
Instant messaging speeds up data theft danger

Zeus malware transmits stolen data via IM

One of the more sophisticated pieces of malware in circulation has been given an upgrade that lets cybercriminals act even faster after they've stolen data from a PC.

According to security company RSA, the Zeus Trojan - blamed for enabling countless online bank account heists - now uses an instant messaging component that alerts hackers immediately when they've captured someone's authentication credentials.

That can enable fast use of time-sensitive information, such as one-time passwords now often employed in online banking.

Zeus isn't the first piece of malware to employ instant messaging, notes RSA in its Online Fraud Report for August. Another password-stealing program called Sinowal was found to be using it as well in 2008.

Once on a PC, Zeus sends log-ins and passwords to a remote server, which the hacker must then access and sort through. RSA found that several variants of Zeus have a Jabber instant messaging module. The Jabber project, like other services such as Google's Gmail chat feature, employs XMPP (Extensible Messaging and Presence Protocol), an open standard for instant messaging.

The hackers set up two Jabber accounts, one to send information and one to receive. When Zeus obtains log-ins, it sends them to a remote server. The Jabber module then looks for credentials for specific financial institutions and then transmits the information to the hacker by instant message, RSA said.

The security company Damballa estimated last month that around 3.6 million computers in the US alone were infected with Zeus, making it one of the most prevalent malicious software programs and a very large botnet.

Users can be infected if they haven't installed the latest security patches on their computer and visit a website that is designed to automatically hunt for software vulnerabilities and then deliver the malware. Zeus may also be inadvertently installed on a computer if a person is tricked into opening an email attachment containing Zeus.

Zeus, which is believed to be the product of a Russian hacker who goes by the name A-Z, is sold in underground forums to budding cybercriminals, according to another security company, Secureworks. It can be customised according to the needs of the buyers. For example, Zeus can be coded to log the log-in details only for a specific list of websites.

"The ease-of-use of the Zeus crimeware toolkit for individuals to create their own tailored Trojan botnets has meant that it has become a favoured toolkit for entry-level criminals to get involved in the underground economy," according to Peter Coogan of Symantec, writing on one of the company's blogs. "The greater availability of this toolkit on underground forums as of late has also led to an increase in its usage."

Zeus has been on the radar of security professionals for a while, and one group runs a website that tracks Zeus infections and the command-and-control servers, which can issue instructions to infected PCs.

The ZeuS Tracker now counts 802 malicious hosts with Zeus. The organisation also publishes a block list that administrators can use to ensure people on their network don't access dangerous Zeus-related domains.
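As an added illustration (not code from the article, RSA or the ZeuS Tracker project), this is one way an administrator could check DNS query logs against a domain block list of the kind described above. The block list layout (one domain per line, `#` comments), the log line layout, and all domains and addresses are assumptions constructed for the example.

```python
# Added example: match DNS query log lines against a domain block list.
# Assumed formats (not taken from the article): block list has one domain per
# line with '#' comments; log lines are "<timestamp> <client-ip> <queried-name>".

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def load_blocklist(text):
    """Parse block list text into a set of normalized domains."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if entry:
            domains.add(normalize(entry))
    return domains

def blocked_parent(name, blocklist):
    """Return the listed domain that `name` equals or is a subdomain of, else None.

    Matching is done on whole DNS labels, so 'notdropzone.example' does not
    match a listed 'dropzone.example' as a substring or endswith() test would.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def find_hits(log_text, blocklist):
    """Return (client_ip, queried_name, matched_entry) for each blocked lookup."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed or empty lines
        match = blocked_parent(fields[2], blocklist)
        if match:
            hits.append((fields[1], normalize(fields[2]), match))
    return hits

# Constructed sample data: reserved .example names and documentation IPs.
SAMPLE_BLOCKLIST = "# constructed list\nc2-panel.example\ndropzone.example  # note\n"
SAMPLE_LOG = """2000-01-01T10:00:01 192.0.2.10 www.intranet.example
2000-01-01T10:00:02 192.0.2.11 cfg.C2-Panel.example.
2000-01-01T10:00:03 192.0.2.12 notdropzone.example
2000-01-01T10:00:04 192.0.2.13 dropzone.example"""
```

Calling `find_hits(SAMPLE_LOG, load_blocklist(SAMPLE_BLOCKLIST))` reports the clients at 192.0.2.11 and 192.0.2.13, which are the hosts to examine for infection.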

