
Large Global Banks Still Plagued by Conficker, Zeus Malware: Report

Black Hat 2012

Some of the world’s largest banks are operating while infected with serious malware, according to a recent report.


An analysis of 24 of the world’s largest banks showed that 18 of them contained malicious infections, including Conficker, DNSChanger, Gameover Zeus, the BlackHole exploit kit, and fake antivirus software, Lookingglass Cyber Solutions said in a report released July 25. Researchers were also able to track “tens of thousands” of machines infected by Flashback in March, Derek Gabbard, CEO of Lookingglass Cyber Solutions, told SecurityWeek.

Lookingglass tracked over 104 malicious IP addresses from around the world since January to compile this analysis. In March alone, researchers tracked 42 million infected IP addresses and found that 40 percent had multiple infections. Interestingly, Lookingglass was able to determine that a significant majority of these infected machines were not public-facing systems, such as Web servers or transaction systems, Gabbard said.

Even after three years, there was a “very substantial Conficker infection,” Gabbard said.

The Conficker Working Group has been working for the past three years to help organizations and users mitigate and remediate their machines infected with the Conficker worm. Even so, the worm remains entrenched in the financial services industry, with 10 of the 24 banks analyzed still having infected machines, Lookingglass found.

According to Microsoft’s Security Intelligence Report, released in April 2012, the Conficker worm was detected approximately 220 million times worldwide over the preceding two and a half years.

“Nothing surprises me anymore,” Gabbard said, adding that he was “never surprised to see things we thought were old and dead crop back up.”

While Conficker was the most common, Lookingglass also found many DNSChanger infections among these banks, despite various outreach programs this spring to educate users about the malware. However, Gabbard said he had expected to see more DNSChanger infections than were actually observed, so the cleanup efforts were at least partly effective.

There were also machines infected with malware to become part of the Cutwail botnet, Gabbard said.

Lookingglass wasn’t picking on the financial services industry in the report. Of the 17 industries Lookingglass monitored, 14 were infected with “high level threats,” the company said. Compared to other sectors, financial services companies are substantially faster than others when it comes to remediation, Gabbard said.

Gabbard also said he would be surprised if any sector could claim to no longer be battling Conficker infections.

Lookingglass researchers determined that many of the organizations had detected and cleaned up the infections initially, but had then been re-infected by partners and suppliers that were similarly infected. Malware from “unclean” networks re-infects previously cleaned networks, “creating a cycle of re-infection among partner and supply chain networks,” the company said. This is a particular problem when an industry shares common infrastructure, as is the case within the financial services sector.

Organizations are not monitoring these re-infections. “With cyber attacks becoming more intricate and sophisticated, not only do organizations put themselves at risk if they don’t take these threats seriously, they also become a liability to their customers and partners,” said Gabbard.

The company collected information from various sources, including blacklist blockers, spam lists, feeds from threat intelligence providers, and open source lists, Gabbard said. Lookingglass has been collecting and analyzing this kind of data for a long time and sharing relevant insights with customers, but this is the first time the company has released the data to the public, Gabbard said.
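The kind of correlation described above, in which sightings from blocklists, spam traps and sinkhole feeds are matched against an organization's address space and watched for hosts that go quiet and then reappear, can be sketched in a few dozen lines. The following is an added example written for this page, not Lookingglass code or data: the organization names, netblocks and feed records are constructed for illustration, and the 30-day quiet window used to declare a re-infection is an assumed threshold.

```python
"""Attribute threat-feed sightings to organizations and flag re-infections.
All organizations, netblocks and sighting records are constructed sample data,
not Lookingglass data."""
import ipaddress
from collections import defaultdict
from datetime import date

# Hypothetical netblocks: two fictional banks and a partner whose hosts sit in
# the same address space as bank-b (a stand-in for shared infrastructure).
ORG_NETBLOCKS = {
    "bank-a": ["203.0.113.0/24"],
    "bank-b": ["198.51.100.0/25"],
    "partner-x": ["198.51.100.128/25", "192.0.2.0/24"],
}

# Constructed feed records: (date, ip, malware family, feed source).
SIGHTINGS = [
    ("2012-01-10", "203.0.113.17", "conficker", "sinkhole"),
    ("2012-01-12", "198.51.100.200", "dnschanger", "dcwg-list"),
    ("2012-02-03", "203.0.113.17", "conficker", "sinkhole"),
    ("2012-03-15", "203.0.113.17", "conficker", "sinkhole"),  # 41-day gap: re-infection
    ("2012-03-15", "203.0.113.17", "gameover-zeus", "spamtrap"),
    ("2012-03-16", "198.51.100.9", "cutwail", "spamtrap"),
    ("2012-04-01", "8.8.8.8", "conficker", "sinkhole"),  # outside every netblock
]


def build_lookup(org_netblocks):
    """Return (network, org) pairs, most specific prefix first."""
    pairs = [(ipaddress.ip_network(cidr), org)
             for org, cidrs in org_netblocks.items() for cidr in cidrs]
    pairs.sort(key=lambda p: p[0].prefixlen, reverse=True)
    return pairs


def attribute(ip, lookup):
    """Map an IP to the organization whose netblock contains it, or None."""
    addr = ipaddress.ip_address(ip)
    for net, org in lookup:
        if addr in net:
            return org
    return None


def infections_by_org(sightings, lookup):
    """org -> ip -> chronologically sorted list of (date, family)."""
    out = defaultdict(lambda: defaultdict(list))
    for day, ip, family, _source in sightings:
        org = attribute(ip, lookup)
        if org is not None:
            out[org][ip].append((date.fromisoformat(day), family))
    for hosts in out.values():
        for events in hosts.values():
            events.sort()
    return out


def find_reinfections(sightings, lookup, quiet_days=30):
    """Flag a host when the same family reappears after it has been absent
    from every feed for more than quiet_days (assumed threshold)."""
    hits = []
    for org, hosts in infections_by_org(sightings, lookup).items():
        for ip, events in hosts.items():
            last_seen = {}
            for day, family in events:
                prev = last_seen.get(family)
                if prev is not None and (day - prev).days > quiet_days:
                    hits.append((org, ip, family, prev.isoformat(), day.isoformat()))
                last_seen[family] = day
    return hits


def multiple_infection_ratio(sightings, lookup):
    """Share of attributed hosts carrying more than one malware family."""
    hosts = {ip: {family for _, family in events}
             for per_host in infections_by_org(sightings, lookup).values()
             for ip, events in per_host.items()}
    if not hosts:
        return 0.0
    return sum(len(families) > 1 for families in hosts.values()) / len(hosts)


if __name__ == "__main__":
    lookup = build_lookup(ORG_NETBLOCKS)
    for org, hosts in sorted(infections_by_org(SIGHTINGS, lookup).items()):
        print(f"{org}: {len(hosts)} infected host(s)")
    for hit in find_reinfections(SIGHTINGS, lookup):
        print("re-infection:", hit)
    ratio = multiple_infection_ratio(SIGHTINGS, lookup)
    print(f"hosts with multiple infections: {ratio:.0%}")
```

On the constructed data, 203.0.113.17 at bank-a is reported for Conficker in January, February and again in mid-March after a 41-day silence, so it is flagged as re-infected; the sighting for 8.8.8.8 falls outside every netblock and is discarded. In practice the quiet window should be tuned to how often each feed re-observes a host, since a sinkhole that only sees a bot when it beacons can produce gaps that look like clean-ups but are not.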
