Thursday, January 7, 2010

Banking Trojan Horse Hides Its Money Mules

Trojan horses such as Zeus and Clampi have been emptying bank accounts for years, but a devious new program tries to deceive investigators about where the money is going. First uncovered by Finjan Software, the URLzone Trojan horse rewrites bank pages so that victims don’t know their accounts have been emptied. Its sophisticated command-and-control interface lets the bad guys preset the percentage of the account balance to remove.

RSA Security researchers say that URLzone uses several techniques to spot machines run by crime investigators. Researchers typically create programs that mimic the behavior of real Trojan horses. When URLzone identifies one of these, it sends it bogus information, says Aviv Raff, RSA Security’s FraudAction research lab manager. Security experts have long published research on the inner workings of malicious computer programs such as URLzone, according to Raff. “Now the other side knows that they are being watched, and they’re acting,” he says.

When URLzone spots a researcher’s program, rather than just disconnecting from the researcher’s computer, the server instructs it to transfer money—but not to one of the mules recruited to move cash overseas. Instead, it chooses an innocent victim—typically someone who has received legitimate money transfers from other hacked computers on the network, Raff says. So far, more than 400 legitimate accounts have been exploited in this way, according to RSA. The idea is to confuse researchers and to prevent discovery of the criminal’s real money mules.

According to Finjan, the URLzone Trojan horse infected about 6400 computer users last September, clearing about $17,500 a day during that month.

Source of Information : PC World December 2009
