Wontok Lab Tests New Zberp Trojan

Wontok Lab successfully tested SafeCentral against newest banking malware threat, Zberp.

The Zberp Trojan is a new hybrid online banking Trojan program that combines functionality and features from the widely known Zeus (aka Zbot) and Carberp malware programs. Zberp is reported to have impacted 450 financial institutions around the world in the first month since discovery.

What is Wontok Lab?

Wontok Lab is Wontok’s product test facility, which consists of a team of security researchers in a controlled analysis and testing environment. Wontok Lab conducts rigorous tests specifically designed and tailored for each of Wontok’s security products.

How is Wontok Lab different from Quality Assurance?

Wontok also has a Quality Assurance or QA team. The QA team performs functionality tests at the release of each product version to ensure quality and usability. The Lab is responsible for day-to-day testing against emerging security threats such as new malware variants.

How does Wontok Lab test SafeCentral for Windows in a Financial Setting?

Wontok SafeCentral for Windows has been uniquely developed to work at the deepest kernel layer to protect institutions from modern financial malware. Wontok Lab must test against the most challenging type of malware, which hides itself at the deepest level of the OS and is difficult if not impossible for most security products to detect, let alone test for. As such, it requires very specialized testing, beyond what is performed for day-to-day anti-virus or average anti-malware products. To simulate real financial malware threats such as Zeus or SpyEye, Wontok Lab has a financial malware “zoo” where it keeps live strains of recent malware variants used for state-of-the-art testing. Because dangerous new malware variants surface continuously, the Lab conducts daily tests against emergent threats, and results are summarized weekly.

What is unique about testing financial malware?

Financial malware such as Zeus or SpyEye deploys a Man-in-the-Browser, or MitB, attack. MitB malware infects the browser and, once inside, its goal is to steal valuable logon data such as the user name and/or password sent via that browser, then transmit it to a malicious location undetected. Therefore, a test simulator must go beyond traditional testing that merely verifies detection. In this case, the question is not whether the malware is detected, but whether a breach has occurred and whether sensitive information was captured or transmitted.

What steps does Wontok Lab take in conducting testing on SafeCentral for Windows?

Tests are performed by Wontok Lab on systems that emulate a normal desktop. All operating systems are tested. Various industry tools such as Wireshark and Process Monitor are used to analyze network traffic and local system access. These tools provide the data and logs that the Lab team compares against.

These tools are launched prior to our tests; then text is entered into the banking site and “log in” takes place. This step is performed both on a system that is pre-infected with malware and on a system where malware is injected after installation of SafeCentral. The Lab analysis compares the network traffic, processes executed, file system access, and registry access that the malware generates on the normal Windows desktop versus the SafeCentral Desktop.

What criteria are used to show the software “passed” the test?

Wontok Lab first must detail the malware activity on the normal desktop and identify what the malware is capturing and what access it makes to local system files, folders, operating system calls, and remote systems. They then switch to the SafeCentral desktop, perform the same tasks, and check the system tools and logs to see whether any information reaches the same local system files, folders, and remote systems.

How do you know when it “failed” the test?

Wontok’s analysts determine from the generated logs and their timestamps whether any credentials or information entered while in SafeDesktop are available to the files, processes, or network activity generated by the malware. A test fails if any information, even a single keystroke, is available to the malware.
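As an added illustration of this pass/fail rule (example code, not Wontok's or the Lab's own tooling), the check below runs over a few constructed capture lines in a simplified format rather than real Process Monitor or Wireshark output, with hypothetical credentials, session window and malware process name: a line fails the test if it is attributed to the malware, falls inside the typing window, and exposes an entered credential in plain, URL-encoded or base64 form, or even a keystroke prefix of it.

```python
import base64
import re
from datetime import datetime
from urllib.parse import unquote
SESSION_START = datetime.fromisoformat("2014-06-03T10:15:00")  # constructed typing window
SESSION_END = datetime.fromisoformat("2014-06-03T10:16:30")
ENTERED = {"username": "jdoe", "password": "Tr0ub4dor&3"}  # constructed credentials
MALWARE_PROCESSES = {"svchost_fake.exe"}  # hypothetical name from the baseline run
_BLOB = base64.b64encode(b"pass=Tr0ub4dor&3").decode()  # constructed encoded exfil
# Constructed capture lines "<ISO timestamp>|<source>|<process>|<detail>". Line 1
# predates the window (baseline run); line 4 is the legitimate browser login.
SAMPLE_LOG = f"""\
2014-06-03T10:14:10|network|svchost_fake.exe|POST /gate.php body=user=jdoe
2014-06-03T10:15:12|filesystem|svchost_fake.exe|WriteFile C:\\Temp\\k.log data=jdo
2014-06-03T10:15:40|network|svchost_fake.exe|POST /gate.php body=user=jdoe&pass=Tr0ub4dor%263
2014-06-03T10:15:50|network|chrome.exe|POST /login body=user=jdoe&pass=Tr0ub4dor%263
2014-06-03T10:16:05|filesystem|svchost_fake.exe|WriteFile C:\\Temp\\k.log data={_BLOB}
"""

def _views(detail):
    """Yield (encoding, text): raw, URL-decoded, and each base64-looking token decoded."""
    yield "raw", detail
    yield "urldecoded", unquote(detail)
    for token in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", detail):
        try:
            yield "base64", base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error: the token was not really base64
            continue

def _exposure(secret, views):
    """Full secret in any view, else the longest typed prefix (3+ keystrokes) in any view."""
    for n in range(len(secret), 2, -1):
        for encoding, text in views:
            if secret[:n] in text:
                return ("full" if n == len(secret) else f"prefix:{secret[:n]}"), encoding
    return None

def find_leaks(log_text, entered, malware_processes, start, end):
    """Return (timestamp, source, process, field, match, encoding) for each exposed field."""
    findings = []
    for line in log_text.splitlines():
        ts, source, process, detail = line.split("|", 3)
        if process not in malware_processes or not (start <= datetime.fromisoformat(ts) <= end):
            continue  # legitimate process, or outside the session window
        views = list(_views(detail))
        for field, secret in entered.items():
            hit = _exposure(secret, views)
            if hit:
                findings.append((ts, source, process, field, *hit))
    return findings
def verdict(findings):
    return "FAIL" if findings else "PASS"  # any exposure, even one keystroke, fails
```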

Is SafeCentral tested by any independent testing services?

Wontok utilizes the world’s largest independent testing services, CSC ITS (formerly Applabs). CSC ITS uses a mix of conventional and next-gen solutions to perform functional testing of SafeCentral prior to deployment. This includes full regression testing, compatibility, leak, remote monitoring testing, and more.

What other tests have been conducted on the efficacy of Wontok SafeCentral?

Wontok SafeCentral’s effectiveness has been documented through testing and endorsements by a number of organizations:

In February 2013, Wontok commissioned independent IT security research organization MRG Effitas to provide an efficacy assessment of browser security and data capture products for financial services, including SafeCentral. Additional reports are scheduled for 2014.

NSS Labs analyst Ken Baylor recognized Wontok SafeCentral as a key part of an anti-fraud and risk management strategy for financial institutions. In Online Banking Fraud Viewpoints, Ken Baylor discusses how increased liability for banks and FFIEC rulings are driving a need for customer-facing anti-fraud solutions.

Wontok SafeCentral is cited as one of the tools that reduces the likelihood of successful malware attacks and reduces banks’ risk.

Wontok SafeCentral has received endorsed vendor status from regional bank associations, among them Minnesota Bankers Association and FIPCO, a subsidiary of the Wisconsin Bankers Association.
