Feeds

Raid millions of bank accounts. New easy-to-use tool. Yours for $5,000

F... KINS hell!

High performance access to file storage

Cybercrooks have put on sale a new professional-grade Trojan toolkit called KINS that will pose plenty of problems for banks and their customers in the months and years ahead.

KINS promises the ease of use of bank-account-raiding software nasty ZeuS combined with the technical support offered by the team behind Citadel (which withdrew its banking Trojan from sale in December).

KINS - which infects Windows PCs at a very low level and snoops on victims' online banking to drain their accounts - therefore seems to be well poised to exploit a gap in the market created by Citadel's absence, according to Limor Kessem, a security researcher at RSA.

"The moment Citadel was off the market, the deep-web enclaves, where fraudsters congregate, became awash with fraud-as-a-service deals for Trojan binaries and hosting packages," Kessem explains in an engaging blog post.

"During the dry months that had suddenly befallen the lower ranking cyber criminals, a few shady malware developers attempted to make a few bucks by trying to appease them with basic malware and converted HTTP botnets - Trojans that carry out lists of tasks, equipped with a form-grabber - but even the pseudo return of the Carberp Trojan left the underground hungry for more."

"The clear and resounding truth was that botmasters have not had to face such a situation since the Limbo Trojan was released in 2005. The ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, and it seems that professional cybercrime malware developers are just not what they used to be," she adds.

Cybercrooks were even willing to team up to finance a banking Trojan project, Kessem reports. RSA researchers first heard whisperings from the digital underground about a new cybercrime tool called KINS in February; other researchers claim they first saw it in use in 2011.

But today, after months of rumours, a software vendor in a closed Russian-speaking online forum announced the open sale of the KINS Trojan to the cybercrime community. The Trojan is on offer for $5,000 via the WebMoney digital currency. For now, KINS only targets Microsoft-powered machines outside of Russia.

The seller denied all ties to other Trojans but RSA reports the newcomer already shares many of the features of Zeus and SpyEye, the two principle agents of malware-powered bank theft worldwide over recent years.

The KINS architecture is built like both Zeus and SpyEye, with a main blob of code and DLL plugins. Crucially, the Trojan toolkit requires no technical skills to use, a pioneering feature of ZeuS.

The new cybercrime toolkit also comes with an anti-Rapport plugin that featured in SpyEye, designed to foil Trusteer's widely deployed transaction security tool. It's unclear how effective this technology is in practice.

Criminals can manage infected PCs using RDP (the Remote Desktop Protocol), a communications channel previously used by SpyEye.

KINS is specifically designed not to infect systems in Russia and the Ukraine by avoiding computers with Russian language keyboard settings, a feature that was first introduced by Citadel in January 2012.

The feature offers a way for cybercrooks based in Russian to avoid the attentions of local cops.

The unknown KINS developer appears to have learned lessons from his predecessors, according to Kessem. For one thing KINS has been kept well away from Trojan trackers, a problem that plagued SpyEye and ZeuS. Trojan trackers log the command-and-control servers associated with banking Trojan attacks, helping to mitigate the consequences of malware compromises as well as assisting zombie network takedown efforts.

KINS is designed to spread using popular exploit packs such as Neutrino. KINS is capable of easily infecting machines running Windows 8 and other x64 operating systems. It also embeds itself in computer drives' volume boot records so that it's activated almost as soon as the machines are powered on. That makes infections both more stealthy and harder to eradicate because the malicious code is executed before the operating system proper starts up.

"With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality," Kessem concluded. "As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future." ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.