<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Italian Honey Project &#187; zeus</title>
	<atom:link href="http://www.honeynet.it/tag/zeus/feed" rel="self" type="application/rss+xml" />
	<link>http://www.honeynet.it</link>
	<description>The Italian chapter of the Honeynet Research Alliance</description>
	<lastBuildDate>Wed, 11 Jan 2012 11:44:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>New Zeus variant ‘Gameover’ armed for DDoS attacks</title>
		<link>http://www.honeynet.it/malware/new-zeus-variant-%e2%80%98gameover%e2%80%99-armed-for-ddos-attacks</link>
		<comments>http://www.honeynet.it/malware/new-zeus-variant-%e2%80%98gameover%e2%80%99-armed-for-ddos-attacks#comments</comments>
		<pubDate>Wed, 11 Jan 2012 09:22:20 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[gameover]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=446</guid>
		<description><![CDATA[
The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.” Gameover is a newer variant of the Zeus malware, which was created several years [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.” Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.</p></blockquote>
<p>via <a href="http://www.fbi.gov/news/stories/2012/january/malware_010612/malware_010612">FBI — ‘Gameover’ Malware Targets Bank Accounts</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/new-zeus-variant-%e2%80%98gameover%e2%80%99-armed-for-ddos-attacks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ZeuS P2P variant analysis</title>
		<link>http://www.honeynet.it/malware/zeus-p2p-variant-analysis</link>
		<comments>http://www.honeynet.it/malware/zeus-p2p-variant-analysis#comments</comments>
		<pubDate>Thu, 05 Jan 2012 14:02:24 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=444</guid>
		<description><![CDATA[
[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution. Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..]In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution.<br />
Previous versions of Zeus were based on one (or few) predefined addresses which were used for botnet management. This allowed for relatively easy tracking and blocking of servers, thus rendering the botnet useless. However, the analysed variant of the Trojan used two new channels of communication to receive orders (figure on right):</p>
<ol>
<li>Communication in a peer-to-peer network</li>
<li>Domain names Generation Mechanism</li>
</ol>
<p>This variant has been analyzed to some extent by other researchers before – there is information on the web on the new variant of Zeus (eg <a href="http://www.abuse.ch/?p=3499"> abuse.ch </a>), however – based on our knowledge – previous research has focused on registering and monitoring traffic to Zeus domains. <strong>In our work we focus on understanding the P2P network communication mechanisms, mapping out the network, and monitoring the exchange of information in this particular network.</strong> [..]<strong><br />
</strong></p></blockquote>
<p>via <a href="http://www.cert.pl/news/4711/langswitch_lang/en">CERT Polska » Blog Archive » ZeuS – P2P+DGA variant – mapping out and understanding the threat</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/malware/zeus-p2p-variant-analysis/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zeus V2.1.0.10 adds Random Domain Generator</title>
		<link>http://www.honeynet.it/botnet/zeus-v2-1-0-10-adds-random-domain-generator</link>
		<comments>http://www.honeynet.it/botnet/zeus-v2-1-0-10-adds-random-domain-generator#comments</comments>
		<pubDate>Thu, 03 Nov 2011 12:34:31 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=441</guid>
		<description><![CDATA[
This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names URLs [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names URLs per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.</p></blockquote>
<p>via <a href="http://blogs.rsa.com/rsafarl/organized-cybercrime-nefarious-sophistication-featuring-zeus-v2-1-0-10/">Organized Cybercrime: Nefarious Sophistication Featuring Zeus V2.1.0.10 « Speaking of Security – The RSA Blog and Podcast</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/zeus-v2-1-0-10-adds-random-domain-generator/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>P2P Version of Zeus Botnet Appears &#124; threatpost</title>
		<link>http://www.honeynet.it/botnet/p2p-version-of-zeus-botnet-appears-threatpost</link>
		<comments>http://www.honeynet.it/botnet/p2p-version-of-zeus-botnet-appears-threatpost#comments</comments>
		<pubDate>Thu, 20 Oct 2011 11:51:13 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=433</guid>
		<description><![CDATA[
A new version of the Zeus malware has appeared, and this does not seem to be a minor upgrade, but a major custom version of the Trojan, which now sports a P2P capability that does away with the use of the domain-generation algorithm used in earlier versions and instead uses a hardcoded list of IP [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>A new version of the Zeus malware has appeared, and this does not seem to be a minor upgrade, but a major custom version of the Trojan, which now sports a P2P capability that does away with the use of the domain-generation algorithm used in earlier versions and instead uses a hardcoded list of IP addresses to provide infected PCs with new software and config files. This is a throwback to the way the malware used to behave, but it comes with a twist: There no longer is a master URL that infected machines contact to get updates, making it much more difficult to track the Trojan&#8217;s activities.</p>
<p>[..]</p>
<p>The version of Zeus discovered recently by the Swiss Abuse.ch group implements this strategy through the inclusion of a built-in list of IP addresses that each newly infected PC should try to contact in order to receive instructions and updated configuration files. The new bot does this by sending out UDP packets on a high-numbered port, looking for like-minded peers. If one responds, the new bot will get a new list of IPs of other infected PCs in the botnet. The version of Zeus also can remotely check which version of the malware is running on remote PCs and download an updated version, if necessary, the researchers said in a blog post analyzing the Zeus update.</p>
<p>[..]</p>
<p>&#8220;At first glance these are bad news. But fortunately the new mechanism also has benefits: There is just one ZeuS C&amp;C active at the same time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.&#8221;</p></blockquote>
<p>via <a href="http://threatpost.com/en_us/blogs/p2p-version-zeus-botnet-appears-101111">P2P Version of Zeus Botnet Appears | threatpost</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/p2p-version-of-zeus-botnet-appears-threatpost/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are SpyEye and Zeus still married?</title>
		<link>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married</link>
		<comments>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married#comments</comments>
		<pubDate>Tue, 18 Oct 2011 09:03:48 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[SpyEye]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=431</guid>
		<description><![CDATA[
[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. &#8220;SpyEye could not intercept the cached html-code,&#8221; Tarakanov wrote in an e-mail. &#8220;So the author of Spyeye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye. [..] &#8220;</p></blockquote>
<p>via <a href="http://threatpost.com/en_us/blogs/spyeye-and-zeus-malware-married-or-living-separately-101411">SpyEye and Zeus Malware: Married Or Living Separately? | threatpost</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/are-spyeye-and-zeus-still-married/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New ZeuS 2 Variant spotted</title>
		<link>http://www.honeynet.it/botnet/new-zeus-2-variant-spoted</link>
		<comments>http://www.honeynet.it/botnet/new-zeus-2-variant-spoted#comments</comments>
		<pubDate>Tue, 18 Oct 2011 08:37:56 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=429</guid>
		<description><![CDATA[
[..] This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>[..]</p>
<p>This new version, which Trend Micro detects as <a href="http://about-threats.trendmicro.com/Malware.aspx?language=us&amp;name=TSPY_ZBOT.SMQH" target="_blank">TSPY_ZBOT.SMQH</a>,  spread around late September through spam that claimed to be from the  Australian Taxation Office (ATO). The spammed messages contained a  malicious link that when clicked directed users to a malicious website  that served the <em><a href="http://blog.trendmicro.com/a-refresher-on-spam-and-exploits" target="_blank">BlackHole Exploit Kit</a>.</em> The exploit kit, in turn, downloads a variant of the new ZeuS version.</p>
<p>[..]</p>
<p>As we can see, unlike ZeuS 2.3.2.0, which uses Advanced Encryption  Standard (AES), <strong>the decryption algorithm did not change much compared  with the modified ZeuS 2, which uses RC4.</strong></p>
<p>As I mentioned earlier, like  LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a  private professional gang, probably the same ones who created LICAT or  who may be affiliated with them at the very least. In fact, the  configuration file for TSPY_ZBOT.SMQH has the same format as that of the  configuration file of LICAT.</p></blockquote>
<p>via <a href="http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/?awid=7917255160271489866-1985">Another Modified ZeuS 2 Variant Seen in the Wild</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/new-zeus-2-variant-spoted/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ZeuS for Android spotted</title>
		<link>http://www.honeynet.it/botnet/zeus-for-android-spoted</link>
		<comments>http://www.honeynet.it/botnet/zeus-for-android-spoted#comments</comments>
		<pubDate>Wed, 13 Jul 2011 10:57:34 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Banking Trojan]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=422</guid>
		<description><![CDATA[
The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered in the end of September 2010. In that case it was targeting Symbian smartphones. Later on, ZitMo versions for Windows Mobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and sophisticated pieces of mobile malware for Symbian [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets  mTANs, was discovered in the end of September 2010. In that case it was  targeting Symbian smartphones. Later on, ZitMo versions for Windows  Mobile and Blackberry were found. It comes as no surprise that  cybercriminals have created new and sophisticated pieces of mobile  malware for Symbian and Windows Mobile; more surprising is that  Blackberry devices were also targeted; and even more surprising is that  until July 2011 there was no evidence of ZitMo for Android’s existence.  And now please ‘welcome’ ZeuS-in-the-Mobile for Android. [..]</p>
<p>[..]  now we have ZitMo targeting 4 platforms: Symbian, Windows Mobile, Blackberry and Android</p></blockquote>
<p>via <a href="http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android">ZeuS-in-the-Mobile for Android &#8211; Securelist</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/zeus-for-android-spoted/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zbot Targets Android Users &#8211; Softpedia</title>
		<link>http://www.honeynet.it/uncategorized/zbot-targets-android-users-softpedia</link>
		<comments>http://www.honeynet.it/uncategorized/zbot-targets-android-users-softpedia#comments</comments>
		<pubDate>Mon, 11 Jul 2011 11:10:18 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[zbot]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=420</guid>
		<description><![CDATA[
Security researchers have identified a Zbot component designed for Android which steals mobile transaction authentication numbers sent by banks via SMS. ZeuS, aka Zbot, is one of the most popular banking trojans. Even though the original author of the malware has retired, the source code is available online for anyone to modify and fit it to [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>Security researchers have identified a Zbot component designed for Android which steals mobile transaction authentication numbers sent by banks via SMS. ZeuS, aka Zbot, is one of the most popular banking trojans. Even though the original author of the malware has retired, the source code is available online for anyone to modify and fit it to their needs. Zbot originally targeted desktop systems and stole financial information and online banking credentials which fraudsters exploited.</p></blockquote>
<p>via <a href="http://news.softpedia.com/news/Zbot-Targets-Android-Users-210645.shtml">Zbot Targets Android Users &#8211; Softpedia</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/uncategorized/zbot-targets-android-users-softpedia/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UK Police hits Zeus botnet</title>
		<link>http://www.honeynet.it/botnet/uk-police-hits-zeus-botnet</link>
		<comments>http://www.honeynet.it/botnet/uk-police-hits-zeus-botnet#comments</comments>
		<pubDate>Thu, 30 Sep 2010 07:49:56 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Press]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[LEO]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=360</guid>
		<description><![CDATA[
In the latest of a series of arrests to be made in relation to online bank fraud, the Met’s e-crime unit has struck again, taking 19 alleged cyber-criminals into custody. The gang is suspected of having stolen some £6 million over the last three months, according to the BBC News (just enough money for them [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>In the latest of a series of arrests to be made in relation to online bank fraud, the Met’s e-crime unit has struck again, taking 19 alleged cyber-criminals into custody.</p>
<p>The gang is suspected of having stolen some £6 million over the last three months, according to the BBC News (just enough money for them to be able to construct their own bionic man).</p></blockquote>
<p>via <a href="http://www.techwatch.co.uk/2010/09/29/police-nab-19-over-zeus-botnet-bank-fraud/">Police nab 19 over Zeus botnet bank fraud</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/uk-police-hits-zeus-botnet/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zeus Man in the Mobile attack</title>
		<link>http://www.honeynet.it/botnet/zeus-man-in-the-mobile-attack</link>
		<comments>http://www.honeynet.it/botnet/zeus-man-in-the-mobile-attack#comments</comments>
		<pubDate>Tue, 28 Sep 2010 13:39:48 +0000</pubDate>
		<dc:creator>marco.riccardi</dc:creator>
				<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Financial Botnet]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://www.honeynet.it/?p=358</guid>
		<description><![CDATA[
In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages that are being delivered. The scenario is now easier: 1. The attacker steals both the online username and password using a malware (ZeuS 2.x) 2. The attacker infects [...]
]]></description>
			<content:encoded><![CDATA[<blockquote><p>In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages that are being delivered. The scenario is now easier:</p>
<p>1. The attacker steals both the online username and password using a malware (ZeuS 2.x)</p>
<p>2. The attacker infects the user&#8217;s mobile device by forcing him to install a malicious application (he sends a SMS with a link to the malicious mobile application)</p>
<p>3. The attacker logs in with the stolen credentials using the user&#8217;s computer as a socks/proxy and performs a specific operation that needs SMS authentication</p>
<p>4. An SMS is sent to the user&#8217;s mobile device with the authentication code. The malicious software running in the device forwards the SMS to other terminal controlled by the attacker</p>
<p>5. The attacker fills in the authentication code and completes the operation.</p></blockquote>
<p>via <a href="http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html">S21sec Security Blog: ZeuS Mitmo: Man-in-the-mobile (I)</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.honeynet.it/botnet/zeus-man-in-the-mobile-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

