After analyzing the feedback from the company’s Smart Protection Network, Trend Micro researchers have noted an upswing in attempted Zeus / Zbot Trojan infections.
After being practically non-existent in January, the rest of the months up until the beginning of May have witnesses a continuos rise in numbers of attempted Zeus/Zbot Trojan infections, Trend Micro researchers pointed out.
The main goal of the malware is the same as before: stealing any type of online credentials, including those user for online banking, and any kind of personal information that might be of use to criminally-minded individuals.
Still, the newer variants have been changed a bit (not that it ultimately matters much to the victims).
They now create two different folders on the system: one to stash a copy of themselves, and the other to host the stolen and encrypted information and the configuration file they download from a remote server. What was previously put in one folder in Windows’ %System% folder is now in to random-named folders in the %Applications Data% folder.
“Zbot malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier version, the mutex name is randomly generated,” the researchers pointed out. “Both variants send DNS queries to randomized domain names. The difference in GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.”
Configuration files are, as usual, subject to change depending on which information the attackers want to steal, and the malware still tries to prevent browsers from being able to visit security sites.
“What we can learn from ZeuS / Zbot’s spike in recent months is simple: old threats like Zbot can always make a comeback because cybercriminals profit from these,” the researchers warn and advise: “It is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from security vendors and install trusted antimalware protection.”