Trojans produced by criminal gangs are on the warpath
- SC Magazine, March 2010
Malware gangs have test labs that adapt their polymorphic Trojans to deadly effect. 'Crime as a Service' is heading your way... By Rob Buckley.
To many ISPs looking after enterprise security, anti-virus or anti-malware software is a simple box that needs to be checked before moving on to more pressing concerns. Stick AV software on the gateway and on client machines, make sure it has a robust auto-update schedule and that's most of the work done. Provided everything's kept up to date, malware is more of a consumer issue than an enterprise issue, surely?
Contrary to popular belief, most Trojans are now produced by criminal gangs whose technical expertise far surpasses that of lone 'script kiddies' working in their bedrooms. Modern Trojans, such as Zeus 2.0, Torpig and Clampi, are 'polymorphic' – they can be changed to look like different programs. The gangs behind the Trojans, who will sell them complete with customisation kits for $500-$3,000, have their own testing labs that can determine how well a variant does. If it gets detected, a click of a button on the customisation program can alter Zeus until it can slip past the AV software: a two-byte change to Zeus was all that was needed in January to bypass all current AV software's signatures, says Rodney Joffe, senior technologist at Neustar and director of the Conficker Working Group.
Once installed, Trojans can steal data through keyloggers or simply by uploading files; they can redirect information sent through web forms so that security questions such as date of birth and mother's maiden name can be found out easily; add extra fields to online banking sites' logon forms to find out additional information, such as ATM card PINs; and hijack banking sessions, even those that use two-factor authentication, and set up bank transfers that won't appear on the infected machine's online banking displays. They can disable AV programs' auto-updates; they also have their own auto-update mechanisms, so they too can stay up-to-date and avoid detection.
Depending on whom you talk to, the efficacy of AV software in fighting this new breed of Trojans varies. The likes of Graham Cluley, senior technology consultant for Sophos, argue that a combination of signatures, the company's research labs and heuristics designed to spot typical malware behaviour rather than file signatures means that known Trojans get spotted quickly – and unknown Trojans, too. “It's something of a conveyor belt. There's so much new malware – we see 50,000 new examples every day, but 90 per cent of malware we're detecting proactively.”
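The contrast between the two-byte change that defeats a signature (described above with Zeus) and the behaviour-based heuristics Cluley describes can be shown with a small, self-contained script. The following is an added example written for this article, not code from SC Magazine, Sophos, SentryBay or any vendor: the three "binaries" are constructed byte strings (not real malware), and the indicator strings, thresholds and n-gram size are assumptions chosen for illustration. It demonstrates why an exact-hash signature fails on a near-identical variant while two cheap defensive checks, a fuzzy byte-similarity score and a count of behaviour indicators, still flag it.

```python
import hashlib
from typing import Dict, List, Set

# ---- Constructed samples (byte strings standing in for binaries; not real malware) ----
_HEADER = b"MZ\x90\x00" + b"\x00" * 12  # constructed DOS-stub-like prefix

# "Known" build: strings a string-scanner would associate with keylogging,
# process injection and update tampering, followed by filler bytes.
KNOWN_SAMPLE = (
    _HEADER
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"GetAsyncKeyState\x00InternetOpenUrlA\x00"
    + b"disable_av_update\x00inject_bank_form\x00"  # constructed marker strings
    + bytes(range(256))
)

# Variant: identical except for two bytes in the filler region.
_v = bytearray(KNOWN_SAMPLE)
_v[200] ^= 0x01
_v[201] ^= 0x01
VARIANT = bytes(_v)

# Benign sample: same header, ordinary API strings, different filler.
BENIGN = (
    _HEADER
    + b"MessageBoxA\x00ExitProcess\x00hello world\x00"
    + bytes(range(255, 55, -1))
)

KNOWN_SAMPLES: List[bytes] = [KNOWN_SAMPLE]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-hash signature database: one entry per known build.
SIGNATURE_DB: Set[str] = {sha256(s) for s in KNOWN_SAMPLES}


def signature_hit(data: bytes) -> bool:
    """Signature check: true only for a byte-identical known sample."""
    return sha256(data) in SIGNATURE_DB


# Behaviour indicators tied to the capabilities the article lists (assumed list).
INDICATORS = [
    b"GetAsyncKeyState",    # keystroke capture
    b"CreateRemoteThread",  # code injection into another process
    b"WriteProcessMemory",  # code injection into another process
    b"disable_av_update",   # tampering with AV auto-update (constructed marker)
    b"inject_bank_form",    # adding fields to banking logon forms (constructed marker)
]


def indicator_score(data: bytes) -> int:
    """Count how many behaviour indicators appear in the sample."""
    return sum(1 for ind in INDICATORS if ind in data)


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity over byte 4-grams: the idea behind fuzzy hashing."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb)


def classify(data: bytes, sim_threshold: float = 0.8,
             score_threshold: int = 3) -> Dict[str, object]:
    """Layered verdict: exact signature OR fuzzy similarity OR behaviour indicators."""
    sig = signature_hit(data)
    score = indicator_score(data)
    sim = max(similarity(data, k) for k in KNOWN_SAMPLES)
    malicious = sig or score >= score_threshold or sim >= sim_threshold
    return {
        "signature": sig,
        "indicator_score": score,
        "similarity": round(sim, 3),
        "verdict": "malicious" if malicious else "clean",
    }


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)]:
        print(name, classify(sample))
```

Running it shows the known build hitting the signature, the variant missing the signature but scoring full marks on indicators with a similarity above 0.9, and the benign file scoring zero with negligible similarity. The same layering is what lets a detection engineer set a fuzzy-hash or behaviour rule before a per-variant signature exists.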
Cluley says that with a new variant of an existing Trojan, there are “enough boxes checked” that it will usually be spotted, and a specific defence against it within half an hour of the malware's arrival in the research labs.
Joffe says even AV programs with heuristic capabilities have limitations. “They can be gamed, they still miss things.” He likens AV vendors' struggles with Trojan developers to a game of 'whack-a-mole'.
SentryBay COO Marcus Whittington agrees that even up-to-date AV software can miss all the variants of Zeus. “This type of polymorphic Trojan continually evades signatures, but also changes its method of behaviour to outsmart heuristic-based solutions. AV and internet security suites are continuously chasing their tail – they cannot keep up.” He says SentryBay research shows that up-to-date AV software can only detect 69 per cent of confirmed versions of Zeus, but believes that if you take the latest variants into account, “it is less than 50 per cent”.
Figures about malware infections seem to back this up. Despite the widespread use of AV software, the past year has seen a huge increase in the number of PCs infected with Trojans. Uri Rivner, head of new technologies at RSA, estimates that the total number infected is equal to all previous years' infections combined. The rise has come from 'drive-by downloads': criminal gangs have sought out popular websites with security vulnerabilities on the hosting servers, including the innocuous paulmccartney.com, and installed 'bugs' into web pages. These are typically one-pixel wide
