RSA 2015 Banking botnets persist as a threat despite recent high-profile takedowns which only achieve a temporary calming effect, according to a new study from Dell SecureWorks.
Between mid-2014 and early 2015, coordinated efforts involving law enforcement and private-sector industry disrupted three of the most active banking botnets (Gameover ZeuS, Shylock, and Ramnit).
Dyre, Bugat v5 (also known as Dridex), and Vawtrak (a Gozi variant) emerged after the Gameover ZeuS and Shylock takedowns. Activity from ZeuS and its variants decreased in the second half of 2014, while Dyre, Gozi/Vawtrak, and Bugat v5 activity steadily increased.
“Cybercriminals quickly adapt to countermeasures and takedowns by improving their software and establishing new sophisticated banking botnets,” Dell SecureWorks warns.
“New threats arise with emerging technologies, and attacks on mobile banking platforms and advancements in bypassing standard authentication mechanisms evolved in 2014," it added.
Takedowns and arrests temporarily reduced banking botnet activity in 2014 and early 2015. More banking trojans are using hidden network services, such as Tor or the Invisible Internet Project (I2P), to resist surveillance and takedowns, the security intelligence outfit warns.
More than 90 per cent of banking trojans targeted financial institutions located in the US, but finance house in the UK, Germany, Italy, Spain, and Australia were also affected. Attackers used banking trojans to target more than 1,400 financial institutions across more than 80 countries.
Aside from banks, the expanding target list for credential-snaffling botnets now also includes stock trading, corporate finance and payroll systems, employment portals, entertainment websites, and even dating portals.
Social networking sites and email services are also targeted by ID thieves with hosting providers and phone companies among other organisations on the target list.
Dell SecureWorks’ latest annual Top Banking Botnets study reports that the Citadel trojan continues to thrive, going after 1170 unique targets. Meanwhile, the original ZeuS banking trojan (discovered in 2007 by Dell SecureWorks) continues to be a top financial threat, going after 740 unique targets.
Pallav Khandhar, a researcher in Dell SecureWorks’ Counter Threat Unit working on its banking botnet report, told El Reg that the ‘open sale’ strategy of ZeuS and Citadel helps to explain their persistence.
“ZeuS had been around for almost seven years now and Citadel for four years,” Khandhar said. “Botnet such as ZeuS and Citadel basically employed different strategies compared with some other banking botnets."
“They were not maintained privately such as banking botnets (Dyre); they were openly sold in underground markets right from the beginning. This strategy stretched their longevity,” he added.
The open sale stager also made relatively sophisticated cybercrime toolkits available to unskilled wannabe cybercrooks.
“The ZeuS/Citadel toolkit is made up of three parts: a builder, the actual Trojan horse malware, and a C2 web panel,” Khandhar explained. “It is very easy to setup a new instance of this threat on a bulletproof or compromised host." ZeuS/Citadel kits were also leaked in the underground market.
“Easy availability of these kits allows anyone and everyone to create an instance of this threat and run a campaign. Lots of ZeuS and Citadel instances found on compromised servers indicate that not only bad guys but even script kiddies are able to use this threats,” he concluded.
Dell SecureWork report — published at the RSA Conference on Wednesday — will be summarised in a blog post here (but may not be available at the time of publication). ®