The Tech Herald

Zeus botnet plundering the masses and snatching certificates

by Steve Ragan - Aug 5 2010, 17:05

The Zeus Trojan has been busy this year. This week alone, three incidents and studies related to Zeus have made headlines, and each one demonstrates the reach of this Malware and the damage it can cause.

Zeus hits 100,000 in the UK

Version 2 of the popular Zeus Trojan is responsible for 100,000 infections in the U.K. according to Trusteer. The Malware is being used to control the U.K.-based botnet, and has been harvesting all sorts of data from its victims, including banking credentials.

In addition to the banking details, which include not just usernames and passwords, but credit card data and financial statements, Zeus is harvesting E-Mail account access, browser cookies, client-side certificates, social networking access details, and FTP credentials.

“This is just one out of many Zeus 2 botnets operating all over the world,” says Amit Klein, Trusteer's chief technology officer. “What is especially worrying is that this botnet doesn't just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users' online accounts.”

"Coupled with the ability to remotely control users' machines, download data and run any file on them, this means that the fraudsters can insert partial or complete Internet pages into a live Web session, enabling to inject transactions at will or extract even more data from the hapless victims," he added.

Trusteer said that their discovery is another example of regional Malware that uses focused and segmented attacks on users.

More than 35,000 snagged in Zeus attack

Another example of the harvesting prowess of Zeus comes from AVG. A new Zeus variant, dubbed Mumba, built a botnet in April that snagged 35,000 victims. AVG said that the Mumba botnet has stolen more than 60GB of data from its victims, including credentials for social networking, banking, credit card, and E-Mail accounts.

The United States had the highest share of PCs infected by the Mumba botnet (33 percent), AVG said, followed by Germany, Spain, the U.K., Mexico, and Canada.

According to the report, Mumba is controlled by the Avalanche group, which is known for Phishing as well as Malware delivery over Fast-Flux networks. Fast-Flux hosting rapidly rotates the IP addresses behind a domain across a pool of compromised machines, which makes takedowns and attribution harder and, in most cases, lets the criminals stay a step ahead of those chasing them.

“According to a recent report by the Anti-Phishing Working Group (APWG), up until today, the Avalanche fast-flux network was mainly used for Phishing attacks and hosting Malware infections,” AVG said in their report.

“The Mumba botnet is probably one of the first to use the Avalanche operation in order to host its stolen goods as well as the Malware infection. This seems to be yet another step in the never ending arms race between the security industry and cyber criminals.”

Zeus snatches certificates from Kaspersky

Finally, a report from Trend Micro offers a look at one of the less common aspects of Zeus. One of the modules in the Malware toolkit lets a criminal lift digital signatures from legitimate files.

While analysing new Zeus samples, Trend Micro found several files carrying an odd digital signature. Worse, the signature appeared to belong to Kaspersky, another well-known security vendor.

“This signature immediately caught our attention, as it seemed to be signed by legitimate antivirus company Kaspersky,” Trend explained in a blog post.

“While checking the certificate, we noticed that the hash value applied to the suspect file was invalid. This is because hash values are specific to the original file to which they are applied whereas this particular signature has been stolen. Also, the signature had already expired.”

The copied signature block came from Kaspersky's ZBot cleaning tool, which targets Zeus installations. Only the signature was copied, not Kaspersky's signing key, which is why the hash embedded in it matches the cleaning tool rather than the Zeus file it was pasted onto, and why the signature fails to validate.

“Certificates, unfortunately, can be copied by any cybercriminal with intent from any company—the antivirus company mentioned in this instance could not have prevented this incident from taking place—and it is likely that we will continue to see more such incidents in the future,” Trend added.

Recently, the Stuxnet family of Malware was seen using stolen digital signatures from Realtek Semiconductor Corp. and JMicron Technology. That case was worse than a copied signature: the attackers held the vendors' private signing keys, so their drivers carried signatures that validated until the certificates were revoked.
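The two failure modes above, a signature block copied from one file onto another (the Kaspersky case) and malware signed with a stolen key (the Stuxnet case), are easiest to see by walking through the checks a verifier performs. The following is an added illustration, not code from the article, from Trend Micro or from any vendor: it models an Authenticode-style check with a toy signature block, using an HMAC key as a stand-in for the signer's private key and a signer name plus validity window as a stand-in for the certificate chain. All file bytes, dates, keys and names are constructed for the demo.

```python
"""Toy model of an Authenticode-style signature check.

Illustrative only: a real PE signature is a PKCS#7 blob carrying an X.509
chain and an RSA/ECDSA signature over the PE image hash.  Here the signer
key is an HMAC key standing in for the private key, and the 'certificate'
is just a signer name with a validity window.  Everything below is
constructed for the demo; none of it is a real key, file or certificate.
"""
import hashlib
import hmac
import json
from datetime import date

# --- constructed fixtures -------------------------------------------------
SIGNER_KEY = b"av-vendor-stand-in-key"            # stands in for the private key
CERT = {"signer": "AV Vendor (stand-in)",
        "not_before": "2009-01-01", "not_after": "2010-01-01"}
CLEANER_TOOL = b"MZ... legitimate ZBot cleaning tool (constructed bytes)"
ZEUS_SAMPLE = b"MZ... Zeus dropper (constructed bytes)"


def sign(payload: bytes, key: bytes, cert: dict) -> dict:
    """Build a signature block bound to the payload's hash, as Authenticode
    binds a signature to the PE image hash."""
    signed = {"digest": hashlib.sha256(payload).hexdigest(), **cert}
    mac = hmac.new(key, json.dumps(signed, sort_keys=True).encode(),
                   hashlib.sha256).hexdigest()
    return {**signed, "sig": mac}


def verify(payload: bytes, block: dict, key: bytes, today: date,
           revoked=()) -> list[str]:
    """Return the list of problems found; an empty list means the file
    passes.  Checks are ordered as Trend Micro described them."""
    problems = []
    # 1. Does the hash in the block match the file it is attached to?
    if hashlib.sha256(payload).hexdigest() != block["digest"]:
        problems.append("hash mismatch: signature block copied from another file")
    # 2. Is the certificate within its validity period?
    not_before = date.fromisoformat(block["not_before"])
    not_after = date.fromisoformat(block["not_after"])
    if not (not_before <= today <= not_after):
        problems.append("certificate outside validity period")
    # 3. Has the issuer revoked it (the remedy once a key is known stolen)?
    if block["signer"] in revoked:
        problems.append("certificate revoked")
    # 4. Is the signer's signature over the block itself genuine?
    unsigned = {k: v for k, v in block.items() if k != "sig"}
    expected = hmac.new(key, json.dumps(unsigned, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, block["sig"]):
        problems.append("signature does not verify")
    return problems


def scenarios() -> dict:
    """Run the four cases the article contrasts and return their findings."""
    legit = sign(CLEANER_TOOL, SIGNER_KEY, CERT)
    stolen_key = sign(ZEUS_SAMPLE, SIGNER_KEY, CERT)
    return {
        # the vendor's own tool, checked while the certificate was valid
        "legit_tool": verify(CLEANER_TOOL, legit, SIGNER_KEY, date(2009, 6, 1)),
        # Trend Micro's case: block lifted from the tool, pasted onto Zeus,
        # examined after the certificate had lapsed
        "copied_onto_zeus": verify(ZEUS_SAMPLE, legit, SIGNER_KEY, date(2010, 8, 5)),
        # Stuxnet-style: attacker holds the key and signs the malware itself
        "signed_with_stolen_key": verify(ZEUS_SAMPLE, stolen_key, SIGNER_KEY, date(2009, 6, 1)),
        # ...which only fails once the issuer revokes the certificate
        "after_revocation": verify(ZEUS_SAMPLE, stolen_key, SIGNER_KEY, date(2009, 6, 1),
                                   revoked={CERT["signer"]}),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Note that in the copied-signature case step 4 still passes: the block itself is genuine, which is why the vendor could not have prevented the copy. Only the hash binding and the validity window expose it. A stolen key, by contrast, produces a clean result until the certificate is revoked, which is why revocation checking matters. On a real Windows binary the equivalent checks are done by `signtool verify /pa file.exe` or, on Linux, `osslsigncode verify file.exe`, both of which recompute the PE image hash and compare it with the one inside the PKCS#7 block.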
