The Arms Race between Black Hats and White Hats Steps Up with URLZone Trojan

The arms race between cybercriminals and security professionals has recently stepped up, with the online gang behind the URLZone Trojan driving one more rung into the evolutionary ladder of online crime.

As man-in-the-browser (MITB) attacks gain momentum and prevalence in the cybercrime space, the criminals who launch these attacks continue refining their tools and techniques to facilitate the cashout of stolen online banking accounts.

The URLZone gang had known that it was being closely watched, researched and scrutinized for quite some time before last Wednesday’s publication of Finjan’s Cybercrime Intelligence Report (Issue number 3, 2009). The secure web gateway provider details its findings with respect to URLZone, a Trojan that attacked online banking customers in Germany. Aware of their crimeware being probed and examined, the gang took proactive measures in an attempt to prevent their money mules from being exposed by anti-fraud security researchers and law enforcement agencies. (See Business Success in a Dark Market: An Inside Look at the Fraud Underground on the RSA Online Fraud Resource Center for more information about mules.)

The Fake Mule Method: RSA Discovers its Use by Gang behind the URLZone Trojan

One of the ways to extract mule accounts is to infect a computer with a Trojan and initiate a transaction, at which point a fraud analyst can see the mule account retrieved by the Trojan from its command and control (C&C) server. In order to foil anti-fraud security researchers (like us) looking to identify real mule accounts, fraudsters invented the “fake mules” method. The fraudsters check whether the computer used by the researcher is part of the “legitimate” botnet of URLZone-infected machines. If the computer is deemed to be a “foreign” one – in other words, if the criminals do not know the computer – they deliver a fake mule account to the computer used by the researcher. This is how they prevent their real mules from being exposed.

To fulfill this task, the criminals behind URLZone added a special server-side code that prevents the extraction of the gang’s genuine mule accounts. Instead of displaying the details of URLZone’s genuine mule accounts, this piece of code delivers the details of more than 400 (and counting) legitimate accounts that do not belong to the gang’s mules. The code is clearly URLZone’s most unique attribute, and speaks to its operators’ caution against having their criminal pipelines compromised.

Since the gang’s mule accounts receive money from stolen online banking accounts, their extraction and subsequent blocking effectively stops the stolen funds from going down the fraud supply chain pipeline and into the gang’s pockets. The “fake mules” method was conceived in order to ensure that the Trojan’s real mule accounts are not exposed and subsequently blocked.

The code is located on the Trojan’s command and control server and adds to a highly organized theft scheme which combines MITB attacks with money mules to deplete online banking accounts. This scheme is one that we have seen over the past year, using other Trojans such as Sinowal, SilentBanker, and Zeus. Given these Trojans’ code injection capabilities, not only can they launch MITB attacks – in which the payee’s details are invisibly changed to those of a mule account – but they can also just as easily inject bogus HTML pages, which present customers with fake bank statements that hide the Trojans’ transactions.

How the “GenerateFalseDrop” Function Works

In order to establish whether a machine is part of its “legitimate” botnet of infected machines, URLZone performs a long series of various tests. For example, one of these tests consists of checking the Trojan ID, or unique identification code, assigned by URLZone to each infected computer (See Figure 1). If the ID is not a valid Trojan ID, the command & control server responds by providing the details of a non-mule account through the GenerateFalseDrop function.

Figure 1: URLZone calls the GenerateFalseDrop Function if the Trojan ID Test Fails


When researchers attempt to initiate a wire transfer from an infected computer in an attempt to trace genuine mule accounts, URLZone can identify that the machine is not really part of its botnet and it then calls upon the GenerateFalseDrop function (See Figure 2). Each time the function is called it retrieves a non-mule account from a large list of accounts. The details of a non-mule account are thus provided to anti-fraud security professionals researching the Trojan instead of the gang’s genuine mules.

Figure 2: URLZone’s GenerateFalseDrop Function


Interestingly, when generating a non-mule account in order to dupe anti-fraud security researchers, the Trojan does not display random names and account numbers. Instead, it displays real bank account details that were previously entered by URLZone victims as the payees of legitimate transactions.

The details of these payee accounts are screened by the Trojan according to various criteria to determine whether they should be added to the list of fake mule accounts. As long as PCs are infected with the Trojan, and victims continue to initiate online wire transfers, URLZone continues to replace payee details through MITB attacks and is growing a longer and longer list of fake mules.
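The server-side flow described above, modelled as an added example (not code from the original post or from URLZone itself): a C&C decision that serves a genuine drop to a known bot ID and a decoy from a pool of harvested victim payees to anything else, plus an analyst-side corroboration step. The bot IDs, account numbers and the screening rule (German IBANs only, no duplicates) are constructed assumptions; the post says screening criteria exist but does not state them.

```python
# Constructed sample data (not from the original post): bot IDs the C&C
# recognises as its own botnet, and its genuine mule ("drop") accounts.
KNOWN_BOT_IDS = {"bot-0001", "bot-0002", "bot-0003"}
GENUINE_DROPS = ["DE00MULE000000000001", "DE00MULE000000000002"]

# Decoy pool source: real payee accounts victims entered in legitimate
# transfers, as the post describes. Values are constructed.
VICTIM_PAYEES = [
    "DE89370400440532013000",
    "DE12500105170648489890",
    "GB29NWBK60161331926819",  # dropped by the hypothetical screening rule (non-DE)
    "DE89370400440532013000",  # dropped as a duplicate
]

def screen_payee(iban, pool):
    """Hypothetical screening criteria: German IBAN, not already in the pool."""
    return iban.startswith("DE") and iban not in pool

def build_decoy_pool(payees):
    """Grow the fake-mule list from victims' legitimate payees, one MITB session at a time."""
    pool = []
    for payee in payees:
        if screen_payee(payee, pool):
            pool.append(payee)
    return pool

def generate_false_drop(pool, seed):
    """Model of GenerateFalseDrop: return a non-mule account from the pool.
    A deterministic index stands in for whatever selection the real server uses."""
    return pool[seed % len(pool)]

def serve_drop(bot_id, pool, seed=0):
    """Model of the C&C's Trojan ID test: known bot -> real mule, unknown machine -> decoy."""
    if bot_id in KNOWN_BOT_IDS:
        return {"decoy": False, "account": GENUINE_DROPS[seed % len(GENUINE_DROPS)]}
    return {"decoy": True, "account": generate_false_drop(pool, seed)}

def corroborate(candidate, legit_payees):
    """Analyst-side check (an assumption, not from the post): an account extracted from
    the C&C that also appears as a payee in victims' legitimate transfers is a likely
    decoy, so blocking it on C&C evidence alone would hit an innocent third party."""
    return "likely decoy" if candidate in legit_payees else "unconfirmed"
```

The point for a researcher is that a single extraction from an unknown machine tells you nothing reliable; accounts must be corroborated against other evidence before any blocking request goes to a bank.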

The RSA FraudAction Research Lab has researched the URLZone Trojan extensively, and has reported its findings to affected financial institutions.

2 Responses to “The Arms Race between Black Hats and White Hats Steps Up with URLZone Trojan”

  1. Nitin Kushwaha says:

    still more to come

    Hello,
    This was a great article; however, the encrypted communication channel between the mules and the C&C is not covered.

    The best way to avoid MITB attacks is using 2-factor auth for all online transactions; mainly merchants and PayPal and such should make mandatory the use of 2-factor / time-slicing / session-based auth in any given transaction which is carried out on the Internet.

    Good coverage of URLZone, RSA rocks!

  2. Tracy Shapiro says:

    infected
    My issue is from a MobileMe account, initially lupatria@me.com. I noticed immediately something was wrong when all my data began sparsebundling & time capsuling. Perhaps this may seem normal under regular conditions but I hadn’t *personally* set either one up yet. So I made my way to Apple to have my iPhone & iMac set back to factory condition.

    All fine? NO! The girl at Apple neglected to erase all the previous problematic data from my iMac, so once home, all that initial data again transformed itself. Now to add insult to injury, Spotlight has caused another set of problems.

    I have deactivated AirPort, Bluetooth, Time Machine. I have no copy machine set up. Yet when I look in any log files it clearly states there are URLs, roots & copy machine, AirPort & Bluetooth activated & listening. What gives? Am I just paranoid & stupid??

    Also, as a result I have just found out that I have had several new credit cards opened up recently. Funny, I have NOT had a credit card in YEARS!!!! Pay everything in CASH!!!!

    Apple assures me I am safe. I’m not buying it.
