Instant messaging speeds up data theft danger

Zeus malware transmits stolen data via IM

One of the more sophisticated pieces of malware in circulation has been given an upgrade that lets cybercriminals act even faster after they've stolen data from a PC.

According to security company RSA, the Zeus Trojan - blamed for enabling countless online bank account heists - now uses an instant messaging component that alerts hackers immediately when they've captured someone's authentication credentials.

That can enable fast use of time-sensitive information, such as one-time passwords now often employed in online banking.

Zeus isn't the first piece of malware to employ instant messaging, notes RSA in its Online Fraud Report for August. Another password-stealing program called Sinowal was found to be using it as well in 2008.

Once on a PC, Zeus sends log-ins and passwords to a remote server, which the hacker must then access and sort through. RSA found that several variants of Zeus have a Jabber instant messaging module. The Jabber project - as well as other services such as Google's Gmail chat feature - employs XMPP (Extensible Messaging and Presence Protocol), an open standard for instant messaging.

The hackers set up two Jabber accounts, one to send information and one to receive. When Zeus obtains log-ins, it sends them to a remote server. The Jabber module then looks for credentials for specific financial institutions and then transmits the information to the hacker by instant message, RSA said.

The security company Damballa estimated last month that around 3.6 million computers in the US alone were infected with Zeus, making it one of the most prevalent malicious software programs and a very large botnet.

Users can be infected if they haven't installed the latest security patches on their computer and visit a website that is designed to automatically hunt for software vulnerabilities and then deliver the malware. Zeus may also be inadvertently installed on a computer if a person is tricked into opening an email attachment containing Zeus.

Zeus, which is believed to be the product of a Russian hacker who goes by the name A-Z, is sold in underground forums to budding cybercriminals, according to another security company, Secureworks. It can be customised according to the needs of the buyers. For example, Zeus can be coded to log only the log-in details for a specific list of websites.

"The ease-of-use of the Zeus crimeware toolkit for individuals to create their own tailored Trojan botnets has meant that it has become a favoured toolkit for entry-level criminals to get involved in the underground economy," according to Peter Coogan of Symantec, writing on one of the company's blogs. "The greater availability of this toolkit on underground forums as of late has also led to an increase in its usage."

Zeus has been on the radar of security professionals for a while, and one group runs a website that tracks Zeus infections and the command-and-control servers, which can issue instructions to infected PCs.

The ZeuS Tracker now counts 802 malicious hosts with Zeus. The organisation also publishes a block list that administrators can use to ensure people on their network don't access dangerous Zeus-related domains.

