Dark Reading
Protect The Business - Enable Access
Download Now
Download Now
Download Now
New Version Of Zeus Leverages Peer-To-Peer Technology
Update could make it more difficult to take down fraud operations, researcher says By Tim WilsonDark Reading
According to news reports, the new version of the Murofet ZeuS variant could make it harder for researchers and law enforcement to disrupt botnets by finding and disrupting their C&C servers.
"As with any set of tools, many different things can be built or modified -- and so it goes with the latest variant of Zeus to make the rounds," says Andy Hayter, anti-malcode program manager at ICSA Labs, which tests security products. "Going from random creation of domain names, this new variant uses hard-coded IP addresses to help spread, update, and infect additional computers."
The new Zeus malware is designed to attack online banking customers with the intent of stealing their data, experts said. With the growing popularity of mobile banking applications, portable devices could be a key target.
"Zeus is the flagship of mobile malware," says Tom Kellermann, CTO at mobile security vendor AirPatrol. "Zeus is ushering in the era of mobile attacks because of the mobile banking phenomenon. This should serve as a cautionary tale to the financial sector. The bank robbers of 2011 have commandeered your armored truck."
Since it now uses P2P, Murofet no longer uses a static URL to download binary updates and configuration files, researchers and news reports say. But it still uses a central domain, so while the new version might be harder to track, it's not unbeatable, they say.
"P2P functionality makes [the new variant] much more resilient to takedown efforts and gives its controllers flexibility in how they run their fraud operations," says Swiss researcher Roman Hussy, in his blog.
Hussy, who has created services that track Zeus and SpyEye, says it's unlikely that the new variant will become a popular item for sale on the black market.
"So are we talking about a new Zeus version, which we will see being sold in the underground soon? I don’t think so," Hussy's blog says. "This seems to be just another custom build. But there is one thing that makes this custom build unique: This build is much more sophisticated than all other Zeus builds I’ve seen before."
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
CA To Acquire Authentication Vendor Arcot Systems Inc. 08/30/2010
China, Taiwan Nab 450 Suspects In Biggest Fraud Raid Ever 08/30/2010
DNS DDOS Threats and Corresponding Mitigation Strategies 03/23/2010
Spoofing Server - to - Server Communication: How You Can Prevent It 03/11/2010
DIGITAL ASSETS
Understanding Web Application Security Challenges
08/24/2010
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
Subscribe to RSSMalware Mania: Badware And Botnets Explode
How To Detect And Root Out Sophisticated Malware
Are You A Human Confirms Man Or Machine With Games
MORE KEYHOLE
- Analytics on Demand: A Services Approach for Increased Agility
- Reduce Cost and Improve Manageability with IBM Windows Storage Server
- Unlock the Value of Your Business Data: IBM's Integration Solution for .NET Environments
- Techniques for Next-Gen Data Protection using Next-Gen Computing
- Collaborative DevOps: Bridging the gap between development and operations with automation
Published:2010-11-03
Severity:High
Description:Stack-based buffer overflow in SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX control (Aventail.EPInstaller) before 10.5.2 and 10.0.5 hotfix 3 allows remote attackers to execute arbitrary code via long (1) CabURL and (2) Location arguments to the Install3rdPartyComponent method.
Published:2010-11-03
Severity:High
Description:Untrusted search path vulnerability in VIM Development Group GVim before 7.3.034, and possibly other versions before 7.3.46, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse User32.dll or other DLL that is located in the same folder as a .TXT file. NOTE: some of these details are obtained from third party information.
Published:2010-11-03
Severity:Medium
Description:Multiple cross-site scripting (XSS) vulnerabilities in wp-content/plugins/cforms/lib_ajax.php in cforms WordPress plugin 11.5 allow remote attackers to inject arbitrary web script or HTML via the (1) rs and (2) rsargs[] parameters.
Published:2010-11-03
Severity:High
Description:Multiple SQL injection vulnerabilities in search.php in WSN Links 5.0.x before 5.0.81, 5.1.x before 5.1.51, and 6.0.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) namecondition or (2) namesearch parameter.
Published:2010-11-03
Severity:Medium
Description:SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.
|
