One of the more sophisticated pieces of malware in circulation has been given an upgrade that lets cybercriminals act even faster after they’ve stolen data from a PC.
According to security company RSA, the Zeus Trojan — blamed for enabling countless online bank account heists — now uses an instant messaging component that alerts hackers immediately when they’ve captured someone’s authentication credentials. That can enable fast use of time-sensitive information, such as one-time passwords now often employed in online banking.
Zeus isn’t the first piece of malware to employ instant messaging, notes RSA in its Online Fraud Report for August. Another password-stealing program called Sinowal was found to be using it as well in 2008.
Once on a PC, Zeus sends log-ins and passwords to a remote server, which the hacker must then access and sort through. RSA found that several variants of Zeus have a Jabber instant messaging module. The Jabber project — as well as other services such as Google’s G-mail chat feature — employ XMPP (Extensible Messaging and Presence Protocol), an open standard for instant messaging.
The hackers set up two Jabber accounts, one to send information and one to receive. When Zeus obtains log-ins, it sends them to a remote server. The Jabber module then looks for credentials for specific financial institutions and then transmits the information to the hacker by instant message, RSA said.
The number of computers in the U.S. alone infected with Zeus was estimated last month by the security company Damballa at around 3.6 million computers, making it one of the most prevalent malicious software programs and a very large botnet.
Users can be infected if they haven’t installed the latest security patches on their computer and visit a Web site that is designed to automatically hunt for software vulnerabilities and then deliver the malware. Zeus may also be inadvertently installed on a computer if a person is tricked into opening an e-mail attachment containing Zeus.
Zeus, which is believed to be the product of a Russian hacker who goes by the name A-Z, is sold in underground forums to budding cybercriminals, according to another security company, Secureworks. It can be customized according to the needs of the buyers. For example, Zeus can be coded to only log the log-in details for a certain specific list of Web sites.
“The ease-of-use of the Zeus crimeware toolkit for individuals to create their own tailored Trojan botnets has meant that it has become a favored toolkit for entry-level criminals to get involved in the underground economy,” according to Peter Coogan of Symantec, writing on one of the company’s blogs. “The greater availability of this toolkit on underground forums as of late has also led to an increase in its usage.”
Zeus has been on the radar of security professionals for a while, and one group runs a Web site that tracks Zeus infections and the command-and-control servers, which can issue instructions to infected PCs.
The ZeuS Tracker now counts 802 malicious hosts with Zeus. The organization also publishes a block list that administrators can use to ensure people on their network don’t access dangerous Zeus-related domains.