Security Experts:

Large Global Banks Still Plagued by Conficker, Zeus Malware: Report

Black Hat 2012

Some of the world's largest banks are operating while infected with serious malware, according to a recent report.

An analysis of 24 of the world's largest banks showed that 18 banks contained malicious infections, including Conficker, DNSChanger, and Gameover Zeus, BlackHole Exploit Kit, and Fake AV, Lookingglass Cyber Solutions said in a report released July 25. Researchers also were able to track “tens of thousands” of machines infected by Flashback in March, Derek Gabbard, CEO of Lookingglass Cyber Solutions, told SecurityWeek.

Lookingglass tracked over 104 malicious IP addresses from around the world since Janaury to compile this analysis. In March alone, researchers tracked 42 million infected IP addresses and found 40 percent had multiple infections. Interestingly, Lookingglass was able to determine that a significant majority of these infected machines were not public-facing systems, such as a Web server or transaction systems, Gabbard said.

Even after three years, there was a “very substantial Conficker infection,” Gabbard said.

The Conficker Working Group has been working for the past three years to help organizations and users mitigate and remediate their machines infected with the Conficker worm. Even so, the worm remains entrenched in the financial services industry, with 10 of the 24 banks analyzed still having infected machines, Lookingglass found.

According to Microsoft's Security Intelligence Report released in April 2012, Microsoft said the Conficker worm was detected approximately 220 million times worldwide in the past two and a half years.

“Nothing surprises me anymore,” Gabbard said, adding that he was “never surprised to see things we thought were old and dead crop back up.”

While Conficker was the most common, Lookingglass also found a lot of DNSChanger infections among these banks, despite various outreach programs this spring to educate users about the malware. However, Gabbard admitted that he had expected to see more DNSChanger infections than what was observed, so the cleanup efforts were effective to some part.

There were also machines infected with malware to become part of the Cutwail botnet, Gabbard said.

Lookingglass wasn't picking on the financial services industry in the report. Of the 17 industries Lookingglass monitored, 14 were infected with “high level threats,” the company said. Compared to other sectors, financial services companies are substantially faster than others when it comes to remediation, Gabbard said.

Gabbard also said he would be surprised if there was any sector who could claim to not still be battling Conficker infections.

Lookingglass researchers determined that many of the organizations had detected and cleaned up the infections initially, but had been re-infected by partners and suppliers who were similar infected. Malware from “unclean” networks re-infect previously cleaned networks, “creating a cycle of re-infection among partner and supply chain networks, the company said. This is a problem when the industry shares a common infrastructure, as is the case within the financial services sector.

Organizations are not monitoring these re-infections. “With cyber attacks becoming more intricate and sophisticated, not only do organizations put themselves at risk if they don’t take these threats seriously, they also become a liability to their customers and partners,” said Gabbard.

The company collected information from various sources, including blacklist blockers, spam lists, feeds from threat intelligence providers, and open source lists, Gabbard said. Lookingglass has been collecting and analyzing this kind of data for a long time and sharing relevant insights with customers, but this is the first time the company has released the data to the public, Gabbard said.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.