NOTORIOUS BANKING TROJAN Zeus is back in another variant, security firm Malwarebytes has warned.
Dubbed ZeusVM, the modded version of the infamous Trojan is being distributed in many different ways, but typically through phishing
emails or web-based attacks, including "malvertising", whereby people
are infected by visiting websites containing malicious ads.
"The Zeus/Zbot Trojan is one of the most notorious banking Trojans ever
created; it's so popular it gave birth to many offshoots and copycats," Malwarebytes said.
"The particularity of Zeus is that it acts as a 'man in the browser',
allowing cyber-crooks to collect personal information from its victims
as well as to surreptitiously perform online transactions.
"A new variant of this Trojan, dubbed ZeusVM, is using images as a
decoy to retrieve its configuration file, a vital piece for its proper
operation."
Malwarebytes senior security researcher Jerome Segura explained that
the malware has several parts. The main executable, the bot, installs
itself on the victim's computer and makes sure it is relaunched at every
reboot; it then checks in with its command and control server at regular
intervals for new instructions while monitoring what the user does.
"The JPG contains the malware configuration file which is essentially
a list of scripts and financial institutions - but doesn't need to be
opened by the victim themselves," Segura said.
"In fact, the JPEG itself has very little visibility to the user and
is largely a cloaking technique to ensure it is undetected from a security software standpoint."
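The article says only that the configuration travels inside a JPEG that the victim never has to open; it does not say where in the file it lives. A common way to do this is to append the payload after the image data, so a useful triage check is to walk the JPEG marker structure to the real End-Of-Image marker (FF D9) and report anything that follows it. The example below is added here and is not code from the article or from Malwarebytes; the sample JPEG and the "hidden config" bytes are constructed for the example, and the assumption that the payload is appended after EOI is exactly that, an assumption. It also shows why simply searching for the last FF D9 is not good enough: a payload (or a comment segment) may itself contain those two bytes.

```python
import struct

def jpeg_eoi_offset(data: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past EOI (FF D9).

    Walking segments, rather than searching for the last FF D9, means a payload
    that itself contains FF D9 (or a comment segment that does) cannot fool us.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:      # skip fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated JPEG")
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:                        # EOI: image proper ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                              # standalone markers, no length field
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            # Inside scan data 0xFF is byte-stuffed as FF 00, and FF D0..D7 are
            # restart markers; the first other FF xx is the next real marker.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper; an empty result is the normal case."""
    return data[jpeg_eoi_offset(data):]

def naive_trailing(data: bytes) -> bytes:
    """The tempting shortcut: everything after the *last* FF D9. Shown for contrast."""
    return data[data.rfind(b"\xff\xd9") + 2:]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed, structurally valid (not viewable) 8x8 JPEG used as sample input.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xFE, b"comment holding a decoy EOI \xff\xd9 inside")   # COM segment
    + _seg(0xDB, b"\x00" + bytes(64))                                # DQT
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")           # SOF0
    + _seg(0xC4, b"\x00" + bytes(16))                                # DHT
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"     # scan data: stuffed FF 00 and an RST0
    + b"\xff\xd9"
)
# Constructed stand-in for an appended config; note it contains FF D9 as well.
HIDDEN_CONFIG = b"set_url https://bank.example/login* GP\n\xff\xd9 end"

def check_image(data: bytes) -> dict:
    """Report whether a JPEG carries a trailer, as a simple triage check."""
    eoi = jpeg_eoi_offset(data)
    return {"image_bytes": eoi, "trailing_bytes": len(data) - eoi, "suspicious": eoi < len(data)}

if __name__ == "__main__":
    print(check_image(SAMPLE_JPEG))
    print(check_image(SAMPLE_JPEG + HIDDEN_CONFIG))
```

A trailer is not proof of malice (some cameras and editors append harmless data), so treat a non-empty result as a reason to look closer, not as a verdict; the real ZeusVM trailer was also encrypted, so do not expect to read it in the clear.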
This enables a 'man in the browser' attack where everything the
victim does while browsing can be intercepted and modified at will.
"Visiting certain URLs, such as a bank website, will trigger an alert
and the Trojan will start interacting in real-time. For example, it
will alter the login page and ask for additional personal details, which
it does using a technique known as 'webinjects', where code is injected
directly into the browser, changing the webpage in real time," he
added.
It can also perform wire transfers while the victim is logged in,
Segura said, and even alter the appearance of the current account
balance to ensure that it remains unnoticed.
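The passage above describes webinjects in prose only. The example below, added here and not code from the article or from Malwarebytes, simulates the mechanism end to end: it parses a rule in the widely documented Zeus "webinjects" text format (set_url / data_before / data_inject / data_after, with `*` as a wildcard), rewrites a login page the way the bot would before the browser renders it, and then runs the simplest defender-side check, comparing the input fields the server sent against the fields the user actually sees. The rule, the bank hostname and the HTML are all constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Constructed Zeus-style webinject rule: on the login page, right after the
# password box, add two extra "verification" fields that the bank never asked for.
WEBINJECTS_TXT = """\
set_url https://online.bank.example/login* GP
data_before
<input type="password" name="passwd"*>
data_end
data_inject
<br>ATM PIN: <input type="password" name="atm_pin">
<br>Mother's maiden name: <input type="text" name="mmn">
data_end
data_after
data_end
"""

# Constructed page as the server sends it.
SERVED_LOGIN = """<form method="post" action="/login">
User: <input type="text" name="user">
Pass: <input type="password" name="passwd" autocomplete="off">
<input type="submit" value="Sign in">
</form>"""

def parse_webinjects(text: str) -> list:
    """Parse set_url / data_before / data_inject / data_after blocks into rules."""
    rules, cur, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            cur = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(cur)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end":
            if cur is not None and section is not None:
                cur[section] = "\n".join(buf)
            section, buf = None, []
        elif section is not None:
            buf.append(line)
    return rules

def _wild(pattern: str) -> re.Pattern:
    """'*' in data_before/data_after matches anything; everything else is literal."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.S)

def apply_webinjects(url: str, html: str, rules: list) -> str:
    """Rewrite html the way a man-in-the-browser does before the page is rendered."""
    for r in rules:
        if not fnmatchcase(url, r["url"]):
            continue
        m = _wild(r["data_before"]).search(html)
        if not m:
            continue
        start = end = m.end()
        if r["data_after"]:                      # replace up to data_after, else insert
            m2 = _wild(r["data_after"]).search(html, end)
            if not m2:
                continue
            end = m2.start()
        html = html[:start] + r["data_inject"] + html[end:]
    return html

_INPUT_NAME = re.compile(r"<input\b[^>]*\bname=[\"']([^\"']+)[\"']", re.I)

def input_names(html: str) -> set:
    return set(_INPUT_NAME.findall(html))

def unexpected_fields(served_html: str, rendered_html: str) -> list:
    """Form fields present in what the user sees but absent from what the server sent."""
    return sorted(input_names(rendered_html) - input_names(served_html))

if __name__ == "__main__":
    rules = parse_webinjects(WEBINJECTS_TXT)
    rendered = apply_webinjects("https://online.bank.example/login?lang=en", SERVED_LOGIN, rules)
    print(rendered)
    print("injected fields:", unexpected_fields(SERVED_LOGIN, rendered))
```

The comparison in `unexpected_fields` is the check a bank would like to run, but note its weakness: on an infected machine the bot sits between the page and the user and can rewrite the check's own JavaScript just as easily as the form, which is why the article's advice about timely detection and out-of-band confirmation of transactions matters more than client-side page integrity.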
Although most anti-malware products should detect banking Trojans, traditional anti-virus products might not.
"It only matters if the detection is timely. There's little use if
you have been infected for two days and your account has already been
depleted," the firm said, advising that observing basic security tips
like "not opening email attachments unless you are absolutely sure it is
safe" will help.
However, while Malwarebytes reported a new variant of the widely used
Zeus Trojan, security firm FireEye has said that attackers are dropping
off-the-shelf malware like Zeus in favour of more capable but harder to use
remote access Trojans (RATs) such as Xtreme RAT.
Xtreme RAT is a notorious RAT that has been freely available on a number
of underground markets since June 2010. It is dangerous because it gives an
attacker interactive control of the victim machine: a remote shell,
file upload and download, access to the registry, and the ability to
manipulate running processes and services.