Zeus Trojan Purveyors Change Tactics

By Brian Prince  |  Posted 2009-08-31 Print this article Print

This Zeus doesn't call Mount Olympus home, but has found a resting place on millions of PCs.

The Zeus Trojan, otherwise known as ZBot, is widely available for purchase in the cyber-underground. Zeus was linked to a campaign that stole thousands of FTP credentials in an effort to compromise a number of high-profile Websites -- including sites belonging to Symantec, Bank of America and Amazon.com.

Now, the Trojan's purveyors are adopting a new tactic to help their data-stealing efforts. Over at RSA's FraudAction Research Lab, researchers say cyber-crooks are now using the Jabber IM open protocol as a way to quickly transmit stolen user credentials.

"The Jabber IM modules that have been built into these particular Trojans were configured to extract stolen user credentials from the Zeus Trojan's 'drop' server database -- and then immediately send those credentials to the online criminal, wherever he may be," the RSA researcher wrote in the RSA Online Fraud Report released Aug. 27.

Stolen data is not necessarily available to the cyber-crook in real time -- the attacker may reside in another part of the world or may not be connected to the server 24 hours a day, the report continued. For that reason, criminals are using the Jabber IM module to automatically forward and receive stolen credentials as soon as they are harvested.

"Each of the Jabber IM modules detected by the RSA FraudAction Research Lab was configured to perform a different set of actions and was essentially 'customized' according to the criminals' preferences," the RSA report said. "A typical Zeus Trojan drop server holds stolen information belonging to users with computers infected by the Trojan, and these users consist of customers of numerous financial institutions as well as other targeted organizations."

The idea of using Jabber IM modules is not new. The infamous Sinowal gang used a Jabber module as early as 2008 to receive real-time notification of newly collected credentials and log-in attempts by infected users.

"Real-time notifications enabled Sinowal's operators to leverage online banking credentials, which the gang then leveraged to complete transactions during a live session," the report said.

Still, the move is new for Zeus, which according to security company Fortinet experienced a surge of activity on July 24. That particular day, the Zeus Trojan posted record detection levels for a single-day run, surpassing those of not only the Sober worm in January 2006, but also the infamous Storm worm in January 2007.

"The variant flooded on this day ... was HTML/Agent.E: in fact a ZBot variant attached in a MIME [Multipurpose Internet Mail Extension] sample (e-mail)," the report said. "This e-mail seeding campaign once again -- as we reported in June this year -- used a simple e-card social engineering hook."

The campaign helped catapult Zeus to No. 2 on Fortinet's list of Top 10 malware during July 21 to Aug. 20 -- a slightly less distinguished Mount Olympus, but one nonetheless.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel