiently in the background as the user continues to go about their business on the Internet, looking at news stories and different products to buy.  When the user eventually logs onto their bank's website, the malware may either display a false website, which appears to be perfectly legitimate (man-in-the-middle usage) or keylogs the user's system.

As an alternative, the malware may also utilize screenshots to gather the information it wants.  The user's credentials for the bank are then captured and sent to the command and control center.  This may then be used or sold abroad in the dark web.

This sounds very basic and much like any other malware that is present.

There is, however, a new aspect to this in that the malware is rather dynamic and not static.  This was not released into the wild in one format and allowed to run rampant through users' compromised systems, but developed over time.  This began with the basic code for the malware.  This later incorporated other aspects, e.g. Skype's chat function, into the attack.

It was written to be of a somewhat modular design and incorporated certain aspects of the malware when wanted.  This is somewhat like ordering from the restaurant what you would like with your steak.

Shut Down

For obvious reasons, this caught the attention of law enforcement.

The task force, led by the National Crime Agency, a U.K. law enforcement agency, and involving the FBI, Europol, German Federal Police (BKA), and several infosec firms, searched for information on the malware and its infrastructure.

Due to their efforts, Shylock's infrastructure was found and shut down.  This was done via the task force eventually finding and seizing the command and control servers and domains.  These were used by Shylock to communicate with and control the infected computers.

Malware attacking banks and their clients is not going to slow down any time soon.

The rewards (e.g. cash, personal identifying information, etc.) far outweigh the risks.

The malware has shown itself to adhere to a simple trend.  This will continue to become more advanced and allow for the utilization of different forms.  This will continue to make it more difficult to find and later quarantine the malware.  The potential losses to the banking system continue to be massive.  To fight this, a layered approach and different agencies have to be involved.  Each of these brings a slightly different viewpoint and method of working.  With these entities working together, the threat is removed long before it would be with the agencies working alone.

Malware is, unfortunately, all around us.

It can come from email sent to people by strangers.  It can come from visiting different websites.  Each of these instances may include another version of malware.  There used to be a limited number of coders who were talented enough to write effective malware.  With wider use and understanding of the Internet and computers, plus additional training, this skill set has grown exponentially.  The coders are always looking for different malware to write to affect different users.

Tinba

Tinba is also known as Zusy.

The name came from a shortening of "Tiny Banker."

This example of malware is very small, only taking up 20k.  Although the size is small, this is still very useful and functional for the criminal aspect, and works as well as other malware that is much larger.  This was written to steal bank login credentials, credit card numbers, financial information, and other data.  Tinba can also be modified and customized.

This was discovered in mid 2012.

At that point, more than 60,000 computers in Turkey were infected.  The source code was published.  Initially, it appeared to have been a bonus for law enforcement.  After all, the appropriate law enforcement agencies would know what to scan for.  Once you know the specifics of the target malware, it should then be easier to track.  This actually meant, however, that others would be using the malware with more regularity and spreading the known version of the malware, along with modified versions.  This made the tracking and enforcement more difficult.

This was also seen previously with the ZeuS malware.

With this, however, the source code was leaked in 2011.  Once this occurred, ZeuS' use by the criminal element increased significantly.

Deconstructed

Tinba was written to steal data from consumers visiting their bank's website.

This was coded to use a "man-in-the-browser" (MitB) attack.

This works by injecting code into the browser, which changes the bank's website and its content as the user sees it.  The modification may take the form of additional fields on the bank's web page.  These additional fields must be completed by the user before moving on to the next page.

This also places the malware in the user's system.

The infected system can also be set up to be used as part of a botnet.  A later version of Tinba made changes to the user's interface.
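As an added illustration (not code from the article or from Tinba), here is the kind of page-integrity check a bank's front end can run to notice the man-in-the-browser tampering described above: extra fields the bank never placed on its login form, a password box downgraded to plain text, or the form being re-pointed at another origin.  The expected form layout and the bank origin are constructed assumptions for this example.

```javascript
// Added defender-side example: compare the login form the browser is actually
// showing against the layout the bank served. Everything below is constructed
// for illustration; "https://bank.example" is a hypothetical origin.

// Layout the bank expects its login form to have (constructed).
const EXPECTED_LOGIN_FORM = {
  actionOrigin: "https://bank.example",
  fields: [
    { name: "username", type: "text" },
    { name: "password", type: "password" },
  ],
};

// Compare an observed snapshot against the expected layout and return findings.
// The snapshot is plain data, so the check runs without a DOM (unit tests) and
// in the browser via snapshotForm() below.
function checkFormIntegrity(expected, observed) {
  const findings = [];
  const expectedByName = new Map(expected.fields.map((f) => [f.name, f]));
  const seen = new Set();

  // Form posting somewhere other than the bank's own origin.
  let actionOrigin = null;
  try { actionOrigin = new URL(observed.action).origin; } catch (e) { /* malformed */ }
  if (actionOrigin !== expected.actionOrigin) {
    findings.push({ kind: "action_changed", detail: String(observed.action) });
  }

  for (const field of observed.fields) {
    seen.add(field.name);
    const want = expectedByName.get(field.name);
    if (!want) {
      // Extra field the bank never put there (e.g. a PIN or card-number box).
      findings.push({ kind: "injected_field", detail: field.name });
    } else if (want.type !== field.type) {
      // e.g. password input changed to plain text so it can be read back.
      findings.push({ kind: "type_changed", detail: `${field.name}:${field.type}` });
    }
  }
  for (const name of expectedByName.keys()) {
    if (!seen.has(name)) findings.push({ kind: "missing_field", detail: name });
  }
  return findings;
}

// Browser glue: turn a live <form> element into the plain snapshot shape.
function snapshotForm(form) {
  const inputs = Array.from(form.querySelectorAll("input"))
    .filter((i) => i.type !== "hidden" && i.type !== "submit")
    .map((i) => ({ name: i.name, type: i.type }));
  return { action: form.action, fields: inputs };
}
```

In a real deployment the findings would be reported to the bank's fraud team rather than acted on client-side alone, since injected code can also tamper with the check itself.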

Pertinence

The banks and their clients continue to be targeted by malware.

As mentioned, this will not slow down and will grow indefinitely.

Tinba likewise followed this route via targeting online banking.  At first, this was focused on banks in Turkey, and eventually expanded its target market and range.

Tinba provided yet another tool for the criminals to use.

The modifications and later versions are useful to the criminals but tend to make the malware more difficult to track.  As this is the case, this piece of malware will continue to be important and something to watch for.
