In the multitude of trojans spreaded in the wild these days, a special category named banking trojans as Zeus, Bzub or Torpig deserves the name of the most dangerous trojans for online banking transactions.
The most known and scaring is Zeus and his features include a Polymorphic Engine which make it able to re-encrypt itself each time he infects a computer, as a consequence the common detection methods based on virus binary signature are not for any help–each time the trojan has another signature. It’s true the Zeus trojan is around from 2005 year, but now he has new and scaring features. Until now, the trojan was able to hook only on Internet Explorer browser, now it is able to hook as well on Mozilla Firefox processes. It looks for HTTPS traffic that is sent using the POST method, which more than likely will be log-on credentials or transaction information and send the stolen data to a Command and Control server–(owned by the hacker) in real time. That’s very important, because of Safety Pass used by some banks as another layer of security. User name and password are not enough to login to a bank account and the bank send via SMS another code to the user mobile phone with 3 minutes expiry time. Only when the user introduce that code in the login credentials boxes the bank consider the user as legitimate and authenticated. Well, the Zeus trojan with his abilities to modify the HTTP traffic or generate a fake one visible only in the user browser can trick the user adding extrafields in the original HTML file (webinject), requesting the Safety Pass via the web browser and stealing that code from the browser. The real time data stolen come in help for the hacker who has 3 minutes available to log in the compromised account. Also during an online transaction, Zeus can modify the POST data of the browser changing “on the fly” the account where an user transfer money for example or the amount authorised by the user. Even the user can see the transaction as succesful but another bigger amount of money was transfered in another account in fact. This account can be a “money mule” used by hackers to hide their tracks. All these modifications of HTML code are made just before the browser rendering of HTML data for the end user.
Zeus trojan has a such massive power because of the method used to steal the data. It intercepts all the wininet.dll operations. Wininet.dll is a Windows component used for many internet functions so intercepting its WinAPI give to the trojan a big advantage in its operations.
The Zeus trojan can take screenshots of the infected computers, can upload or download files and execute different executable files or malware uploaded by itself, it has a full computer “administration” power.
For preventing computer infection with Zeus trojan the best is to use a separate computer only for online transactions, with all the operating system, antivirus and browser patches up-to-date. If you can not afford a separate computer, the common sense rules as not opening suspicious e-mail attachments, not visiting porn sites or download warez come in our help.
Now think the URLZone trojan is more advanced like Zeus.