Online banking danger increases with new Zeus/SpyEye release

After ZeuS and SpyEye were rumored to have merged, many security professionals were concerned that advanced online banking malware would hit the scene sometime soon. According to Yahoo News, it appears that time may be now.

Both ZeuS and SpyEye are malware programs created to evade security software, intercept communications between your PC and bank, and then report the details back to a central command post. Many people have had their bank accounts drained by these tools, and the newly combined software looks to up the ante in the arms race between security software and malware.

While it sounds like the base functionality of the new tool is similar, there are a couple of new features that have been added. First, the tool is now able to bypass the browser add-on Rapport. Secondly, the malware allows the attacker to remotely connect to an infected PC using RDP, although it is unclear if this will work if the port is blocked at the firewall. The tool appears to still be in beta, and fixes are being released on a daily basis.

To make matters worse, detecting the malware with anti-virus software has proven to be extremely difficult for security vendors. Due to this, it's estimated that the botnet contains 3.6 million infected machines in the US alone.

Currently the usage of the new tool appears low, but it is only a matter of time before more criminals purchase the package. While it is not a complete cure for the issue at hand, banks need to start considering more than simple passwords for their users. Technology such as one-time passwords generated on fobs or sent to cell phones via SMS messages could go a long way toward reducing the threat, although responsible browsing is the #1 layer of security.


I would be happy to have a one-time number pad given to me with my bank. The only negative is that it would require me to carry it anywhere that I felt like doing online banking. I'm not always home when I choose to do it.

pickypg said,
I would be happy to have a one-time number pad given to me with my bank. The only negative is that it would require me to carry it anywhere that I felt like doing online banking. I'm not always home when I choose to do it.

This is what customers of Barclays bank already have to do.

pickypg said,
I would be happy to have a one-time number pad given to me with my bank. The only negative is that it would require me to carry it anywhere that I felt like doing online banking. I'm not always home when I choose to do it.

That's what all Finnish banks have required for years now. And you are forced to change the pad every once in a while, usually takes me about 2 months or so. Nice way to make it a lot more secure without being a burden to the customer.

pickypg said,
I would be happy to have a one-time number pad given to me with my bank. The only negative is that it would require me to carry it anywhere that I felt like doing online banking. I'm not always home when I choose to do it.

In Holland you either have a satellite powered random number generator, or an SMS text is sent to your cell phone with the confirmation code... both are secure as hell, even if they got your online banking details, they cannot change passwords, or do any transactions.

Why didn't every bank pick up a system like this? Would block those pesky rats trying to get your banking details.
They either have to steal your bankpass or cell phone to do any online theft.

Shadowzz, it sometimes takes a law to make banks do what they should do. In Turkey, after a lot of fraud cases regarding online banking, the parliament passed a law that mandates use of one-time passwords to access online banking.

By the way, I find the use of keypads or card readers (such as the ones from ABN Amro and Rabobank) very unhandy. You have to carry the card readers with you all the time - which is not practical. Sending the one-time password to a mobile device is the way to go.

AtriusNY said,
Shadowzz, it sometimes takes a law to make banks do what they should do. In Turkey, after a lot of fraud cases regarding online banking, the parliament passed a law that mandates use of one-time passwords to access online banking.

By the way, I find the use of keypads or card readers (such as the ones from ABN Amro and Rabobank) very unhandy. You have to carry the card readers with you all the time - which is not practical. Sending the one-time password to a mobile device is the way to go.

Having to have a lock on your front and back door also is very 'unhandy'. But is the price to pay for security. The one time password system might seem more convenient, although a phone would seem to be more prone to theft than a, by itself useless, keycode generator.

Just a reminder to always be wary, and most importantly, keep an eye on your bank accounts so any potential or attempted fraud can be caught and stopped quickly, because breaches will happen.

The number one excuse for the bank when they decide to not cover you is weak passwords and not changing your password regularly. They deny lots of folks for those reasons. When they require password complexity, the remaining excuse is not changing the password often enough.

alphamale said,
The number one excuse for the bank when they decide to not cover you is weak passwords and not changing your password regularly. They deny lots of folks for those reasons. When they require password complexity, the remaining excuse is not changing the password often enough.
I believe you, but I hope people in the latter situation (at least) sue.

Microsoft released a study somewhat recently that showed forcing users to change their passwords did not make them more secure. My passwords would be even more secure if my banks did not limit my passwords with stupid requirements. For instance, the maximum password at one is 14 characters long, but you cannot use most special characters, nor can you use spaces.

Chrono951 said,
Can't we have anything good without people trying to ruin it?

Oh absolutely not... it's called greed. If the "other side" had nothing to gain we would be fine. But there is often an incentive for them, which sucks.

We use RSA SecurID fobs where I work. It's a number that changes every 30 seconds or so that you have to enter when logging into our corporate network from home. Just another added layer of security.

My bank uses netguard cards. It's a 7x7 alpha/numeric grid with a random alpha/numeric code, and the code asked for each time I log in is different, and the cards are renewed every 6 months.

With Bank of America you can set it up so that it texts you a pin for certain account actions.

Also RSA now offer soft token apps for most smartphones. So no need to carry around a fob.

Grex said,
With Bank of America you can set it up so that it texts you a pin for certain account actions.

Also RSA now offer soft token apps for most smartphones. So no need to carry around a fob.

Really? Is this free? I would love to sign up for this service with Bank of America.

capr said,

Really? Is this free? I would love to sign up for this service with Bank of America.

Yes. It's called safe pass.

Grex said,

Yes. It's called safe pass.


Yep, thank you, already signed up for it and made my dad and everyone in the family sign up also.
