Channels ▼


Criminals Diversifying Financial Attack Malware

Secure browsing specialist Trusteer is highlighting internal research that points to a new version of the Bugat Trojan. Originally uncovered in January, Bugat is labeled as financial malware and has been used to commit fraud through a recent phishing campaign targeting LinkedIn users. The emergence of this new version of Bugat appears to be an attempt by cyber criminals to diversify their attack tools using a platform that is less well known and therefore harder to detect and block.

Trusteer says that Bugat is similar in functionality to its better known financial-focused malware cousins Zeus, Clampi and Gozi. It targets the Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen financial credentials then are used to commit fraudulent Automated Clearing House (ACH) and wire transfer transactions mostly against small to midsized businesses. Bugat is three times more common in the U.S. than Europe, but its distribution is still fairly low.

In last week’s attack, LinkedIn users received emails reminding them of pending messages in their account and providing a malicious URL. When a victim clicked on the link they were directed to a fraudulent website where a Java applet fetched and installed the Bugat executable.

"Criminals are stepping up their malware distribution efforts by continuously updating configurations of well known malware like Zeus, and using new versions of less common Trojans like Bugat, to avoid detection," said Mickey Boodaei, CEO of Trusteer. "We are in an arms race with criminals. Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet."

Trusteer warns that the recent industry focus on Zeus is making it easier for other Trojans, like Bugat, SpyEye, and Carberp which are less wide spread but equally sophisticated, to avoid detection. Also falling into the lesser known category is the Carberp variant, which currently targets customers of nine banks in the United States, Denmark, The Netherlands, Germany and Israel.

If there is a lesson here for security focused developers and other software engineering professionals it may be that variant production could be the next major theme to be aware of in terms of Internet security. Providing security layers within a corporate network to detect, eradicate and cleanse malware should not be a static process and simply installing business edition security suites only scratches the surface. Social networks are increasing the number of user 'touchpoints' to the web and this in itself represents an additional challenge for IT administrators and managers. Once a major Trojan like Zeus has been pinned down, it appears that the next most obvious shape for trouble to arrive in may be very similar to the last threat identified.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.