Befitting its name, Zeus – King of Gods – is the most powerful Trojan kit on earth.
Some Trojans you cannot buy. Take Sinowal, for instance: it’s a commercial-grade infrastructure featuring a state-of-the-art Trojan, operated by an organized crime group that reinvests in the business. You won’t find Sinowal as a kit for sale.
But when it comes to Trojan kits you can buy and distribute to unsuspecting victims, Zeus is today’s best seller. It costs a minimum of $1000 (a more expensive ‘professional’ version exists; it packs additional features and has a large library of target templates), but it is worth every penny – if you’re an aspiring fraudster, that is.
The popularity of Zeus stems from its superb usability – unlike many other Trojans it is very easy to control and configure – and its rich set of functionality.
But one thing still remains largely unsolved.
Zeus, like many other Trojans, records everything you do on SSL-protected pages and sends it to a ‘drop zone’ site, where a huge amount of data is collected. Zeus does a good job of indexing the data so it’s easier to sell; but what if you’re interested in cashing out the victim’s account almost in real time?
If you are, then this becomes an issue. In the typical fraud ecosystem you have one fraudster stealing data and another fraudster specializing in cash-out. How would they ‘talk’ to each other in real time?
Or, what if it’s a single organized group, but people who specialize in cash-out need a steady feed of fresh credentials from the various drop zones?
Fraudsters always prefer the fastest way to hit the bank. That’s why, according to the August Online Fraud Report from the RSA FraudAction lab, several Zeus variants are now connected to an open-source Instant Messaging (IM) software called Jabber.
Jabber is open-source software similar to ICQ or Windows Messenger. The fraudsters like the fact that it’s not controlled by Microsoft or AOL – you can’t trust these guys not to sniff the communication – so instead they download the Jabber server to a host they control, and the problem is solved.
Now they have a way to instantly send any fresh credentials stolen by Zeus to another fraudster waiting on the other side of the globe to receive them and engage in the cash-out activity, almost in real time.
The report discusses the exact flow of the Jabber use. It should be noted that real-time integration between harvesters and cash-out fraudsters was considered a major operational barrier to real-time fraud until recently, but this new Zeus functionality allows two groups – one engaged in spreading the Zeus Trojan and stealing credentials, and one interested in receiving the credentials ASAP and cashing out the account – to communicate effectively and complete the fraud lifecycle in less than a minute.
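From the defender’s side, the Jabber channel described above shows up in network logs as a workstation talking XMPP to a server nobody in the organization sanctioned. The script below is an added example, not code from this post or from RSA’s report: it runs over constructed firewall log lines in an assumed format and flags such flows; the port list, the approved-server allowlist and every host name and address in it are assumptions.

```python
# Added example, not code from the post or from RSA. Assumed firewall log format:
# "<ts> <src_ip> <dst_host> <dst_port> <proto> <bytes_out>"; all values are constructed.
import ipaddress
from collections import defaultdict

XMPP_PORTS = {5222, 5223, 5269}              # XMPP client, legacy TLS, server-to-server
APPROVED_XMPP_HOSTS = {"chat.corp.example"}  # assumed sanctioned Jabber server

SAMPLE_LOG = """\
2009-09-01T10:00:01 10.0.0.5 chat.corp.example 5222 tcp 1200
2009-09-01T10:00:07 10.0.0.5 bank.example 443 tcp 3100
2009-09-01T10:00:09 10.0.0.5 198.51.100.23 5222 tcp 640
2009-09-01T10:00:10 10.0.0.5 198.51.100.23 5222 tcp 880
2009-09-01T10:03:15 10.0.0.9 jabber.example.net 5223 tcp 5200
"""

def parse_line(line):
    """Split one assumed-format log line into a record dict."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}

def is_bare_ip(host):
    """Raw-IP destinations hint at a self-hosted server rather than a public service."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_unapproved_xmpp(log_text, approved=APPROVED_XMPP_HOSTS):
    """Aggregate TCP flows on XMPP ports whose destination is not approved."""
    hits = defaultdict(lambda: {"sessions": 0, "bytes": 0, "bare_ip": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["port"] not in XMPP_PORTS:
            continue
        if rec["dst"] in approved:
            continue                      # sanctioned chat server, not of interest
        entry = hits[(rec["src"], rec["dst"])]
        entry["sessions"] += 1
        entry["bytes"] += rec["bytes"]
        entry["bare_ip"] = is_bare_ip(rec["dst"])
    return dict(hits)

def ranked_alerts(hits):
    """Bare-IP destinations first, then by bytes out: likeliest self-hosted relay on top."""
    return sorted(hits.items(), key=lambda kv: (not kv[1]["bare_ip"], -kv[1]["bytes"]))
```

On the sample lines the workstation 10.0.0.5 is reported for its two sessions to the raw-IP server 198.51.100.23 while its session to the approved chat server is ignored.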
What does this mean? It means we’ll see the time between credential harvesting and cash-out get shorter and shorter. I’d project that by mid-2012, over half of cash-outs in the US and Western Europe will happen within an hour of the credential theft by a Trojan.