    TrendLabs Security Intelligence Blog

    Archive for August 20th, 2013

    Malware targeting online banking sites naturally causes alarm among users, as it is designed to steal not only information but also money from them. It is therefore no surprise that the surfacing of KINS, peddled as a “professional-grade banking Trojan” in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT had been in previous years.

    During our investigation, we acquired several KINS variants (detected as TSPY_ZBOT.THY and TSPY_ZBOT.THX) and found that it is not really a “new” Trojan. It uses a different packer and contains sophisticated anti-debugging and anti-analysis routines, but underneath it is still ZeuS: it uses the same folders and file names, injects into the same processes, creates the same registry entries, and so on.

    To thwart analysis and debugging, these KINS variants check whether they are being run inside popular virtualization products (specifically VMware and VirtualBox) or the WINE Windows emulator, and stop running if they are. Similarly, the presence of other security tools such as Sandboxie will also cause the malware to stop running.

    In terms of functionality, KINS is essentially identical to ZeuS/ZBOT; for example, it downloads a configuration file that contains the list of targeted banks, drop zone sites, and webinject files. KINS steals online banking data such as user credentials by injecting code into the user’s browser in real time when the user visits certain URLs. Once done, the malware shows fake but legitimate-looking pop-ups that ask for banking credentials and additional information such as the user’s social security number.
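    The webinject files referred to above are, in the ZeuS family, plain-text blocks of set_url / data_before / data_inject / data_after entries. As an added example (not Trend Micro's code), here is a small parser that pulls the targeted URL masks and injected bodies out of a dumped webinject file, so an analyst can see which sites a recovered configuration targets. The sample is constructed and inert, and it is an assumption that KINS shares the publicly documented ZeuS webinject syntax.

```python
import re

# Constructed sample in the publicly documented ZeuS webinject syntax (an assumption
# that KINS, being ZeuS underneath, uses the same); injected content is inert.
SAMPLE_WEBINJECT = """\
set_url https://bank.example/login* GP
data_before
<form name="login"*</form>
data_end
data_inject
<div id="constructed">placeholder</div>
data_end
data_after
data_end
set_url https://*.other-bank.example/* L
data_before
data_end
data_inject
data_end
data_after
data_end
"""

def parse_webinjects(text):
    """One dict per set_url block: URL mask, flags and the three data_* bodies."""
    entries, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section:                        # inside a data_* body until data_end
            if line == "data_end":
                current[section] = "\n".join(buf)
                section, buf = None, []
            else:
                buf.append(raw)
        elif not line or line.startswith(";"):
            continue                       # blank line or ';' comment (assumed)
        elif line.startswith("set_url"):
            parts = line.split(None, 2)    # set_url <mask> [flags]
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after") and current:
            section = line
    return entries

def targeted_hosts(entries):
    """Host part of each URL mask (wildcards kept), e.g. for customer alerting."""
    return sorted({m.group(1).lower() for e in entries
                   if (m := re.match(r"^[a-z]+://([^/]+)", e["url"], re.I))})
```

    An entry whose data_inject body is empty (such as the second one, flagged L) captures or logs traffic without altering the page, which is worth distinguishing when triaging a configuration.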

    As we are on the latter half of 2013, our prediction of old but reliable threats resurfacing remains true in this year’s threat landscape. In our 2Q Security Roundup, we noted the boost in online banking malware last quarter, in particular of ZeuS/ZBOT variants after being under the radar the past year.

    With KINS, we can see the ongoing efforts of cybercriminals to refine dated threats with methods to avoid antimalware detection. We can also expect that KINS won’t be the last of its kind. With well-known Trojan toolkits like SpyEye and Ice IX now available for free and the “leaked” source code of CARBERP easily accessible, it will be easier for the bad guys to create and distribute their own versions of this malware.

    Trend Micro detects and deletes the related malware, while Deep Security offers the latest protection against exploits that may lead to KINS infection.



    © Copyright 2013 Trend Micro Inc. All rights reserved.