We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
75,294 News Articles

Warning after Zeus bank Trojan fused with Ramnit worm

Hybrid is a spreading menace

Researchers have uncovered evidence that the infamous Zeus login-stealing Trojan has been blended with the Ramnit worm to create hybrid malware that can attack online bank accounts while spreading across networks.

Security company Trusteer said it recently discovered a mutant version of Ramnit that appeared to be using a man-in-the-browser (MitB) web injection module to trick bank customers into handing over their logins details, a technique straight out of the Zeus (aka 'SpyEye') design book.

The company has not yet established that the malware's source code was definitely from Zeus, but is confident that there was now enough circumstantial evidence to suggest that it was.

The Zeus source code is believed to have become widely available in criminal circles in May after a leak of unconfirmed origin so security watchers have been on the lookout for new malware incorporating some of its most powerful and often very specific features. Trusteer is convinced that the Ramnit variant is the first recorded example of that.

Ramnit itself is an unremarkable worm so why criminals might want to combine it with Zeus is open to speculation.

"Zeus does not have its own propagation mechanism," said Trusteer's CTO, Amit Klein. "The author might be going after networks," he explained, noting that the hybrid malware had the ability to spread the Zeus data stealing across network shares, a potentially powerful new ability.

If the malware turns out to have incorporated Zeus, it suggested that more malware using it would appear in the coming months, he added.

"We are seeing it [Ramnit] across multiple regions, especially in the UK and the US. It is going well," said Klein, confirming that an unknown but significant number of infected PCs in these countries had been infected, presumably a conclusion culled from an analysis of logs on its German-hosted command and control servers.

The behaviour of the new Ramnit is certainly consistent with Zeus, which typically attacks a range of banks, particularly those in countries where Internet banking is well established such as the UK and the US.

"Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program - old or new. The malware distribution channel for fraudsters has increased in scale significantly."

A fuller analysis of the new malware and its connections with Zeus can be found on Trusteer's website. The new version is detected - and not detected - by the same spread of of antivirus products that detected older versions of Zeus, which is to say only by some.

Dell XP Migration SMB
Dell XP Migration SMB
IDG UK Sites

Lytro Illum release date, price and specs: Light field camera goes 3D

IDG UK Sites

Tim Cook says Apple aims to be best, not first, hinting that iWatch is coming

IDG UK Sites

Twitter - not news

IDG UK Sites

Fun film festival trailer plays with classic movie scenes