Zeus Malware Attacks Increase, Steals Account Credentials


Infections by the notorious Zeus Trojan, a family of banking malware known for stealing passwords and draining the accounts of its victims, have steadily increased in recent months, according to data collected by Trend Micro.

Researchers at the security firm analyzed the data and found a surge in Zeus infections from February through the middle of May. The latest version of Zeus, also known as Zbot, is associated with the Citadel data-stealing malware, which was built from the leaked Zeus source code, according to Jay Yaneza of Trend Micro's technical support team, who provided the analysis of attack data collected from the company's customer base.

"Old threats like ZBOT can always make a comeback because cybercriminals profit from these," Yaneza wrote. "Peddling stolen banking and other personal information from users is a lucrative business in the underground market."


Zeus was first detected in 2007 and is frequently bundled into automated attack toolkits. The malware family itself is regularly updated with mechanisms designed to evade detection by antivirus software and network security appliances.

The latest variants detected by Trend Micro attempt to contact a remote server to download configuration data that lists the banks the malicious program watches for in the victim's browser. Once a victim browses to a financial website on that list, the spyware component is triggered and attempts to steal the login credentials.

Malware authors and botnet operators are constantly improving their attack techniques in an attempt to evade detection. A recent paper issued by Damballa, Dell SecureWorks and researchers at the Georgia Institute of Technology described a major update to Cutwail, one of the oldest spam botnets, which fuels infections of the Pushdo malware. The new domain generation algorithm identified by the researchers acts like the backup command-and-control technique used by the Zeus Trojan, according to the paper.

Trend Micro said it identified more than 112,000 malware victims in the first quarter of this year, attributing the growth mainly to the availability of cheaper, more widely available automated tools. Botnets also are becoming more affordable, Trend Micro said. Meanwhile, Java continues to be the most targeted software platform.

Trojans such as Zeus are also being detected in record numbers by other security firms. Among the more than 6 million malware samples analyzed in the first quarter of 2013 by Spain-based security vendor Panda Security, Trojans ranked first, making up 76 percent of the malicious code, followed by worms, viruses and spyware. The security firm's threat report, issued this week, found Trojans reaching record levels.

"Today most Trojan infections are through compromised websites, often exploiting some kind of vulnerability in Java or Adobe," Panda said. "This means that in just a few minutes there may be thousands of infections with the same Trojan."

PUBLISHED ON MAY 24, 2013