Kronos Malware Available with a $7,000 (€5,140) Price Tag

Status
Not open for further replies.

Littlebits

Retired Staff
Thread author
May 3, 2011
3,893
- No samples have been analyzed yet
A post on a Russian underground forum offered a new financial malware named Kronos for a full price of $7,000 / €5,140, with a one-week trial period available for $1,000 / €734.

The price alone suggests that this is aimed to be a premium piece of malware, and the initial list of features seems to confirm it. Kronos malware is touted to include regular infostealing capabilities, such as form grabbing and HTML injection for Google Chrome, Mozilla Firefox and Internet Explorer.

The post announcing the availability of the new malware family has been found by the security researchers at IBM’s Trusteer, who did not get their hands on a sample for deeper analysis.

It is also advertised as being able to bypass antivirus protection, as well as sandbox environments used by security researchers to analyze the samples. The crooks implemented a rootkit component (for both 32-bit and 64-bit systems) that can protect itself from other Trojans.

“The Trojan uses an undetected injection method to work in a secure process and bypass proactive anti-virus protections,” says the Trusteer translation of the forum post. Furthermore, “the Trojan is able to bypass any hook in usermode functions which bypasses rootkits or sandboxes which use these hooks.”

As it was to be expected, the communication between the infected machine and the command and control server is encrypted.

It appears that the forum post already delivered plenty of information, as they said that “the HTML injection mechanism is compatible with Zeus,” and pointed out that this was most likely because most of the cybercriminals it addresses either used or are still using variants of the Zeus malware.

As such, the developers of Kronos made sure that they wouldn’t have a tough time implementing the web inject component.

Although the price asked may seem high, previous premium malware were sold for as much as $15,000 / €11,000 if delivered with all the modules. However, the Kronos malware writers promised to add new modules to the piece in order to expand its functionality, each of them being charged separately.

Just like regular developers, they are willing to provide bug fixes with each update, which will not be charged.

During the one-week trial, testers will have access to a server hosted specifically for them, with full control of the panel and no imposed limitations.

It is too early to say if Kronos will be indeed the father of Zeus, but the good thing is that security experts and law enforcement now have a name to pin to the Kronos sample when they catch it.

Source
 

Dubseven

Level 14
Verified
Aug 12, 2013
694
Lol about the price.. it's not real.
The real price is about 1,000€ in the biggest hack forums for lifetime. Those bypass methods are great, but it's very easy to see the difference from another normal file, and it's not really "new" because they're using the same methods as ZeuS and Stealers.
And yes, it's already detected by Tiranium and Comodo.

The best sold malware at this time is ransomware; the hackers won much money with it and keep using these "working" methods.
And also the postal method. They send a letter to your home address with your name (taken from your IP address) on colored paper, as if the Police/FBI found some things against you, and request some money from you.
Also the botnet stealers: a lot of Steam, WoW (private servers and US Official) and LoL accounts are shared/sold because the new users take the "easy" way like all their friends. Take care of your gaming accounts ;)
 
Reactions: Jack and Koroke San

Dubseven

Level 14
Verified
Aug 12, 2013
694
:p:p Because we are looking for new things every day and we have some private access to get new things and analyze them that other companies can't.
It's not really our technology in this case, it's the "access limit". If you send the samples to other companies, you will see them detecting it in 1-2 days ;-)
 
Reactions: Koroke San