Feeds

Raid millions of bank accounts. New easy-to-use tool. Yours for $5,000

F... KINS hell!

Providing a secure and efficient Helpdesk

Cybercrooks have put on sale a new professional-grade Trojan toolkit called KINS that will pose plenty of problems for banks and their customers in the months and years ahead.

KINS promises the ease of use of bank-account-raiding software nasty ZeuS combined with the technical support offered by the team behind Citadel (which withdrew its banking Trojan from sale in December).

KINS - which infects Windows PCs at a very low level and snoops on victims' online banking to drain their accounts - therefore seems to be well poised to exploit a gap in the market created by Citadel's absence, according to Limor Kessem, a security researcher at RSA.

"The moment Citadel was off the market, the deep-web enclaves, where fraudsters congregate, became awash with fraud-as-a-service deals for Trojan binaries and hosting packages," Kessem explains in an engaging blog post.

"During the dry months that had suddenly befallen the lower ranking cyber criminals, a few shady malware developers attempted to make a few bucks by trying to appease them with basic malware and converted HTTP botnets - Trojans that carry out lists of tasks, equipped with a form-grabber - but even the pseudo return of the Carberp Trojan left the underground hungry for more."

"The clear and resounding truth was that botmasters have not had to face such a situation since the Limbo Trojan was released in 2005. The ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, and it seems that professional cybercrime malware developers are just not what they used to be," she adds.

Cybercrooks were even willing to team up to finance a banking Trojan project, Kessem reports. RSA researchers first heard whisperings from the digital underground about a new cybercrime tool called KINS in February; other researchers claim they first saw it in use in 2011.

But today, after months of rumours, a software vendor in a closed Russian-speaking online forum announced the open sale of the KINS Trojan to the cybercrime community. The Trojan is on offer for $5,000 via the WebMoney digital currency. For now, KINS only targets Microsoft-powered machines outside of Russia.

The seller denied all ties to other Trojans but RSA reports the newcomer already shares many of the features of Zeus and SpyEye, the two principle agents of malware-powered bank theft worldwide over recent years.

The KINS architecture is built like both Zeus and SpyEye, with a main blob of code and DLL plugins. Crucially, the Trojan toolkit requires no technical skills to use, a pioneering feature of ZeuS.

The new cybercrime toolkit also comes with an anti-Rapport plugin that featured in SpyEye, designed to foil Trusteer's widely deployed transaction security tool. It's unclear how effective this technology is in practice.

Criminals can manage infected PCs using RDP (the Remote Desktop Protocol), a communications channel previously used by SpyEye.

KINS is specifically designed not to infect systems in Russia and the Ukraine by avoiding computers with Russian language keyboard settings, a feature that was first introduced by Citadel in January 2012.

The feature offers a way for cybercrooks based in Russian to avoid the attentions of local cops.

The unknown KINS developer appears to have learned lessons from his predecessors, according to Kessem. For one thing KINS has been kept well away from Trojan trackers, a problem that plagued SpyEye and ZeuS. Trojan trackers log the command-and-control servers associated with banking Trojan attacks, helping to mitigate the consequences of malware compromises as well as assisting zombie network takedown efforts.

KINS is designed to spread using popular exploit packs such as Neutrino. KINS is capable of easily infecting machines running Windows 8 and other x64 operating systems. It also embeds itself in computer drives' volume boot records so that it's activated almost as soon as the machines are powered on. That makes infections both more stealthy and harder to eradicate because the malicious code is executed before the operating system proper starts up.

"With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality," Kessem concluded. "As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.