Zeus P2P variant against Facebook, Hotmail, Yahoo & Google Mail

Pierluigi Paganini May 17, 2012

Researchers at the security firm Trusteer have discovered a new variant of the Zeus malware responsible for a series of attacks against major internet service providers. The variant, which relies on a peer-to-peer (P2P) botnet architecture, carries out attacks targeting users of Facebook, Hotmail, Yahoo and Google Mail.

What is Zeus?

The Zeus Trojan is one of the most notorious pieces of malware, found in many cases, and it can be considered one of the best products of the malware industry. It is highly appreciated by cyber criminals, who have improved its features over the months. Zeus was born as an agent able to steal banking information by logging keystrokes and grabbing form data, and it is spread mainly through phishing and drive-by download schemes.

As for the distribution model and the support services, commonly referred to as a “software-as-a-service” model, consider the ZeuS offshoot Citadel, sold through a genuine web store advertised on several members-only forums where malicious developments are offered.

Recently I reported the news on the commercial distribution of the famous Zeus Trojan, a malware designed as an open project that can be customized with new features to meet customer demands. Consider that the several Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States). As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus Trojan. Regarding ZeuS diffusion I suggest consulting the web site https://zeustracker.abuse.ch/, which provides updated statistics on the location of the Command & Control servers of the botnets based on the agent. Among the huge quantity of statistics presented, two that I consider really indicative are the average antivirus detection rate (last 60 days) and the list of the top C&C servers.

The scheme of the new scam

The principle used to trick unsuspecting users is simple: the cyber criminals behind the malware, with the intent of stealing users’ debit card data, offer discounted products through the famous platforms. The malware relies on the psychological conditioning of the user, who, seeing attractive discounts offered on well-known platforms, is pushed to believe they are genuine.

The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data. Let’s look in detail at the main attacks observed.

The malware variant that hit Facebook uses a web injection mechanism to offer the victim a special 20% discount on purchases made with a Visa or MasterCard debit card through their Facebook account. The scam promises that, after registering debit card information, the victim will earn cash back when purchasing Facebook points.

The user is of course presented with a form for registering debit card details whose layout is indistinguishable from a legitimate one.
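As an added example (not code from the original article, from Trusteer or from the malware itself), the following Python shows how a man-in-the-browser web injection of the kind described above works. It parses a rule written in the Zeus webinject configuration syntax (set_url, data_before, data_inject, data_after, each section closed by data_end, with `*` as a wildcard), applies it to the HTML the server returned so that a fake card-registration form appears right after the page’s body tag, and then diffs what the browser would render against what the server sent, which is the kind of check a page-integrity monitor can use to spot injected content. The URL mask, the sample page and the injected form text are constructed for the example.

```python
import difflib
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class WebInject:
    """One Zeus webinject rule: URL mask, request flags (G = GET, P = POST)
    and the three data_* sections."""
    url_mask: str
    flags: str
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""

def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' is a wildcard in Zeus masks; everything else is matched literally."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")), re.S)

def parse_webinjects(config: str) -> List[WebInject]:
    """Parse a webinject config into rules; each data_* section ends at data_end."""
    rules: List[WebInject] = []
    current: Optional[WebInject] = None
    section: Optional[str] = None
    buf: List[str] = []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split(None, 2)
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped, []
        elif stripped == "data_end" and current is not None and section is not None:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules

def url_matches(rule: WebInject, url: str, method: str) -> bool:
    """A rule fires when the method's flag is set and the URL fits the mask."""
    return (method[:1].upper() in rule.flags.upper()
            and mask_to_regex(rule.url_mask).fullmatch(url) is not None)

def apply_injects(rules: List[WebInject], url: str, method: str, html: str) -> str:
    """Rewrite the server's HTML the way the trojan does inside the browser:
    text between data_before and data_after is replaced by data_inject; with an
    empty data_after the injection lands right after the data_before match."""
    out = html
    for rule in rules:
        if not url_matches(rule, url, method):
            continue
        start = 0
        if rule.data_before:
            m = mask_to_regex(rule.data_before).search(out)
            if m is None:
                continue  # anchor not on this page: the rule does nothing
            start = m.end()
        end = start
        if rule.data_after:
            m = mask_to_regex(rule.data_after).search(out, start)
            if m is None:
                continue
            end = m.start()
        out = out[:start] + rule.data_inject + out[end:]
    return out

def injected_fragments(server_html: str, rendered_html: str) -> List[str]:
    """Lines the browser shows that the server never sent: what an integrity
    check compares to detect a man-in-the-browser injection."""
    sent, shown = server_html.splitlines(), rendered_html.splitlines()
    added: List[str] = []
    for tag, _i1, _i2, j1, j2 in difflib.SequenceMatcher(None, sent, shown).get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(shown[j1:j2])
    return added

# Constructed sample rule: drop a fake card-registration form right after the
# <body> tag of any Facebook page fetched by GET or POST.
SAMPLE_CONFIG = """
set_url https://www.facebook.com/* GP
data_before
<body*>
data_end
data_inject
<div id="card-registration"><form action="/register-card" method="post">
Register your Visa or MasterCard debit card and get 20% cash back on Facebook points
<input name="pan"><input name="expiry"><input name="cvv"><input type="submit"></form></div>
data_end
data_after
data_end
"""

# Constructed sample page standing in for what the real server returned.
SAMPLE_PAGE = """<html><head><title>Facebook</title></head>
<body class="home">
<div id="content"><p>Welcome back.</p></div>
</body></html>"""

def demo() -> List[str]:
    """Apply the sample rule and return the lines the browser would add."""
    rules = parse_webinjects(SAMPLE_CONFIG)
    rendered = apply_injects(rules, "https://www.facebook.com/home.php", "GET", SAMPLE_PAGE)
    return injected_fragments(SAMPLE_PAGE, rendered)

if __name__ == "__main__":
    for line in demo():
        print("injected:", line)
```

The point of the diff step is that the injected form never crosses the wire from the legitimate site: it only exists in the infected browser, which is why server-side TLS and a correct certificate do nothing against it, and why detection has to compare the rendered page with what the server actually sent.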

A transaction using Verified by Visa/SecureCode initiates a redirect to the website of the card-issuing bank to authorize the transaction. Each issuer can use any kind of authentication method (the protocol does not cover this), but typically a password-based method is used, so buying on the Internet effectively means using a password tied to the card.

A different scheme was used in the attacks against Hotmail, Google Mail and Yahoo users: in these cases the Zeus variant offers a new way of authenticating to the 3-D Secure service offered by the Verified by Visa and MasterCard SecureCode programs.

3-D Secure is an XML-based protocol designed as an added layer of security for online credit and debit card transactions. It was developed by Visa with the intention of improving the security of Internet payments and is offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard under the name MasterCard SecureCode.

The basic concept of the protocol is to tie the financial authorization process to an online authentication. This authentication is based on a three-domain model (hence the 3-D in the name). The three domains are:

  1. Acquirer Domain (the merchant and the bank to which money is being paid).
  2. Issuer Domain (the bank which issued the card being used).
  3. Interoperability Domain (the infrastructure provided by the card scheme, credit, debit, prepaid or other type of finance card, to support the 3-D Secure protocol).

The protocol uses XML messages sent over SSL connections with client authentication, which ensures the authenticity of both peers, server and client, using digital certificates. Note that this certificate-based authentication is between the systems of the three domains; the cardholder is authenticated separately by the issuer, typically with the password mentioned above, which is exactly the secret this scam is after.

The malware targets the phase of the online transaction in which merchants require cardholders to authenticate with their personal 3-D Secure password.

In the scam targeting Google Mail and Yahoo users, the customer is convinced to link his 3-D Secure code to the mail account, supposedly making it available for future purchases. The malware proposes a sort of single sign-on scheme, convincing the user that by simply registering his data on the mail platform he will be able to make purchases by logging into his email account through the protected services Google Checkout and Yahoo Checkout.

The advantage offered to the user is, of course, a secure channel for his online transactions. Here too the user is presented with a fake page that collects the victim’s debit card information, decorated with the logos of the Visa and MasterCard circuits.

A similar scheme was used against Hotmail users, pitched as a free new security service.

A multi-purpose malware

Zeus is undoubtedly one of the longest-running malware families in history, and it has been used for different purposes; just remember that this dangerous malware was used to strike the hacktivists of Anonymous. On that occasion a modified version of one of the tools used in their attacks, Slowloris, infected with Zeus, was spread through the usual channels such as Pastebin. The attackers copied an original Anonymous Pastebin entry and replaced the download link with one pointing to the infected version. In this way the agent spread extremely rapidly.

The example is purely demonstrative; we don’t know who was behind the hack, but what is really worrying is the extensive use of malware by cybercrime and governments for cyber-espionage operations.
The development of these agents is evolutionary, and permanently eradicating a threat that evolves over time in unexpected ways will require an increasing effort in the future.

Pierluigi Paganini

