Zeus Trojan Gains Self-Propagating Ability via Ramnit

Friday, August 26, 2011

Security researchers last spring noted the release of source code for the infamous Zeus Trojan when files containing the code began to appear in underground discussion forums most often used by criminal hackers.

"We believe this will be used as both inspiration for new and complex banking Trojan variants as well as abused in future attacks. The code can easily be modified and even improved in functionality," researcher Peter Kruse of CSIS conveyed in an email interview with ThreatPost in May.

"With the source code in the wild it's likely we'll see an increase in attacks since lots of potential criminals might have been lacking both financials and trustworthiness to obtain their own license of this kit. Now being available as source code we'll likely see a rebranding and slight modifications distributed from various sources," Kruse continued.

Now researchers at Trusteer believe they have discovered evidence that the Zeus code has been combined with the Ramnit worm to produce a more sophisticated malware tool capable of a web injection using a man-in-the-browser (MitB) type of attack.

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and numerous variants of the malicious code continue to propagate.

The Zeus Trojan can lay dormant for long periods until the user of the infected machine accesses accounts such as those used for online banking. Zeus harvests passwords and authentication codes and then sends them to the attackers remotely.

The Ramnit worm is not particularly dangerous in and of itself, but it may be lending the Zeus Trojan the ability to propagate over networks, a feature it has thus far lacked.

“Zeus does not have its own propagation mechanism. The author might be going after networks,” said Trusteer’s CTO, Amit Klein.

The news of the blended attack tool follows last week's announcement of the discovery that the source code for the SpyEye Trojan had also been released into the wild.

The SpyEye code, which was previously only available to malicious attackers on the black market for a hefty price in the vicinity of $10,000 or so, was leaked by a French researcher who goes by the handle Xyliton, and is a member of the Reverse Engineers Dream (RED) outfit.

SpyEye is known to be one of the more powerful data-sniffing Trojans ever developed, and the release of the source code means the likelihood that there will be a dramatic increase in its application is a very real scenario.

In an article on the McAfee Labs blog last fall, Senior Threat Researcher Francois Paget warned of the blending of the Zeus and SpyEye tools, and the first toolkit combining the exploits arrived on the black market early this year.

The combination of events leads researchers to believe that the number of threats aimed at online banking systems is on the uptick.

“Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program - old or new. The malware distribution channel for fraudsters has increased in scale significantly,” Klein said.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.