The first global cyber worm aimed at banks and Internet banking customers appears to have infected at least 14 banks worldwide, including five U.S. and seven European banks, but was probably squashed before it could wiggle through the e-mail servers of most of the targeted 1,300 financial institutions.
Since Bugbear.B surfaced on June 5, MessageLabs's Skeptic technology traced infections to three UK banks and one bank each in Germany, Spain, Cyprus and France; it also struck one bank in Thailand and one in Australia, according to Mark Sunner, CTO of MessageLabs, a New York City provider of managed e-mail security services, who did the analysis at BTN's request. Sunner declined to identify the infected banks, to estimate how many other banks worldwide might be infected, or to comment on the severity of potential damage. Of the 500,000 infected messages sent to MessageLabs clients, all intercepted by the firm, 14 came from financial institutions, indicating that the virus had begun proliferating through banks' e-mail servers. Officials at the Federal Bureau of Investigation's cyberterrorism unit confirmed that the outbreak is being investigated, but declined to elaborate.
"If only 14 of 1,300 financial institutions were affected, that points to the fact that a larger percentage, almost all, had virus protection software in place," points out Doug Johnson, senior policy analyst for economic policy and research at the American Bankers Association. "That's an important modifying point to make. ... And that's good news."
Reports of U.S. attacks surprised Susanne Gorman, chairman of FS-ISAC, the Financial Services Information Sharing Analysis Center, which tracks cyber-security threats among financial services firms. "The Bugbear.B certainly raised hair on a lot of people's neck, and that was disturbing," she admits. "I've been interviewed so many times for this story and there's nothing to tell." Gorman's day job is managing director of corporate information security at Securities Industry Automation Corp., which runs the networks that power the New York Stock Exchange and the American Stock Exchange.
According to Internet security firm F-Secure Corp., Bugbear.B spreads through e-mail and network shares and is aimed at banks in the affected countries identified above, as well as Italy, Greece, Denmark, New Zealand, Brazil, Romania, Poland, Argentina, Switzerland, Finland, Taiwan, Turkey, Iceland, Slovakia, Korea, South Africa, the Baltic Republics, Austria, Hungary, Norway and the Czech Republic. Law-enforcement sources close to the investigation confirmed that a handful of banks around the world were infected with the virus, but they declined to elaborate on the damage.
The worm allows remote users to connect to and manipulate affected systems, terminates certain antivirus programs, and uses its own mail engine to send e-mail to addresses gathered from infected machines, according to Trend Micro, a maker of antivirus and Internet security software. Bugbear.B was cited as "high risk" for most of June and July on many virus-tracking sites and is at No. 4, the second-highest level of warning, on the antivirus firm Symantec's Web site, proving that it is still a major threat in the wild. Andy Cianciott of Symantec Security Response says reports of Bugbear.B were four times more frequent than those of any other virus at the end of July.
Bugbear.B is a polymorphic file-infecting variant of Bugbear.A, also known as Tanatos, which was discovered when it infected tens of thousands of computers around the world last October and became the most common and widespread virus of 2002. Every month, between 500 and 800 new viruses of all types are reported.
"If you download it and open the attachment and double click, it will install itself on the computer and try to spread to other shared drives that you're connected to," notes David Kennedy, director of research services at TruSecure, a cyber-security firm in Herndon, VA. But it's what the virus does next that is so frightening to banks. "Once it spreads, it will also install a keylogger to capture your keystrokes, about 25,000 bytes or two hours' worth, and mail them out to about 25 or 30 other e-mail addresses," he says. The keystrokes could include passwords, bank account data and credit card numbers. At the end of June, TruSecure raised the international alert to Level 1 at its virus-tracking Web site, saying the virus was spreading rapidly.
"Bugbear.B continues to be one of the most widespread viruses in the world and is among the top 10," says Mikko Hypponen, manager of anti-virus research at the Helsinki office of F-Secure, a provider of mobile-device security products. "Obviously banks are getting infected just like other companies are, and we've gotten an awful lot of calls from banks, but we haven't been able to confirm a single case. ... And the banks themselves aren't telling."
After being detected by a number of virus scanners on June 5, the Bugbear.B alert flashed to CIOs and CTOs across the globe at 9:10 EST that Thursday. "There was a huge wave of problems when it first came out," says Kennedy. "But more people updated their antivirus software and more companies started filtering their e-mail (with reported subject lines and extensions) and deleting attachments, and it became less of a problem over time." Citibank was one of the biggest global banks targeted, says Kennedy, but officials declined to talk on the record about the problem.
"You have more and more organizations that have multi-tiered mechanisms in place to block (these viruses), so you'll have something at the Web server, outside, that will strip attachments off, and that will save people a lot of problems," says Gorman. "And the anti-virus updates come out pretty frequently."
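The perimeter filtering Kennedy and Gorman describe, as an added example that is not code from the original article or from any vendor named in it: a minimal gateway-side attachment filter written against Python's standard library. It quarantines a message whose subject matches an operator-supplied alert pattern, and otherwise strips any attachment whose file name carries an executable extension, catching the double-extension trick ("statement.doc.exe") and whitespace padding that hides the real extension from a mail client. The blocked-extension set, the subject patterns and the sample message are all constructed for this illustration; the article does not reproduce the extensions or subject lines Bugbear.B used.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed block list: file extensions a gateway of that era would strip outright.
# Illustrative only; the article does not name the extensions Bugbear.B used.
BLOCKED_EXTENSIONS = frozenset({"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"})

# Constructed subject-line patterns standing in for the ones a vendor alert would list.
ALERT_SUBJECT_PATTERNS = (
    re.compile(r"^(re:\s*)?payment notices?$", re.I),
    re.compile(r"^your order details$", re.I),
)


def attachment_extensions(filename: str) -> list[str]:
    """Return every dotted extension, lower-cased, with whitespace removed.

    Worms hide executables behind double extensions ("statement.doc.exe") or
    pad the name with spaces ("statement.doc        .exe") so a mail client
    shows only the harmless part; collapsing whitespace and inspecting every
    component defeats both tricks.
    """
    name = re.sub(r"\s+", "", filename).lower()
    return name.split(".")[1:]


def is_blocked(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """Block if any extension component is on the list (deliberately conservative)."""
    return any(ext in blocked for ext in attachment_extensions(filename))


def filter_message(raw: bytes, subject_patterns=ALERT_SUBJECT_PATTERNS,
                   blocked=BLOCKED_EXTENSIONS):
    """Apply the gateway policy to one raw RFC 5322 message.

    Returns (verdict, removed_filenames, message), where verdict is
    "quarantine" (subject matches a known alert), "stripped" (one or more
    attachments replaced by a placeholder) or "clean".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in subject_patterns):
        return "quarantine", [], msg

    removed = []
    # Collect first, then mutate: walk() is a generator over the live tree.
    for part in [p for p in msg.walk() if p.get_filename()]:
        name = part.get_filename()
        if is_blocked(name, blocked):
            # set_content() clears the Content-* headers (including the
            # Content-Disposition that made this part an attachment) and
            # replaces the body with a plain-text placeholder the recipient sees.
            part.set_content(f"[gateway removed attachment: {name}]")
            removed.append(name)
    return ("stripped" if removed else "clean"), removed, msg


def build_sample(subject: str = "Re: your account statement") -> bytes:
    """Constructed test message: one blocked and one benign attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "teller@bank.example"
    msg["Subject"] = subject
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(b"MZ\x90\x00 fake binary", maintype="application",
                       subtype="octet-stream", filename="statement.doc.exe")
    msg.add_attachment(b"%PDF-1.4 fake document", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict, removed, cleaned = filter_message(build_sample())
    print(verdict, removed)
    print(cleaned.as_string())
```

The filter keys on file names only, which is what the subject-line-and-extension filtering quoted above amounts to; a real gateway would also sniff the attachment bytes (an "MZ" header inside a file named .pdf) and hand the message to a signature scanner, since an attacker controls the name. Replacing the part with a visible placeholder rather than silently dropping it lets the recipient know something was removed and report it.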
According to Deloitte & Touche research, 39 percent of financial institutions reported at least one security breach in the past year, and two-thirds of those came from outside the organization. "Banks probably spend a lot more on their protection mechanisms than other organizations," says Gorman. "If you're going to use adequate protection, you're going to use adequate protection. All in all, people are more aware of the virus situation out there. The whole world is a little smarter than before. Viruses are still going to be bad, but the ramifications will not be as bad as we have seen in the past."
Individual banks have been targeted by e-viruses before, however. The Slammer worm smacked Bank of America on January 25, paralyzing many of its ATMs across the nation; they were up and running by the end of the day, with no customer bank accounts compromised, according to a BofA spokeswoman. Loveletter.BD, which targeted Swiss conglomerate UBS in August 2000, was quickly intercepted, says Hypponen.
"The reason that most banks in the U.S. don't have a big problem with viruses is that they filter their e-mail when it comes in," says Kennedy. "Eternal vigilance is the key." His firm's labs are continually testing software to see if it will halt new viruses. "When you get a sample of a virus, it's similar to an autopsy on a dead person. You examine the computer code and run it and see what happens to the computer and the network." The most vulnerable banks, says Hypponen, are in Southeast Asia and the Far East, where antivirus software is less sophisticated than in the West.
According to Trend Micro, an antivirus software provider in Cupertino, CA, only about 70,000 computer users were infected, judging by traffic to its Web site. "It was a very obvious virus," says Joe Hartmann, director of North American Antivirus Research. "It had only three extensions. Any corporations, especially banks, would have noticed them. Banks are among the most secure customers because they spend a lot of money on security." About 33 of the firm's financial services users sought data on the virus, but none admitted to being infected.
Like other security firms, Trend Micro sends an e-mail warning to clients within 15 minutes of detecting a virus; a more comprehensive signature update is issued between 45 minutes and two hours from inception.
While the virus may not have hit the banking community hard, Johnson says it prompted "a good dialogue between the management of the companies and their (technology) folks." Though the publicity sent a wave of terror through bank customers who received the e-mail directly, Johnson says it was also "another opportunity for banks to educate their customer base. The only way to get the Internet to grow as a delivery system is to make sure everybody is protected." He suggests banks hold seminars for customers to underscore the need for antivirus software on home computers. "We think it was good news for that reason," he says.