Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small to medium sized organizations took the bait.

These fake NACHA lures were mailed the week of Sept. 19, even though the sent date on the message says Aug. 3. Source: Commtouch.

Security firm Symantec says it detected an unprecedented jump in spam blasts containing “polymorphic malware,” — malicious software that constantly changes its appearance to evade security software. One of the most tried-and-true lures used in these attacks is an email crafted to look like it was sent by NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

Using NACHA’s name as bait is doubly insulting because victims soon find new employees — money mules — added to their payroll. After adding the mules, the thieves use the victim’s online banking credentials to push through an unauthorized batch of payroll payments to the mules, who are instructed to pull the money out in cash and wire the funds (minus a commission) overseas.

On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama, a component of the Center for Cancer Care, a large medical health organization in Alabama. John Ziak, director of information technology at the center, said he suspects the organization’s accounting firm was the apparent source of the compromise. That means other clients may also have been victimized. He declined to name the accounting firm.

Ziak said the bank was able to block some of the fraudulent transfers, but that it was too soon to say how much the thieves got away with. But the center may have better leverage than most victims in convincing the bank to accommodate them: Many of its doctors are on the board of directors of the organization’s bank.

“We still don’t know how much is going to be coming back,” Ziak said. “We can chalk it up to lessons learned, but we’re going to be making some changes with the bank…forcing them to implement a higher level of security for our account.”

Last month, computer crooks also robbed the North Putnam Community School Corporation, which serves the children of six northern townships of Putnam County, Indiana.

Mary Sugg Lovejoy, superintendent of the K-12 school system, said thieves stole about $98,000 from school coffers, sending the money to numerous individuals who had no prior business with the school district. Fortunately for North Putnam, all of the fraudulent transfers were returned shortly after the attack, Lovejoy said.

In a separate attack on a public institution, malicious hackers last month struck the City of Oakdale, Calif., according to a story in the Modesto Bee. High-tech criminals stole $118,000 from a city bank account, the publication reported last week. Oakdale city officials are confident that its insurance carrier would reimburse the loss, minus a $2,500 deductible.

But that story ended on a sour note. The reporter quoted officials from the city’s bank, Oak Valley Community Bank, wrongly laying blame for the incident on a lack of technology and security.

“It’s the same story we hear from a lot of institutions,” Oak Valley President Chris Courtney said. “It’s about safekeeping the information on your computers, scanning for viruses and having a state-of-the-art security system.”

Blocking these attacks has little to do with state-of-the-art computer systems or scanning files with anti-virus. It’s not clear what malware family was used in any of these attacks, although the first two mentioned in this story involved a cyber gang that favors the ZeuS Trojan (the fraudulent NACHA messages in the screen shot above contained a malware dropper that installs ZeuS). But organizations should understand that these attacks have far more to do with social engineering and tricking humans than with defeating technology and security solutions.

As I’ve noted in past stories, all of the victims I’ve interviewed were running anti-virus software: Very few of them had protection against the malware used in the attack until after their money was stolen.

Most commercial banks have significant room for improvement in securing the transaction and authentication space for their customers. But businesses that rely on their financial institutions to detect fraudulent activity are setting themselves up for an expensive lesson.

No single approach or technology will stop all of these account takeovers, but preventing the theft of your online banking credentials is a critical first step. That’s why I continue to advise that small- to mid-sized organizations use a dedicated computer for online banking. Using a non-Windows PC — such as a Live CD or a Mac — is the safest approach, but not necessarily the most practical or affordable. An alternate approach is to access bank accounts from an isolated PC that is locked-down, regularly updated, and used for no other purpose than online banking.

Zeustracker.abuse.ch tracks antivirus detection rates for new variants of the ZeuS Trojan. The average detection rate is about 38 percent.

Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.

The “right to left override” (RLO) character is a special character within unicode, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuations, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in unicode as “U+0020″.

The RLO character (U+202e in unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character also can be used to make a malicious file look innocuous.

This threat is not new, and has been known for some time. But an increasing number of email based attacks are taking advantage of the RLO character to trick users who have been trained to be wary of clicking on random .exe files, according to Internet security firm Commtouch.

Take the following file, for example, which is encoded with the RLO character:

“CORP_INVOICE_08.14.2011_Pr.phylexe.doc”

Looks like a Microsoft Word document, right? This was the lure used in a recent attack that downloaded Bredolab malware. The malicious file, CORP_INVOICE_08.14.2011_Pr.phyldoc.exe, was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the unicode command for right to left override just before the “d” in “doc”.

I wanted to see this work on my Windows 7 system, but found that I had to enable a registry tweak to allow the insertion of unicode into file names. After a reboot, I was able to rename any executable by holding the ALT key, then pressing the “+” sign on the keypad and typing “202e” in front of the targeted area while renaming a file.

According to Commtouch, this technique is being used to conceal malicious files in an unusually aggressive series of spam blasts that have been ongoing since mid-August.

“The average outbreak during 2010 occurred every 10-14 days and consisted of 5-10 billion messages sent by botnets,” Commtouch co-founder Amir Lev said. “The outbreak distribution kept enough bots alive to manage [a] certain level of malicious activity.”

In contrast, Lev said, recent malware spam outbreaks have been far more frequent – sometimes three per day. The malware variants embedded in the spam include many password-stealing bots used in high-profile cyber heists, such as SpyEye and Zbot/ZeuS, in addition to Sasfis and fake antivirus. The lures used include UPS package notifications, credit card errors, inter-company invoices, and supposed notifications from NACHA, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

Some email applications and services that block executable files from being included in messages also block .exe programs that are obfuscated with this technique, albeit occasionally with interesting results. I copied the program that powers the Windows command prompt (cmd.exe) and successfully renamed it so that it appears as “evilexe.doc” in Windows. When I tried to attach the file to an outgoing Gmail message, Google sent me the usual warning that it doesn’t allow executable files, but the warning message itself was backwards:

Unfortunately, many mail applications don’t or can’t reliably scan archived and zipped documents, and according to Commtouch and others, the malicious files manipulated in this way are indeed being spammed out within zip archives.

This class of attack is a good reminder that there is no substitution for being careful with unbidden documents and attachments sent to you via email. If you receive a message with an attachment you weren’t expecting — even if it appears to come from someone you know — the safest option is to take a second and reply back to the person to verify the contents of the message and that they meant to send it.

I have not had an opportunity to test this on other operating systems or email clients (although my Mac happily displayed the cmd.exe file as evilexe.doc). I’d be interested in comments from readers who have broader experience with this approach in manipulating file types.

Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.

Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms  capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.

A sample Ramnit injection. Image courtesy Trusteer.

Trusteer says this Ramnit strain includes a component that allows it to modify Web pages as they are being displayed in the victim’s browser. It is this very feature — code injection — that has made ZeuS such a potent weapon in defeating the security mechanisms that many commercial and retail banks use to authenticate their customers.

As this Ramnit variant demonstrates, the real threat from the ZeuS source leak is that it greatly facilitates the addition of this code-injection capability into tons of other ordinary malware. I think we can expect other established malware families to undergo a similar metamorphosis in the months ahead.

It is fitting that the ZeuS leak was the apparent outcome of an earlier hybridization: The merger of ZeuS with SpyEye. One of the more tantalizing conspiracy theories I’ve heard to explain the release of the ZeuS code is that it was done intentionally as part of a marketing ploy to create demand for peripheral code and services. This is not so far-fetched. As I wrote in July, malware writing gangs have taken to posting banner ads to lure talented programmers into the lucrative market for “Web injects” and other innovations designed to make existing malware stealthier and more feature-rich.

Security experts this week cataloged another evolution tied to the ZeuS source spill: On Tuesday, Kaspersky Lab published a blog post on Ice IX, which it claimed was the first crimeware based on the leaked code. Kaspersky said Ice IX, sold in the criminal underground for $1,800, “is the first new generation of web applications developed to manage centralized botnets through the HTTP protocol based on leaked ZeuS source code.”

It’s horrifying enough when a computer crook breaks into your PC, steals your passwords and empties your bank account. Now, a new malware variant uses a devilish scheme to trick people into voluntarily transferring money from their accounts to a cyber thief’s account.

The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.

When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.

The BKA’s advisory isn’t specific about the responsible strain of malware, but it is becoming increasingly common for banking Trojans to incorporate “Web injects,” custom designed plug-ins that manipulate what victims see in their Web browsers.

This attack is an insidious extension of the tactic that was pioneered by the URL Zone Trojan, which specializes in manipulating the balance that victims see when they log into their (cleaned-out) bank accounts.

If you log in to your bank account and see something odd, such as a “down for maintenance” page or an alert about a wayward transfer, your best option is to pick up the phone and call your bank. Make sure you are using the bank’s real phone number: Malware like the ZeuS Trojan has been known to present newly-fleeced victims with messages about problems with the bank’s Web site, along with a bogus customer support phone number.

The global economy may be struggling to create new jobs, but the employment outlook for criminally-inclined computer programmers has never been brighter. I’ve spent some time lurking on shadowy, online underground forums, and lately I’ve seen a proliferation of banner ads apparently placed by criminal gangs looking for talented programmers to help make existing malware stealthier and more feature-rich.

Many of the ads highlight job openings for coders who are skilled in devising custom “crypters,” programs designed to change the appearance of known malware so that it goes undetected by anti-virus software. Anti-virus signatures are based on snippets of code found within known malware samples, and crypters can try to help hide or obfuscate the code. When anti-virus firms update their products with the ability to detect and flag files that are shrouded by this layer of obfuscation, malware writers tweak their creations in a bid to further evade the new detection mechanisms.

The composite banner ad pictured above is a solicitation from a crime gang that offers a base salary of $2,000 per month in exchange for a “long-term partnership” creating crypters that include customer support. The ads lead to a sign-up page (below) where interested coders can leave their résumé and contact information, and state why they think they are qualified for the position.

The Russian text in the above ad translates to:

“We invite you to join our team of crypto-programmers, including programmers with no experience in this field.

We offer:

* Base salary from $2,000 per month, with an increase in salary, depending on the quality and timeliness of your work.
* Payments are made ​​weekly.
* Long-term cooperation (with many programmers, we have been in business for more than two years).

Please fill in your application only if you understand what is at stake. Thank you.”

Other ads, like the one below, seek qualified candidates for similar jobs with a promise of as much as $5,000 per month for creating custom crypters and providing customer support.

There also appears to be a high demand for programmers who can code so-called “Web injects,” plug-ins for malware kits like the ZeuS and SpyEye trojans, and they’re designed to inject custom content into a Web browser when the victim browses to certain sites, such as a specific bank’s login page.

A common Web inject used with ZeuS inserts requests for the answers to the victim’s challenge questions when the user logs in to his bank account. Coding decent Web injects can be challenging because Web sites display differently in different Web browsers, and a poorly-designed inject may  alert the victim that something isn’t quite right, prompting him to contact his bank. The ad below promises enterprising coders at least $2,000 for every completed Web inject written to work with ZeuS and/or SpyEye.

These ads are priceless because they offer insights into the mechanics of the cybercrime economy today. Specifically:

• Malware gangs are reinvesting at least some of their earnings into research and development. They understand that if they fail to innovate, they don’t get paid.
• A lot of malware is developed not by a single person, but by teams of programmers, each of which may specialize in and maintaining one component or function of the malware.
• Coding teams doing all this hiring know that good customer support is a major driver of sales, and that selling a product and then leaving the customer high and dry is the fastest way to drive users away from upgrading to future versions of your software and services.

So how about it? Ready to quit your day job as a code jockey at a software firm and go to work for the dark side? Okay, but you might want to sign up for those COBRA benefits first. I couldn’t find any ads for malware gangs that were offering health or dental insurance…yet.

New and novel malware appears with enough regularity to keep security researchers and reporters on their toes. But, often enough, there are seemingly new perils that  really are just old threats that have been repackaged or stubbornly lingering reports that are suddenly discovered by a broader audience. One of the biggest challenges faced by  the information security community is trying to decide which threats are worth investigating and addressing.  To illustrate this dilemma, I’ve analyzed several security news headlines that readers forwarded  to me this week, and added a bit more information from my own investigations.

I received more than two dozen emails and tweets from readers calling my attention to news that the source code for the 2.0.8.9 version of the ZeuS crimekit has been leaked online for anyone to download. At one point last year, a new copy of the ZeuS Trojan with all the bells and whistles was fetching at least $10,000. In February, I reported that the source code for the same version was being sold on underground forums. Reasonably enough, news of the source leak was alarming to some because it suggests that even the most indigent hackers can now afford to build their own botnets.

A hacker offering to host and install a control server for a ZeuS botnet.

We may see an explosion of sites pushing ZeuS as a consequence of this leak, but it hasn’t happened yet. Roman Hüssy, curator of ZeusTracker, said in an online chat, “I didn’t see any significant increase of new ZeuS command and control networks, and I don’t think this will change things.” I tend to agree. It was already ridiculously easy to start your own ZeuS botnet before the source code was leaked. There are a number of established and relatively inexpensive services in the criminal underground that will sell individual ZeuS binaries to help novice hackers set up and establish ZeuS botnets (some will even sell you the bulletproof hosting and related amenities as part of a package), for a fraction of the price of the full ZeuS kit.

My sense is that the only potential danger from the release of the ZeuS source code  is that more advanced coders could use it to improve their current malware offerings. At the very least, it should encourage malware developers to write more clear and concise user guides. Also, there may be key information about the ZeuS author hidden in the code for people who know enough about programming to extract meaning and patterns from it.

Are RATs Running Rampant?

Last week, the McAfee blog included an interesting post about a cross-platform “remote administration tool” (RAT) called IncognitoRAT that is based on Java and can run on Linux, Mac and Windows systems. The blog post featured some good details on the functionality of this commercial crimeware tool, but I wanted to learn more about how well it worked, what it looks like, and some background on the author.

Those additional details, and much more, were surprisingly easy to find. For starters, this RAT has been around in one form or another since last year. The screen shot below shows an earlier version of IncognitoRAT being used to remotely control a Mac system.

IncognitoRAT used to control a Mac from a Windows machine.

The kit also includes an app that allows customers to control botted systems via jailbroken iPhones.

Incognito ships with an app that lets customers control infected computers from an iPhone

The following video shows this malware in action on a Windows system. This video was re-recorded from IncognitoRAT’s YouTube channel (consequently it’s a little blurry), but if you view it full-screen and watch carefully you’ll see a sequence in the video that shows how the RAT can be used to send e-mail alerts to the attacker. The person making this video is using Gmail; we can see a list of his Gchat contacts on the left; and his IP address at the bottom of the screen.  That IP traces back to a Sympatico broadband customer in Toronto, Canada, which matches the hometown displayed in the YouTube profile where this video was hosted. A Gmail user named “Carlo Saquilayan” is included in the Gchat contacts visible in the video.

The IncognitoRat kit is sold on a English-language script kiddie hacker forum called HackForums.net by “Mr. Incognito,” but acquaintances on the forum refer to him as “Carlo.” Carlo describes himself on HackForums as a 19-year-old college student; he did not respond to repeated requests for comment. Anyway, so much for going incognito: This Facebook account belongs to a Carlo Saquilayan from Toronto, Ontario, and includes a nice picture of a young man in sunglasses and a leather jacket.

CrimePack Resurfaces

Several security forums were abuzz last week over the apparent leak of another crimekit. It’s a recent version of CrimePack, an exploit kit that I’ve profiled on this blog a few times. Will this lead to an outbreak of newly-hacked Web sites infected with the CrimePack exploit kit? I don’t think it’s likely, for a couple of reasons. First, this was initially leaked last fall, not long after its author released it. Second, I reached the author of this crimekit via instant message, and got his reaction. He told me that a main component of the kit — the part that tries to attack vulnerabilities in Adobe’s PDF Reader — was broken in the version that got leaked, and remains largely non-functional.

“I deliver this copy to like 20 people without the domain lock as a last copy, but it got leaked to someone, same day,” said “Crim,” the CrimePack author. “After I saw that the PDF exploit was not working, so pretty much no exploits will work as it will generate error when sending exploits. I was so pissed off when it leaked, so I refused to send out fixed copies.” A strongly-worded snippet of chatter from an exclusive hacker forum where Crim is co-administrator is included in the screen shot above, and seems to support his claim.

Sunspots are Nothing New

Security firm Trusteer said it has identified a little-known Windows malware platform that rivaled ZeuS in sophistication and functionality. In a blog post on May 11, 2011, Trusteer’s Amit Klein described the novelty of this malware, which the company dubbed “Sunspot”. Klein said Sunspot “reveals a new approach to financial malware development. Unlike purpose built financial fraud platforms like Zeus, SpyEye, Bugat, and others, it appears Sunspot was not originally developed as crime ware. If this is the case, we could be witnessing a sea change in malware development where general purpose and little know[n] malware platforms are re-programmed to carry out financial fraud. This will make it even more difficult to defend against attacks since banks will be ambushed by a growing number of unique financial malware platforms.”

When I first read Trusteer’s blog post, I pinged a number of security experts who study malware for a living, to get their thoughts on whether this was a unique threat. Aviv Raff, CTO and co-founder of security alert service Seculert, told me on Wednesday that he’d wrangled a copy of the malware and that it appeared to be a souped-up version of a well-known bot released in the middle of the last decade called Nethell, but also known as Limbo and Ambler. Then on Thursday, Microsoft‘s Tareq Saade & Tim Liu chimed in, saying they’d also pegged Sunspot as an evolved version of Ambler.

Trusteer’s Klein acknowledged that there appeared to be similarities between Sunspot and Limbo/Nethell/Ambler, but said there are major innovations in the way that Sunspot attacks the victim’s browser. He observed that much as the leak of the ZeuS code may soon give some enterprising malware coder ideas about how to extend the capabilities of an existing malware family, it appears that someone has taken a tried-and-true bot family and jazzed it up with a new set of wheels.

“Whether this is an evolution of Limbo/Nethell/Ambler, or merely ‘cannibalizing’ pieces of that malware to build a completely new malware is anyone’s guess,” Klein said in an email to KrebsOnSecurity. “Clearly they are both built with access to some common source code, but beyond that it’s difficult to accurately tell. From our perspective the difference [outweighs] the similarities, so we feel that a new name is in place.”

Keep the tips coming, please  – they are usually helpful and always much appreciated. But do turn a skeptical eye to reports of “new” threats -  many times we discover that something new is really not news at all.

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

Fans of the movie series “Alien” will recognize the name Weyland-Yutani as the fictional corporation that was sent ahead to establish habitable bases and dwellings on extrasolar planets in advance of the arrival of new human colonies. If this crimekit takes hold, or is an indicator of a broader interest in attacking Mac users, we could soon witness cyber crooks starting to colonize the Mac user community as well. The author of this Mac crimekit said he knows of several other independent coders who are working on Mac malcode projects that aren’t quite ready for prime-time, although he declined to elaborate on that claim.

Each time this subject comes up, I am struck by how fervently the Mac community denies that Mac users might ever have to deal with anywhere near the level of malware that currently besieges the Windows world. The Mac, these apologists explain, is far more secure than Windows, and that is why we have not seen malware writers attack the platform with the same vigor and interest. As one commenter on this blog reasoned, OS X simply doesn’t allow programs to be installed without user permission. My response is, assuming for the moment that the above statement about the Mac’s superior security is true, the operating system does nothing to stop the user from being tricked or cajoled into installing malware. What’s more, social engineering attacks are one of the primary ways that Windows users get infected today, so why would it be any different for Mac users?

Consider the scourge of rogue anti-virus attacks: Each day, thousands of Windows users are tricked into running and installing a bogus security “scanner” foisted on them by some hacked Web site. The attackers’ goal with these “scareware” muggings is to not only trick the user into installing malicious software, but also paying for it with their credit cards!

Image courtesy Intego.com

Earlier today, MacRumors.com carried a story about a new threat discovered by Mac security software vendor Intego that uses social engineering in a bid to install scareware known as “MACDefender.”

The nice thing about social engineering attacks is that defending against them doesn’t require buying or installing some type of security software. As I noted in a column last week, it merely requires the user to accept the notion that “security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.”

The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

The author of the SpyEye trojan formerly sold the crimeware-building kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition comes with the option for new “form grabbing” capabilities targeting Chrome and Opera users.

SpyEye component in version 1.3.34 shows form grabbing options for Chrome and Opera

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I’ve seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

Aviv Raff, CTO and co-founder of security alert service Seculert, said that both SpyEye and ZeuS work by “hooking” the “dynamic link library” or DLL files used by IE and Firefox. However, Chrome and Opera appear to use different DLLs, Raff said.

This strikes me as an incremental yet noteworthy development. Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen. Security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.

Business gurus have long maintained that time = $$, but that doesn’t mean that playtime necessarily decreases the bottom line. Many corporations have discovered that their employees tend to be more productive when they have time to give their brains a break, and gameplay is the perfect escape. So it’s not surprising that some cyber criminals have taken this lesson to heart, and are crafting crime machines to include games that allow their evildoing customers to steal money and set their hi-scores at the same time.

I had a laugh when I stumbled upon the administrative panel shown in the video below. It’s a back-end Web database designed to interact with a collection of Windows PCs infected by the ZeuS Trojan. This panel receives financial data stolen from victim machines, including PayPal and Bank of America account credentials. This video shows the Bank of America tab of the tool, which also allows the criminal to inject specific “challenge/response” questions into BofA’s Web page as displayed in the victim’s browser, as a way to steal the answers to these questions should the criminal later be asked for them when later logging in to victim accounts.

Directly to the right of an option to export all stolen credentials to an easy-to-read .csv file is a button labeled “Pacman”. Clicking launches a playable, exact replica of the 1980s arcade game (enlarge the video by clicking the icon in the bottom right corner of the video panel):

I can’t help but wonder whether we will witness some perverse kind of Moore’s law with future criminal Web administration panels. I can just see it now: In 18 months, crooks writing these panels will be bundling Halo 3 and Counter-Strike with their creations!

On a more serious note, the tab labeled “Arcot” is interesting: Arcot Systems is the company whose software powers the authentication system used by MasterCard’s SecureCode and Visa’s Verified by Visa programs. What’s interesting is that the thieves could defeat these security systems by gathering personal data on victim card holders, which they appear to have done here. This panel, like others used in tandem with ZeuS (for example, Jabberzeus) also is set up to alert the botmaster via Jabber instant message when a new set of credentials is stolen.

Security experts often warn computer users about “keystroke-logging” malware, digital intruders capable of recording your every keystroke. But the truth is, real bad guys don’t care about your everyday chit-chat: They’re after the financial information. I was reminded of this reality by a feature built into a recent version of the infamous ZeuS trojan that makes it even easier for the crooks to ignore everything except for the goods they’re seeking.

Pictured here is part of an administration panel for a botnet of PCs infected with the ZeuS trojan (version 2.0.8.9). ZeuS’ data-stealing components are legion, but one of its most useful features is what’s known as a “form grabber,” which will automatically steal any data the victim submits to a Web site inside of a form, such as an address, credit card number or password. It doesn’t matter if the Web site the victim is on uses encryption (https://), ZeuS extracts and stores user-submitted data before it can be encrypted and sent by the browser.

But even when a botmaster has configured his bots to only record data when the victim browses to https:// sites, the amount of data harvested from the entire botnet can easily exceed hundreds of megabytes per day, because many botnets are lifting this data from thousands of infected systems simultaneously.

So what if you only want only the cream of the crop? The ZeuS control panel I encountered has a handy feature, called “Enable No-Shit reports,” which when checked only stores very specific information sought by the criminals, such as 16-digit credit card numbers, and data that victims are submitting to pre-selected online banking sites.