Cyber-criminals are launching Zeus-like scams with the Blackhole kit by using mass email messages to infect users. Zeus isn't standing still as it adds new features of its own.
is increasingly mimicking some of the attack techniques
initially popularized by Zeus, AppRiver researchers said.
Traditionally used to infect
legitimate Websites to launch drive-by-download attacks, Blackhole is beginning
to employ mass email and other attack methods used by Zeus and SpyEye crimeware
kits, Fred Touchette, senior security analyst for AppRiver, wrote on the
People using the Blackhole
kit previously relied on techniques such as SEO poisoning to direct victims to
their sites, but they are now beginning to use mass email, according to
Touchette. Mass email messages claiming to be from the IRS or delivery
notification messages have usually been part of the Zeus repertoire, he said.
AppRiver researchers first
noticed the change earlier this month after the death
of Apple founder Steve Jobs
. Malicious emails were sent to users with
subject lines such as "Steve Jobs Alive!" containing a link that sent
users to a Blackhole-enabled Website, according to Touchette.
Another recent phishing scam
masqueraded as email notifications sent from an HP OfficeJet printer has sent
out nearly 8 million messages and used more than 2,000 domains to serve up
malware, AppRiver researchers found. The campaign worked like Zeus in that the
malicious site checked the user's Web browser and operating system to serve up
customized payload exploiting unpatched Java and Adobe vulnerabilities in the
browser, according to Touchette.
Blackhole used to be a
high-end crimeware kit, costing about $1,500 for a one-year license on
underground forums. The high price kept "the rookies away" and
allowed operators to launch their scams "relatively under the radar,"
according to Touchette. Similar to what happened with Zeus and SpyEye earlier this
year, a version of the toolkit was released for free in several forums in May,
opening up the kit to less sophisticated criminals.
"We have been seeing a
steady increase in the number of infections for which this kit is
responsible," Touchette wrote.
While recent botnet
have significantly dropped spam volumes over the past
three years, the volume of malicious emails remains high as botnet operators
try to rebuild their network, AppRiver researchers wrote in their monthly "Threat
report, released Oct. 17. In September, the malware
surge maintained an average of more than 6 million pieces per day with spikes
of 18 million pieces a day earlier in the month, AppRiver found.
Crimeware toolkits are
regularly updated as malware developers add new attack techniques and defensive
mechanisms to stay ahead of security vendors and researchers. Researchers had
speculated that the developer behind Zeus would no longer work on the banking
crimeware kit as its code had been merged with SpyEye. However, in recent
months, Zeus has been updated with new features that have not yet been added to
SpyEye, leading researchers to believe that both teams are still active and
going down different paths.
For example, researchers recently
noticed a major upgrade to the banking Trojan featuring peer-to-peer (P2P) capabilities.
Zeus previously featured a domain-generation algorithm that generated new URLs
to push out malware and updates to infected machines. The P2P version uses a
list of hard-coded IP addresses to communicate with the zombies. With all the
updates distributed across several machines instead of being centralized on a
master URL, it will become much more difficult to track the Trojan's activities
or disrupt the botnet.
disabled Kelihos botnet
had some P2P capabilities.
Past attempts to take down
the botnet have centered on
shutting down the command-and-control servers
that send out instructions to
the bots and disable the domain names used by the C&C servers. If the
botmaster can use infected machines to update other machines, this kind of
takedown becomes much more problematic.