The notorious ZeuS banking Trojan seems to be immortal, like its Greek god namesake. In December it was reported that a new 64-bit version of this banking credential stealer might soon be seen in the wild. This month there are two reports of ZeuS variants on the loose, each with its own trick for evading security software.
Earlier this month, analysts at the security research firm Malcovery spotted the Gameover variant of ZeuS being delivered as an encrypted file. Because the encrypted payload carries no executable header, scanners that look for executable content let it through.
As in the past, delivery relies on spam email. A .zip file attached to the message contains a small downloader called Upatre. Upatre fetches the encrypted file from the Internet, decrypts it, writes the resulting executable to a new location under a new filename, and schedules it to run later rather than launching it immediately.
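What "does not appear to be an executable" means in practice, shown as an added illustration (this is example code written for this article, not Upatre or a Malcovery tool): an encrypted blob has no recognisable file header, so a signature-based scanner sees nothing, but it is also near-maximum entropy, and that is itself a usable warning sign. The entropy threshold, the header list and the constructed sample inputs are assumptions made for the demo.

```python
import math
from collections import Counter

# Signatures of a few file types a downloaded payload might claim to be.
KNOWN_HEADERS = {
    b"MZ": "PE executable",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG": "PNG",
    b"PK\x03\x04": "ZIP",
    b"%PDF": "PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_header(data: bytes):
    """Name of the matching signature, or None if no known header is present."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return None


def triage(data: bytes, threshold: float = 7.5) -> dict:
    """Flag a blob that has no recognisable header but encryption-like entropy.

    The 7.5 bits/byte threshold is an assumption chosen for this demo.
    Compressed archives and real images also score high, which is why the
    header check is what keeps those from being flagged.
    """
    fmt = identify_header(data)
    ent = shannon_entropy(data)
    return {
        "format": fmt,
        "entropy": round(ent, 2),
        "suspicious": fmt is None and ent >= threshold,
    }


# Constructed samples (not real malware): a minimal PE stub, a plain-text file,
# and a stand-in for an encrypted payload in which every byte value is equally
# frequent, so it scores the maximum 8.0 bits per byte.
PE_STUB = b"MZ" + b"\x00" * 62
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog.\n" * 20
ENCRYPTED_LIKE = bytes(range(256)) * 8

if __name__ == "__main__":
    for name, blob in [("pe", PE_STUB), ("text", PLAIN_TEXT), ("enc", ENCRYPTED_LIKE)]:
        print(name, triage(blob))
```

The point of the check is not that high entropy proves malware (a TLS download or a zip file is equally random), but that a file that claims to be nothing in particular and still looks like ciphertext deserves a second look rather than a free pass.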
ZeuS is in the news again this week with word of a new delivery method, according to researchers at the firm Malwarebytes.
A variant called ZeusVM retrieves its configuration file, which lists the domains of the banks the malware targets, hidden inside a JPEG image. The image still opens as a normal picture, so security systems that judge the file by its type see only a harmless image. Hiding data inside an innocuous carrier file in this way is known as steganography.
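A small check for the ZeusVM trick, added here as example code (not Malwarebytes' analysis tooling and not the malware's own code): walk the JPEG marker structure to the End Of Image marker and report anything that follows it. The assumption in this example is that the hidden configuration is simply appended after the image data, which is the simplest way to produce a file that still renders as a valid picture; a real hidden configuration would normally be encrypted rather than plain text. The carrier image and the hidden text are constructed for the demo.

```python
# JPEG marker values used below.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def find_eoi(data: bytes) -> int:
    """Offset of the End Of Image marker, found by walking the marker segments.

    Returns -1 if the image is truncated before EOI. Raises ValueError if the
    data is not a JPEG at all.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes itself
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded scan data follows. Inside it, 0xFF is always followed
            # by 0x00 (byte stuffing) or by an RSTn marker; any other 0xFFxx is
            # the next real marker, normally EOI.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return -1


def trailing_data(data: bytes) -> bytes:
    """Whatever sits after EOI: empty for a clean image, the hidden blob otherwise."""
    eoi = find_eoi(data)
    return data[eoi + 2:] if eoi >= 0 else b""


def hide_after_image(image: bytes, payload: bytes) -> bytes:
    """Append a payload after EOI; viewers stop decoding at EOI and still show the picture."""
    if find_eoi(image) < 0:
        raise ValueError("carrier has no EOI marker")
    return image + payload


# Constructed minimal carrier: SOI, an APP0/JFIF header, a one-component SOS
# header with a few bytes of scan data (including one stuffed 0xFF00), then EOI.
CARRIER = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
# Constructed stand-in for a hidden configuration (reserved .example domains).
HIDDEN_CONFIG = b"targets=bank.example;bank2.example"

if __name__ == "__main__":
    stego = hide_after_image(CARRIER, HIDDEN_CONFIG)
    print("clean image, bytes after EOI:", len(trailing_data(CARRIER)))
    print("stego image, bytes after EOI:", trailing_data(stego))
```

A mail gateway or proxy that only checks the first few bytes of a file will classify both versions as JPEG; comparing the size of the decodable image with the size of the file, as this check does, is what exposes the extra payload.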
There is at least the possibility of justice with these banking trojans, which cause financial harm to many. In January the creator of SpyEye, a notorious imitation of ZeuS, pleaded guilty in a US court to wire and bank fraud charges related to his malware. Aleksandr Andreevich Panin, a Russian national known online as “Gribodemon”, was arrested by Interpol agents in the Dominican Republic and deported to the US. The United States and Russia do not have an extradition treaty covering situations such as this. Russia has protested mistreatment claimed by Panin, including denial of medical care.
Panin’s case has focused attention on the threat that ZeuS-like software poses. Panin sold his kit to other criminals for under $1,000, and reports indicate that it resulted in many millions of dollars of theft in a short period. One Panin customer may have reaped as much as $3.2 million in just six months using SpyEye. With that kind of money at stake, only very long prison sentences will have any deterrent value.
Despite the best efforts of banks and other institutions, ZeuS and its clones continue to steal digital certificates, log keystrokes and harvest banking credentials; stolen credentials mean drained accounts and money transferred to the attacker. Stealing banking credentials remains ZeuS’s main purpose. SSL/TLS does not stop it: the certificate protects data in transit between the browser and the bank, but ZeuS runs on the victim’s own machine and hooks into the browser, where it can read form fields before they are encrypted and inject extra fields into the bank’s pages. The data is taken at the endpoint, not by breaking the encrypted connection.
Command and control has also moved away from fixed servers that can simply be seized. The Gameover variant talks to its operators over a peer-to-peer network of infected machines, and other variants hide their control servers behind the Tor anonymity network. Tor itself is legal software with no central point to shut down, which frustrates anyone trying to take the infrastructure down, the surveillance industry included.
What Can I Do to Protect Against the ZeuS Banking Trojan?
Your computer is safe from ZeuS if you use Comodo Internet Security. At worst, the malware is isolated in the sandbox, where it can do no harm. If a machine is already infected, free ZeuS removal software is available, such as the following from download.com: http://download.cnet.com/Zeus-Trojan-Remover/3000-8022_4-75183944.html