The use of hijacked PCs by criminals to create "botnets" that can harvest online credentials has been known for some time, but the scale of these operations was revealed recently - along with the fact that the UK is the main source of infection.
During the summer, a very sobering announcement was made by internet security specialist Trusteer, which provides secure browsing services to banks including HSBC: the company uncovered a botnet being used to conduct financial fraud in the UK which is operated and controlled from Eastern Europe.
Botnets are networks of compromised computers that can be remotely controlled by criminal gangs, largely based in Eastern Europe, and they have been identified and monitored by security specialists for some time. The discovery last year by specialists at RSA, the security division of EMC, of Man-in-the-Browser attacks using the Zeus Trojan virus to infect PCs gave the fight some urgency, as it is a quickly-mutating virus that is hard for standard virus checkers to keep up with.
So Trusteer's discovery of a Zeus 2 botnet wasn't in itself all that surprising, but the scale of it was, and so was the fact that the vast majority were in the UK - the botnet they found appears to be controlling more than 100,000 infected computers, 98% of which are UK internet users.
It has been used to harvest "all manner of potentially lucrative and revenue-producing credentials - including online account IDs plus login information to banks, credit and debit card numbers, account types plus balances, bank statements, browser cookies, client side certificates, login information for email accounts and social networks and even FTP passwords", the company said.
Trusteer discovered the extent of the botnet after it gained access to its drop servers and command and control centre which contained the stolen information including hundreds of thousands of stolen credentials. The information has been handed over to UK law enforcement agencies.
"This is just one out of many Zeus 2 botnets operating all over the world," says Amit Klein, Trusteer's chief technology officer. "What is especially worrying is that this botnet doesn't just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users' online accounts. Coupled with the ability to remotely control users' machines, download data and run any file on them, this means that the fraudsters can insert partial or complete internet pages into a live web session, enabling them to inject transactions at will or extract even more data from the hapless victims."
Klein says there is a growing trend towards the use of regional malware where the cybercriminals operate targeted and segmented attacks on users, harvesting revenue from one bank's users one day, and, as that bank's security systems ramp up, move on to another regional bank another day: in this case the UK has been targeted.
In addition to gaining access to the botnet operators' servers Trusteer has also been able to access the interface used by the fraudsters to manage the botnet. This allows a unique view into the way fraudsters operate.
The interface offers three main functions. The first is the ability to monitor the growth and footprint of the botnet with very accurate statistics and graphs showing the total number of bots, their distribution, newly added bots, the count of active bots, etc. One example is a pie chart showing the operating systems running on the affected PCs (see facing page).
The second is a search function on all traffic generated by the bots. The botnet captures all HTTP and HTTPS traffic from infected computers and stores it in a central MySQL database. A search tool allows the fraudsters to easily extract any type of information from the database. For example if the fraudsters are looking for credentials for a specific institution they can just type a part of the institution's URL into the search box and will immediately receive all HTTP/S requests that contain this pattern. From there they can extract the relevant login information. The third functionality allows criminals to push updates and other executables to specific bots or to the entire botnet. For example, they can push other pieces of malware or they can push a remote access program that then allows them to remotely access the infected machine and control it.
Mickey Boodaei, Trusteer's chief executive, says that the revelations surrounding the Zeus 2 botnet are the result of hundreds of man hours of effort behind the scenes by his security team, who constantly monitor for this type of activity.
"It's important to realise that, despite its size, this is just one of many Zeus botnets operating all over the world. Its size and controllable actions are a clear demonstration of the increasing sophistication of cybercriminal gangs and how they can harness the power of drive-by downloads, spam and general phishing trawls to create such a large swarm," he said.
"Zeus has become one of the most prevalent botnet Trojans in the history of online fraud. Fighting financial malware requires banks to have accurate intelligence and strong fraud detection and mitigation capabilities, and work with their customers. Internet users need to follow their bank's instructions and when asked download online banking security software which is specifically tuned to detect and resist specific threats that the bank identifies such as Zeus. Banks need to continue implementing multiple layers to detect, resist, and de-activate malware attacks and tightly integrate these layers together."
Other security firms agreed that the revelation highlights the problems banks face in dealing with internet security issues - they can be as secure as possible, but will remain vulnerable to their customers' computers being compromised.
"The recent attacks on online banking show that the criminals have discovered mechanisms for subverting the online banking authentication challenges," said Laura Mather, founder and vice president of product marketing at Silver Tail Systems. "Banks are realising that they need to look both at authentication information and at the behaviour of sessions to detect these types of attacks."
Silver Tail's Forensics product uses behaviour analytics to track every web session on a banking website. Through this session tracking, it can detect where there are two sessions happening simultaneously from a single computer, which could be an indication of attacks by the Zeus malware.
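As an added illustration of the session-overlap heuristic described above (this is not Silver Tail's code; the log format, the device identifier field and the function names are assumptions), the following flags distinct sessions from one client device whose active periods overlap, which is what a Zeus-style man-in-the-browser injection can look like from the bank's side:

```python
"""Flag overlapping web sessions from a single client device.

Added example, not Silver Tail's product code. The log format below is
constructed: "<ISO timestamp> <device_id> <session_id> <path>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: dev-A1 has a second session start while the
# first is still active; dev-B7 logs out before its next session begins.
SAMPLE_LOG = """\
2010-08-01T09:00:00 dev-A1 sess-101 /login
2010-08-01T09:00:30 dev-A1 sess-101 /accounts
2010-08-01T09:01:05 dev-A1 sess-202 /login
2010-08-01T09:01:20 dev-A1 sess-202 /transfer
2010-08-01T09:02:00 dev-A1 sess-101 /logout
2010-08-01T10:00:00 dev-B7 sess-303 /login
2010-08-01T10:05:00 dev-B7 sess-303 /logout
2010-08-01T10:06:00 dev-B7 sess-404 /login
"""


def parse_log(text: str) -> Dict[str, Dict[str, List[datetime]]]:
    """Group request timestamps by device, then by session id."""
    by_device: Dict[str, Dict[str, List[datetime]]] = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, session, _path = line.split()
        by_device[device][session].append(datetime.fromisoformat(ts))
    return by_device


def concurrent_sessions(text: str, gap_seconds: int = 0) -> List[Tuple[str, str, str]]:
    """Return (device, earlier_session, later_session) for every pair of
    distinct sessions on the same device whose active intervals overlap,
    or whose start follows the other's last request within gap_seconds."""
    gap = timedelta(seconds=gap_seconds)
    alerts: List[Tuple[str, str, str]] = []
    for device, sessions in parse_log(text).items():
        # One (first_seen, last_seen, session_id) interval per session, by start time.
        intervals = sorted((min(ts), max(ts), sid) for sid, ts in sessions.items())
        for i in range(len(intervals)):
            for j in range(i + 1, len(intervals)):
                a_start, a_end, a_id = intervals[i]
                b_start, b_end, b_id = intervals[j]
                if b_start <= a_end + gap:  # b began before a went quiet
                    alerts.append((device, a_id, b_id))
    return alerts
```

A non-zero gap catches the case where the injected session starts moments after the genuine one goes quiet; tune it against normal re-login behaviour to keep false positives down.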
"These types of attacks are occurring more and more frequently now," said Mather. "It is critical for banks and other online organisations to understand the behaviour of their web sessions to detect these sophisticated types of threats."
Pat Carroll, chief executive of online banking and fraud specialist ValidSoft, says that online banking channels have always been vulnerable to advanced fraudulent techniques because of their reliance on strong authentication. "We have been predicting attacks such as the Zeus Trojan since 2006 and expect such attacks to become more frequent and increasingly sophisticated. Customers are actively encouraged to take advantage of online channels but are unaware of how vulnerable they are to attacks like Man-in-the-Middle and Man-in-the-Browser."
ValidSoft promotes the use of strong authentication coupled with transaction verification. "Telephony based Out-of-Band transaction verification is by far the most flexible, user friendly and effective way of combating fraud," says Carroll. "By using mobile or landline telephones the user is able to confirm that transaction details displayed on screen are the same as the information that is actually being processed. Using OOB channels in this manner is the only way web users can be sure that a transaction has not been tampered with and is indeed the transaction originated by the legitimate parties."
The UK will continue to be a fertile field for fraudsters, says Ryan Rubin, head of information security at Protiviti, because of its infrastructure and consumer behaviour. "There are no surprises here. Security researchers and some UK banks have been aware of the Zeus-based botnets for several months now," he says. "With the wide adoption of consumer broadband services, the UK provides a fertile playing field for botnets to spread and multiply. Targeted regional attacks against consumers will continue to occur as long as the cyber criminals have an incentive to pursue this avenue of attack and software security vulnerabilities exist to give them opportunity to do so. These attacks confirm that targeting the weakest link in the chain of online banking security, which is often the consumer, pays dividends in the end. Banks have been increasingly extending their security protection footprint to include their client base by offering security products and fraud tools to help them reduce the risk of a compromise."
In the end, says Rubin, "our only long term tool for defence is raising security awareness with consumers and increasing the maturity of security controls within the consumer marketplace". And it's going to get worse: "This will continue to be increasingly important as the mainstream convergence of online banking and other e-commerce services with new technologies such as iPhones and other mobile devices takes place," he added.