
ZeuS 2.0


Today we began seeing a new payload peppered in with the many ZeuS and SpyEye offerings. It appears to be a new version of the already infamous toolkit known for stealing financial data. In addition to performing the same behind-the-scenes malicious activities, such as stealing browser cookies, FTP credentials and banking login credentials, and general keylogging, this version adds a new flavor to the mix: what appears to be a new brand of fake AV or ransomware on top of what it is already offering. Let's start at the beginning.

These arrive as emails pretending to be from PayPal. The emails claim that the recipient has made a payment to some random person whose name changes from email to email. The amount sent is usually a fairly large number, in the hundreds of dollars. Once this grabs the victim's attention, they will likely be persuaded into clicking one of the several included links, supposedly to contact PayPal and find out what's going on.
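As an added illustration (not code from the AppRiver post), here is a mail-filter heuristic that scores an inbound message against the lure pattern described above: PayPal branding on a message whose sender and links are not on paypal.com, announcing a payment in the hundreds of dollars. Both sample messages and every domain in them are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the original post).
LURE = """From: "PayPal" <service@paypa1-notice.example>
Subject: You sent a payment of $487.20 USD to Dorothy Knapp
Content-Type: text/plain

You sent a payment of $487.20 USD to Dorothy Knapp.
If you did not authorize this, log in at http://login.example-cdn.net/paypal/dispute
"""

LEGIT = """From: "PayPal" <service@paypal.com>
Subject: Receipt for your payment
Content-Type: text/plain

You sent a payment of $12.00 USD to Example Store.
View details at https://www.paypal.com/activity
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")

def is_paypal_host(host):
    # Exact domain or a true subdomain; avoids matching "notpaypal.com".
    host = (host or "").lower()
    return host == "paypal.com" or host.endswith(".paypal.com")

def score_paypal_lure(raw):
    """Return (score, reasons) for a raw RFC 822 message; one point per heuristic."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    claims_paypal = "paypal" in (name + subject).lower()
    from_domain = addr.rsplit("@", 1)[-1]
    if claims_paypal and not is_paypal_host(from_domain):
        reasons.append("PayPal branding with off-domain sender: " + from_domain)
    off_links = [u for u in URL_RE.findall(body) if not is_paypal_host(urlparse(u).hostname)]
    if claims_paypal and off_links:
        reasons.append("links leave paypal.com: " + ", ".join(off_links))
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(subject + " " + body)]
    if any(100 <= a < 1000 for a in amounts):
        reasons.append("claimed payment in the hundreds of dollars")
    return len(reasons), reasons
```

A score of 2 or more is a reasonable quarantine threshold for this campaign's lure; the amount check alone is deliberately weak, since a real receipt can also be in that range.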

Once a link is clicked, the malware goes right to work, contacting an abundance of domains that begin downloading and installing the various components of the malware. This particular variant contacts an initial 16 different domains to gather its wares.


Alongside the actions we now consider normal for ZeuS, such as making copies of itself and injecting itself into running processes, ZeuS also disables error messages, firewalls and existing antivirus solutions just before it presents the newly infected user with what it calls Smart Fortress 2012. The new fake antivirus software starts, appears to scan the system and begins displaying a long list of "infections". Though it is true that this machine is indeed infected, it's not by anything that the fake software is displaying. Now, not only is ZeuS stealing money beneath the surface, but it is also trying to get its victims to willingly hand some over in order to regain control of their computers. Little do they know that attempting to appease the fake AV by paying for "malware removal" will only result in losing more money and keeping all of the same infections. The best thing users who see this Smart Fortress pop-up can do is disconnect all network connections and hope that their backup is up to date.

In addition to the PayPal ruse, ZeuS has been pretending to be emails from both Verizon and American Express this morning. The new addition to ZeuS hasn't been seen in these at the time of writing, but it's highly likely that we will see it soon, considering that certain individual domains serving up ZeuS today are actually sending out both versions.
