The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

GOZ was one of the more successful pieces of financial malware to appear in recent years, and was used by its creators to perpetrate massive wire fraud schemes around the globe. The malware differed from its older cousin, Zeus, in that it employed a P2P architecture for its command and control infrastructure, something that made it more difficult for authorities and researchers to track and defeat. Although a large joint operation between security researchers and law enforcement agencies in the United States and Europe took down the GOZ infrastructure in June, experts say they have seen definitive signs that GOZ is coming back to life.


In July researchers identified a potential new version of the GOZ malware, and just this week researchers at Arbor Networks said they have evidence that the GOZ botnet is coming back to life. The company has been operating five separate GOZ sinkholes and has seen more than 12,000 unique GOZ-infected IP addresses connecting to the servers. Now, researchers at IBM’s X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ’s penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

“There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we’ve witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators,” Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.

Like other similar pieces of malware, Cridex/Bugat is designed specifically to steal valuable banking credentials and other financial data. One key element of this kind of attack is the ability of the malware to capture the credentials of an infected user as he visits his bank’s site. Cridex/Bugat has the ability to detect when a user is trying to visit an online banking site; it will then redirect the victim to an identical, but attacker-controlled, site and grab the credentials as he enters them. The malware then connects to the target bank from the user’s IP address and executes wire transfers or other fraudulent transactions.

“In case the bank requests more information from the criminal during the transaction process, the criminal can obtain these data elements by using social engineering and HTML injection. These requests are presented to victims in real time. Such requests can include secret questions and two-factor authentication such as one-time passwords,” Maor said.
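The injections described above work by adding prompts (a secret question, a one-time password) to a page the bank never put them on, or by pointing the form somewhere the bank does not control. The following is an added example, not code from the article, from IBM X-Force or from any bank, of the simplest integrity check a defender can run: list the input fields actually present in the login form, flag any the bank does not expect, and flag a form whose action resolves to a foreign origin. Every HTML fragment, field name and hostname below is constructed for the example.

```javascript
// Added example (not the article's, IBM's or any bank's code): a minimal
// login-form integrity check. It flags <input> fields the bank did not put on
// the page and a form action pointed at another origin. All sample HTML and
// hostnames are constructed placeholders.

// Extract the lower-cased `name` attribute of every <input> in an HTML string.
function inputNames(html) {
  const names = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const m = /\bname\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

// Resolve the <form action> against the page origin and return the origin it will post to.
function formActionOrigin(html, pageOrigin) {
  const m = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/i.exec(html);
  const action = m ? m[1] : "";
  return new URL(action, pageOrigin).origin;
}

// Compare the rendered form with what the bank expects.
// Returns { injectedFields: string[], foreignAction: boolean }.
function checkLoginForm(html, expectedFields, pageOrigin) {
  const allowed = new Set(expectedFields.map((n) => n.toLowerCase()));
  const injectedFields = inputNames(html).filter((n) => !allowed.has(n));
  const foreignAction = formActionOrigin(html, pageOrigin) !== new URL(pageOrigin).origin;
  return { injectedFields, foreignAction };
}

// Constructed samples; the hostnames are placeholders, not real sites.
const PAGE_ORIGIN = "https://bank.example";
const EXPECTED_FIELDS = ["username", "password", "csrf_token"];

const CLEAN_FORM = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="deadbeef">
</form>`;

// The same form after an injection added a secret-question and a one-time-password prompt.
const INJECTED_FORM = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="deadbeef">
  <label>Security question: mother's maiden name</label>
  <input type="text" name="secret_answer">
  <label>Enter the one-time password we just sent you</label>
  <input type="text" name="otp">
</form>`;

// The same fields, but the action now posts to a look-alike host (placeholder).
const REDIRECTED_FORM = CLEAN_FORM.replace(
  'action="/login"',
  'action="https://bank-login.invalid/login"'
);

for (const [label, html] of [
  ["clean", CLEAN_FORM],
  ["injected", INJECTED_FORM],
  ["redirected", REDIRECTED_FORM],
]) {
  console.log(label, JSON.stringify(checkLoginForm(html, EXPECTED_FIELDS, PAGE_ORIGIN)));
}
```

A check that runs inside the victim's browser can itself be tampered with by malware that already rewrites the page, so the same comparison is more reliable on the server side: the bank knows which fields its login form carries, and a POST that arrives with extra fields it never asked for is a cheap, hard-to-suppress indicator of injection on the client.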

It’s quite common for malware gangs to adopt the successful techniques they observe in other attackers’ creations, and collaborations among malware and cybercrime gangs are not unheard of. So it would not be a surprise to see other groups pick up more of the traits that made GOZ such a success.


Categories: Malware, Social Engineering, Web Security

Comments (2)

  1. Pigsy

    United States 58.4% spam king.
    China 5.6%.

    The United States is the leading malware-hosting nation. U.S. hosted 44 percent of all malware.

    Even the U.S. government is doing it:
    “After failing to infect targets with malware in spam emails, the U.S. National Security Agency has reportedly turned to Facebook.
    According to a report by The Intercept, the NSA “disguises itself as a fake Facebook server” to perform “man-in-the-middle” and “man-on-the-side” attacks and spreads malware. The Intercept is the first in a series of publications created by Pierre Omidyar‘s First Look Media.”

    The U.S. has overtaken India and Russia to become the biggest producer of viruses, according to Network Box. The U.S. is now responsible for 12.05 per cent of the world’s viruses, up from 4.03 per cent from August.

    GCHQ prefers to put child porn on people’s computers according to the Guardian newspaper.

  2. James Boettger

    I have the Zeus Trojan horse, and I need help. Do you have a patch to repair both my desktop and laptop?

