Put simply, cybercrime, especially financial malware, has the potential to be quite the lucrative affair. That's only because the bad guys have the tools to make their work quick and easy, though. Cripple the automated processes presented by certain malware platforms, and suddenly the threats — and the losses — aren't quite so serious.
CSO Online had the opportunity to chat with Shape Security's senior threat researcher, Wade Williamson, at this year's Black Hat conference, and he offered a brief background of these types of popular malware platforms before putting the threat landscape into perspective.
Williamson maintains that, despite its perceived "downfall," Zeus is still one of the most popular botnet platforms out there, and that's for a number of reasons. For one, the source code for Zeus previously leaked, allowing people who know how to code to more or less build on top of it for free. Also, it was one of the most common building blocks for many of the high-profile pieces of malware that came after it; it's the very reason that it can be difficult to distinguish between Citadel and Zeus, for example. Ultimately, Zeus served as the "innovative wedge" that can be seen in man-in-the-browser financial malware today.
That said, there's a new up-and-comer in town in the form of Pandemiya.
"If you rewind about six years ago, SpyEye was actively marketing and saying, 'We're better than Zeus,'" says Williamson. "But they eventually merged and then you got iterative changes on top of the Zeus codebase. Pandemiya, on the other hand, is the new entrant and you're starting to see it challenge the monolith [Zeus]."
Be it Pandemiya or Zeus, however, the goals behind them are more or less the same. According to Williamson, there are two major branches to attack strategies now. The first is working on making the botnet harder to take down, which some coders have accomplished by implementing P2P communication between the bots.
"It used to be that C&C servers are the brain behind this big botnet and everyone wants to take that down," says Williamson. "But now botnets are using P2P communication, so there is no central server. They spread over the machines themselves, just like a P2P network, and it becomes hard to root this thing out even if you knew who was behind it."
The other branch has less to do with the older approach of password theft and more to do with automating the transfer of money, which is where Williamson says the "state of the art" technology is now.
"Pandemiya and Zeus are all ultimately about automation and the man-in-the-browser process," he says.
While it used to be easy for attackers to hit victims with a man-in-the-browser attack and simply wait for a login, banks got wise to the practice and implemented secondary authentication mechanisms; it was no longer enough for attackers to just acquire usernames and passwords. As such, they had to adopt a different approach.