Zeus is Back in Action, and Plaguing Email Accounts Everywhere

Everyone’s favorite trojan is back, and badder than ever. According to researchers at Websense Security Labs, a new variant of the Zeus malware/trojan combo has begun making waves in small, concentrated email campaigns designed to infect users’ computers and lift valuable financial details by way of malicious attachments.

The new variant, affectionately dubbed “Zberp” by the engineers who analyzed it, takes its name from the combination of behaviors it exhibited while digging its way into the inboxes of over 450 financial institutions around the world.

Built on the Zeus backbone with extra flavors of the Carberp trojan family tossed in for good measure, the malware mashup carries the full kit of information-tracking and data-logging tools that attackers rely on to harvest sensitive financial details, which they can abuse once the user has logged off and left their bank accounts up for grabs.

Computer names, IP addresses, HTTP form data, and FTP/POP credentials are all ripe fruit for Zberp, which uses many of the same channels seen in the original Zeus to ship the stolen data back to randomized C&C servers, evading detection in much the same way its predecessor did.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Korman and Darsan. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

Because Zberp leans so heavily on tactics and techniques the security community has been prepared to battle for years, it shouldn’t be long before the program hits a wall and is forced onto a less-traveled path in order to keep up the mayhem it is currently dishing out, at a rate of thousands of infections per day.

Unlike other email attachment schemes, the hackers behind Zberp appear to have taken their time carefully constructing the messages used to trick unsuspecting users into downloading the program onto their machines.

Able to slip past most spam filters and fool even the most fastidious of spyware spotters, the emails carry content that employees would commonly expect to receive at their respective companies: package tracking and delivery links, eFax transmissions, and payment confirmation requests.

Also, because Zberp reaches its victims through URL links to .ZIP files rather than email attachments, the infection spreads far more efficiently without being stopped by security checkpoints like those implemented by Gmail and Yahoo, which are designed to scan the contents of attached files before letting an email through to a user’s inbox.
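The linked-archive trick described above suggests a straightforward mail-filter check that attachment scanners alone cannot provide: inspect the URLs inside a message body for archive file extensions, and weigh that against the lure themes the article lists. The Python below is an added example, not code from the article or from any vendor it names; the lure keyword list, the scoring thresholds and the sample messages (using the reserved example.invalid domain) are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Archive extensions an attachment scanner would inspect if the file were attached,
# but which it never sees when the file is delivered as a download link instead.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")

# Lure themes named in the article (package tracking, eFax, payment confirmation).
# Hypothetical keyword list, constructed for this example.
LURE_KEYWORDS = ("tracking", "delivery", "efax", "fax", "payment", "confirmation")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def linked_archives(body: str) -> list[str]:
    """Return every URL in the body whose path ends in an archive extension.

    Query strings are ignored by using only the URL path, so 'file.zip?id=1'
    is still caught; trailing sentence punctuation is stripped first.
    """
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")
        path = urlparse(url).path.lower()
        if path.endswith(ARCHIVE_EXTENSIONS):
            hits.append(url)
    return hits


def lure_keywords(subject: str) -> list[str]:
    """Return the lure keywords present in the subject line."""
    lowered = subject.lower()
    return [k for k in LURE_KEYWORDS if k in lowered]


def score_message(msg: dict) -> dict:
    """Score one message. A linked archive is the key signal; a lure theme
    on its own is weak, but the two together warrant quarantine."""
    archives = linked_archives(msg["body"])
    lures = lure_keywords(msg["subject"])
    score = 0
    if archives:
        score += 2
    if lures:
        score += 1
    if archives and lures:
        score += 1
    verdict = "quarantine" if score >= 3 else "review" if score >= 2 else "allow"
    return {"id": msg["id"], "archives": archives, "lures": lures,
            "score": score, "verdict": verdict}


# Constructed sample messages; example.invalid is a reserved, non-resolving domain.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Your package tracking details",
     "body": "Your parcel could not be delivered. Download the tracking form at "
             "http://example.invalid/track/parcel_8841.zip?id=17."},
    {"id": 2, "subject": "eFax transmission received",
     "body": "View your fax at http://example.invalid/fax/view/20931.pdf"},
    {"id": 3, "subject": "Q2 design assets",
     "body": "Archive of the approved assets: https://example.invalid/assets/q2.zip"},
    {"id": 4, "subject": "Lunch on Thursday?",
     "body": "Same place as last time? Let me know."},
]


def scan_all(messages: list[dict] = SAMPLE_MESSAGES) -> list[dict]:
    """Score every message and return the results in input order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in scan_all():
        print(result)
```

Running the script scores the four constructed messages as quarantine, allow, review and allow respectively. The point of the design is that the archive-link check is independent of the subject-line heuristic, so a message from a trusted sender linking to a legitimate archive lands in review rather than being blocked outright, while the lure-plus-archive combination the article describes is quarantined.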

Zberp is just one of hundreds of malware strains that splice the DNA of older, more established code into new forms to stay ahead of the security community’s detection and prevention efforts. As long as there is valuable information out there to be stolen, the latest twist on an old favorite is unlikely to be the last we see for a long time to come.