[Infowarrior] - Bank Botnet Serves Fake Info to Thwart Researchers
Richard Forno
rforno at infowarrior.org
Tue Oct 6 12:10:23 UTC 2009
Threat Level Privacy, Crime and Security Online
Bank Botnet Serves Fake Info to Thwart Researchers
By Kim Zetter, October 6, 2009, 12:49 am
http://www.wired.com/threatlevel/2009/10/urlzone-trojan/
Researchers tracking a gang of online bank thieves found that the
criminals have deployed a devious means to thwart law enforcement and
anyone else trying to monitor their activities.
The gang behind the URLZone trojan, which siphons money from online
bank accounts and then alters a victim’s online bank statement to hide
the fraud, has also devised a method to hide the accounts of the mules
it uses to launder the siphoned funds.
Researchers at RSA’s FraudAction Research Labs say the gang was aware
that their malware was being tracked by investigators, so they
programmed their command and control server to generate non-mule
accounts to make it more difficult for law enforcement and fraud
investigators to halt laundering through the real accounts.
URLZone is a Trojan that has been targeting customers of several
top German banks. The victims’ computers are infected with the Trojan
after visiting compromised legitimate web sites or rogue sites set up
by the hackers.
Once a victim is infected, the malware detects when a user is logged
into a bank account, then contacts a control center hosted on a
machine in Ukraine to initiate a money transfer from the victim’s
account, without the victim’s knowledge. The control center tells the
Trojan how much money to wire transfer from the victim’s online bank
account and which mule account should receive the transfer.
The money gets transferred to the legitimate bank accounts of
unsuspecting money mules who’ve been recruited online for work-at-home
gigs, never suspecting that the money they’re allowing to flow through
their account is being laundered. The mules then transfer the money to
the thieves’ chosen account.
Researchers, hoping to extract a list of mule accounts from the
command and control center, infected honeypot computers with the
URLZone Trojan. But when the computers contacted the command and
control center to collect a mule account, the command center fed them
“fake” accounts.
The fraudsters developed a series of tests to check infected computers
to determine if they’re “legitimate” URLZone-infected machines. For
example, every infected computer is assigned a unique identification
code by the Trojan. If the ID is not a valid Trojan ID known by the
server, the fake computer gets fed one of 400 non-mule accounts. The
non-mule accounts are legitimate bank accounts, just not ones the
criminals are using to launder money.
“Interestingly, when generating a non-mule account in order to dupe
anti-fraud security researchers,” RSA researchers write on their blog,
“the Trojan does not display random names and account numbers.
Instead, it displays real bank account details that were previously
entered by URLZone victims as the payees of legitimate transactions.”
The RSA researchers call this the “most unique attribute” of the
botnet, which “speaks to its operators’ caution against having their
criminal pipelines compromised.”