Info-stealing Trojans are now the most common net threat

7 Oct 2010

Trojans, which allow online attackers to access and take control of an infected PC, are now the most prevalent category of new threats on the internet and 96pc of them now originate from organised cyber crime gangs, according to a new report.

CA Technologies’ latest half-yearly security white paper, State of the internet 2010: a report on the ever changing threat landscape, dubs this trend “crimeware as a service”. This type of automated software targets sensitive data and attempts to steal money through compromised online banking services, shopping and other internet services.

“Organised cyber criminals understand internet business models and know how to operate to avoid legal prosecution,” the report said. In practice, this means organised criminal groups operate in a modular fashion, performing specific tasks in a cyber crime operation. This allows them to remain anonymous and reduces the chances of their being caught, said Don DeBolt, a director of threat research with CA and one of the report’s authors.

Botnets at work

The approach works like this: spam botnets such as Cutwail, Waledac and Storm distribute threats. Once the attack arrives at a targeted platform, the installation module penetrates it and installs the payload. The payload is the part of the crimeware that generates revenue for the organised cyber criminal. The payload may install and execute other threat components or modules, such as rootkits, click fraud, sniffers, hack tools and keyloggers, to assist cyber criminals.

As well as using social engineering tactics – convincing people to click on links in an email or on popular sites like Facebook – criminals also use drive-by downloads. In this case, they infect genuine websites so that visitors to those sites unknowingly download a piece of malware that is installed on their computers.

One example of a crimeware toolkit component is Zeus bot, which CA said is mainly designed to steal a user’s information and banking credentials. Financial institutions worldwide were targeted in the phishing element of this scam aimed at obtaining people’s online banking login details. In the first half of this year, Spain, the UK, the US and Germany were the top countries targeted by the Zeus bot. Ireland was also among the countries targeted, the report found.

Zeus bot also looks to steal people’s account information for a range of sites, including Facebook, Amazon, Blogger, Myfarmvillage and Flickr.

Almost one-third of new information-stealing Trojans were focused on grabbing users’ online banking credentials, CA Technologies’ researchers found. All told, they identified more than 400 new families of threats in the first six months of 2010.

The top-ranking type of threat was rogue security software (also known as scareware), which accounted for 18pc of the total. Interestingly, the common or garden “virus” represented just 2pc of all new threats – a sign of how the IT security landscape is changing.

Gordon Smith was a contributor to Silicon Republic