Protect Yourself Against Banking Crimeware

Crimeware Gets Smarter - How To Defeat Zeus, Fragus, and Others

© Joe Poniatowski

Oct 5, 2009
Anti-virus software and two-factor authentication help, but can't guarantee safe on-line banking. A Live CD distribution is practically immune to trojans and viruses.

Malware continues to evolve. Increasingly, it is motivated by greed as opposed to the "good old days" when computer viruses were developed as practical jokes, for fame and glory, or at worst, for anarchistic destruction. To top it off, today's cyber-criminal doesn't even have to be particularly smart or technical.

With the prevalence of crimeware kits and managed crimeware as a service, the crooks have access to a wide range of attacks, from specialized trojans to botnet control frameworks to customizable exploits.

Crimeware Costs to Victims

In one recent example, a construction company in California with an infected PC lost $447,000 in approximately 30 minutes. In a separate incident, a New York based solid waste management company lost $150,000. Computer-based crimes cost businesses worldwide an estimated $26 billion last year.

Antivirus Software Isn't Enough

According to investigations conducted by Trusteer, the majority of PCs infected with the Zeus trojan are running up-to-date antivirus software. Zeus is currently the number one crimeware kit in the world, but it is just one of many. Clearly, anti-malware software alone is insufficient protection against modern criminal attacks.

What About Two-Factor Authentication?

Two-factor authentication is an approach designed to make it impossible for crooks to impersonate legitimate users. It's usually implemented with a small, keychain-sized device which displays a 6-digit code.

Every minute, the code changes to a new, random number. Users logging in to a secure system must not only enter their ID and password, but the current code from the display. That way, even if a hacker gets the password, he still can't log on without the current code.

Why Two-Factor Authentication Isn't Enough

Two-factor authentication can indeed prevent a hacker from impersonating a legitimate user from another computer. Unfortunately, modern banking trojans like the ones offered by the Zeus crimeware kit allow the hacker into the secure system by "piggy-backing" on a connection with a real user.

This was the case with the construction company breach mentioned above. While the user was making legitimate transactions, the hacker, by going through the same connection, was transferring money to co-conspirators.

Surefire Way to Prevent Infection

So if antivirus software and two-factor authentication are not enough to ensure safe on-line transactions, what is? The safest method appears to be to boot with a "Live CD," one created with an operating system, a web browser, and whatever software is needed to conduct on-line business. By using a non-rewritable CD and closing it immediately after creation so that no further writes are possible, it is virtually immune to infection.

That is not to say that this setup is impervious to attack. There are still man-in-the-middle attacks, domain spoofing, DNS cache poisoning, and other vectors outside the user's own environment. To help mitigate these threats, all financial transactions must use an encrypted, authenticated connection, i.e., HTTPS. If the browser warns of a mis-named, expired, or otherwise untrusted certificate, the connection should be aborted.
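As an added example (not code from the original article), the following shows the three certificate checks the paragraph names, mis-named, expired, and untrusted, as a defender would apply them before allowing a banking session to proceed. The certificate dictionary, hostnames and dates are constructed for the example; `open_banking_connection` relies on Python's default SSL context, which rejects untrusted chains, name mismatches and expired certificates on its own.

```python
import socket
import ssl
import time

# Constructed sample certificate, in the dict shape that
# ssl.SSLSocket.getpeercert() returns. Names, issuer and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "online.example-bank.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "online.example-bank.test"),
                       ("DNS", "*.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
}

def _name_matches(pattern, hostname):
    """Hostname match where a single leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname

def cert_problems(cert, hostname, now):
    """Return the reasons a browser would warn about this certificate
    (mis-named, not yet valid, expired); an empty list means no warning."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("mis-named")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

def open_banking_connection(hostname, port=443, timeout=10):
    """Abort (return an error string) unless the server's chain verifies against
    the system trust store and the name and validity period are acceptable."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                # Re-run the explicit checks on the presented leaf certificate.
                problems = cert_problems(tls.getpeercert(), hostname, time.time())
                return "aborted: " + ", ".join(problems) if problems else "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"aborted: untrusted certificate ({exc.reason})"
```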

Additionally, some web sites host malicious code capable of "drive-by" infections, inserting malware into a user's browser. Even though the infection cannot be stored back to disk, the browser could be affected for the duration of the session. For this reason, sessions initiated from this special Live CD should only be used for conducting banking and similar business, and not for general web surfing.

Which Live CD for On-line Banking?

The installation CD for Ubuntu Linux for the desktop is by default a fully functional Live CD. It will auto-detect network connections, and includes the Firefox browser. This alone would suffice for the majority of on-line banking, provided the user didn't mind typing the bank's address into the browser each time (since "favorites" can't be saved).

Ubuntu also supports the ability to re-mix the Live CD to remove unused packages, install others, and set preferences before burning a new CD. This feature can be used to overcome deficiencies in the installation CD, for example, if certificates or keys need to be installed in order to access a particular system.

Live CD for Windows

Unfortunately, some banking institutions require the user to connect with Internet Explorer, which means from a Windows installation. While Microsoft doesn't support any Live CD distributions for general use, there is at least one third-party project that does: BartPE.

"Bart's Pre-installed Environment" requires an original Windows installation CD, but with it the user can create a fully functional CD-based Windows distribution, complete with Internet Explorer.

Other Uses for Live CDs

Aside from maintaining a secure installation from which to initiate financial transactions, Live CDs provide a number of other useful capabilities:

  • Testing or demonstrating different operating systems
  • Recovering damaged or infected hard drives
  • Portability - the entire installation can be run from any PC with a bootable CD-ROM drive

A Live CD is Part of the Fight Against Malware

Adopting a Live CD for on-line banking is a major weapon in the battle against crimeware, but it isn't a replacement for good security practices.

Firewalls and virus scanners still need to be kept up to date. Security-conscious users need to stay informed about the continuing evolution of malicious software, as well as the techniques to keep their systems, data, and finances safe.


The copyright of the article Protect Yourself Against Banking Crimeware in Security/Antivirus Software is owned by Joe Poniatowski. Permission to republish Protect Yourself Against Banking Crimeware in print or online must be granted by the author in writing.
