Shortly after the source code for the Zeus banking Trojan was leaked earlier this year, security researchers predicted malware developers would add Zeus features to existing malware to create complex and sophisticated variants. Researchers identified two such samples this week.
Portions of Zeus code appear to have been added to a computer worm called Ramnit, first identified in January 2010, Ayelet Heyman, senior malware researcher for Trusteer, wrote in a blog post Aug. 23. A password-stealing, file-infecting worm that spreads via networked drives, Ramnit is highly prolific. Symantec found that Ramnit accounted for 17.3 percent of all malicious software the company detected in July.
The other recently identified sample is a crimeware kit based on the leaked Zeus code. Sold in the criminal underground for $1,800, Ice IX is “the first new generation of Web applications developed to manage centralized botnets through the HTTP protocol based on leaked Zeus source code,” Jorge Mieres, a malware analyst with Kaspersky Lab, wrote on the Securelist blog Aug. 23.
Like Zeus, Ice IX is designed to steal banking information. Mieres said this “modified version of Zeus” has been in the wild since the beginning of the year. At least one example of a data-stealing botnet based on this malware has been discovered on Amazon Elastic Compute Cloud (EC2), Mieres said.
The new Ramnit strain took the code injection capability from Zeus to be able to modify Web pages on the fly as they are being displayed on the user’s Web browser. Zeus used the man-in-the-browser Web injection module to modify banking sites and circumvent some of the security measures used by financial institutions, such as two-factor authentication and transaction signing systems, to protect online banking sessions. While Trusteer has identified that Ramnit is using the MitB module, the team is still analyzing what other modules have been added.
A worm is a type of malware that secretly integrates itself into program or data files and infects more files each time the host program is run. The original Ramnit worm could infect Windows executables, HTML files and documents, Heyman said. Trusteer researchers discovered a “few weeks ago” that Ramnit had “morphed” into financial malware and was used to commit financial fraud, according to Heyman.
Researchers found that Ramnit supported “all basic features required for well-bred financial malware,” said Heyman.
Ramnit communicates continuously and securely over SSL with a command-and-control server in Germany to report its status and receive configuration updates. The MitB Web injection module lets the enhanced worm modify Web pages in a covert manner, such as changing the balance amount, inserting additional transactions on the page, or adding new textboxes to phish private details from victims.
Ramnit’s configuration format is similar to the format used by both Zeus and SpyEye, Heyman said.
“It is clear that from now on, more new crimeware will be based on Zeus code,” Kaspersky’s Mieres said. Cyber-criminals will begin to create their own versions of malware with components borrowed from Zeus in hopes of quick profit, Mieres said.
“Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program-old or new,” Amit Klein, CTO of Trusteer said. The malware distribution channel has increased “in scale,” said Klein.
With the copy protection on the SpyEye crimeware kit also cracked and readily available on the underground market, it is likely that there will be more ordinary malware made dangerous by taking on components from both Zeus and SpyEye.