Bank account-draining Zeus gets lots of action in 2013

Jun 05, 2013 by Nancy Owano weblog

(Phys.org) — A Trojan program designed to steal money from people's bank accounts has not only been around for years but is now on the rise. A New York Times Bits blog report said it is enjoying a good life on Facebook: if you click on the wrong link on Facebook, the virus gets access to your bank account and can steal your money, according to the report. Called Zeus, the malicious program dates back to around 2007, but security experts say it rose steadily this year. According to Cupertino, California-based Trend Micro, Zeus incidents gained momentum, and the firm's Zeus watchers pointed to a steady rise in the first five months of 2013. Strictly speaking, what has been seen are what Trend Micro refers to as Zeus/ZBOT variants: the same old type of threat resurfacing, but now with refinements and new features.

According to Trend Micro, "ZBOT variants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. These are designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information."

The nasty part about Zeus is that it does not make itself immediately known. There are no crashes or signs of chaos to raise suspicion that anything has gone wrong, so the user takes no immediate action. Zeus lurks silently, but if a user logs into a bank site the program does its work, stealing log-in information and passwords and draining accounts, as well as further exercising its resources to peddle stolen personal information. (The compromised websites may not look strange; the user may easily assume at first glance that the page looks "legitimate," but there may be additional blanks in the signup invites, beckoning to be filled in, that ask for the kind of information the thieves need.)

According to Trend Micro, "malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated."

Though both variants send DNS queries to randomized domain names, the GameOver variant does something extra: it also opens a random UDP port and sends encrypted packets before sending the DNS queries to randomized domain names, according to Trend Micro.
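As an added illustration (not from the Phys.org article or from Trend Micro's research), the following Python heuristic shows how a defender might flag the behaviour just described in network telemetry: a host that looks up many random-looking domain names, and, for the GameOver-style case, an outbound UDP flow to a non-standard port shortly before those lookups. The log format, thresholds and sample events are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample events (not real telemetry): "time src proto dport name".
# 10.0.0.5 mimics the GameOver pattern (random UDP port, then random-looking
# DNS lookups); 10.0.0.9 only resolves ordinary names and syncs NTP.
SAMPLE_EVENTS = """\
100 10.0.0.5 udp 31337 -
101 10.0.0.5 dns 53 qzpxwk7tlm.com
102 10.0.0.5 dns 53 ldfm9qv3xka.net
103 10.0.0.5 dns 53 wr2tkxbpz8j.org
104 10.0.0.5 dns 53 mnv4hq8syx.biz
105 10.0.0.5 dns 53 xjk2pfq9wr.ru
100 10.0.0.9 dns 53 mail.example.com
101 10.0.0.9 dns 53 www.example.com
102 10.0.0.9 udp 123 -
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a label; machine-generated labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(name: str, min_entropy: float = 3.2) -> bool:
    """Crude DGA test on the leftmost label: long and high-entropy or digit-laden."""
    label = name.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 8 and (shannon_entropy(label) >= min_entropy or digits >= 2)

def flag_hosts(log_text: str, min_random: int = 4, window: int = 30) -> dict:
    """Return {host: reason}: 'dga' for many random-looking lookups, or
    'gameover_pattern' when a UDP flow to a non-standard port preceded them."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        t, src, proto, dport, name = line.split()
        per_host[src].append((int(t), proto, int(dport), name))
    findings = {}
    for host, events in per_host.items():
        events.sort()
        random_lookups = [t for t, p, _, n in events if p == "dns" and looks_random(n)]
        if len(random_lookups) < min_random:
            continue
        first = random_lookups[0]  # earliest suspicious lookup
        udp_first = any(p == "udp" and d not in (53, 123) and first - window <= t <= first
                        for t, p, d, _ in events)
        findings[host] = "gameover_pattern" if udp_first else "dga"
    return findings
```

The entropy threshold and the 30-unit window are starting points, not tuned values; real deployments would baseline per-host lookup volume and exclude known CDN or cloud name patterns.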

One year ago a warning appeared about Zeus using Facebook login pages posing as friendly looking invites to click on compromised log in pages. Also last year, Boston-based Trusteer said it had spotted attacks from a P2P variant of the Zeus platform targeting users of , Google Mail, Hotmail and Yahoo, in which the thieves pretended to offer rebates and new security measures.

The question is often raised: why has Zeus been around for so long when it causes so much damage? One reason given is that Zeus is difficult to detect with antivirus software.


More information: blog.trendmicro.com/trendlabs-… e-shapes-up-in-2013/
bits.blogs.nytimes.com/2013/06… hriving-on-facebook/
