Malware targeting online banking sites naturally causes alarm among users, as it is designed to steal not only information but also money from them. Thus it is no surprise that the surfacing of KINS, peddled as a “professional-grade banking Trojan” in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT had been in previous years.

During our investigation, we acquired several KINS variants (detected as TSPY_ZBOT.THY and TSPY_ZBOT.THX) and found that KINS is not really a “new” Trojan. It uses a different packer and contains sophisticated anti-debugging and anti-analysis routines, but underneath it’s still ZeuS: it uses the same folders and file names, injects the same processes, creates the same registry entries, and so on.

To thwart analysis and debugging, these KINS variants check their environment and stop running if they find they are being run inside one of several popular virtual machine servers (specifically, VMware and VirtualBox) or a Windows emulator (WINE). Similarly, security tools like Sandboxie will also cause the malware to stop running.
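For analysts, a run that only probes for these environments and then exits should be treated as inconclusive rather than clean. The triage check below is an added example, not code from the original post or from Trend Micro; the trace format, operation names and sample events are hypothetical, and the markers are well-known artifacts of the named products, not the specific checks KINS performs.

```python
import re

# Well-known artifacts of the environments the post names. Assumption: these
# are generic indicators, not the specific checks KINS performs.
ENV_MARKERS = {
    "VMware": re.compile(r"vmtoolsd\.exe|vmhgfs\.sys", re.I),
    "VirtualBox": re.compile(r"VBoxGuest|VBoxService\.exe|VBOX__", re.I),
    "WINE": re.compile(r"wine_get_version", re.I),
    "Sandboxie": re.compile(r"SbieDll\.dll", re.I),
}
# Operations that show the sample went on to do real work.
PAYLOAD_OPS = {"file_write", "reg_set", "proc_inject", "net_connect"}

def triage(events, max_runtime=10.0):
    """Flag a run that probed for an analysis environment and then quit.

    events: iterable of (seconds_since_start, operation, target) tuples in a
    hypothetical sandbox trace format.
    """
    probed, payload_seen, exit_time = set(), False, None
    for t, op, target in events:
        if op in PAYLOAD_OPS:
            payload_seen = True
        elif op == "proc_exit":
            exit_time = t
        else:  # queries and lookups: compare the target with known markers
            probed.update(e for e, pat in ENV_MARKERS.items() if pat.search(target))
    early_exit = exit_time is not None and exit_time <= max_runtime
    return {"probed": sorted(probed),
            "evasive_exit": bool(probed) and early_exit and not payload_seen}

# Constructed traces, not taken from a real KINS sample.
EVASIVE_RUN = [
    (0.2, "reg_query", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    (0.3, "module_lookup", "SbieDll.dll"),
    (0.3, "export_lookup", "ntdll.dll!wine_get_version"),
    (0.5, "proc_exit", "sample.exe"),
]
PROCEEDS_RUN = [
    (0.2, "file_query", r"C:\Windows\System32\drivers\vmhgfs.sys"),
    (1.4, "file_write", r"C:\Users\test\AppData\Roaming\constructed\a.exe"),
    (2.0, "net_connect", "192.0.2.10:80"),
]

if __name__ == "__main__":
    for name, run in (("evasive", EVASIVE_RUN), ("proceeds", PROCEEDS_RUN)):
        print(name, triage(run))
```

A sample flagged with `evasive_exit` is a candidate for re-analysis on a system without those artifacts before any verdict is recorded.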

In terms of functionality, KINS is essentially identical to ZeuS/ZBOT; for example, it downloads a configuration file that contains the list of targeted banks, drop zone sites, and webinject files. KINS steals online banking data such as user credentials by injecting specific code into the user’s browser in real time when they visit certain URLs. Once done, the malware shows fake but legitimate-looking pop-ups that ask for banking credentials and additional information such as a social security number.

As we are in the latter half of 2013, our prediction of old but reliable threats resurfacing remains true in this year’s threat landscape. In our 2Q Security Roundup, we noted the boost in online banking malware last quarter, in particular of ZeuS/ZBOT variants after being under the radar the past year.

With KINS, we can see the ongoing efforts of cybercriminals to refine dated threats with methods to avoid antimalware detection. We can also expect that KINS won’t be the last of its kind. As well-known Trojan toolkits like SpyEye and Ice IX are now available for free and the “leaked” source code of CARBERP is easily accessible, it will be easier for the bad guys to create and distribute their own versions of this malware.

Trend Micro detects and deletes the related malware, while Deep Security offers the latest protection against exploits that may lead to KINS infection.

© Copyright 2013 Trend Micro Inc. All rights reserved.