Zeus Trojan Merger with SpyEye, Other Banking Malware Worry Researchers

The developers behind the Zeus and SpyEye Trojans have joined forces to create one major botnet, with sophisticated capabilities to attack user bank accounts, according to security researchers. 

Malware authors aren't sitting still as law enforcement officials arrest cyber-gangs stealing millions of dollars from compromised bank accounts. There is a lot of financial incentive to target bank accounts, said Randy Abrams, director of technical education at ESET, more so than gaming Trojans, which are actually the most common type of malware that researchers see. 

"The heat is getting strong on Zeus," said Abrams, referring to the recent streak of arrests shutting down Zeus botnets worldwide. "Zeus and SpyEye have definitely merged," he said. 

However, the merger "is not the big story," said Abrams, pointing out there are other Zeus variants that are as dangerous, such as Feodo, which has the ability to deliver a payload that attacks over a dozen banking institutions. 

Security researchers are alarmed about URLZone, which can transfer money out of an account and manipulates the browser to keep showing the user the original balance. A Trojan called Ares is also making the rounds, with the developer claiming "it has the same banking capabilities as Zeus and SpyEye," according to German anti-malware company G-Data Software. 

According to novirusthanks.org, SpyEye works in stealth mode, is invisible from the task manager and other user-mode applications, hides the files from the regular explorer searches, and also hides its registry keys. It can grab data entered in a Web form and automates getting money from stolen credit cards. 

There are a lot of "insiders cooperating, and lots of mind power," said Abrams. It is difficult to speculate whether the merger is a joint collaboration or if it was a political move where the Zeus author was forced to merge because Zeus was under attack, he said. 

Banking malware relies on stealth and sophisticated techniques to compromise users. The gaming Trojans, in contrast, steal passwords using simple social engineering methods, he said. 

However, there is nothing remarkably new in the merged variant, as it employs tactics such as social engineering, the man-in-the-middle-attack or combining mobile malware with PC malware, said Abrams. The man-in-the-middle attack refers to malware authors getting around SSL encryption by infecting the user's PC. Despite strong encryption, if it's the user PC that is infected, then whatever the user sees, the criminals can also see, he said. The combined attack can take the form of intercepting SMS messages from banks on the mobile phone. 

The older, original Zeus Trojan is not going away, Abrams said. Botnets running the older Zeus code will continue their attacks alongside the new Zeus/SpyEye variant. While it was possible that the Zeus Trojan would be updated with new capabilities, "like any software company, they will focus on the new version," he said. 

There has to be "more rigorous" security around online banking and a focus on regulations worldwide, not just the United States, said Abrams. But as long as small businesses and users bear the brunt of these attacks, banks are not likely to make the significant security investment required, he said. 

Abrams suggested that users dedicate a separate PC for online banking, one that is never used for e-mail or surfing the Web. The operating system and browser should be regularly patched and kept up to date to foil any remote attacks looking for open vulnerabilities as well as running a firewall, he said.

Many users are planning to upgrade to brand-new computers during the holiday season, so instead of throwing away the old computers, users should think about turning them into dedicated banking PCs, he said. "Older computers, Pentium 2 machines are enough for banking, as long as they can run an operating system and a supported browser," said Abrams. 

A Linux bootable CD would be the most secure, but many banking Websites rely heavily on Active X and won't work properly, he said.