9 million ZeuS attacks blocked in the last 6 months
Posted on 10.03.2010
Trend Micro has seen a recent rise to an average of around 300 unique ZeuS samples per day, according to a recent threat report that examines the Eastern European criminal enterprise behind one of the world's most prolific crimeware kits, a kit built for wholesale monetary theft. Trend Micro saw more than 13,000 unique ZeuS samples in January 2010 alone.

"ZeuS is nothing new – we've seen it at work for years. But what's alarming is the recent rise in attacks," said Raimund Genes, CTO of Trend Micro. "In the last 6 months, we've blocked about 9 million ZeuS attacks and we're not stopping."

Latest developments

For the greater part of last year, Trend Micro found that ZeuS variants were also distributed via the Avalanche botnet, a fast-flux botnet that sent spammed messages en masse. The spam runs imitated several popular social networking sites. The cybercriminals behind the operations even tried to copy email messages and Web sites of U.S. government institutions such as the Federal Deposit Insurance Corporation (FDIC), the Centers for Disease Control and Prevention (CDC), the Social Security Administration (SSA), and the Internal Revenue Service (IRS).

Another significant feature recently added to current ZeuS versions is "Jabber" functionality. Jabber (XMPP) is an open instant messaging protocol, and JabberZeuS is a ZeuS variant in which the credentials stolen during a banking session are relayed in real time to the ZeuS botmaster over instant messages, so that the botmaster can immediately log in to the same account with the victim's own credentials and go undetected.
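Because JabberZeuS relays stolen credentials over XMPP, an infected workstation has to open an outbound Jabber connection to a server the organisation does not operate. The following detector, added here as an illustration and not code from Trend Micro or the report, scans constructed connection records (timestamp, source host, destination IP, destination port, protocol) and flags any host that talks XMPP (ports 5222, 5223 or 5269) to a server outside an allowlist. The host names, IP addresses and allowlist are all made-up sample values.

```python
"""Flag endpoint-originated XMPP (Jabber) connections to servers outside an allowlist.

Added illustration, not Trend Micro code. Assumes flow records in a
constructed tab-separated form: timestamp, src_host, dst_ip, dst_port, proto.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard XMPP ports: client-to-server, legacy TLS client-to-server, server-to-server.
XMPP_PORTS = {5222, 5223, 5269}

# Constructed sample flows: 10.0.0.5 is the organisation's own Jabber server,
# 203.0.113.7 is an unknown external server (documentation address range).
SAMPLE_FLOWS = """\
2010-03-10T09:00:01\tws-finance-01\t10.0.0.5\t5222\ttcp
2010-03-10T09:02:14\tws-finance-01\t203.0.113.7\t5222\ttcp
2010-03-10T09:02:15\tws-finance-01\t203.0.113.7\t5222\ttcp
2010-03-10T09:05:00\tws-hr-02\t198.51.100.4\t443\ttcp
2010-03-10T09:07:30\tws-dev-03\t10.0.0.5\t5222\ttcp
2010-03-10T09:09:11\tws-finance-01\t203.0.113.7\t5223\ttcp
"""

# Assumed allowlist of XMPP servers endpoints are permitted to reach.
ALLOWED_XMPP_SERVERS = {"10.0.0.5"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_flows(text):
    """Parse the tab-separated flow export into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split("\t")
        flows.append(Flow(ts, src, dst, int(port), proto))
    return flows


def find_unexpected_xmpp(flows, allowed):
    """Return {src_host: [(dst_ip, port, count), ...]} for XMPP flows to
    servers that are not on the allowlist. Repeated connections are counted
    so an analyst can see persistence, not just a one-off probe."""
    hits = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto == "tcp" and f.port in XMPP_PORTS and f.dst not in allowed:
            hits[f.src][(f.dst, f.port)] += 1
    return {
        src: sorted((dst, port, n) for (dst, port), n in d.items())
        for src, d in hits.items()
    }


if __name__ == "__main__":
    for host, conns in find_unexpected_xmpp(parse_flows(SAMPLE_FLOWS), ALLOWED_XMPP_SERVERS).items():
        for dst, port, n in conns:
            print(f"{host}: {n} XMPP connection(s) to {dst}:{port} (not allowlisted)")
```

On the sample data only ws-finance-01 is reported, with two connections to 203.0.113.7 on 5222 and one on 5223; the HR host's HTTPS flow and the developer's connection to the internal server are ignored. In practice the same logic runs over firewall or proxy exports, and the port check should be paired with protocol detection, since malware is free to run XMPP on a non-standard port.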

ZeuS-BREDOLAB connections

According to Trend Micro research, BREDOLAB and ZeuS are separate tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why they are often seen together. While ZeuS specializes in stealing information from infected systems, BREDOLAB lets cybercriminal organizations deliver any kind of software to their victims. Once a user's machine is infected by BREDOLAB, it receives regular malware updates in the same way it receives software updates from the user's security vendor.

Poor economy fueling ZeuS

The success of ZeuS is partly attributed to cybercriminals' ability to recruit money mules that move their stolen money around through bogus work-from-home scams. Given the current economic situation in the United States—with millions of people out of work—cybercriminals know they have a high success rate in recruiting accomplices.

Work-from-home recruits are instructed to provide bank account information, which the cybercriminals use to access compromised online bank accounts and to wire money amounting to less than US$10,000 to money mules, indicating that they are fully aware of banking alert limits. The money mules then wire the money back to Eastern Europe.
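The mule transfers described above stay below a fixed reporting limit, which is itself a detectable pattern: several near-limit outbound wires from one compromised account in a short period. The following script is an added illustration, not code from the report, and assumes a constructed CSV of outbound transactions (timestamp, account, amount in US dollars, beneficiary). It flags accounts that send at least two wires within a three-day window, each between 80% of the US$10,000 limit and the limit itself; the account and beneficiary identifiers are made-up sample values.

```python
"""Flag outbound wires clustered just below a reporting threshold.

Added illustration, not from the Trend Micro report. Assumes transaction
records as a constructed CSV: timestamp, account, amount_usd, beneficiary.
"""
import csv
import io
from datetime import datetime, timedelta

THRESHOLD = 10_000          # the US$10,000 limit referred to in the text
LOWER_BAND = 0.8            # amounts in [8,000, 10,000) count as near-threshold
WINDOW = timedelta(days=3)  # assumed look-back window for clustering
MIN_WIRES = 2               # assumed minimum number of near-threshold wires

# Constructed sample: ACC-1001 fans out three near-limit wires in two days,
# ACC-2002 sends one large wire, ACC-3003 sends two near-limit wires weeks apart.
SAMPLE_CSV = """\
timestamp,account,amount_usd,beneficiary
2010-03-01T10:15:00,ACC-1001,9500.00,MULE-A
2010-03-01T14:40:00,ACC-1001,9800.00,MULE-B
2010-03-02T09:05:00,ACC-1001,9200.00,MULE-C
2010-03-01T11:00:00,ACC-2002,12000.00,VENDOR-X
2010-03-01T12:00:00,ACC-3003,9900.00,MULE-D
2010-03-20T12:00:00,ACC-3003,9700.00,MULE-E
"""


def parse_transactions(text):
    """Parse the CSV into (timestamp, account, amount, beneficiary) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(r["timestamp"]), r["account"],
                     float(r["amount_usd"]), r["beneficiary"]))
    return rows


def near_threshold(amount):
    """True when the amount sits just under the reporting limit."""
    return THRESHOLD * LOWER_BAND <= amount < THRESHOLD


def find_structuring(rows, window=WINDOW, min_wires=MIN_WIRES):
    """Return {account: summary} for accounts whose near-threshold wires
    cluster within `window`. Uses a sliding window over each account's
    time-sorted wires and keeps the largest cluster found."""
    by_account = {}
    for ts, acct, amt, ben in rows:
        if near_threshold(amt):
            by_account.setdefault(acct, []).append((ts, amt, ben))

    alerts = {}
    for acct, wires in by_account.items():
        wires.sort()
        start, best = 0, []
        for end in range(len(wires)):
            # Shrink the window from the left until it spans at most `window`.
            while wires[end][0] - wires[start][0] > window:
                start += 1
            size = end - start + 1
            if size >= min_wires and size > len(best):
                best = wires[start:end + 1]
        if best:
            alerts[acct] = {
                "wires": len(best),
                "total": round(sum(w[1] for w in best), 2),
                "beneficiaries": sorted({w[2] for w in best}),
            }
    return alerts


if __name__ == "__main__":
    for acct, info in find_structuring(parse_transactions(SAMPLE_CSV)).items():
        print(f"{acct}: {info['wires']} near-limit wires totalling "
              f"US${info['total']:,.2f} to {', '.join(info['beneficiaries'])}")
```

Only ACC-1001 is flagged on the sample data: three wires totalling US$28,500 to three distinct beneficiaries inside two days. ACC-2002 is ignored because its single transfer is above the limit, and ACC-3003 because its two near-limit wires fall outside the window. The window, band and minimum count are tuning knobs; the distinct-beneficiary count is often the stronger signal, since legitimate customers rarely pay several new payees just under a limit in one sitting.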

To read the report, go here.
