Zeus’ Reach Expands With New Webinjects
by Michael Mimoso
The Zeus financial malware may be old, but it’s hardly slowing down. The peer-to-peer version of the prolific Trojan was especially busy in the first quarter with infections reported by banks in 10 countries that previously had eluded Zeus’ reach.
Danish firm CSIS Security said the gang behind the peer-to-peer Zeus variant, also known as Gameover, used new Webinjects against 1,515 unique targets during the first three months of the year, a noteworthy jump from fewer than 1,100 in January 2014.
Peter Kruse, partner and security specialist at CSIS, said most of the new targets were banks and financial institutions in Africa, the Middle East, Asia and Europe. “Most of which were never hit before by malware like this,” Kruse said. “Thus are likely to take significant losses.” Kruse said the gangs maintaining and selling Zeus keep improving the Webinjects, which are pushed to already-infected computers on the fly. Zeus primarily steals online banking credentials, injecting phony log-in content, tailored to the victim’s particular bank, into pages the victim’s browser renders.
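To make the Webinject mechanism concrete, here is an added example (not code from the article, from CSIS, or from any Zeus build) of what a Zeus-style Webinject does to a served bank page. It assumes the classic Zeus config layout (set_url with * masks, then data_before / data_inject / data_after blocks each closed by data_end) and the commonly documented semantics that the page text between the "before" and "after" anchors is replaced by the inject body; the bank domain, the login page and the PIN field being injected are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed inject in the classic Zeus webinject layout: sample data written for
# this example, not a real Gameover configuration.
SAMPLE_INJECT_CONFIG = """
set_url https://*.example-bank.test/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>ATM PIN</label><input type="text" name="atm_pin">
data_end
data_after
<button
data_end
"""

# Constructed stand-in for a bank login page as the browser receives it.
SAMPLE_PAGE = """<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<button type="submit">Sign in</button>
</form>"""


@dataclass
class WebInject:
    url_pattern: str   # URL mask with * wildcards, from set_url
    flags: str         # e.g. GP = apply to responses to GET and POST
    before: str = ""   # page text after which the inject starts
    inject: str = ""   # HTML the victim will see
    after: str = ""    # page text before which the inject ends


def parse_injects(text: str) -> list:
    """Parse set_url / data_before / data_inject / data_after / data_end blocks."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            parts = stripped.split()
            current = WebInject(url_pattern=parts[1],
                                flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[len("data_"):], []
        elif stripped == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf).strip())
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def mask_to_regex(mask: str) -> re.Pattern:
    """Turn a Zeus-style mask (* = any text) into a regex."""
    return re.compile(".*?".join(re.escape(p) for p in mask.split("*")), re.DOTALL)


def url_matches(inject: WebInject, url: str) -> bool:
    return mask_to_regex(inject.url_pattern).fullmatch(url) is not None


def apply_inject(inject: WebInject, html: str) -> tuple:
    """Replace the text between 'before' and 'after' with the inject body.

    With no 'after' anchor the body is simply inserted after 'before'.
    Returns (new_html, changed). Newlines are padded so the result stays readable.
    """
    start = 0
    if inject.before:
        m = mask_to_regex(inject.before).search(html)
        if m is None:
            return html, False
        start = m.end()
    end = start
    if inject.after:
        m2 = mask_to_regex(inject.after).search(html, start)
        if m2 is None:
            return html, False
        end = m2.start()
    return html[:start] + "\n" + inject.inject + "\n" + html[end:], True


if __name__ == "__main__":
    inj = parse_injects(SAMPLE_INJECT_CONFIG)[0]
    if url_matches(inj, "https://www.example-bank.test/login?next=/accounts"):
        print(apply_inject(inj, SAMPLE_PAGE)[0])
```

The point for defenders is that the server never sees the extra field: the HTML is altered inside the infected browser after TLS has been stripped, so the phony PIN prompt sits on the bank's genuine, correctly-signed page.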
The malware also harvests payment card data and is spread via spam or drive-by attacks. “Most of the recent spam campaigns abuse legitimate brands which are known globally and thus trusted in most countries, which incites users to click and activate the malicious code,” Kruse said.

Zeus’ peer-to-peer version arrived on the scene shortly after source code for the Trojan was leaked online in 2011. It is sold primarily as a service on underground forums and is hosted on bulletproof hosting infrastructure.

A dropper known as Upatre is usually the vehicle for Zeus infections via spam. In February, a researcher at the University of Alabama published details of how Upatre uses encryption to disguise the Zeus payload and evade signature-based defenses: the executables it downloads are delivered with an .enc extension rather than .exe, so the bytes on the wire do not look like a Windows program. Once a user opens the malicious .zip attachment from a spam or phishing message, the .enc files are fetched from the Internet, decoded, given new file names and executed.
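As an added example (not from the article or the researcher’s write-up), the following Python shows the kind of content-based check a defender can apply to a downloaded payload instead of trusting its extension: it looks for a genuine PE header, and otherwise measures byte entropy to flag an opaque blob such as a renamed .enc file that a signature scanner would pass over. The keystream cipher used to produce the sample is a stand-in written for this example, not Upatre’s real encoding, and the PE-shaped blob and key are constructed.

```python
import hashlib
import math
import os
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for a typical PE."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ stub and the PE\\0\\0 signature that e_lfanew (offset 0x3C) points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(filename: str, data: bytes) -> str:
    """Classify by content first; the extension only decides whether a PE is disguised."""
    ext = os.path.splitext(filename)[1].lower()
    if looks_like_pe(data):
        return "pe" if ext == ".exe" else "pe-with-mismatched-extension"
    if len(data) >= 256 and shannon_entropy(data) > 7.0:
        return "opaque-high-entropy"
    return "other"


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher for the example (NOT Upatre's scheme): XOR with a SHA-256 counter
    keystream, so the encoded bytes look uniformly random. Symmetric, so it also decodes."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("<I", offset // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


# Constructed minimal PE-shaped blob: MZ stub, e_lfanew -> "PE\0\0", low-entropy filler.
SAMPLE_PE = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
             + b"This program cannot be run in DOS mode.\r\n" + b"\x90" * 2048)
SAMPLE_KEY = b"example-key"          # constructed key for the example
SAMPLE_ENC = xor_keystream(SAMPLE_PE, SAMPLE_KEY)   # what a downloaded .enc might look like


if __name__ == "__main__":
    for name, blob in (("payload.exe", SAMPLE_PE), ("payload.enc", SAMPLE_PE),
                       ("payload.enc", SAMPLE_ENC), ("notes.txt", b"just some text")):
        print(f"{name:12s} entropy={shannon_entropy(blob):.2f} -> {classify(name, blob)}")
    print("decoded:", classify("payload.exe", xor_keystream(SAMPLE_ENC, SAMPLE_KEY)))
```

The encoded download scores as an opaque high-entropy blob rather than a PE, which is exactly why a byte-signature engine has nothing to match; the executable only becomes recognisable after the dropper decodes and renames it, so the useful detection points are the .enc fetch itself, the entropy of what arrived, and the subsequent rename-then-execute on the endpoint.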