
Zeus Trojan Infiltrates Bank Security Firm

On Sept. 1, security industry start-up Silver Tail Systems held an in-depth online seminar for its bank and e-commerce clients that examined the stealth and sophistication of Zeus, a data-stealing Trojan horse program that organized thieves have used in a string of lucrative cyber heists this year.

A week later, Silver Tail learned that Zeus had infiltrated its own network defenses.

Silver Tail founder Laura Mather said she believes her company was targeted by criminals wielding Zeus specifically because of the recent webinar, which spotlighted the myriad ways in which Zeus can defeat online banking security measures. Still, she said the incident shows this family of malware can be a threat to any business - even security companies.

"Luckily, we were vigilant enough and had things locked down to a degree that the attackers weren't able to get anything of value to them," Mather said.

Silver Tail makes software that it licenses to other companies for detecting behavioral anomalies which indicate that a customer's account (and, by extension, his or her PC) may be compromised. Oddly enough, the first sign that an internal Silver Tail system had been compromised by Zeus was some fairly "noisy" network activity, not the kind of thing typically associated with this normally stealthy Trojan.

Mather said that about a week after the webinar first aired, some of her technicians noticed that Web traffic to and from the company's data center had slowed to a trickle. It wasn't long before the engineers zeroed in on the culprit: a machine inside the data center, used by a former employee who had done quality assurance testing on Silver Tail's software, had been infected with Zeus.

It turned out that the unknown intruders had caused the congestion themselves: they were using the former employee's Zeus-infected system to run online password-guessing (brute-force) attacks against administrator accounts on the internal network, accounts with the ability to make system-wide security changes and to access proprietary company data.
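The first symptom at Silver Tail was network congestion, but the same attack leaves a much more specific trace in the authentication logs of every host being hammered: a burst of failed logins for privileged account names from one internal source, sometimes followed by a success. The detector below is an added example, not code from the article or from Silver Tail; it assumes OpenSSH-style "Failed password" / "Accepted password" syslog lines (the article does not say which service was attacked), and the log lines it parses are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth-log lines (not taken from the incident in the
# article). One internal host, 10.1.4.27, guesses at admin accounts and
# eventually gets in; the other sources are normal logins.
SAMPLE_LOG = """\
Sep  8 03:12:01 build-srv01 sshd[2231]: Failed password for root from 10.1.4.27 port 51122 ssh2
Sep  8 03:12:02 build-srv01 sshd[2232]: Failed password for invalid user admin from 10.1.4.27 port 51123 ssh2
Sep  8 03:12:02 build-srv01 sshd[2233]: Failed password for root from 10.1.4.27 port 51124 ssh2
Sep  8 03:12:03 build-srv01 sshd[2234]: Failed password for administrator from 10.1.4.27 port 51125 ssh2
Sep  8 03:12:03 build-srv01 sshd[2235]: Failed password for root from 10.1.4.27 port 51126 ssh2
Sep  8 03:12:04 build-srv01 sshd[2236]: Failed password for root from 10.1.4.27 port 51127 ssh2
Sep  8 03:12:09 build-srv01 sshd[2240]: Accepted password for root from 10.1.4.27 port 51130 ssh2
Sep  8 03:15:44 build-srv01 sshd[2250]: Accepted publickey for alice from 10.1.2.9 port 50011 ssh2
Sep  8 03:20:10 build-srv01 sshd[2260]: Failed password for bob from 10.1.2.15 port 50020 ssh2
Sep  8 03:20:31 build-srv01 sshd[2261]: Accepted password for bob from 10.1.2.15 port 50021 ssh2
"""

# OpenSSH syslog format; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2009):
    """Return a dict for one auth event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def detect(lines, threshold=5, window_seconds=60):
    """Alert once per source IP when it racks up `threshold` failed logins
    inside a sliding window, and again on any successful login from a
    source that is already flagged (a guess that worked)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    targets = defaultdict(set)    # ip -> distinct account names tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            targets[ip].add(ev["user"])
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, len(q), sorted(targets[ip])))
        elif ip in flagged:
            alerts.append(("SUCCESS_AFTER_BURST", ip, ev["user"], ev["method"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the detector raises one BRUTE_FORCE alert naming the three account names tried (admin, administrator, root) and then a SUCCESS_AFTER_BURST alert for the password login as root from the same host; bob's single typo-then-success never reaches the threshold. The second alert type is the one worth paging on, since it marks the moment a guessed password starts working.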

Normally, to reach a server from outside Silver Tail's network, an authorized user needed a user name and password as well as a private key, Mather said. What Mather didn't know at the time was that the former employee had disabled the key requirement on the server he routinely accessed remotely.

"The big mistake we had was not having auditing in place of people turning off security functionality," Mather said. "But what's scary is this was an employee sitting 10 feet from me and we didn't know he was doing this."
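The gap Mather describes, nobody auditing when a security setting gets switched off, is closed by comparing each host's effective configuration against a required baseline on a schedule. The check below is an added example, not Silver Tail's tooling; it assumes the remote-access service was OpenSSH (the article only mentions a password plus a private key), and the three config texts are constructed. Two details matter for this particular control: sshd honours the first occurrence of a keyword, so a "PasswordAuthentication no" appended below a "yes" is ignored, and settings inside a Match block apply only conditionally, so they must be reported separately rather than treated as global.

```python
# Settings the baseline requires, keyed the way sshd reads them (case-insensitive).
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "challengeresponseauthentication": "no",
}

# Constructed sshd_config texts for the demonstration.
BASELINE = """\
# hardened: keys only, no root logins
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""

DRIFTED = """\
# someone re-enabled password logins; the trailing "no" is a no-op,
# because sshd keeps the first value it sees for a keyword
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication no
"""

MATCH_DRIFT = """\
# globals look fine, but a Match block hands out password logins to a subnet
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Parse an sshd_config the way sshd does for the checks we care about:
    strip comments, first occurrence of a keyword wins, and everything after
    a Match line is collected separately as a conditional override."""
    settings, overrides = {}, []
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True      # all following lines belong to Match blocks
            continue
        if in_match:
            overrides.append((key, value))
        else:
            settings.setdefault(key, value)   # first occurrence wins
    return settings, overrides

def audit(config_text, required=REQUIRED):
    """Return (key, observed, required) for every deviation from the baseline.
    An unset key is reported too: it falls back to sshd's compiled default,
    which for PasswordAuthentication is 'yes'."""
    settings, overrides = effective_settings(config_text)
    findings = []
    for key, want in required.items():
        got = settings.get(key)
        if got is None:
            findings.append((key, "unset", want))
        elif got != want:
            findings.append((key, got, want))
    for key, value in overrides:
        if key in required and value != required[key]:
            findings.append((key, f"match-block override: {value}", required[key]))
    return findings

if __name__ == "__main__":
    for name, text in (("baseline", BASELINE), ("drifted", DRIFTED), ("match", MATCH_DRIFT)):
        print(name, audit(text))
```

In practice the config text comes from `sshd -T` or the file itself pulled by configuration management, and a non-empty result from `audit()` becomes the ticket that Mather says nobody was generating. The same first-occurrence rule is why a reviewer skimming the bottom of DRIFTED would wrongly conclude passwords were still disabled.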

Mather, formerly director of fraud prevention at eBay, said the attack shows the challenges banks face in protecting their customers against fraud.

"Even when everything is under your control, there can be gaps; you're never going to be able to be really sure that all of your customers are hardened," she said.

Mather said Silver Tail scanned the former employee's system with three different anti-virus tools, yet none of them detected any suspicious or hostile files. Company technicians located the malware only by manually searching for the telltale files most commonly associated with the various Zeus variants.
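A manual hunt of the kind described above amounts to walking the Windows directory for file paths that public ZeuS/Zbot write-ups of the period tie to the bot (droppers such as sdra64.exe and ntos.exe, and the lowsec/user.ds and local.ds config and log stores). The script below is an added example, not Silver Tail's procedure: the indicator list is illustrative and would be replaced by a maintained feed in real use, matching is case-insensitive because Windows filenames are, and the directory tree it scans is constructed in a temp folder with two planted files so it runs offline.

```python
import hashlib
import os
import tempfile

# Paths, relative to the Windows directory, that public 2008-2009 ZeuS
# analyses associate with the bot. Illustrative list for the demo only;
# a real hunt uses a maintained, versioned indicator set.
ZEUS_PATH_INDICATORS = [
    "system32/sdra64.exe",
    "system32/lowsec/user.ds",
    "system32/lowsec/local.ds",
    "system32/ntos.exe",
    "system32/wsnpoem/audio.dll",
    "system32/wsnpoem/video.dll",
    "system32/twext.exe",
    "system32/twain_32/user.ds",
]

def hunt(windows_dir, indicators=ZEUS_PATH_INDICATORS):
    """Walk windows_dir and return sorted (relative_path, sha256) pairs for every
    file whose path matches an indicator. Paths are normalised to forward
    slashes and lower case, so 'System32\\SDRA64.EXE' is still caught."""
    wanted = {p.lower() for p in indicators}
    hits = []
    for dirpath, _, filenames in os.walk(windows_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, windows_dir).replace(os.sep, "/").lower()
            if rel in wanted:
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                hits.append((rel, digest))   # hash the hit for later correlation
    return sorted(hits)

def build_demo_tree():
    """Constructed stand-in for a Windows directory: two planted indicator
    files (mixed case on purpose) among benign ones. Demo only."""
    root = tempfile.mkdtemp(prefix="zeus-hunt-")
    files = {
        "System32/kernel32.dll": b"benign placeholder",
        "System32/SDRA64.EXE": b"planted sample, not real malware",
        "System32/lowsec/user.ds": b"planted config blob",
        "Temp/notes.txt": b"benign placeholder",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root

if __name__ == "__main__":
    for rel, digest in hunt(build_demo_tree()):
        print(f"{rel}  sha256={digest}")
```

Path-based indicators are the cheapest check and the one a scanner that relies on file signatures misses when the dropper has been repacked, which is consistent with three anti-virus products coming up empty here; the hashes recorded for each hit are what you would then submit or pivot on. Because a live bot can hide these files from a scanner running on the infected host, the walk is best done from a clean system against the mounted disk.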

The Zeus-themed webinar that Silver Tail believes prompted this attack is long, but well worth a watch for anyone involved in defending networks. The ThreatExpert blog also recently published an excellent (yet far more technical) deep-dive on Zeus.

By Brian Krebs  |  October 6, 2009; 3:30 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Small Business Victims  | Tags: silver tail systems, zeus, zeustracker  

Comments

Brian - thanks for the great article. If anyone is interested in learning more about this, we're having a webinar to go through the details of this on 10/13 at 10am Pacific time. You can register here: tinyurl.com/ydm3mw3.

-Laura

Posted by: STSGirl | October 6, 2009 7:27 PM

I clicked on the link "telltale files most commonly associated with different Zeus variants." but Firefox told me it was a risky link and asked me if I wanted to connect anyway (I am currently working from a non-English based computer, so the wording I am giving is my translation). I did not.

Any comments ?

Posted by: observer31 | October 7, 2009 3:36 AM

This type of thing is what makes me think about going back to a Cash / Money Order method of bill payment, and having nothing online that really matters. But even then checking or savings accounts can be accessed through the bank itself. And my social security number is in a few government systems. Using the net is starting to feel like walking down a street in a bad part of town, without a cop in sight.

Posted by: tojo45 | October 7, 2009 8:06 AM

@observer -- that's because Zeustracker uses a self-signed encryption cert, and Firefox treats sites that do with extreme prejudice. You just need to add an exception, and then click through several times. There's nothing dangerous about Zeustracker, except maybe dangerous to the bad guys.

Firefox will do the same thing if you visit https://www.gmail.com with Firefox 3 for the first time: you'll encounter the browser's warning page. The same goes for https://mail.yahoo.com and https://www.us.army.mil, to name just a few.

Posted by: Brian Krebs | October 7, 2009 8:34 AM

There's a cheesy TV ad running these days that talks about the "Human Element." Until we eliminate the human element from these security activities, I guess there will always be these gaffes.

Posted by: peterpallesen | October 7, 2009 8:47 AM

What is equally disturbing to me is that the detection had to be done manually. I know that malware like Zeus constantly changes its signatures, but if the techs used manual methods, the anti-virus suites, updated, should have been able to do it also. Does anybody know if Microsoft's malicious software removal tool would have detected it?

Posted by: TwoCentsWrth | October 7, 2009 10:02 AM

Man, this blog sure is making me feel paranoid lately. Is any company taking the proper steps to secure its networks as much as possible, and we just don't hear about it? Some good news would be nice for a change.

Posted by: Heron | October 7, 2009 2:36 PM

Regarding the certificate error: Gmail's cert is signed by Thawte, yahoo's by Equifax, and the Army's by DoD. They are not self-signed. Firefox 3 comes with all these certificate authorities. A self-signed cert is not something to blithely click 'ok' to if you intend to have secure and valid data transmissions. If I redirected traffic to zeustracker.abuse.ch through DNS poisoning or other method, I could create a cert on my web server, sign it, and all the people who trust Zeustracker to be who they claim to be would send info to and from ME. But I wouldn't be able to have a cert signed by a trusted authority for that domain. There's a reason why browsers show such a warning.

That said, I don't really understand why zeustracker bothers with SSL since no personal data appears to be provided by the client.

Self-signed certs are for testing and development purposes.

Posted by: hitpoints | October 7, 2009 3:24 PM

@hitpoints: Nobody said Gmail or the DoD's site uses self-signed certs. What I said in the comment was that Firefox users will see the same behavior when visiting https://www.usarmy.mil for the first time.

If you haven't already added an exception for that .mil address in FF, try it for yourself and see what I mean. The point of my comment was to say that just because a site is flagged this way doesn't mean you automatically can't trust it.

Posted by: BTKrebs | October 7, 2009 3:48 PM


© 2010 The Washington Post Company