Criminals are advertising a new banking Trojan on Russian forums, one going for a hefty price and being marketed as a method of evading detection and analysis.
To date, however, security researchers have yet to obtain a sample of Kronos, which is available on a few forums for pre-order at a cost of $7,000.
Kronos does what most banking Trojans do: steals credentials and uses Web injects made for every major browser to modify legitimate banking websites. Once a user logs in, the web injects look for additional information from the victim, details that are generally not required upon log-in such as ATM PIN numbers or personal information to help with security questions.
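As an added illustration of the web-inject behaviour described above (example code written for this page, not part of the article or of any bank's software), the following is a client-side check a bank's own login page could run: it compares the form controls actually present in the browser against the fields the page shipped with and flags extra prompts of the kind injects add, such as an ATM PIN or security-question answers. The expected-field list and the sample controls are constructed for the example.

```javascript
// Added example (not from the article): a bank page's own client-side
// check for form fields that a web inject may have added after login.
// Injects rewrite the page inside the victim's browser, so the server
// never sees the extra fields; the page itself can at least notice
// that its form no longer matches what it shipped.

// Fields this page legitimately contains, as the bank ships it (constructed).
const EXPECTED_FIELDS = new Set(['username', 'password', 'otp']);

// Terms a legitimate login step never asks for but injects commonly do
// (the article names ATM PINs and security-question details).
const SUSPICIOUS_WORDS = ['pin', 'ssn', 'mother', 'maiden', 'security', 'cvv', 'card'];

// Inspect a list of form controls. Each control needs `name` and `type`
// properties, so in a browser pass
// document.querySelectorAll('input, select, textarea') directly; the
// Node sample below uses plain objects of the same shape.
function findInjectedFields(controls, expected = EXPECTED_FIELDS) {
  const findings = [];
  for (const ctl of controls) {
    const name = (ctl.name || '').toLowerCase();
    const type = (ctl.type || 'text').toLowerCase();
    if (type === 'hidden' || type === 'submit') continue; // not a prompt to the user
    if (expected.has(name)) continue;
    const hit = SUSPICIOUS_WORDS.find((w) => name.includes(w));
    findings.push({ name, reason: hit ? `asks for ${hit}` : 'not in shipped form' });
  }
  return findings;
}

// Constructed sample: the shipped form plus two fields an inject added.
const SAMPLE_CONTROLS = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
  { name: 'otp', type: 'text' },
  { name: 'csrf_token', type: 'hidden' },
  { name: 'atm_pin', type: 'password' },        // injected
  { name: 'mothers_maiden_name', type: 'text' } // injected
];

// Report anything unexpected; a real page would send this to the bank's
// fraud-monitoring endpoint rather than log it.
function checkSample() {
  return findInjectedFields(SAMPLE_CONTROLS);
}
```

Because an inject runs in the same browser, it can also tamper with this script, so treat its reports as one fraud signal to be correlated server-side (for example against unexpected extra form values in the POST), not as a guarantee.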
Going a step beyond, the ad says Kronos comes with a Ring3 rootkit to help defend it against other Trojans. Ring 3 is the least privileged protection ring, the user-mode level at which ordinary applications run, as opposed to Ring 0, where the kernel runs.
“By running as a Ring3 rootkit, other processes, including other Trojans, can’t see the elements this Trojan is using: its directories and files, registry entries, and processes,” said Dana Tamir, director, enterprise security at IBM Trusteer, which disclosed the ad for the Trojan yesterday. “Some financial Trojans look to remove other Trojans that are already running on the infected machine, to allow the new Trojan to steal the information. After all, cyber criminals compete with each other to gain as much information as possible.”
Kronos’ ad also promises features that may be able to bypass some antivirus protection as well as sandbox protections. Communication between the bots and the command and control servers to which stolen information is sent is encrypted.
“The increased focus on developing techniques to evade detection and analysis comes as a response to the efforts the IT security community is putting into stopping these threats. As new security controls and detection technologies are introduced, it is becoming more difficult for cybercriminals to execute their attacks,” Tamir said. “However, the financial reward of successful attacks is still attractive enough that it’s worthwhile for cybercriminals to invest in the development of new evasion techniques.”
The $7,000 price tag covers a lifetime product license fee, and is not outrageously priced compared to similar Trojans. The ad says users will also get free updates and support, but new modules will not be free. The criminals say they accept Bitcoin, PerfectMoney, WMZ and BTC-E.com as payment options.
“The hefty price tag is likely due to the fact that this malware is part of a new and unique malware family which gives an attacker a better opportunity to steal information while evading detection,” Tamir said. “The price is not unusually high if the malware delivers on its promise. The fraudster market price for top tier malware revolves around this price range.”
Carberp, for example, sold for anywhere between $10,000 and $15,000 as long as four years ago. However, some of the capabilities that were new in Carberp and other banking malware at the time are considered standard fare today. That, and the fact that source code for Carberp, Zeus and other banking malware is available online, keeps the price generally in this range, experts said.