According to a white paper issued by M86 that describes the attack in detail, the malware was spread by a variety of means, including infected advertisements on legitimate websites. Once installed on the victim's PC, the Zeus Trojan waits for the user to visit the banking site in question, at which point it steals the login details. It then checks to see if the user has more than £800 in his or her current account, and makes a money transfer of between £1,000 and £3,000.
M86 said the criminals use a combination of the new Zeus v3 Trojan and exploit toolkits to avoid antifraud systems while robbing bank accounts.
"This indicates a new level of technical sophistication," the white paper reads, because the Trojan not only acts as data-stealing malware but also performs illegal online banking transactions.
Bradley Anstis, vice president of technical strategy at California-based M86, said: "Just because you have security software running on your machine, don't put your head in the sand and assume you're safe." He said that analysis of the code showed that it would not be detected by most antimalware programs.
Anstis also said it was hard to tell if the victims of the fraud had actually downloaded the free security software that the bank had made available to them. The crime is in line with a growing trend of customised malware that is targeted at specific countries and even particular banks' customers, making it less likely to be detected by major antimalware programs, which focus on global threats. Recent examples include the Silon Trojan, which has been tailored to hit certain UK banks' customers.
Anstis said that although most of the victims appeared to be home PC users, the list of email addresses on the command-and-control servers, located in Eastern Europe, included "some fairly well-known company names."
"Just because you are behind the corporate firewall, you're not necessarily being protected," Anstis said. "And big businesses may take longer to spot that £3,000 has been transferred than an individual banking customer."
Christian Brindley, a security specialist with Mountain View, Calif.-based VeriSign Inc., warned that banks are facing a serious threat to their online operations from sophisticated malware variants.
As this latest case shows, the new threats can often evade detection and inflict considerable damage before they are discovered. For example, the Mumba botnet, also built on a variant of the Zeus Trojan, was recently discovered by security company AVG Technologies UK Ltd., and contained over 60GB of stolen data from an estimated 55,000 PCs.
Brindley said banks need to adopt a more layered approach to security in order to stop the criminals. "For instance, keylogging is rendered useless by supplying a secure one-time password," he said. "It is an easy way of adding strong authentication, and it can be supplied via a separate channel, such as an SMS message to the user's mobile phone."
One-time passwords will not prevent man-in-the-browser attacks, of course, but Brindley said that further layers of security, such as fraud detection systems, can be effective in trapping unusual banking transactions, such as large money transfers.
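The layered point Brindley makes is easy to see in code. The following is an added example, not taken from the article, M86 or VeriSign: a minimal transaction-risk scorer in Python that treats a successful one-time password as only one signal, and flags the kind of transfer described above (a large amount to a never-seen payee, pushed through moments after login) even though the user "approved" it through a hijacked browser session. All account data, payee names, thresholds and the decision policy are constructed assumptions for illustration, not any bank's real rules.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed sample data (illustrative only) ---------------------------------

@dataclass
class Account:
    account_id: str
    balance: float
    known_payees: set[str]       # payees this customer has paid before
    typical_transfer: float      # rolling average of the customer's past transfers


@dataclass
class Transfer:
    transfer_id: str
    account_id: str
    payee: str
    amount: float
    login_time: datetime         # when the online-banking session authenticated
    time: datetime               # when the transfer was submitted
    otp_verified: bool           # one-time password succeeded (true even under MitB)


ACCOUNTS = {
    "ACC-1": Account("ACC-1", balance=2400.0, known_payees={"LANDLORD-LTD"}, typical_transfer=300.0),
}

TRANSFERS = [
    # Ordinary rent payment: known payee, usual size, a quarter of an hour into the session.
    Transfer("T1", "ACC-1", "LANDLORD-LTD", 650.0,
             datetime(2010, 8, 10, 10, 0, 0), datetime(2010, 8, 10, 10, 15, 0), True),
    # MitB-style pattern from the article: large amount, unseen payee, seconds after login,
    # OTP still "verified" because the victim typed it into the tampered page.
    Transfer("T2", "ACC-1", "UNSEEN-PAYEE-7", 2200.0,
             datetime(2010, 8, 10, 11, 0, 0), datetime(2010, 8, 10, 11, 0, 40), True),
    # Legitimate but unusually large payment to a known payee: worth a step-up check, not a hold.
    Transfer("T3", "ACC-1", "LANDLORD-LTD", 1200.0,
             datetime(2010, 8, 10, 12, 0, 0), datetime(2010, 8, 10, 12, 30, 0), True),
]

# --- Scoring: each rule is an independent layer; OTP success never short-circuits them --------

def score_transfer(acct: Account, t: Transfer,
                   large_amount: float = 1000.0,          # assumed threshold
                   fast_window: timedelta = timedelta(minutes=2)) -> list[str]:
    """Return the list of risk indicators that fire for this transfer."""
    reasons: list[str] = []
    if t.amount >= large_amount:
        reasons.append("large_amount")
    if t.payee not in acct.known_payees:
        reasons.append("new_payee")
    if t.amount > 3 * acct.typical_transfer:
        reasons.append("atypical_amount")
    if t.time - t.login_time <= fast_window:
        reasons.append("transfer_immediately_after_login")
    if t.amount > acct.balance:
        reasons.append("exceeds_balance")
    if not t.otp_verified:
        reasons.append("otp_failed")
    return reasons


def decide(reasons: list[str]) -> str:
    """Map fired indicators to an action (assumed policy)."""
    if "otp_failed" in reasons or len(reasons) >= 3:
        return "hold_for_review"   # route to the fraud team / out-of-band confirmation
    if reasons:
        return "step_up"           # e.g. confirm payee details via a separate channel
    return "allow"


def review(accounts: dict[str, Account], transfers: list[Transfer]) -> dict[str, str]:
    """Run every transfer through the scorer and return {transfer_id: decision}."""
    return {t.transfer_id: decide(score_transfer(accounts[t.account_id], t)) for t in transfers}


if __name__ == "__main__":
    for t in TRANSFERS:
        reasons = score_transfer(ACCOUNTS[t.account_id], t)
        print(f"{t.transfer_id}: {decide(reasons):16s} {reasons}")
```

The point of the design is that no single layer is trusted: the OTP layer defeats a keylogger, while the payee-history and timing rules catch the man-in-the-browser case where the OTP was legitimately entered by the victim. Real deployments would tune the thresholds per customer segment and add signals such as device fingerprint and IP reputation.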
Some UK banks, he said, are working hard to bolster their customers' security through a combination of user education and the provision of free security software. But he added that the banks have to balance increased security with ease of use. "The banks are nervous about upsetting users," Brindley said.
Ram Herkanaidu, a security researcher at Kaspersky Lab UK, said his team has detected more than 40,000 variants of the Zeus Trojan. He said it is popular with criminals because it can be configured, modified and encrypted to avoid detection and use the latest exploits. For example, he said that in April 2010, within a week of a flaw being detected in Adobe PDF files, a new variant of Zeus was being spread using the flaw.
The number of cybercriminal groups and botnets using Zeus, Herkanaidu said, is "likely to be in the hundreds."