"ZeuS is nothing new – we've seen it at work for years. But what's alarming is the recent rise in attacks," said Raimund Genes, CTO of Trend Micro. "In the last 6 months, we've blocked about 9 million ZeuS attacks and we're not stopping."
Trend Micro found that for the greater part of last year, ZeuS variants were also distributed via the Avalanche botnet, a fast-flux botnet that sent spam messages en masse. The spam runs imitated several popular social networking sites. The cybercriminals behind the operations even tried to copy email messages and Web sites of U.S. government institutions like the Federal Deposit Insurance Corporation (FDIC), the Centers for Disease Control and Prevention (CDC), the Social Security Administration (SSA), and the Internal Revenue Service (IRS).
Another significant feature recently added to current ZeuS versions is "Jabber" functionality. Jabber is an open source instant messaging protocol, and JabberZeuS is a ZeuS variant in which the credentials stolen during a banking session are relayed in real time to the ZeuS botmaster via instant messages, so she can immediately log in to the same account, undetected, using the same credentials as the victim.
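The real-time relay described above gives a defender one observable: shortly after a workstation finishes a session with an online banking host, it opens an instant-messaging connection to a server the organisation does not recognise. The following added example (not code from the report or from Trend Micro) runs that correlation over a few constructed egress-flow records. The banking host names, the XMPP allow-list, the two-minute window and the use of the standard XMPP client port 5222 are all assumptions; a real variant may use any port, so the port check is a starting heuristic, not a signature.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of egress flow records (hypothetical, not real data):
# "<timestamp> <source IP> <destination IP>:<port> <destination hostname>"
FLOW_LOG = """\
2010-03-01T09:00:01 10.0.0.12 198.51.100.7:443 online.examplebank.test
2010-03-01T09:00:03 10.0.0.12 198.51.100.7:443 online.examplebank.test
2010-03-01T09:00:09 10.0.0.12 203.0.113.40:5222 im.unknown-host.test
2010-03-01T09:05:00 10.0.0.25 198.51.100.7:443 online.examplebank.test
2010-03-01T09:30:00 10.0.0.25 192.0.2.10:5222 xmpp.corp.test
2010-03-01T10:00:00 10.0.0.31 192.0.2.10:5222 xmpp.corp.test
"""

# Assumed site-specific inputs (hypothetical values chosen for this example).
BANK_HOSTS = {"online.examplebank.test"}   # hosts treated as online-banking sessions
XMPP_ALLOWLIST = {"xmpp.corp.test"}        # sanctioned corporate Jabber/XMPP servers
XMPP_PORT = 5222                           # standard XMPP client port; malware may use others
WINDOW = timedelta(minutes=2)              # how soon after a bank session the IM connection must follow

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def parse_flows(text):
    """Parse the constructed flow-record format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, host = m.groups()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "host": host})
    return flows


def find_realtime_relay_suspects(flows):
    """Return (source IP, IM host, seconds after last bank flow) for every connection
    to an unsanctioned XMPP server opened within WINDOW of a banking session
    from the same source."""
    last_bank = {}   # source IP -> timestamp of its most recent banking flow
    alerts = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["host"] in BANK_HOSTS:
            last_bank[f["src"]] = f["ts"]
            continue
        if f["port"] == XMPP_PORT and f["host"] not in XMPP_ALLOWLIST:
            seen = last_bank.get(f["src"])
            if seen is not None and f["ts"] - seen <= WINDOW:
                alerts.append((f["src"], f["host"], int((f["ts"] - seen).total_seconds())))
    return alerts


def analyze(log_text=FLOW_LOG):
    """Convenience entry point: parse the sample log and return the alerts."""
    return find_realtime_relay_suspects(parse_flows(log_text))


if __name__ == "__main__":
    for src, host, secs in analyze():
        print(f"ALERT {src} opened XMPP to {host} {secs}s after a banking session")
```

In the sample, only 10.0.0.12 trips the rule: it contacts an unknown XMPP host six seconds after its last banking flow. 10.0.0.25 also uses XMPP after banking, but to the sanctioned corporate server, so it is not flagged. The allow-list is what keeps the rule usable in an environment where legitimate Jabber traffic exists.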
According to Trend Micro research, BREDOLAB and ZeuS are individual tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why they're often seen together. While ZeuS specializes in stealing information from infected systems, BREDOLAB enables cybercriminal organizations to deliver any kind of software to their victims. Once a user's machine is infected by BREDOLAB, it receives regular malware updates, much as it receives software updates from the user's security vendor.
Poor economy fueling ZeuS
The success of ZeuS is partly attributed to cybercriminals' ability to recruit money mules through bogus work-from-home scams to move their stolen money around. Given the current economic situation in the United States—with millions of people out of work—cybercriminals know they have a high success rate in recruiting accomplices.
Work-from-home recruits are instructed to provide bank account information, which the cybercriminals use to access compromised online bank accounts and to wire money amounting to less than US$10,000 to money mules, indicating that they are fully aware of banking alert limits. The money mules then wire the money back to Eastern Europe.
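The payout pattern above (a series of wires from a compromised account, each kept under the US$10,000 alert limit, to payees the account has never paid before) is something a bank's monitoring can look for directly. The following added example, not code from the report or from Trend Micro, flags that pattern over a constructed set of outbound-wire records. The US$10,000 figure comes from the article; the "just under" band of US$1,000, the two-hit minimum, the account and payee identifiers and the prior-payee history are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of outbound-wire records (hypothetical, not real transactions):
# (date, source_account, payee_account, amount_usd)
WIRES = [
    (date(2010, 3, 1), "ACC-1001", "PAYEE-A", 9800.00),
    (date(2010, 3, 1), "ACC-1001", "PAYEE-B", 9650.00),
    (date(2010, 3, 2), "ACC-1001", "PAYEE-C", 9900.00),
    (date(2010, 3, 2), "ACC-2002", "PAYEE-D", 2500.00),
    (date(2010, 3, 2), "ACC-3003", "PAYEE-E", 15000.00),
    (date(2010, 3, 3), "ACC-1001", "PAYEE-A", 9700.00),
]

# Assumed payee history: payees each account had wired money to before this period.
KNOWN_PAYEES = {"ACC-1001": {"PAYEE-A"}, "ACC-2002": {"PAYEE-D"}, "ACC-3003": set()}

THRESHOLD = 10_000.00  # alert limit the article says the attackers stay under
BAND = 1_000.00        # assumed "just under" band: amounts in [THRESHOLD - BAND, THRESHOLD)
MIN_HITS = 2           # assumed number of just-under, new-payee wires before an account is flagged


def is_just_under(amount):
    """True when the amount sits in the band immediately below the alert limit."""
    return THRESHOLD - BAND <= amount < THRESHOLD


def flag_structured_mule_payouts(wires, known_payees):
    """Return {source_account: [(payee, amount), ...]} for accounts that sent MIN_HITS or more
    wires just under the threshold to payees they had never paid before. A repeat wire to a
    previously known payee is deliberately ignored so ordinary recurring payments do not alert."""
    hits = defaultdict(list)
    for _, src, payee, amount in wires:
        if is_just_under(amount) and payee not in known_payees.get(src, set()):
            hits[src].append((payee, amount))
    return {src: h for src, h in hits.items() if len(h) >= MIN_HITS}


if __name__ == "__main__":
    for account, payouts in flag_structured_mule_payouts(WIRES, KNOWN_PAYEES).items():
        print(f"REVIEW {account}: {len(payouts)} just-under wires to new payees: {payouts}")
```

On the sample data only ACC-1001 is flagged: its wires to PAYEE-B and PAYEE-C are new payees just under the limit, while the two wires to PAYEE-A are excluded because that payee was already known. ACC-3003's single US$15,000 wire is above the limit and would be caught by the bank's ordinary alerting, which is exactly the control the structuring pattern is designed to sidestep.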