Cyber-criminals are launching Zeus-like scams with the Blackhole kit by using mass email messages to infect users. Zeus isn't standing still as it adds new features of its own.
The Blackhole exploit kit is increasingly mimicking some of the attack techniques initially popularized by Zeus, AppRiver researchers said. Traditionally used to infect legitimate Websites to launch drive-by-download attacks, Blackhole is beginning to employ mass email and other attack methods used by the Zeus and SpyEye crimeware kits, Fred Touchette, senior security analyst for AppRiver, wrote on the company blog.
People using the Blackhole kit previously relied on techniques such as SEO poisoning to direct victims to their sites, but they are now beginning to use mass email, according to Touchette. Mass email messages claiming to be from the IRS or delivery notification messages have usually been part of the Zeus repertoire, he said.
AppRiver researchers first noticed the change earlier this month after the death of Apple founder Steve Jobs. Malicious emails were sent to users with subject lines such as "Steve Jobs Alive!" containing a link that sent users to a Blackhole-enabled Website, according to Touchette.
Another recent phishing scam, masquerading as email notifications sent from an HP OfficeJet printer, has sent out nearly 8 million messages and used more than 2,000 domains to serve up malware, AppRiver researchers found. The campaign worked like Zeus in that the malicious site checked the user's Web browser and operating system to serve up a customized payload exploiting unpatched Java and Adobe vulnerabilities in the browser, according to Touchette.
Blackhole used to be a high-end crimeware kit, costing about $1,500 for a one-year license on underground forums. The high price kept "the rookies away" and allowed operators to launch their scams "relatively under the radar," according to Touchette. Similar to what happened with Zeus and SpyEye earlier this year, a version of the toolkit was released for free in several forums in May, opening up the kit to less sophisticated criminals.
"We have been seeing a steady increase in the number of infections for which this kit is responsible," Touchette wrote.
While recent botnet takedown activities have significantly dropped spam volumes over the past three years, the volume of malicious emails remains high as botnet operators try to rebuild their networks, AppRiver researchers wrote in their monthly "Threat and Spamscape" report, released Oct. 17. In September, the malware surge maintained an average of more than 6 million pieces per day, with spikes of 18 million pieces a day earlier in the month, AppRiver found.
Crimeware toolkits are regularly updated as malware developers add new attack techniques and defensive mechanisms to stay ahead of security vendors and researchers. Researchers had speculated that the developer behind Zeus would no longer work on the banking crimeware kit as its code had been merged with SpyEye. However, in recent months, Zeus has been updated with new features that have not yet been added to SpyEye, leading researchers to believe that both teams are still active and going down different paths.
For example, researchers recently noticed a major upgrade to the banking Trojan featuring peer-to-peer (P2P) capabilities. Zeus previously featured a domain-generation algorithm that generated new URLs to push out malware and updates to infected machines. The P2P version uses a list of hard-coded IP addresses to communicate with the zombies. With all the updates distributed across several machines instead of being centralized on a master URL, it will become much more difficult to track the Trojan's activities or disrupt the botnet.
The recently disabled Kelihos botnet had some P2P capabilities.
Past attempts to take down the botnet have centered on shutting down the command-and-control servers that send out instructions to the bots and disabling the domain names used by the C&C servers. If the botmaster can use infected machines to update other machines, this kind of takedown becomes much more problematic.
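The two preceding paragraphs contrast a domain-generation algorithm, whose unresolved lookups give defenders a DNS-based handle, with a hard-coded peer list, which leaves nothing to disable at the domain level. The following added example (written for this page, not AppRiver's or any Zeus analysis code) runs the two corresponding detection heuristics over constructed sample logs: a DNS log in which one client burns through NXDOMAIN answers for random-looking names, and a connection log in which another client fans out to several external IPs on one port with no DNS answer behind the addresses. The log formats, the entropy and vowel-ratio thresholds, and the peer-count threshold are all assumptions chosen for this illustration.

```python
import math
from collections import defaultdict

# Constructed DNS log, one query per line: "client qname rcode".
DNS_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cloudfront-static.example.com NOERROR
10.0.0.5 wwww.example.com NXDOMAIN
10.0.0.7 qxv8kd2m1zp.com NXDOMAIN
10.0.0.7 t9r3kqpx0wld.net NXDOMAIN
10.0.0.7 zz4mkq8r1vhs.org NXDOMAIN
10.0.0.7 p2kx9dlmq7rt.com NXDOMAIN
10.0.0.7 update.example.com NOERROR
"""

# Constructed connection log: "client dst_ip dst_port dns_seen", where dns_seen
# is 'y' if a DNS answer the client received contained dst_ip, 'n' otherwise.
CONN_LOG = """\
10.0.0.5 93.184.216.34 443 y
10.0.0.9 198.51.100.12 7123 n
10.0.0.9 198.51.100.77 7123 n
10.0.0.9 203.0.113.5 7123 n
10.0.0.9 203.0.113.44 7123 n
10.0.0.9 192.0.2.18 7123 n
10.0.0.9 93.184.216.34 443 y
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str, min_len: int = 8, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic DGA test on the first label: long, high-entropy and vowel-poor.
    The thresholds are assumptions for this example, not published Zeus parameters."""
    label = domain.lower().split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_dga_hosts(dns_log: str, min_hits: int = 3) -> dict:
    """Clients with at least min_hits NXDOMAIN answers for generated-looking names.
    A DGA client queries many names that do not resolve yet; that stream of failed
    lookups is what lets defenders sinkhole or pre-register the next domains."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


def flag_peer_fanout(conn_log: str, min_peers: int = 4) -> dict:
    """Clients contacting at least min_peers distinct IPs on one port with no DNS
    answer behind the address. A hard-coded peer list leaves no domain to disable,
    so the signal has to come from traffic shape rather than from DNS."""
    peers = defaultdict(lambda: defaultdict(set))
    for line in conn_log.splitlines():
        client, dst_ip, dst_port, dns_seen = line.split()
        if dns_seen == "n":
            peers[client][dst_port].add(dst_ip)
    flagged = {}
    for client, by_port in peers.items():
        for port, ips in by_port.items():
            if len(ips) >= min_peers:
                flagged[client] = (port, sorted(ips))
    return flagged


if __name__ == "__main__":
    print("DGA-style clients:", flag_dga_hosts(DNS_LOG))
    print("Peer fan-out clients:", flag_peer_fanout(CONN_LOG))
```

On the constructed input, 10.0.0.7 is flagged by the DNS heuristic (four NXDOMAIN answers for vowel-free, high-entropy labels) while the typo lookup from 10.0.0.5 is not, and 10.0.0.9 is flagged by the fan-out heuristic for five direct-to-IP connections on port 7123. In practice both checks produce leads rather than verdicts: CDN hostnames can look random, and legitimate P2P software also fans out without DNS, so the thresholds need tuning against a baseline of the monitored network.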