Thursday, March 4, 2010

New Online Banking Trojan "BlackEnergy" Packs a Double Wallop

On Wednesday, SecureWorks' Joe Stewart talked at the RSA Conference about the BlackEnergy banking Trojan and how it hits banks with a double-whammy. It steals online banking credentials (Don't Type/Swipe) and then wages a DDoS attack on the banks as a cover. Forbes did a story on this yesterday in which they stated:



On Wednesday cybersecurity researchers at Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers' passwords using a variation of the so-called Black Energy software, which has infected thousands of computers worldwide to create a "botnet" of hijacked machines. The machines use the collected passwords to move funds into the hackers' accounts, and then typically delete files from the user's computer to cover their tracks.

Today, DarkReading's Kelly Jackson Higgins writes about BlackEnergy. Again. If we stop typing our online banking credentials into boxes in browsers and instead swipe our bank-issued card and enter our bank-issued PIN, then the bad guys would get a bunch of 3DES DUKPT-encrypted gobbledygook.



New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

Botnet lets attackers steal online banking credentials and DDoS Russian and Ukrainian banks


Mar 04, 2010 | 09:24 AM
By Kelly Jackson Higgins | DarkReading

SAN FRANCISCO -- RSA Conference 2010 -- Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.



Joe Stewart, a security researcher with SecureWorks, says Russian hackers are using the Trojan spread via the BlackEnergy botnet to hit Russian and Ukrainian banks with a two-pronged attack that steals their customers' online banking credentials and then wages a distributed denial-of-service (DDoS) attack on the banks as a cover: "They may be emptying the bank accounts while the banks are busy cleaning up from the DDoS," Stewart says.



Dubbed by Stewart as "BlackEnergy 2," this new version of the Trojan is a full rewrite of the code that features a modular architecture that supports plug-ins that can be written without access to its source code. It currently comes with three different DDoS plug-ins, as well as one for spamming and two for online banking fraud, according to Stewart.

While the Zeus Trojan remains the most popular Trojan, Stewart says BlackEnergy 2 can do things Zeus cannot, such as stealing online credentials plus DDoS'ing. BlackEnergy 2 also steals the user's private encryption key. Stewart has written an analysis of the Trojan, available here.


Continue reading at DarkReading



Wednesday, February 10, 2010

Bugat Trojan Aims Sights at Business Customers

New Banking Trojan Discovered Targeting Businesses' Financial Accounts

Bugat Trojan spread via the Zbot/Zeus botnet, say SecureWorks researchers



Feb 09, 2010 | 04:27 PM
By Kelly Jackson Higgins | DarkReading



The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan -- one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals.



The new Bugat Trojan, which was discovered by researchers at SecureWorks, appears to be aimed at mostly business customers of large and midsize banks. It's built for attacks that hack automated clearinghouse (ACH) and wire transfer transactions for check and payment processing -- attacks in which U.S.-based SMBs and state and local governments are losing an average of $100,000 to $200,000 per day, according to data from Neustar.



To date, Zeus and Clampi Trojans have mostly been used for stealing financial credentials. But Jason Milletary, security researcher with SecureWorks' Counter Threat Unit (CTU), says Bugat has some of the same features as other banking Trojans, but with a few twists: It uses an SSL-encrypted command and control (C&C) infrastructure via HTTPS, and also goes after FTP and POP credentials via those encrypted sessions. Milletary says SecureWorks has witnessed around 1,200 to 3,000 Bugat attack attempts during the past week against its clients. "We saw in the wild that it was being distributed from a specific Zeus botnet," he says. "Oddly enough, its purpose is the same as Zeus ... but it's something not as recognizable as Zeus or that's cheaper [to purchase] in the long term."



Bugat's main targets so far are business financial accounts...



Continue reading at DarkReading
