“Zberb” -- Banking Trojan du Jour – Here We Go Again


This week we were greeted with news of a new banking trojan malware variant named Zberb. This trojan was described breathlessly by the security community as an “evil monster” and a “hybrid beast” in one hyperbole-laced article. Why is Zberb so terrifying, and why should we take all of our money out of the bank, convert it to bullion and bury it in the yard? Well, from a technical perspective, Zberb was designed and built by combining features already in the wild from two major banking trojan families, Zeus/Zbot and Carberb.

Both of these trojans have been in the wild for a long time and have been consistently improved with new attack vectors, new detection mitigations and new communications mechanisms.

The market thrives on all the media coverage that trojans like this generate. But frankly, there have been 100 articles written about trojans over the last 10 years - insert a new name here, insert an industry specialist’s quote there, add some new cool-sounding features like “steganography” and “invisible persistence”, and boom. New trojan, new story. Fear generated. Next.

As someone who has worked to help solve infosec problems and anti-fraud problems, the dichotomy here is quite interesting. Malware/hacker “porn” like this makes for interesting industry news, but what does it mean to an anti-fraud program manager—the guy or gal who holds the bag if money walks out of the door?

Let’s examine what Zberb is and what it means in the anti-fraud context:

  1. Does the seemingly apocalyptic merger of two evil forces in the malware universe happen but once a century to produce a hellspawn that will invalidate everything that I know and hold dear?

No, it pretty much happens all the time.

http://www.eweek.com/c/a/Security/Zeus-Trojan-Merger-with-SpyEye-Other-Banking-Malware-Worry-Researchers-648865/

http://en.kioskea.net/contents/759-the-klez-virus

http://en.wikipedia.org/wiki/Michelangelo_(computer_virus) <-- Remember this one?


  2. OMG, malware authors are using steganography now, what will they think of next?

OK, I have to admit, this is pretty cool. Stego works, it’s cool, but it’s not used that much because you really don’t need it. This is really just showing off.

  3. Is Zberb going to cause the Earth to stop spinning and unleash a global cataclysm?

No. Malware should be seen as a family of organisms that are constantly evolving, governed by artificial selection instead of natural selection. Once a feature is built, tested and proven—assume that it will be everywhere soon, selected by authors based upon its probability of success. Assumptions like this one are critical to fraud risk managers. They are bread and butter. The best way to guarantee that Zberb or its progeny will pick your pocket is to rely completely on anti-malware technology as the linchpin of your anti-fraud program.

Anti-fraud is a battle of inches, and it's an exercise in constant self-examination and criticism. The right question to ask is—“As an article of faith, I expect malware to evolve and adapt indefinitely—with this in mind, how do I maintain a high level of confidence in the controls I have in place and the controls I plan for the future?”

A well-designed anti-fraud program, one that models multi-channel risk and the current and future effectiveness of overlapping controls, is the best approach to making sure that Zeus, SpyEye, Carberb and Zberb are nothing more than a “berb” and are seen as one constant, yet controllable, risk.
