Cyber criminals resurrect credential-stealing Zeus/Zbot malware

Cyber crooks have resurrected and refined old versions of the Zeus malware, also known as Zbot, in order to steal financial information.
Security firm Trend Micro reported uncovering the malware late on Thursday, in the midst of a spike in the number of evolved threats active in the wild.
"The notorious info-stealing Zeus/Zbot variants are re-emerging with a vengeance, with increased activity and a different version of the malware seen this year. We can now include the data-stealing malware Zeus/ZBOT to this roster of old-but-new threats, which have increased these past months, based on Trend Micro Smart Protection Network feedback," wrote Trend Micro's Jay Yaneza.
"Zbot variants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. The malware is designed to steal online credentials from users, which can be banking information or other personally identifiable information (PII)."
The malware is more dangerous as it uses more advanced infection and avoidance techniques. "Zbot malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated," explained Yaneza.
"Both variants send DNS queries to randomised domain names. The difference in GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomised domain names. Zbot malware connects to a remote site to download its encrypted configuration file."
Trend Micro said there are several ways the malware can be detected and stopped. "There are several avenues for detecting Zbot variants. First, as the malware tries to write to the registry ‘Userinit' entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Secondly, detecting the call-back routine to the remote site upon execution, as it acquires its configuration file," wrote Yaneza.
This malware arrives during a wider increase in the number of attacks targeting businesses. Security firm Zscaler also reported detecting a marked increase in the number of websites falling victim to the Darkleech attack on Apache web servers last week.