Study of banking malware analyzes underground economy
By Marcia Savage, Features Editor Information Security magazine | Dec 29, 2008
A recent study of keyloggers and banking Trojans provides a view into the underground economy of stolen bank account credentials, passwords and credit card numbers.
The study, published earlier this month by Thorsten Holz, Markus Engelberth and Felix Freiling at the University of Mannheim in Germany, analyzed malware designed to steal sensitive information from infected machines. The researchers developed techniques for studying the "dropzones" -- servers that are used by attackers to store stolen information.
Over a seven-month period, they were able to access more than 70 unique dropzones and found about 33GB of stolen data from more than 170,000 compromised machines. Among the stolen data, the researchers found more than 10,700 stolen online bank account credentials, about 149,000 stolen email passwords, and 5,600 full credit card details.
Using a Symantec Corp. study, the researchers estimated the potential value of the stolen credentials at several millions of dollars. Symantec released a report in November on the value of stolen data.
"The results of analyzing the potential income of an attacker indicate that an attacker can earn several hundred dollars per day based on impersonation attacks with keyloggers -- a seemingly lucrative business." Holz, one of the founders of the German Honeynet Project, wrote in the Honeyblog.
The analysis also showed that nearly one-third of the infected machines are located in either Russia or the U.S.
Researchers looked in detail at two pieces of malware -- ZeuS/Wsnpoem and Limbo/Nethell -- that fall into a class of attacks they call impersonation attacks, where criminals want to steal a credential in order to impersonate a victim at a banking or other website. The attack channel for the ZeuS/Wsnpoem family of malware is spam that contains a keylogger as an attachment, while Limbo/Nethell malware often lures victims to malicious websites, according to the study.
Due to the sensitive nature of the data collected in the study, the research team gave it to AusCERT, the national Computer Emergency Response Team for Australia, Holz noted in his blog posting.
He also said the best ways to protect against the threats described in the study are patching, not clicking on all links and attachments, and using two-factor authentication when conducting bank transactions.