Security experts expect a spike in malware that steals banking credentials to emerge thanks to a leaked copy of a toolkit used to build such malware.
Criminals on the prowl for online banking credentials have a new treat available that could create problems for the banking sector and its customers.
According to researchers at independent security outfit MalwareMustDie, in late June a free copy of the toolkit to build KINS 2.0 — a version of the well known Zeus banking malware — was leaked online, giving criminals all they need to create new banking malware and a network used to control infected machines.
The Zeus banking trojan and variants of it, including ZeusVM, have a long history of targeting online banking accounts, typically by modifying banking websites when an infected machine visits the site.
A researcher with MalwareMustDie told CSO Australia that anyone who has access to the toolkit, including non-technical people, will be able to make new variants of ZeusVM and use it to target online banking credentials.
“They can use it to steal other people's credit card, login information and credentials and send the information to the botnet panel, which was also in the leaked package,” a MalwareMustDie spokesperson said.
The botnet panel for KINS shows the number of infected machines and their location by country.
The spokesperson added that the particular version also produces malware with a configuration file that is an image file. The image file helps the malware evade detection by antivirus software — a technique known as steganography that is popular among banking malware, .
MalwareMustDie stressed in a blogpost that the source code for KINS 2.0 itself was not released but the software that would allow others to build that version.
It’s not clear who leaked the software but the researchers noted that it came alongside the release of KINS 3.0, which is now available on an underground forum for $5,000.
So far the leaked software has had a limited impact. According to MalwareMustDie, there are currently 10 botanist using the KINS setup and six of those are live. Still, that’s six malicious sites that weren’t published last week and it suggests that criminals are looking to exploit KINS 2.0.
MalwareMustDie said it was attempting to takedown pages that lead to the leaked source code. It is also making an archive of the files available to security researchers, antivirus firms and CERTs.
This article is brought to you by Enex TestLab, content directors for CSO Australia.