Feeds

Raid millions of bank accounts. New easy-to-use tool. Yours for $5,000

F... KINS hell!

Internet Security Threat Report 2014

Cybercrooks have put on sale a new professional-grade Trojan toolkit called KINS that will pose plenty of problems for banks and their customers in the months and years ahead.

KINS promises the ease of use of bank-account-raiding software nasty ZeuS combined with the technical support offered by the team behind Citadel (which withdrew its banking Trojan from sale in December).

KINS - which infects Windows PCs at a very low level and snoops on victims' online banking to drain their accounts - therefore seems to be well poised to exploit a gap in the market created by Citadel's absence, according to Limor Kessem, a security researcher at RSA.

"The moment Citadel was off the market, the deep-web enclaves, where fraudsters congregate, became awash with fraud-as-a-service deals for Trojan binaries and hosting packages," Kessem explains in an engaging blog post.

"During the dry months that had suddenly befallen the lower ranking cyber criminals, a few shady malware developers attempted to make a few bucks by trying to appease them with basic malware and converted HTTP botnets - Trojans that carry out lists of tasks, equipped with a form-grabber - but even the pseudo return of the Carberp Trojan left the underground hungry for more."

"The clear and resounding truth was that botmasters have not had to face such a situation since the Limbo Trojan was released in 2005. The ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, and it seems that professional cybercrime malware developers are just not what they used to be," she adds.

Cybercrooks were even willing to team up to finance a banking Trojan project, Kessem reports. RSA researchers first heard whisperings from the digital underground about a new cybercrime tool called KINS in February; other researchers claim they first saw it in use in 2011.

But today, after months of rumours, a software vendor in a closed Russian-speaking online forum announced the open sale of the KINS Trojan to the cybercrime community. The Trojan is on offer for $5,000 via the WebMoney digital currency. For now, KINS only targets Microsoft-powered machines outside of Russia.

The seller denied all ties to other Trojans but RSA reports the newcomer already shares many of the features of Zeus and SpyEye, the two principle agents of malware-powered bank theft worldwide over recent years.

The KINS architecture is built like both Zeus and SpyEye, with a main blob of code and DLL plugins. Crucially, the Trojan toolkit requires no technical skills to use, a pioneering feature of ZeuS.

The new cybercrime toolkit also comes with an anti-Rapport plugin that featured in SpyEye, designed to foil Trusteer's widely deployed transaction security tool. It's unclear how effective this technology is in practice.

Criminals can manage infected PCs using RDP (the Remote Desktop Protocol), a communications channel previously used by SpyEye.

KINS is specifically designed not to infect systems in Russia and the Ukraine by avoiding computers with Russian language keyboard settings, a feature that was first introduced by Citadel in January 2012.

The feature offers a way for cybercrooks based in Russian to avoid the attentions of local cops.

The unknown KINS developer appears to have learned lessons from his predecessors, according to Kessem. For one thing KINS has been kept well away from Trojan trackers, a problem that plagued SpyEye and ZeuS. Trojan trackers log the command-and-control servers associated with banking Trojan attacks, helping to mitigate the consequences of malware compromises as well as assisting zombie network takedown efforts.

KINS is designed to spread using popular exploit packs such as Neutrino. KINS is capable of easily infecting machines running Windows 8 and other x64 operating systems. It also embeds itself in computer drives' volume boot records so that it's activated almost as soon as the machines are powered on. That makes infections both more stealthy and harder to eradicate because the malicious code is executed before the operating system proper starts up.

"With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality," Kessem concluded. "As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future." ®

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.