
Zeus banking Trojan is back with another variant, ZeusVM

Uses images as a decoy to steal personal information
Wed Feb 19 2014, 12:22

NOTORIOUS BANKING TROJAN Zeus is back in another variant, security firm Malwarebytes has warned.

Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing emails or web-based attacks, including "malvertising", whereby people are infected by visiting websites containing malicious ads.

"The Zeus/Zbot Trojan is one of the most notorious banking Trojans ever created; it's so popular it gave birth to many offshoots and copycats," Malwarebytes said in a blog post.

"The particularity of Zeus is that it acts as a 'man in the browser', allowing cyber-crooks to collect personal information from its victims as well as to surreptitiously perform online transactions.

"A new variant of this Trojan, dubbed ZeusVM, is using images as a decoy to retrieve its configuration file, a vital piece for its proper operation."

Malwarebytes senior security researcher Jerome Segura explained that there are various parts to this piece of malware. While the main executable - the bot - will bury itself into your computer and ensure it is reactivated every time you reboot, at regular intervals it also checks with its command and control server for new instructions while monitoring user activity.

"The JPG contains the malware configuration file which is essentially a list of scripts and financial institutions - but doesn't need to be opened by the victim themselves," Segura said.

"In fact, the JPEG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint."
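The quote above says the configuration rides inside a JPEG that the victim never opens, so the file has to look like an ordinary image to anything that inspects it. One defensive check is to ask whether an image file carries more than an image. The example below is added here and is not code from the article or from Malwarebytes; it assumes the payload is appended after the JPEG's end-of-image (EOI) marker, which is an assumption about the embedding method since the article does not describe it. It walks the JPEG segment structure so that an Exif thumbnail's own EOI marker or the stuffed `FF 00` bytes inside scan data are not mistaken for the real end of the image, then reports any bytes that follow. The sample JPEG bytes and the appended blob are constructed for the example.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def find_eoi_end(data: bytes) -> int:
    """Return the offset just past the real EOI marker of a JPEG.

    The segment table is walked explicitly: length-prefixed segments (APPn,
    DQT, SOF, SOS, ...) are skipped by their declared length, so an embedded
    thumbnail's FF D9 inside an APP1 segment is never treated as the end of
    the outer image. Inside entropy-coded scan data, FF 00 (byte stuffing)
    and FF D0..D7 (restart markers) are skipped as well.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI outside scan data
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: scan data follows
            while pos + 1 < len(data):
                if data[pos] == 0xFF:
                    nxt = data[pos + 1]
                    if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                        pos += 2             # stuffed byte / restart marker
                        continue
                    if nxt == 0xD9:
                        return pos + 2       # the real end of image
                    break                    # another marker: back to segment walk
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Bytes that follow the real EOI marker (empty for a clean image)."""
    return data[find_eoi_end(data):]


def looks_like_carrier(data: bytes, min_trailing: int = 16) -> bool:
    """Heuristic: flag a JPEG with a non-trivial blob appended after EOI.

    A few padding bytes after EOI are common in benign files, hence the
    threshold; a config-sized blob is well above it.
    """
    return len(trailing_data(data)) >= min_trailing


# Constructed minimal JPEG: APP0, an APP1 segment holding a decoy
# SOI/EOI pair (as an Exif thumbnail would), an SOS segment with scan data
# containing a stuffed FF 00 and a restart marker, then the real EOI.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xe1" + struct.pack(">H", 12) + b"Exif\x00\x00" + SOI + EOI
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd1\x56"
    + EOI
)

# Constructed carrier: the same image with a fake, clearly labelled blob
# appended (not a real ZeusVM configuration).
CARRIER_JPEG = CLEAN_JPEG + b"\x00" * 4 + b"CONSTRUCTED-CONFIG-BLOB:" + b"\x13" * 40


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("carrier", CARRIER_JPEG)):
        extra = trailing_data(blob)
        print(f"{name}: {len(extra)} trailing byte(s), carrier={looks_like_carrier(blob)}")
```

Run on a real file, `looks_like_carrier(open(path, "rb").read())` gives a cheap triage signal for images pulled from proxy logs or mail attachments; the appended bytes themselves are usually encrypted, so the heuristic is about their presence and size, not their content.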

This enables a "man in the browser" attack where everything the victim does while browsing can be intercepted and modified at will.

"Visiting certain URLs, such as a bank website, will trigger an alert and the Trojan will start interacting in real-time. For example, it will alter the login page and ask for additional personal details, which it does using a technique known as 'webinjects', where code is injected directly into the browser, changing the webpage in real time," he added.

It can also perform wire transfers while the victim is logged in, Segura said, and even alter the appearance of the current account balance to ensure that it remains unnoticed.

Malwarebytes told The INQUIRER that although most anti-malware products should detect banking Trojans, traditional anti-virus software products might not.

"It only matters if the detection is timely. There's little use if you have been infected for two days and your account has already been depleted," the firm said, advising that observing basic security tips like "not opening email attachments unless you are absolutely sure it is safe" will help.

However, while Malwarebytes recorded a new variant of the popular Zeus Trojan, security firm FireEye has said that hackers are dropping standard malware like Zeus in favour of more advanced but harder to use remote access Trojans (RATs) such as Xtreme RAT.

Senior security researcher at FireEye, Narottama Villeneuve, reported uncovering the trend in a blog post, saying that the firm found that the majority of Xtreme RAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.

"This seems odd, considering [that] RATs require manual labour as opposed to automated banking Trojans," he said.

Xtreme RAT is a notorious RAT that has been freely available on a number of cyber black markets since June 2010. The RAT is dangerous as it can be used for a variety of purposes, including interacting with the victim machine via a remote shell, uploading and downloading files, interacting with the registry and manipulating running processes and services.
