Zeus Botnet still going strong... targeting NACHA members

Filed Under: Botnet, Data loss, Malware, SophosLabs, Spam

JavaScript code related to Zbot attack

Chances are, you or someone you know has received an email purporting to be from NACHA saying your ACH membership has expired. Unless you work in the financial payments industry, however, you might not know what NACHA is.

NACHA is a "not-for-profit association, led by ... financial institutions and payments associations, that is responsible for the administration, development, and governance of the ACH Network."

In other words, NACHA oversees and governs the ACH Network, the US electronic payments system. That covers online bill payments and direct deposits, but also converted cheques, money transfers and international ACH transactions.

It encompasses banks, healthcare providers, online boutiques, and the local corner store. We're talking large sums of money and large volumes of transactions.

So why is everyone under the sun receiving these messages? Because "everyone" includes ACH Network subscribers: spray the message widely enough and the real targets are somewhere in the list. As mentioned in a recent Sophos Threat Spotlight, these emails are being used to socially engineer recipients into installing a Zeus botnet node on their computer.

NACHA malicious spam

This is significant because the Zeus botnet (or Zbot) software can do much more than perform DDoS attacks and send out emails saying your ACH membership has expired. It also silently collects financial information residing on, or passing through, your computer, including the credentials and account details used in ACH transactions.

Zbot has been so successful at this that it continues to use almost exactly the same distribution and information-collection methods it used back in 2009. That is due in part to the continuing weaknesses in the internet and business infrastructure it targets: as long as the spam gets delivered and users run what they are sent, nothing forces the malware to change.

Verizon's Data Breach Investigations Report compiles a list of the top fifteen Threat Action Types seen in data breaches over the past year. Zbot makes use of the following Threat Action Types from that top 15:

Page 26, Table 8: Top 15 Threat Action Types by number of breaches and number of records:

Verizon Threat Action Types

The botnet fails to take advantage of only three of the top fifteen, all of which involve manual (personally attended) attack mechanisms. Most of the rest are bundled into the malware's functionality by default, and the remainder can be carried out through remote control of the infected system.

So from this you can probably see that anyone involved in electronic funds transfer activities should be running up-to-date anti-virus and anti-spam software, with web protection and a solid firewall policy.

They should also have a defined data retention and encryption policy and some form of DLP (Data Loss Prevention) technology. Agreed? It's your money they're leaking, after all.

If you are not a member of NACHA, Zbot is equally happy to send you malicious eCards and online banking notifications, and will be quite pleased to add your computer to the botnet and gather your personal banking information.

This might sound like a classic case of Fear, Uncertainty and Doubt (FUD) about not using security products, but it isn't. It's about education and awareness.

Your money _is_ being stolen as you read this. If it's not coming directly out of your bank account, it is being taken from you in the form of increased product pricing when the merchants have to absorb the thefts. Botnets like Zeus impact everyone.

If you can't afford a dedicated information security team, then assemble what you can, with the resources you have.

ISSA logo

For those with no resources readily available, there are user groups you can join in your community that have members who would be happy to help you set up a secure computing system for free or for a low fee.

In the end, it all boils down to us, the people. Don't click on links you aren't expecting. Don't run software you don't trust, even if it promises you the stars, or threatens you with doom if you don't.

Don't store personal information you don't need to store (on your PC, or on Facebook). If you're feeling suspicious that something might be awry, calling someone on the telephone and feeling a bit silly about it is much better than keeping silent.


5 Responses to Zeus Botnet still going strong... targeting NACHA members

  1. Alan · 1619 days ago

    The Naked Security blog publishes a lot of interesting and useful information but occasionally the posts favor flogging your products over actual security. If you are doing ACH and wire transactions from a computer the security solution isn't Antivirus, DLP, encryption or anything else. It's a stand alone computer with a completely clean OS install or a Linux LiveCD that connects to nothing but the bank. No e-mail, no web browsing, no network connections except to/from the bank, no removable media support. And put it in a locked room. The solution is a dedicated and isolated machine.

    • Thank you for your comment, Alan. I completely agree with the ideal setup for ACH processing. The article, however, is about people more than systems.

      As I state, "This might sound like a classic case of Fear, Uncertainty and Doubt (FUD) about not using security products, but it isn't. It's about education and awareness."

      People who operate isolated systems still need to access the system and pull data from it, or access their account some other way. People still need to set up and manage those accounts, deal with processing issues, etc. None of this gets done on an ACH processing terminal; it gets done on their personal computer.

      This post isn't about flogging products; it's about convincing people to actually protect their data, not just the ACH processing details but the stuff they leave on their PC, or even take home with them. ALL financial data handling should at least follow PCI standards in my opinion; that includes information about accessing the sensitive data, not just the sensitive data itself.

      In the real world, the sad fact is that most information security policies are an afterthought; a reaction to past events or to local laws mandating action. This article is intended to point out to people that even if they aren't the explicit target of a malicious phishing expedition, they're still affected, and need to take reasonable precautions with all of their data.

  2. Alan · 1619 days ago

    "So from this, you can probably see that if someone is involved in electronic funds transfer activities, they should be running the latest anti-virus and anti-spam software, have web protection and a solid firewall policy. "

    Anti-virus and all this other stuff has a poor track record of detecting and stopping Zeus, not to mention malicious PDFs and other files used to propagate Zeus infections. None of this stuff is an adequate defense.

    As for "Don't click on links you aren't expecting." Good advice but this isn't an adequate defense either. A user will click the link or open the attachment because it will be hard to distinguish the e-mail from normal business e-mail from a trusted source when it's a well-researched targeted attack.

  3. Peter Billard · 1606 days ago

    Please tell us the effect, if any, clicking on the fake '.pdf.exe' has for a Macintosh user. If there is a bad side for Mac users, what action do you recommend? Can it cause damage or compromise private information? Is it harmless to the Mac host? Can a Macintosh user inadvertently act as a conduit to PC users?
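The '.pdf.exe' trick Peter asks about is the classic way these campaigns get a Windows user to run a program they believe is a document: Windows hides the final extension of known file types, so 'report.pdf.exe' shows up as 'report.pdf'. The following is an added example, not code from the original post or from SophosLabs, showing two cheap checks a mail gateway or a cautious user can apply to an attachment before opening it: flag a document extension sitting in front of an executable one (including the variant padded with spaces so the real extension scrolls out of view), and compare the claimed extension with the file's leading bytes. The filenames and byte strings are constructed for illustration.

```python
"""Heuristics for spotting an executable disguised as a document attachment.

Added example; the extension lists, sample names and sample bytes below are
assumptions for illustration, not data from the post.
"""
import os

# Extensions Windows runs as a program when the file is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".msi"}

# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".html", ".htm", ".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of common container formats ("magic numbers").
MAGIC = {
    b"MZ": "windows_executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/jar
}


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types' on.

    Only the final extension is stripped, so 'report.pdf.exe' is shown as
    'report.pdf'; any padding spaces before the real extension stay visible.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS or ext.lower() in DOCUMENT_EXTS:
        return stem
    return filename


def sniff_type(data):
    """Guess the container format from the first bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return the reasons an attachment looks like a disguised program.

    An empty list means neither heuristic fired; it is not proof of safety.
    """
    reasons = []
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)

    # Check 1: executable extension, possibly hidden behind a document one.
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % ext)
        # rstrip() catches 'report.pdf<many spaces>.exe' padding tricks.
        inner_ext = os.path.splitext(stem.rstrip())[1]
        if inner_ext in DOCUMENT_EXTS:
            reasons.append("document extension %s hidden before %s"
                           % (inner_ext, ext))

    # Check 2: the bytes say "program" while the name says "document".
    if sniff_type(data) == "windows_executable" and ext not in EXECUTABLE_EXTS:
        reasons.append("content is a Windows executable despite extension %r"
                       % ext)
    return reasons


if __name__ == "__main__":
    # Constructed samples: a disguised EXE as sent in these campaigns, a
    # genuine PDF, and an EXE renamed outright to .pdf.
    samples = [
        ("NACHA_transaction_report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("report.pdf", b"%PDF-1.4\n"),
        ("report.pdf", b"MZ\x90\x00"),
    ]
    for fname, blob in samples:
        print("%-36s shown as %-24r -> %s"
              % (fname, displayed_name(fname), assess_attachment(fname, blob)))
```

A gateway would normally run these checks after unpacking any archive attachment, since the same campaigns also ship the executable inside a zip; the magic-byte check is what catches the renamed-only variant that the extension check alone misses.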

  4. We've gotten these emails here twice already in the past month. They don't quit.


About the author

Andrew Ludgate is a Threat Researcher for SophosLabs Canada. His research areas include Mac, Spam and Data Leakage related threats.