New Zeus variant may get lost in the clamour of Heartbleed

Tom Roberts 11 Apr 2014

New issues come out all the time. I did read that at one time as many as 80 new issues were disclosed across all the IT sector every week. A recent article on Dark Reading highlighted that:

“Overall, Secunia received reports on 13,073 new vulnerabilities in software products in 2013 — comprising 2,289 products from 539 different vendors — and said 16.3% of the bugs were rated “highly critical,” meaning they can be used to remotely exploit systems. Finally, 0.4% of the vulnerabilities rated as “extremely critical,” meaning bugs that could remotely exploit systems and which were also being actively targeted by in-the-wild attacks.”

That is a lot of issues, more than 35 every day! Of those, about 6 a day are classed as “Highly Critical”, and as we have seen, only the tiniest handful get the kind of press Heartbleed does. That doesn’t mean they aren’t JUST as dangerous. Take for instance the newest Zeus variant, as disclosed by Comodo: https://blogs.comodo.com/e-commerce/comodo-av-labs-id-zeus-trojan/.

This has the potential to be just as concerning, as it is after bank details specifically and will often be used as part of a more targeted campaign. The typical style of attack will be to get a user to visit an impacted site, infect the victim with a specialist form of malware which avoids detection by antivirus products (a technique called packing), and then wait for the user to go to their online portal and alter any transfers made so that they go to a malicious recipient.

The user won’t be aware of the issue and everything will appear to be normal. It won’t be until someone audits the bank account that they find the money went elsewhere, and while people try to decide whether it was malware or an unfortunate mis-key by the user, the attackers have run off with your money.

The sting in the tail of this particular variant is that it comes signed by Microsoft and for a domain called isonet.ag. The fact that the digital signature appears to be trusted may mean the software installs without a prompt, or is allowed to install because to all intents and purposes it comes from a trusted source. If the hapless victim installs it, the software embeds itself with a rootkit and various other components and just waits for some bank details to fall into its lap.
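
A signature that validates only tells you the certificate chain checks out; it does not tell you the signer is the publisher you expected. The following PowerShell is an added example, not part of the original post or of Comodo's analysis, that reports who signed a file and compares that name with an expected publisher. The function name and the `$ExpectedPublisher` parameter are hypothetical.

```powershell
# Added example: look at WHO signed a file instead of trusting "signed" on its own.
function Test-ExpectedPublisher {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the publisher name you expect for this download,
        # taken from the vendor's own site, not from the file itself.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Unsigned files have no signer certificate, so default everything to $null.
    $signer = $null; $issuer = $null; $thumb = $null; $expires = $null
    if ($cert) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)   # subject's simple name (CN)
        $issuer   = $cert.GetNameInfo($nameType, $true)    # issuing CA's simple name
        $thumb    = $cert.Thumbprint
        $expires  = $cert.NotAfter
    }

    $chainValid     = ($sig.Status -eq 'Valid')
    $publisherMatch = ($null -ne $signer) -and ($signer -eq $ExpectedPublisher)

    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer         = $signer
        Issuer         = $issuer
        Thumbprint     = $thumb
        NotAfter       = $expires
        ChainValid     = $chainValid
        PublisherMatch = $publisherMatch
        # Both conditions must hold: a valid chain to an unexpected signer is a red flag.
        Trusted        = $chainValid -and $publisherMatch
    }
}

# Constructed usage: review every executable in the Downloads folder.
# 'Example Vendor Ltd' is a placeholder publisher name.
# Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
#     ForEach-Object { Test-ExpectedPublisher -Path $_.FullName -ExpectedPublisher 'Example Vendor Ltd' }
```

A row with `ChainValid` true and `PublisherMatch` false is the case described above: the signature is accepted, but the name on it is not the one you were expecting.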

How to stay safe:

  1. A simple solution and one I am starting to detail to others. Use a special account on Windows that is ONLY for online banking. No surfing, no email, no other activities other than just the banking. Make sure the account is NOT admin and make sure the machine is patched, but the only place that account will ever go to is your bank and ONLY your bank. It’s the rule of least privilege carried to an extreme but it does start to separate your normal online activities from those of the most important aspect of your finances. This isn’t foolproof and you still need to ensure that your AV is working AND that you don’t have the same password for this special banking user as other users on the same machine.
  2. If you can, try to adopt a single machine in your home or workplace just for finance transactions. Again, no email, no nothing… just for online banking and NOTHING else. We all often have spare machines in our homes, and rather than throw them out, repurpose them into specialist usage machines. Singularly purposed and thus removed from your other activities.
  3. Keep patched. As always, good patching is required to keep your services safe. Also make sure you have a recognised antivirus application and that it too gets regular updates.
  4. Change your passwords once in a while. We are all guilty of neglecting this. But you need to switch your passwords to passphrases for key accounts, and changing them once a year should be seen as a minimum.
  5. I will get flak for this… but think about keeping “special” passwords for banking and other activities in a passbook at home. Keep it on the shelf and let your spouse (only) know where it is. This means you don’t have to keep it stored on the machine, and if someone does break into your home, that small notebook on the shelf that only you and one other person know about is unlikely to be the target of criminals looking for items like tablets and expensive phones. This air-gapped solution is then only breakable by those in your circle of trust. If you can’t trust your spouse… then this blog is not what you need and I suggest a marriage counsellor instead. ;-)
  6. If you ever get suspicious emails from someone purporting to be your bank, ring them and confirm before you do anything with it. Don’t click on the link “just to be curious” or “to make sure it’s them”. The link, once clicked, is the trigger to let attackers know you are there and a human responded. Ring the bank and if they say “no”, delete the email and do nothing more with it. The one exception is the bank may ask you to forward it to a specialist address for their records and to warn others.
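
One way to set up the banking-only account from tip 1, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the function name and the account name `Banking` are hypothetical.

```powershell
# Added example: create a standard (non-admin) local account for banking and verify it.
function New-BankingAccount {
    [CmdletBinding()]
    param(
        [string] $Name = 'Banking'   # assumption: hypothetical account name
    )

    # Well-known SIDs are used instead of group names so this also works
    # on non-English Windows installs.
    $usersSid  = 'S-1-5-32-545'   # BUILTIN\Users
    $adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

    # Prompt for the password so it never appears in the script or shell history.
    # Per the tip above, it must differ from every other account on the machine.
    $password = Read-Host -Prompt "New password for '$Name'" -AsSecureString

    $user = New-LocalUser -Name $Name -Password $password `
        -Description 'Online banking only' -ErrorAction Stop
    Add-LocalGroupMember -SID $usersSid -Member $Name -ErrorAction Stop

    # Verify the least-privilege property the tip depends on:
    # the new account must not be a member of Administrators.
    $isAdmin = [bool](Get-LocalGroupMember -SID $adminsSid |
        Where-Object { $_.SID.Value -eq $user.SID.Value })

    if ($isAdmin) {
        Write-Warning "'$Name' is in Administrators; remove it before using this account."
    }

    [pscustomobject]@{
        Account     = $Name
        Sid         = $user.SID.Value
        IsAdmin     = $isAdmin
        Enabled     = $user.Enabled
    }
}

# New-BankingAccount            # creates 'Banking' and reports IsAdmin = False
```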

Of all the things you could lose on the internet, your money is the one thing you are most likely to lose sleep over. Your Google Mail account may appear to be the thing you need most in your life, but it’s not the thing that pays the bills.

And last of all… there is one other approach as highlighted by XKCD: http://xkcd.com/1353/ Use “old school” banking approaches, like wandering into a branch. I for one have started to lament our loss of the high-street shops as the centres of most towns become derelict and in need of purpose, and bringing back face-to-face communications and jobs for people is no bad thing. It might be that the internet has brought us new and faster ways of doing things, but it has brought along with it new ways of stealing that which is yours.