The Zeus malware family continues to plague the Internet, reemerging with a vengeance over the past few months, security researchers have warned.
Zeus is one of the best-known malware families in the security community and is designed to steal victims’ bank details. It can do all kinds of nasty things, including web injects that trick users into entering details into portions of websites they believe are genuine.
Also known as ZBOT, Zeus surged in activity in February, having been relatively quiet the month before, as seen in a chart published by Trend Micro.
The malware connects to a remote site to download its encrypted configuration file, which tells Zeus what websites to monitor and the site where it will send the pilfered data.
“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers,” Trend wrote in its blog post.
“Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.”
Trend said the most common variants of Zeus today are Citadel and GameOver.
“What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these,” the firm added.
Indeed, a number of old threats have re-emerged in recent months, armed with new code to avoid detection.
The Pushdo malware, an old threat that delivers malicious emails with links to websites that chuck banking trojans at machines, has been particularly active in recent months, with new strains containing clever code to mask the crooks’ command and control activity.
It now queries several legitimate websites to make its C&C traffic blend in with regular traffic, according to research from Dell Secureworks and Damballa, which noted other dissimulation techniques.
“This latest version has a fall-back C&C mechanism that is based upon a domain name generation algorithm (DGA). So if the malware cannot successfully resolve any of the domains that are hard coded into it, it will start using the DGA in an effort to connect to the currently active DGA C&C,” Secureworks explained in a recent report.
They also used a fake JPEG image, encoding it with Base64 and embedding it in an HTML comment tag, to deliver the encrypted payloads, typically the Cutwail malware. The payloads are also encrypted with a 1024-bit RSA key.
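As an added, defender-side illustration of the delivery trick just described (this is not code from the article, Trend Micro, Secureworks or Damballa): a small scanner that pulls long Base64 runs out of HTML comments, decodes them and reports whether the bytes begin with a JPEG header, so a blob that claims to be an image but is not, or any large blob hidden in a comment at all, can be flagged for review. The sample HTML, the embedded blobs and the size thresholds are constructed assumptions.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Heuristic thresholds (assumptions): a run of at least 300 Base64 characters
# that decodes to at least 256 bytes is large enough to be worth a look.
MIN_B64_CHARS = 300
MIN_DECODED_BYTES = 256
JPEG_MAGIC = b"\xff\xd8\xff"  # start-of-image marker of a real JPEG file

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Base64 alphabet, tolerating line breaks and spaces inside the run.
B64_RUN_RE = re.compile(r"(?:[A-Za-z0-9+/]\s*){%d,}={0,2}" % MIN_B64_CHARS)


@dataclass
class Finding:
    offset: int          # position of the <!-- in the HTML
    decoded_len: int     # size of the decoded blob in bytes
    looks_like_jpeg: bool  # decoded bytes start with the JPEG magic


def scan_html_comments(html: str) -> list[Finding]:
    """Return one Finding per large Base64 blob found inside an HTML comment."""
    findings = []
    for comment in COMMENT_RE.finditer(html):
        for run in B64_RUN_RE.finditer(comment.group(1)):
            text = re.sub(r"\s+", "", run.group(0))
            try:
                data = base64.b64decode(text, validate=True)
            except binascii.Error:
                continue  # not valid Base64 after all, e.g. ordinary prose
            if len(data) < MIN_DECODED_BYTES:
                continue
            findings.append(Finding(comment.start(), len(data), data.startswith(JPEG_MAGIC)))
    return findings


# Constructed sample: a harmless comment, a blob wearing a JPEG header (a "fake
# image"), and a bare blob with no image header. Neither blob is real malware.
_STAND_IN = bytes(range(256)) * 2            # 512 bytes of filler, not a payload
_FAKE_JPEG = JPEG_MAGIC + _STAND_IN          # 515 bytes, JPEG magic but no image
SAMPLE_HTML = (
    "<html><body><!-- page generated by the CMS -->\n<p>Hello</p>\n"
    "<!-- [cached]\n" + base64.b64encode(_FAKE_JPEG).decode() + "\n-->\n"
    "<!-- " + base64.b64encode(_STAND_IN).decode() + " -->\n</body></html>"
)

if __name__ == "__main__":
    for f in scan_html_comments(SAMPLE_HTML):
        print(f"comment at {f.offset}: {f.decoded_len} bytes, jpeg header={f.looks_like_jpeg}")
```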
Researchers found more than one million unique IPs were connected to the Pushdo operation.