Zeus’ Reach Expands With New Webinjects

The peer-to-peer version of Zeus was especially busy in the first quarter with infections reported by banks in 10 countries that previously had eluded Zeus’ reach.

The Zeus financial malware may be old, but it’s hardly slowing down.

The peer-to-peer version of the prolific Trojan was especially busy in the first quarter with infections reported by banks in 10 countries that previously had eluded Zeus’ reach.

CSIS Security of Denmark said the gang behind Zeus, also known as Gameover, had used new Webinjects against 1,515 unique targets during the first three months of the year; that’s a noteworthy spike from fewer than 1,100 in January 2014.

Peter Kruse, partner and security specialist at CSIS, said most of the new targets were banks and financial institutions in Africa, the Middle East, Asia and Europe.

“Most of which were never hit before by malware like this,” Kruse said. “Thus are likely to take significant losses.”

Kruse said the gangs maintaining and selling Zeus are improving the Webinjects used by the malware to update infected computers on the fly. Zeus primarily steals online banking credentials from its victims, injecting phony log-in pages into victims’ browsers tailored to their particular bank. The malware also harvests payment card data and is spread via spam or drive-by attacks.

“Most of the recent spam campaigns abuse legitimate brands which are known globally and thus trusted in most countries, which incites users to click and activate the malicious code,” Kruse said.

Zeus’ peer-to-peer version arrived on the scene shortly after source code for the Trojan was leaked online in 2011. It’s sold primarily as a service in underground forums and is hosted on bulletproof hosting infrastructure.

A dropper known as Upatre is usually the vehicle for Zeus infections via spam. In February, a researcher at the University of Alabama published information about how Upatre uses encryption to disguise Zeus’ presence and avoid detection by signature-based defenses. The dropper changes the .exe files it downloads to .enc. Once a user opens the malicious .zip attachment in a spam or phishing message, the .enc files are fetched from the Internet, renamed and then executed.
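The download-rename-execute sequence described above leaves two observable traces on a defended network: a web request for a resource with a .enc extension, and, shortly afterwards on the same host, a new process starting from a user-writable temp directory. The following is an added detection sketch, not code from the article or from any vendor named in it; the proxy and endpoint log formats, the field layout, the hostnames and the five-minute correlation window are all assumptions constructed for this illustration.

```python
"""Correlate .enc downloads with subsequent temp-directory executions.

Added example (not from the article): parses constructed web-proxy log lines
and constructed endpoint process-creation events, then flags any host that
fetches a ".enc" resource and starts a new executable from a temp directory
within a configurable window. Log formats and field names are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines: "<ISO time> <client-host> <method> <url> <status>"
PROXY_LOGS = """\
2014-04-07T09:12:01 ws-017 GET http://cdn.example.net/img/logo.png 200
2014-04-07T09:12:44 ws-017 GET http://update.example-host.net/files/rec.enc 200
2014-04-07T09:13:05 ws-042 GET http://intranet.example.local/index.html 200
2014-04-07T09:14:10 ws-042 GET http://mirror.example.org/setup.enc 200
"""

# Constructed endpoint events: "<ISO time> <host> PROCESS_CREATE <image path>"
PROCESS_LOGS = """\
2014-04-07T09:12:50 ws-017 PROCESS_CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\budha.exe
2014-04-07T09:13:20 ws-042 PROCESS_CREATE C:\\Program Files\\Editor\\editor.exe
2014-04-07T09:20:00 ws-042 PROCESS_CREATE C:\\Users\\bob\\AppData\\Local\\Temp\\xyz.exe
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PROC_RE = re.compile(r"^(\S+) (\S+) PROCESS_CREATE (.+)$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)  # assumed temp-path marker
WINDOW = timedelta(minutes=5)  # assumed correlation window


def enc_downloads(log_text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Return {host: [(time, url), ...]} for successful fetches of .enc resources."""
    hits: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, host, _method, url, status = m.groups()
        if status != "200":
            continue  # only completed downloads matter here
        if urlparse(url).path.lower().endswith(".enc"):
            hits[host].append((datetime.fromisoformat(ts), url))
    return hits


def temp_executions(log_text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Return {host: [(time, image), ...]} for processes started from a temp directory."""
    procs: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        ts, host, image = m.groups()
        if TEMP_DIR_RE.search(image):
            procs[host].append((datetime.fromisoformat(ts), image))
    return procs


def correlate(proxy_text: str, proc_text: str, window: timedelta = WINDOW) -> list[dict]:
    """Flag hosts where a .enc download is followed, within `window`, by a
    process start from a temp directory. Returns one alert per matching pair."""
    alerts: list[dict] = []
    downloads = enc_downloads(proxy_text)
    procs = temp_executions(proc_text)
    for host, fetches in downloads.items():
        for dl_time, url in fetches:
            for exec_time, image in procs.get(host, []):
                if dl_time <= exec_time <= dl_time + window:
                    alerts.append({
                        "host": host,
                        "downloaded": dl_time.isoformat(),
                        "url": url,
                        "image": image,
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROXY_LOGS, PROCESS_LOGS):
        print(f"ALERT {alert['host']}: {alert['url']} -> {alert['image']}")
```

With the constructed data, ws-017 is flagged (the temp-directory process starts six seconds after the .enc fetch) while ws-042 is not, because its temp-directory execution comes almost six minutes after the download; widening the window to ten minutes flags both. The window is the knob to tune against your own baseline of legitimate .enc downloads and temp-directory launches.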

This activity followed a massive spike in Upatre infections reported by Microsoft last November; Microsoft said Upatre was also being delivered in exploit kits targeting Java and PDF vulnerabilities.

Last month, researchers at Comodo reported discovering 200 samples of a Zeus variant signed with an authentic digital certificate from Swiss software company Isonet AG. Disguised as an Internet Explorer document, the Zeus variant targets banking credentials similarly to its predecessors, but also downloads rootkit components that are installed in the compromised system’s Boot Bus Extender, hiding malicious files from detection.

“The masterminds behind [Zeus] have clearly obtained technical knowledge and experience in takedowns and have made this botnet much more robust and stable as compared to other threats we are monitoring,” Kruse said. “ZeuS P2P supports both UDP and TCP for communication tasks including peer list exchange, Command & Control (C&C) server registration and malware updates.”
