New Trojan can Avoid Capture

Thursday, May 30, 2013 @ 05:05 PM gHale

A new banking malware can now target ecommerce and comes with features to help it avoid capture from the common security approaches.

Beta Bot has undergone refinement over the last few months and is now ready to go, according to research by RSA Security’s Limor Kessem. The bot started out in January as an HTTP bot and gradually evolved into a banking Trojan. Kessem, part of RSA’s Cybercrime and Online Fraud Communications division, said Beta Bot has quite a few attack vectors.


The malware has been seen targeting everything from large financial institutions to social networking sites, along with “payment platforms, online retailers, gaming platforms, webmail providers, FTP and file-sharing user credentials … domain registrars for the common malware use of registering new resources,” Kessem said.

The bot installs on a machine only after the user clicks through and allows it. Once it is in, though, the malware brings an array of self-defense mechanisms.

Users whose machines are infected will find themselves unable to reach whichever antivirus and security vendor websites the attacker selects, Kessem said. When they try to reach one of those sites, they are redirected to an IP address of the attacker’s choosing instead.
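A practical check for the behavior described above, added here as an example and not part of the article or RSA’s research. It assumes the redirection is implemented by pinning security-vendor hostnames to an attacker-chosen address in the local hosts file (a common technique; the article does not say which mechanism Beta Bot uses). The vendor watch list and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example, not from the article or RSA's research. Assumes the attacker
redirects vendor sites via the local hosts file (an assumption; the article
does not name the mechanism). Watch list and sample data are constructed.
"""
import ipaddress
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed watch list of security-vendor domains; extend for your estate.
SECURITY_DOMAINS = {
    "symantec.com", "mcafee.com", "kaspersky.com", "avast.com", "avg.com",
    "bitdefender.com", "eset.com", "trendmicro.com", "sophos.com",
    "malwarebytes.org", "malwarebytes.com", "microsoft.com", "virustotal.com",
}


def _matches_watch_list(hostname: str) -> Optional[str]:
    """Return the watched domain that hostname equals or is a subdomain of."""
    host = hostname.lower().rstrip(".")
    for domain in SECURITY_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_hosts(text: str) -> Iterator[Tuple[int, ipaddress._BaseAddress, List[str]]]:
    """Yield (line_no, ip, hostnames) for each valid, non-comment hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed address, skip
        yield line_no, ip, parts[1:]


def find_hijacked_entries(text: str) -> List[Dict]:
    """Report any hosts entry that statically maps a security-vendor hostname.

    A loopback/unspecified target (127.0.0.1, ::1, 0.0.0.0) simply blocks the
    site; any other target redirects the user to a server of the attacker's
    choosing, which is the behaviour the article describes.
    """
    findings = []
    for line_no, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            domain = _matches_watch_list(host)
            if domain is None:
                continue
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append({"line": line_no, "host": host, "ip": str(ip),
                             "matched": domain, "kind": kind})
    return findings


# Constructed sample hosts file: benign entries, a sinkholed vendor and a
# vendor redirected to a documentation-range (TEST-NET-3) address.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# ::1           localhost
::1             localhost ip6-localhost
0.0.0.0         www.kaspersky.com kaspersky.com   # sinkholed
203.0.113.45    update.symantec.com               # attacker-chosen IP
192.0.2.10      www.example.com
"""

if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} "
              f"({f['kind']}, matches {f['matched']})")
```

To run it against a live host, read /etc/hosts or C:\Windows\System32\drivers\etc\hosts and pass the contents to find_hijacked_entries; any finding is worth investigating, since a healthy machine has no static entries for vendor domains at all.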

The malware knows better than to execute in virtual machines and can avoid sandboxes as well, Kessem said. It can even block other malware from spreading on the system by “terminating their processes” and blocking code injections.

The Trojan also logs stolen data in a MySQL database, downloads additional malicious files, gives the operator remote control of the infected PC and tricks users into making fraudulent banking transactions.

Kessem spoke with Beta Bot’s developer, who said he is selling binaries for the malware and providing technical support but does not plan to sell the builder, opting instead to keep it private. Builds sell on underground online forums for between $320 and $500, with a customized server-side control panel interface.

Banking Trojans continue to grow more sophisticated in order to stay ahead of the curve on advanced detection methods.

Shylock, the credential-stealing Trojan that relies mainly on man-in-the-browser attacks, began weeding out less profitable banks last month and updated its infrastructure to avoid downtime. Developers behind the Zeus Trojan started selling tweaked versions of the malware in April, complete with customized botnet panels, via social networks such as Facebook.
