Trojan Turns Smash & Grab Into Grab & Smash
Imagine being in charge of your organization's finances, and learning from your bank one morning that thieves had stolen tens of thousands of dollars from company coffers overnight using your online banking credentials. Now imagine your frustration when you go to log in to your PC to assess the damage, only to find that the computer you typically use to access the account has been kneecapped by the bad guys.
This is precisely what happened to Kathy Dake, office manager for St. Isidore Catholic Church in Danville, Calif. Dake had infected her PC with the Zeus Trojan after opening a malicious e-mail disguised as a notice from the IRS about "unreported income" (see New IRS Scam Could Be Costly).
The thieves used Zeus to steal the credentials Dake uses to administer the church's bank account, and a week ago Friday she came in to work to find her computer would not boot up; Windows complained that key files had been corrupted. That same day, she also found out from her bank that in the wee hours of the morning someone had tried to transfer $87,000 out of St. Isidore's account. The attackers had instructed the bank to send the funds to more than a half dozen money mules, willing or unwitting accomplices across the country hired through work-at-home job scams.
"I came in that morning and didn't have a computer; the virus had corrupted everything," Dake said, noting that her computer was fine the day before -- when she first opened the e-mail -- and that none of her co-workers experienced similar problems. "Everyone else in the office got the same e-mail, but I'm the only one who opened it."
Dake and the church may never know for sure, but in all likelihood her computer was corrupted on purpose by the attackers, in a bid to buy them time, said Ben Greenbaum, senior researcher manager with Symantec Security Response.
Among the Zeus Trojan's many diabolical features is a command called "KOS," which stands for "kill operating system." According to the help file distributed with Zeus (the malware is sold as a kit on criminal online forums), the KOS command can crash the infected system as soon as it's issued, resulting in the dreaded "blue screen of death." Alternatively, the KOS command can be used to trash the Windows registry, usually allowing the system to function properly until it is rebooted, at which point it will simply fail to start up.
Greenbaum said some security researchers have speculated about the true purpose of this feature in Zeus. Indeed, earlier this summer, Security Fix wrote about a researcher who witnessed the implosion of a botnet of some 100,000 Zeus-infected computers, after the person(s) in control of that botnet issued the KOS command to all infected systems simultaneously (see Zeustracker and the Nuclear Option).
Greenbaum said he wasn't familiar with particulars of the St. Isidore incident, but he doubts that the bootup problems on Dake's computer were merely a coincidence.
"There have been some theories that some [Zeus] botnet masters are issuing this command after significant fraudulent transactions simply to complicate the process on the part of the victim of being able to find out what happened and perhaps take steps to retrieve their funds," Greenbaum said. "In stealing smaller amounts, a botnet master might not bother [issuing the KOS command], but if they were able to get $80,000 in one fell swoop, issuing that command would probably buy them more time to get away with the loot."
Fortunately for St. Isidore's, the bank blocked the transfers before they could be sent through.
But Irving Canner wasn't so lucky. Canner, the director of finance for The Pease Development Authority, the New Hampshire state agency that manages ports in the Portsmouth area, learned early this month that his computer had been hacked and used to initiate roughly $100,000 worth of bogus transfers to a number of money mules. When he went to log in to his employer's account at TD Bank North, he found the bank's site was unavailable.
For two days straight.
As it happens, Canner was unable to access his account online not because the hackers had trashed his machine, but because of a glitch in TD Bank's systems that blocked customers up and down the East Coast from being able to log in to the bank's site.
TD Bank ran full page ads in The Washington Post and other major newspapers apologizing for the outage, which it said stemmed from planned upgrades that encountered some unexpected "issues" that led to delays in updating account balances. "Online banking was temporarily unavailable for short periods of time," the company acknowledged.
Canner said he has been working with bank officials via the phone to get the unauthorized charges reversed. So far, the bank is still trying to retrieve about $30,000 worth of bogus transfers.
October 14, 2009; 4:22 PM ET