KINS Banking Trojan
Following recent events, which saw the fall of Citadel and other major banking Trojans, criminals are eagerly awaiting a new virus. According to information available on underground forums, such a project would surely be financed.
Investigators from RSA’s FraudAction Research Lab reported that criminals will finance the development of a new virus if it meets specific criteria. First, the virus should be available for purchase. Second, it should be easy to use. Finally, if problems with the virus arise, criminals should be provided with technical support from the developers. The investigators discovered a new virus called KINS which, according to them, is very attractive to criminals.
KINS became available for purchase only recently. The virus is very similar to its predecessors such as SpyEye, Zeus and especially Citadel. Because of its similarities to the latter, a hunt for the KINS developers followed, but it was a short-lived campaign. Nevertheless, the developers have always claimed that it is not a modification of previous viruses but a completely new project.
Limor Kessem, an expert from FraudAction, claims that recent buzz on the underground forums indicates that interest in the new banking virus is huge. He stated that criminals have been waiting for a good product for a while and are willing to finance the development of the KINS virus.
Kessem also noted that KINS does not seem to be a new name in the criminal world. It is possible that the virus was circulating in the underground for a while before security companies discovered it. The researcher also stated that the attitude of the virus developer is very attractive to criminals because the creator responds quickly to all questions about the product. He also commented that, due to the lack of rivals and the excellent tech support, this virus could spread widely very soon. This might happen once customers start posting reviews of it, thus encouraging other potential buyers.
According to the information provided in the ad, KINS consists of a dropper and DLLs. The price of the standard virus is $5000, but for an additional $2000 criminals get a plug-in which makes the program undetectable by some security software. Furthermore, the advertisement claims that KINS has a Remote Desktop Protocol module. This feature allows botmasters to gain remote access to infected devices. The virus attacks an infected device’s volume boot record, giving it machine-level access to victims.
Finally, the advertisement states that the program is very simple to use and completely secure. The developer claims that no special skills are needed to install and operate the virus. He also added that the program is compatible with Windows 8. Kessem claims that the structure of the virus is almost the same as that of SpyEye and Zeus. Furthermore, features implemented in KINS, such as compatibility with Zeus Web injections, were used before in SpyEye. The researcher stated that the KINS developer simply took the best features of its predecessors and used them for the new project.
The current situation is very beneficial for the developer of KINS because many other malware creators are keeping a low profile due to recent arrests. As a result, the KINS banking virus has no real rivals and is attracting all the funds. If the developer is not caught soon, security experts will have to deal with a completely new virus in the near future.