British police on Wednesday announced the arrest of two people in the city of Manchester on suspicion of using the so-called ZeuS Trojan horse to commit banking fraud. The couple, who were detained Nov. 3, are out on bail pending trial.
ZeuS, also known as “Zbot,” is a notorious bit of malware used to steal users’ banking and other personal information from their computers.
It has been around for several years in several flavors because there are online toolkits that make it easy to create new variants.
ZeuS Is the Cybercrooks’ Friend
Hundreds, if not thousands, of versions of ZeuS exist because there are kits online which help hackers create new and different versions of the Trojan. That’s why it’s so deadly, Graham Cluley, senior technology consultant at Sophos, told TechNewsWorld. “The kits make it easy to pump out a new version which might evade some users’ security software,” he explained.
Toolkits that let users create malware have been around for years. One of the best known is an open source toolkit known as “Gh0st.” Such kits let would-be hackers with little or no knowledge of coding — sometimes known as “script kiddies” — create screen scrapers, keystroke loggers and remote access Trojans easily.
“The different variants of ZeuS have different functionalities,” Dave Marcus, director of security research and communications at McAfee, told TechNewsWorld. “Some steal passwords, others send your personal information to cybercriminals.”
Some ZeuS variants also hijack victims’ computers and press them into the service of botnets, which in turn are used for sending spam emails, distributing more malware and doing other malicious things, Cluley said. In the antimalware world, a botnet is a collection of hijacked computers linked over the Internet that distributes malicious software. Botnets are operated by cybercriminals who hijack victims’ computers to create their networks.
Security research firm Symantec claims it detected more than 154,000 computers infected with ZeuS last year. It also counted more than 70,000 unique variants of ZeuS. That’s not all the bad news, though; the true figure of ZeuS infections, which would include those not counted by Symantec, could be even higher.
ZeuS has been around since at least 2007, Cluley said. The couple arrested in Manchester probably represent the tip of the iceberg, he contended. “I would be very surprised if there were only two people behind Zbot,” he said.
How ZeuS Works
ZeuS, or Zbot, Trojans primarily steal online banking information, according to F-Secure. During installation, the Trojan checks running programs on the victim’s computer for firewall-related processes.
If firewall-related processes such as outpost.exe or zlclient.exe are running, ZeuS copies itself to the system32 folder and then exits. If it’s safe to proceed, the Trojan will amend the registry keys to let it execute at startup. That lets it inject itself into other processes.
ZeuS creates a folder in which it places two files: video.dll and audio.dll. It uses these to store information stolen from victims’ computers, and to also store an encrypted configuration file downloaded from a predefined location. The encrypted configuration file contains the address to which the Trojan will upload stolen information, an address from which it can download a new version of itself, and the address of another configuration file that defines what Web sites it will target for information theft.
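The behaviour described above (firewall-process check, startup entry, folder holding video.dll and audio.dll) can be turned into a simple host-triage check. This is an added example, not code from the article or from F-Secure; it assumes the host state is handed in as a snapshot dict (file list, autorun entries, running processes) so it runs offline, and the sample snapshot is constructed.

```python
"""Host triage for the ZeuS/Zbot indicators the article describes.

Added example. Assumes a snapshot dict of file paths, autorun entries
(name -> executable path) and process names; the sample is constructed.
"""
from pathlib import PureWindowsPath

DROPPED_PAIR = {"video.dll", "audio.dll"}        # files the Trojan stores (article)
FIREWALL_PROCS = {"outpost.exe", "zlclient.exe"}  # processes it looks for (article)


def triage(snapshot):
    """Return a list of (severity, message) findings for one host snapshot."""
    findings = []
    by_dir = {}
    for path in snapshot["files"]:
        p = PureWindowsPath(path)
        by_dir.setdefault(str(p.parent).lower(), set()).add(p.name.lower())

    # 1. Both dropped files in one folder matches the storage pattern described.
    suspect_dirs = {d for d, names in by_dir.items() if DROPPED_PAIR <= names}
    for d in sorted(suspect_dirs):
        findings.append(("high", f"video.dll and audio.dll together in {d}"))

    # 2. A startup entry launching from such a folder ties persistence to the drop
    #    (autorun values are assumed to be bare, possibly quoted, executable paths).
    for name, command in snapshot["autoruns"].items():
        exe_dir = str(PureWindowsPath(command.strip('"')).parent).lower()
        if exe_dir in suspect_dirs:
            findings.append(("high", f"autorun '{name}' starts from {exe_dir}"))

    # 3. With a firewall process running, the described behaviour is to copy itself
    #    to system32 and exit, so a missing autorun does not clear the host.
    seen_fw = FIREWALL_PROCS & {p.lower() for p in snapshot["processes"]}
    if seen_fw:
        findings.append(("info", f"firewall process {sorted(seen_fw)} running; "
                                 "check system32 for a dropped copy"))
    return findings


SAMPLE = {  # constructed snapshot; directory and file names are placeholders
    "files": [
        r"C:\Windows\system32\example_drop\video.dll",
        r"C:\Windows\system32\example_drop\audio.dll",
        r"C:\Program Files\Vendor\audio.dll",   # lone audio.dll, not flagged
    ],
    "autoruns": {"ExampleRun": r"C:\Windows\system32\example_drop\sample.exe"},
    "processes": ["explorer.exe", "zlclient.exe"],
}

if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(severity, message)
```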
ZeuS Moves in Mysterious Ways
One of the latest ZeuS-related attacks, Cluley noted, consists of an email claiming to come from Vodafone or Verizon Wireless notifying the recipient that his or her credit balance is over the limit. It has a so-called “Balance Checker Tool” attached. Victims who click on that tool launch a version of ZeuS that infects their computers.
Sophos detects the Vodafone version of the attached file as “Mal/EncPk-LE” and the Verizon version as “Mal/Zbot-P.”
Another ZeuS-related attack, detected by security vendor M86 this month, uses the Pushdo botnet. It poses as a notification from the National Automated Clearing House Association (NACHA), according to the security company.
This attack uses a copy of the NACHA template. Clicking on the link takes a victim to a fake NACHA landing page with a link to a “transaction report” file sporting an “.exe” extension, meaning it’s an executable file. “The .exe file, of course, is Zbot,” according to Phil Hays at M86. Other ZeuS attacks consisted of faked messages from the IRS, Facebook, MySpace, and Microsoft.
M86’s spam botnet statistics for the week ending Nov. 15 show that Pushdo is the second biggest botnet after Rustock. They accounted for 27.2 percent and 29.9 percent of spam on the Web, respectively, during that week.
Of Botnets and CyberCrime
Dealing with malware is difficult because there is no uniform naming system for malware; each antivirus vendor has its own naming system. Also, vendors have different ways of counting malware.
For example, according to a blog post by McAfee’s Marcus, 6,000 unique pieces of malware were created each day in 2008.
McAfee counts each threat for which the company has to create a driver for detection as one threat and a unique piece of malware. If there are 10 variants of the threat, they are all counted as one.
Other researchers, such as Germany’s AV-Test, count each binary as one piece of malware. So 10 different variants of one Trojan will count as 10 unique pieces of malware.
The counting method is a minor detail in the overall picture, which is that the amount of malware out there is increasing. “The amount of malware will grow by year’s end and beyond,” McAfee’s Marcus said.