Jump to content

Merged ZeuS and SpyEye now in circulation


Recommended Posts

The rumored combination of two pieces of advanced online banking malware appears to be fully underway after several months of speculation.

What appears to be a beta version of a piece of malware that has bits of both Zeus and SpyEye is now in circulation, albeit among just a few people, said Aviv Raff, CTO and cofounder of Seculert.

Seculert has published screen shots of the new malware, which has two versions of a control panel used for managing infected computers. One of those control panels resembles one in Zeus, and the other resembles that in SpyEye. Both of the control panels are connected to the same back-end command-and-control server, he said.

Raff said the reason for the dual control panels is "because many of the criminals are used to the look-and-feel of the Zeus administration panel and will find it easier to migrate to the new version."

For some time vendors including Trend Micro and McAfee as well as security writer Brian Krebs have written about rumors that the Russian hacker who wrote Zeus was getting out of the business.

The source code for Zeus was rumored to have been transferred to the creator of SpyEye, and it was anticipated that the two pieces of malware would be combined. That evidence has just emerged now, Raff said.

It doesn't bode well for banks. Zeus, which is tailored to evade security software, grab online banking credentials and execute transactions on the fly, has been more than an annoyance.

Zeus has been used by several highly organized criminal rings to transfer money out of victims' accounts. Last year, dozens of people were arrested in the U.S. and U.K. and accused of being money mules for the gangs.

The new malware also has at least a couple of new features. One of those is designed to defeat Rapport, a browser add-on from the security vendor Trusteer that intends to protect connections between a client and a bank server and resist man-in-the-middle attacks. Previously, the anti-Rapport feature was a separate module for Zeus, but now it has been baked in, Raff said.

The malware writers have also added a way to remotely connect to a victim's computer using the Remote Desktop Protocol, a Microsoft protocol that allows a remote user to access a computer using the normal Windows graphical interface rather than a command line.

So far, Raff said it appears that only a few cybercriminals are using the new version. He declined to say how Seculert obtained the malware or how much it might be selling for on the malware market.

"It seems to be still under development, with bug fixes released almost daily," Raff said.

view.gif View: Original Article

Link to comment
Share on other sites

  • Replies 1
  • Views 812
  • Created
  • Last Reply
  • Administrator

Online banking danger increases with new Zeus/SpyEye release

After ZeuS and SpyEye were rumored to have merged, many security professionals were concerned that advanced online banking malware would hit the scene sometime soon. According to Yahoo News, it appears that time may be now.

Both ZeuS and SpyEye are malware programs created to evade security software, intercept communications between your PC and bank, and then report the details back to a central command post. Many people have had their bank accounts drained by these tools, and the newly combined software looks to up the ante in the arms race between security software and malware.

While it sounds like the base functionality of the new tool is similar, there are a couple of new features that have been added. First, the tool is now able to bypass the browser add-on Rapport. Secondly, the malware allows the attacker to remotely connect to an infected PC using RDP, although it is unclear if this will work if the port is blocked at the firewall. The tool appears to still be in beta, and fixes are being released on a daily basis.

To make matter worse, detecting the malware with anti-virus software has proven to be extremely difficult for security vendors. Due to this, it's estimated that the botnet contains 3.6 million infected machines in the US alone.

Currently the usage of the new tool appears low, but it is only a matter of time before more criminals purchase the package. While not a complete cure for the issue at hand, banks need to start considering using more than simple passwords for users. Technology such as one-time passwords on fobs or sent to cell phones via SMS messages could go a long way to reducing the threat, although responsible browsing is the #1 layer of security.

view.gif View: Original Article

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...