Zeus Trojan Infiltrates Bank Security Firm
On Sept. 1, security industry start-up Silver Tail Systems held an in-depth online seminar for its bank and e-commerce clients that examined the stealth and sophistication of Zeus, a data-stealing Trojan horse program that organized thieves have used in a string of lucrative cyber heists this year.
A week later, Silver Tail learned that Zeus had infiltrated its own network defenses.
Silver Tail founder Laura Mather said she believes her company was targeted by criminals wielding Zeus specifically because of the recent webinar, which spotlighted the myriad ways in which Zeus can defeat online banking security measures. Still, she said the incident shows this family of malware can be a threat to any business - even security companies.
"Luckily, we were vigilant enough and had things locked down to a degree that the attackers weren't able to get anything of value to them," Mather said.
Silver Tail makes software that it licenses to other companies to use in detecting anomalies that indicate a customer's account (and by extension his or her PC) may be compromised. Oddly enough, the first signs that an internal Silver Tail system was compromised by Zeus came from some fairly "noisy" network activity not typically associated with the normally stealthy Trojan.
Mather said about a week after the webinar first aired, some of her technicians noticed that Web traffic to and from the company's data center had slowed to a trickle. It wasn't long before the engineers zeroed in on the culprit: A machine inside the data center that belonged to a former employee who had provided quality assurance testing on Silver Tail's software had been infected with Zeus.
Turns out, the unknown intruders caused the local network congestion when they started using the former employee's Zeus-infected system to run powerful password-cracking programs against administrator accounts on the internal network, accounts that had the ability to make vital system-wide security changes and access proprietary company data.
Normally, to reach a server from outside Silver Tail's network, an authorized user would need to know a user name and password and also possess a private encryption key, Mather said. Mather didn't know it at the time, but the former employee had disabled the encryption-key requirement on the server he routinely accessed remotely, leaving that server reachable with a password alone, which is what made the password-guessing attack worth attempting.
"The big mistake we had was not having auditing in place of people turning off security functionality," Mather said. "But what's scary is this was an employee sitting 10 feet from me and we didn't know he was doing this."
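Both gaps the article describes, a burst of failed logins against administrator accounts from a single internal host and a security setting switched off with nobody auditing the change, are cheap to catch if someone is looking. The script below is an added example, not Silver Tail's code and not from the original post. It assumes the remote-access server was OpenSSH (the article only says a "private encryption key" was required), the log lines and the sshd_config it checks are constructed for the example, and the detection threshold, window and baseline policy are hypothetical values to adjust for a real network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog style (not from the article):
# one internal host hammering admin accounts, plus ordinary traffic.
SAMPLE_AUTH_LOG = """\
Sep  8 09:14:01 dc-srv1 sshd[2201]: Failed password for root from 10.0.5.42 port 51022 ssh2
Sep  8 09:14:01 dc-srv1 sshd[2203]: Failed password for root from 10.0.5.42 port 51023 ssh2
Sep  8 09:14:02 dc-srv1 sshd[2205]: Failed password for invalid user admin from 10.0.5.42 port 51024 ssh2
Sep  8 09:14:02 dc-srv1 sshd[2207]: Failed password for root from 10.0.5.42 port 51025 ssh2
Sep  8 09:14:03 dc-srv1 sshd[2209]: Failed password for invalid user administrator from 10.0.5.42 port 51026 ssh2
Sep  8 09:14:03 dc-srv1 sshd[2211]: Failed password for root from 10.0.5.42 port 51027 ssh2
Sep  8 09:14:04 dc-srv1 sshd[2213]: Failed password for root from 10.0.5.42 port 51028 ssh2
Sep  8 09:14:04 dc-srv1 sshd[2215]: Failed password for root from 10.0.5.42 port 51029 ssh2
Sep  8 09:15:30 dc-srv1 sshd[2300]: Failed password for bob from 10.0.5.9 port 44100 ssh2
Sep  8 09:15:41 dc-srv1 sshd[2302]: Accepted publickey for bob from 10.0.5.9 port 44101 ssh2
Sep  8 09:20:11 dc-srv1 sshd[2390]: Accepted publickey for alice from 10.0.5.7 port 40211 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Return (timestamp, user, source_ip) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_bruteforce(events, window_s=60, threshold=5):
    """Flag any source producing >= threshold failures inside a sliding
    window of window_s seconds. Returns {source_ip: summary}."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        window = deque()
        for ts, _user in evs:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                alerts[src] = {
                    "failures": len(evs),
                    "users": sorted({u for _, u in evs}),
                    "first": evs[0][0],
                    "last": evs[-1][0],
                }
                break
    return alerts


# Hypothetical baseline for a key-only server (keywords lower-cased,
# since sshd treats them case-insensitively).
REQUIRED_SSHD = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# Constructed sshd_config in which someone has quietly re-enabled passwords.
DRIFTED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""


def audit_sshd_config(config_text, required=REQUIRED_SSHD):
    """Return [(keyword, expected, actual)] for each baseline keyword whose
    effective value differs. sshd honours the first occurrence of a keyword,
    so duplicates later in the file are ignored here as the daemon ignores
    them. Match blocks are not handled; a missing keyword reports None
    (meaning sshd's compiled-in default applies)."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    drift = []
    for key, expected in required.items():
        actual = effective.get(key)
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


if __name__ == "__main__":
    for src, info in find_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        print(f"ALERT {src}: {info['failures']} failures against {info['users']}")
    for key, expected, actual in audit_sshd_config(DRIFTED_SSHD_CONFIG):
        print(f"DRIFT {key}: baseline {expected}, found {actual}")
```

On a real host the first function would read /var/log/auth.log (or the journal) and the second would be run on a schedule against the live sshd_config, or better, against the output of `sshd -T`, which prints the effective configuration after defaults and Match blocks are applied. The point of the config check is the one Mather makes: a single line flipped from `no` to `yes` is invisible unless something compares the file to a baseline and raises an alarm when it changes.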
Mather, formerly director of fraud prevention at eBay, said the attack shows the challenges banks face in protecting their customers against fraud.
"Even when everything is under your control, there can be gaps; you're never going to be able to be really sure that all of your customers are hardened," she said.
Mather said Silver Tail scanned the former employee's system with three different anti-virus tools, yet none of them detected any suspicious or hostile files. Company technicians only located the malware by conducting a manual search for telltale files most commonly associated with different Zeus variants.
The Zeus-themed webinar that Silver Tail believes prompted this attack is long, but well worth a watch for anyone involved in defending networks. The ThreatExpert blog also recently published an excellent (yet far more technical) deep-dive on Zeus.
October 6, 2009; 3:30 PM ET
Categories: Fraud , Latest Warnings , Safety Tips , Small Business Victims | Tags: silver tail systems, zeus, zeustracker