Speaking of Security – The RSA Blog and Podcast

The FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel infrastructures.

Since the Zeus source code was leaked, one of the predictions security researchers were convinced of was that independent code writers, wishing to enter cybercrime coder’s world, would be glad to do it by using a ready-made baseline. One such code to have surfaced in underground and hacking forums soon after the code leak was Trojan Ice IX. But is it all what it is cracked up to be?

Warlike tactics are employed by each of the factions; security companies and financial institutions – the main defensive arm of the faction – build barricades to stop attackers. The fraudsters, on the other hand, try to outflank them by finding ways to circumvent these defenses, whether those are based on technology or on social engineering. Another tactic that is often used in real-life wars is the targeting of the enemy’s infrastructure.

On Friday, January 14, 2011, McAfee posted a blog entry titled “Combined Zeus/SpyEye Toolkit Announced”, based on a fraud forum post by “Hardersell”, in which this individual supposedly offers the much-anticipated SpyEye-Zeus hybrid Trojan for sale. Hardersell’s comments were published in an open, low-grade Russian-speaking hacking/carding forum, making its credibility lower than the more prestigious, exclusive, closed Russian-speaking forums.

WikiLeaks, the largest leak of data the world has seen? Nonsense! Trojans like Zeus lurk on millions of personal, corporate and government PCs, stealing data 24 by 7. Everything you do online – either private or work related – is sent to a mother ship halfway across the globe.

Zeus 2.1 offers additional improvements worth noting such as helping botnet operators to gain better insight into his/her victims – insight which could later be monetized.

I don’t know about you, but I was a bit disappointed with the whole WikiLeaks thingy. I mean, come on. The build up was brilliant: you would have thought we’ll finally have irrefutable evidence that a UFO landed in Roswell, that JFK’s assassination was indeed a CIA ploy, and that the 1969 moon landing was a NASA concocted hoax.

Underground fraudsters currently debate whether the Zeus – SpyEye merger reported by Brian Krebs is real or just propaganda by SpyEye authors following a period of mysterious silence from the Zeus writers. One thing is clear: the dramatic announcement has left the fraud scene with more questions than answers.

Two years ago I wrote about Curse of the Were-Laptop, which highlighted the fact PCs are used for both personal use and work; your employees can get themselves infected outside the corporate firewall, and then just but bring the problem into the office.