Zeus Botnet still going strong… targeting NACHA members

JavaScript code related to Zbot attack

Chances are, you or someone you know has received an email purporting to be from NACHA saying your ACH membership has expired. Unless you’re in the Financial Payments industry however, you might not know what this is.

NACHA is a “not-for-profit association, led by … financial institutions and payments associations, that is responsible for the administration, development, and governance of the ACH Network.”

In other words, they’re responsible for overseeing and running the North American electronic payments system. This includes online payments, but also includes cheque cashing, money transfers and international wires.

It encompasses banks, healthcare providers, online boutiques, and the local corner store. We’re talking large sums of money and large volumes of transactions.

So why is everyone under the sun receiving these messages? Because everyone includes ACH Network subscribers. As mentioned in a recent Sophos Threat Spotlight, these emails are being used to socially engineer the recipients into installing a Zeus botnet node on their computer.

NACHA malicious spam

This is significant because the Zeus botnet (or Zbot) software is designed such that it can do much more than perform DDoS attacks and send out emails saying your ACH membership has expired — it also silently collects financial information residing on, or passing through your computer — including ACH transactions.

Zbot has been so successful at this that it continues to use almost the exact same method of distribution and information collection it used back in 2009. This is due in part to the continuing weaknesses in internet and business infrastructure that it targets.

Verizon has compiled a list of the top fifteen Threat Action Types based on data breaches in the past year. Zbot makes use of the following breach types from Verizon’s top 15 Threat Action Types:

Page 26, Table 8: Top 15 Threat Action Types by number of breaches and number of records:

Verizon Threat Action Types

The botnet only fails to take advantage of three of the top fifteen, all of which involve manual (personally attended) attack mechanisms. Most of these threats are bundled into the malware’s functionality by default, and the others can be leveraged through remote control of the system.

So from this, you can probably see that if someone is involved in electronic funds transfer activities, they should be running the latest anti-virus and anti-spam software, have web protection and a solid firewall policy.

They should also have a defined data retention and encryption policy and some form of DLP (Data Loss Prevention) technology. Agreed? It’s your money they’re leaking, after all.

If you are not a member of NACHA, Zbot is also happy to send you malicious eCards and online banking notifications, and will be quite pleased to add your computer to the botnet and gather your personal banking information.

This might sound like a classic case of Fear, Uncertainty and Doubt (FUD) about not using security products, but it isn’t. It’s about education and awareness.

Your money _is_ being stolen as you read this. If it’s not coming directly out of your bank account, it is being taken from you in the form of increased product pricing when the merchants have to absorb the thefts. Botnets like Zeus impact everyone.

If you can’t afford a dedicated information security team, then assemble what you can, with the resources you have.

ISSA logo

For those with no resources readily available, there are user groups you can join in your community that have members who would be happy to help you set up a secure computing system for free or for a low fee.

In the end, it all boils down to us, the people. Don’t click on links you aren’t expecting. Don’t run software you don’t trust, even if it promises you the stars, or threatens you with doom if you don’t.

Don’t store personal information you don’t need to store (on your PC, or on Facebook). If you’re feeling suspicious that something might be awry, calling someone on the telephone and feeling a bit silly about it is much better than keeping silent.