Zeus Banking Malware Active Despite Recent Botnet Takedown


Despite recent law enforcement action severely crippling one of the most active botnets associated with the notorious Zeus banking malware, security researchers say criminals continue to conduct attacks using the Trojan, including a new campaign targeting customers of banks in Canada.

Researchers at San Diego-based security vendor Websense said they are tracking various campaigns and identifying "bursts of low-volume attacks" that suggest attackers are trying to keep a low profile. A new Zeus malware variant was identified in convincing email messages spoofing a variety of Canadian banks, the Canadian postal service as well as a message purporting to be a Federal Trade Commission complaint, said Elad Sharf, a senior security researcher at Websense.

"The actors behind this campaign seem to be savvy and in-the-know regarding what is needed to accommodate durability and to sustain 'longer periods' of undetected covert activity from their main criminal tool, the Zeus bot," Sharf said in his analysis of the latest round of attacks.

[Related: Gameover Zeus Investigators Detail Malware Attack At Plastics Manufacturer]

Law enforcement conducted a global crackdown aimed at disrupting the Zeus Gameover Botnet last month. The FBI and law enforcement from 10 other countries seized key portions of the botnet's command-and-control infrastructure, and police are still tracking down a 30-year-old Russian believed to be the administrator behind the botnet. Zeus Gameover is responsible for stealing more than $100 million and behind the spread of the recent Cryptolocker ransomware campaign.  

Despite a string of botnet takedowns in recent years, disrupting massive spam operations associated with malware, phishing and other scams, the victories are short-lived, say solution providers. Organized cybercriminals use backup infrastructure or easily establish a foothold at another location. 

The financial industry has long been actively pursuing new antifraud measures to combat dangerous malware such as the Zeus Trojan, said Nick Peaster, managing director at  Sussex, U.K.-based security systems integrator Preventia. The attacks successfully earn organized cybercriminals millions and have driven the adoption of multifactor authentication and other measures to further validate a user's identity. Zeus and its close cousin, SpyEye, can steal account credentials, but they are also designed hijack a victim's session, injecting malicious code in the browser to conduct transactions without their knowledge. Account transfers take place after a victim is already authenticated. 

Some larger banks are spearheading big data projects, pulling in structured and unstructured data to build context around user transactions and more quickly spot potentially malicious activity, said Tyson Kopczynski, a security solution principal at Slalom Consulting in San Francisco. Risk analysis engines are becoming more powerful, he said.

"Every transaction can be analyzed to determine whether or not it is valid by studying and finding commonalities and figuring out the reputation associated with certain transactions," Kopczynski said. "There's potential for solving some really interesting problems."

The authors behind the latest Zeus malware variants uncovered by Websense appear to be very active in modifying the code to evade detection, Sharf said. The latest strain he analyzed is also using techniques from the Carberp banking malware family, an attack toolkit that has bilked millions from victims globally and was detected in some regional mobile malware attacks targeting Android device owners. One of the toolkit authors leaked the Carberp source code last year following an apparent dispute.

The attackers also used valid and signed SSL certificates, making their malicious domains appear legitimate and trusted by Web browsers, Sharf said. The domains uncovered by Websense had low detection rates, he said. The attackers also have returned to using an outdated mechanism to execute the malicious code on victim's PCs, coding in the Windows PIF file extension, which acts as an executable and makes it easier to trick users into clicking on file attachments in social engineering attacks.

"New variants have been given different names and we believe the list of variants is going to grow," Sharf said. "Strains that may at first look quite different, often have the familiar Zeus at their core." 

PUBLISHED JULY 9, 2014