Tuesday, August 17, 2010
ANATOMY OF A TROJAN
DISTRIBUTION AND PREVENTION
Are you 55+ and enjoying the golden years? If so, you are eligible
to take advantage of GCF’s Golden VIP checking account. No monthly
service charge, free basic checks for the first year, free Online
Banking including WebPay, free money orders, free Traveler’s Checks,
free SafeLink, 10 percent discount on a GCF safe deposit box and
more! Click for more details on GCF’s Golden VIP Club!
PROGRAM CLOSED AS OF OCTOBER 1, 2011
Our Current Rates:
For a listing of our current deposit and loan rates, visit
ANATOMY OF A TROJAN
It's been quite a few years since I've written a GCFlash piece on a
specific threat. Hundreds of new ones were reported daily, all with
similar characteristics and methods of prevention. Early threats were
merely pranks pulled by smart kids. They became routine. Little harm
was done beyond having to clean up and rebuild your hard drive,
which we thought was troublesome at the time.
Until now. The ZeuS Trojan is so sophisticated and so elusive that
even Internet security experts are scrambling to stop it.
Crimeware is a sophisticated tool used by global organized crime
rings. It robs you of your identity. It doesn't stop at applying for
credit in your name; it steals your life savings and displays a fake
statement so you don't realize your account has been emptied.
The ZeuS Trojan has several aliases. It's also known as Zbot, PRG,
Wsnpoem, Gorhax and Kneber. It's spread through a variety of methods
that we'll explore in the following article. But no matter the
distribution channel, the purpose is the same. It targets banking
information by keystroke logging.
ZeuS was first discovered in July 2007 when it was used to steal
information from the U.S. Department of Transportation. It became
more widespread in June 2009 when it was discovered to have
compromised over 74,000 FTP accounts on websites of major companies.
Bank of America, NASA, Monster, Oracle, Cisco, Amazon and Business
Week were just a few of those affected. A survey released in April
2010 reported that 88 percent of Fortune 500 companies were infected
by ZeuS to some extent. Even if that number is somewhat inflated, it
still spells trouble.
Machines controlled by the ZeuS Trojan have been detected in 196
countries, with the highest incidence reported in Great Britain, the
United States, Mexico, Saudi Arabia and Turkey. An estimated 3.6
million PCs are said to be infected in the U.S. alone.
Criminals don't have to look far to gain access to the Trojan. A
toolkit is readily available online in underground forums for prices
ranging from $700 up to $4,000. A builder kit allows the crook to
customize to their own purpose, and generates a bot executable along
with Web server files to act as the command and control server.
The current version even uses copy protection mechanisms similar to
those Windows operating systems use to prevent the use of unlicensed,
pirated copies. The malware creates a type of fingerprint of the
hardware configuration when it's first started. The vendor then
provides a personal license key for that unique configuration.
Once a system becomes infected, the Trojan remains dormant until the
user visits one of a targeted list of banks or financial institutions.
It waits until the victim tries to establish an online banking session
and uses various ploys to steal login credentials.
It checks to see if the account holds enough cash, then transfers
money to a "mule" account. These are legitimate bank accounts held by
real customers. They could be cohorts of the villain who agree to
receive the funds and then pass on to someone else after taking a
Or they could be innocent victims themselves, believing they found a
work-at-home opportunity. They could have responded to pleas from
someone in Nigeria who needed access to U.S. funds, or acted on a
response to a classified sale ad they placed. In all cases, the
victim was sent funds in excess of the legitimate value and told to
refund the difference. They unknowingly became mules, laundering
By the time the scam is discovered and investigated, the criminal is
Security software vendor McAfee reports that production of this type
of malware reached a new high in the first six months of 2010, with 10
million new pieces of malicious code being catalogued in that time.
This new breed of attacks was designed to circumvent the multi-factor
authentication banks now use to verify customer credentials.
It intercepts the browser's request for a web page, hijacks the
intended destination and modifies the page so that the malicious
content is hidden transparently in the background. The page the user
is seeing is not what the actual server sent.
The server may not be seeing what the user sent either. The malware
can modify the transaction details, actually sending the funds
intended to pay your bills to a mule account instead of your
creditor. It then inserts its own HTML code into your transaction
confirmation to display your intended recipient rather than the true
destination. You believe your payment or transfer has been completed
properly, while the bank believes it has honored your legitimate request.
Are you frightened yet? If not, you should be. The ZeuS Trojan is
merely one example of this new breed of crimeware. Others in the same
category are URL Zone, Bzub and Torpig, all distributed through
readily available online toolkits.
While no incidents have yet been reported, it's only a matter of
time before SpyEye dethrones ZeuS as King of Crimeware.
To learn how ZeuS is distributed and how to avoid becoming a victim,
DISTRIBUTION AND PREVENTION
Trojans differ from viruses in that they are not self-replicating.
They will not scour your address book and send themselves to all of
your contacts. They are spread manually, hiding inside websites,
emails, images or downloads under the pretense of offering a benefit to
the intended victim.
Since ZeuS is sold as a customizable toolkit, each criminal using it
will deliver the crimeware in their own fashion.
You might think twice about looking for free software. While the
majority of freeware is legitimate, do some research before
downloading a new utility. You'll often find malware downloaded along
with your freebie. This holds true with screensavers as well.
ZeuS has targeted social networks as well as the banking industry.
It has stolen login credentials on Facebook, Yahoo, Hi5, and other
sites where personal information is easily accessible. See our May 18, 2010
issue of GCFlash for examples of how this Trojan infiltrates
In 2009, ZeuS was spread through phishing emails appearing to come
from Verizon Wireless. It's believed nine million of these emails
were sent. It also sent out over 1.5 million phishing messages on
Adobe .pdf files are being increasingly used to deliver malware.
Growth in this type of delivery has been staggering. It accounted for
11 percent of known attacks in 2008. By 2009, that number had reached
The .pdf attacks do not exploit a software vulnerability. Rather,
they are based on Adobe's design function. The victim is prompted to
download and open a document named Royal_mail_delivery_notice-dot-
pdf. The malware is hidden in this download.
Our July 6, 2010 edition of GCFlash explained how cyberthieves are
hiding their crimeware inside of display ads on legitimate websites.
This ploy was used to empty the bank accounts of over 3,000 people in
Great Britain. It was detected, coincidentally, on the same date our
article was published, and was still in progress. Read the full
Most recently, ZeuS has been displaying fake enrollment screens for
the "Verified By VISA" or "MasterCard SecureCode Security" programs
on machines it infects. Once the victim logs into their bank, they're
presented with a notice that new regulations require them to enroll
in Verified By Visa or SecureCode. The Trojan then goes on to capture
the personal information they enter on the fake enrollment screen.
The ZeuS Trojan targets machines using Windows XP with Service Pack
2 (SP2) or earlier versions of the operating system. Those who enable
automatic updates are protected.
The same holds true with whichever browser you use and other
software, especially your anti-virus and Adobe products. They are
only targets because of their popularity, not because they are
particularly vulnerable to threats.
Configure your firewall to its highest level. For more on firewalls,
read an archived version of our May 5, 2010 edition from the Security Articles page.
Don't open junk emails, not even out of curiosity. And if a message
from someone you know seems strange to you, delete it immediately.
They may have become a victim.
The major anti-virus vendors all protect against the ZeuS Trojan.
But you must keep your DAT (virus definition) files updated for the
best protection.
These, too, should be set to automatically update when new releases
If you think your computer may be infected with the ZeuS Trojan,
contact your financial institution immediately to prevent
Clean your computer thoroughly using your virus scan program. But
before you do, disable your System Restore. The malicious file may be
stored there as a backup file.
You've heard all of this advice before. But if this threat doesn't
scare you into taking it seriously, nothing will.
Prevention is in your hands with the tools readily available through
security programs you should already have installed on your system.
The good guys are still one step ahead of the villains. For now.
Let's hope it stays that way.
Small Business will lead the recovery according to President Obama.
A bill pending in Congress would create a $30 billion small-business
lending fund, add tax breaks and expand loan guarantees from the
Small Business Administration.
With unemployment stuck at 9.5 percent and job growth shaky,
supporting "small business" has become the focus for both parties.
Republicans continue to list the hardships added taxes will have on
small business in areas such as expanding health care, tightening
financial regulations or raising taxes on the rich.
According to the Bureau of Labor Statistics, larger companies
provide the most jobs. About 43 percent of jobs are at
corporations with more than 500 workers, with another 24 percent at
firms with 20 to 500 workers. Small businesses, or companies with
fewer than 250 workers, provide almost half of all private-sector
jobs. About 38 percent of all workers are in companies with fewer
than 100 employees.
In a July survey by the National Small Business Association, 41
percent of companies said they couldn't raise as much money as they
needed, the highest in 17 years. So, if the aid flows through to
small businesses, this could well be a strong stimulus to the economy
and a resulting boost to employment!
Today’s Market Rates
Tuesday, August 17, 2010
Dow Jones Industrial Average
(Down 22.20 or 0.21% since 12/31/09)
(Down 22.56 or 2.02% since 12/31/09)
(Down 59.71 or 2.63% since 12/31/09)
10 Year Treasury Bond Yield
On The World Wide Web
The CERT® Coordination Center (CERT/CC) is a center of Internet
security expertise. This renowned federally funded research and
development center is operated by Carnegie Mellon University. It
offers a complete list of antivirus software vendors on its Web site.
Before investing, check out the validity of that offer. Quatloos.com
is a public educational website maintained by Financial and Tax Fraud
Education Associates, Inc. Visit their Cyber-Museum of Scams and
Auto racing is a dangerous sport for all participants: the driver,
crew and spectators alike. Tragedy struck this past weekend when
eight spectators were killed during an off-road race in California.
Support the victims' families by donating
here. Even the smallest amounts can
Tip of the Week
Looking for something you once saw on a website without its own
search function? It's easy to conduct a site-specific search on
Google. In the search box, start by typing
"site:www.sitename.com". Enter a space, then enclose your search
criteria in double quotation marks.
Example: In looking for an article on firewall
configuration you read in GCFlash, enter search criteria as
"Control your own destiny or someone else will." - Jack Welch
Today in History
1896 - Prospectors discovered gold in Alaska, sparking the Klondike
Only about 161,000 metric tons of gold have been mined in all of
Have a comment about something you read in GCFlash? Suggestions for
future articles? Drop us an
GCFlash is a weekly e-mail sent only to its listed
customers and associates free of charge. GCFlash informs customers of
special product offerings which may be of interest, current interest
rates on both deposit and loan products, selected financial news and
other financial tidbits. GCFlash is intended to supplement the more
comprehensive information listed on the GCF Web site at
For more comprehensive information, visit our Web site at
http://www.gcfbank.com or call (856) 589-6600 Ext: 337 (Timothy P.
GCF maintains your e-mail address in a confidential and secure
database along with much of your other account information, such as
mailing address and telephone number, etc. Before aggregating our
e-mailing list each week, we filter out any duplicates. In most cases,
this inhibits the unintended e-mailing of multiple copies of GCFlash
to a single e-mail address. However, because these account records
are kept by both individual and account, there is a chance members of
the same household could each receive a copy of GCFlash or any other
transmission at the same e-mail address - resulting in multiple
copies. For example, a husband and wife who both have accounts with
GCF may both receive a copy because the names are different but
listed at the same e-mail address. This is similar to the manner in
which each individual may share a common telephone number. To handle
this situation, GCF recommends you simply delete any extra copies of
GCFlash as this will ensure that ALL individuals receive any future
promotional mailings, which might only be targeted or offered to
specific accountholders meeting certain criteria. GCF has the
capability to suppress customer e-mail addresses so they are omitted
from our transmission list. If you would rather have a specific
household member’s e-mail address suppressed in our electronic
database, simply send us a reply, as stated below, and indicate the
accountholder for which you would like to have e-mail suppressed.
Please keep in mind that this suppression will mean that NO future
e-mails are sent, including special promotional offers. If you have any
questions about this process or need additional information, please
contact us at email@example.com.
If you would like to be removed from this electronic mailing list,
please hit reply and place the word REMOVE in the subject line.
Please note, removing your name from our electronic mailing list
means GCF will send NO FUTURE NEWS or SPECIAL OFFERS.
381 Egg Harbor Road
Sewell, NJ 08080