Makes it harder for researchers to analyze it

Jul 13, 2010 11:08 GMT  ·  By

Security researchers from computer software giant CA warn that a new major version of the ZeuS crimeware toolkit is already being used in the wild. The new release protects its configuration better and focuses on banks in the United States, the United Kingdom, Spain and Germany.

ZeuS is a professional crimeware toolkit that can be used to generate customized computer trojans that are remotely controllable via a command and control server. Named Zbot (ZeuS bot), this type of trojan comes with information-stealing capabilities and is one of the primary tools employed by identity thieves.

Variants of the new ZeuS “version 3” observed in the wild are targeting either banks in the US and UK, or banks in Spain and Germany, suggesting that they are used in more targeted attacks. This is understandable given that these four countries were the most profitable for past variants of the trojan.

Statistics compiled by CA show that during the first half of 2010, 26% of all detected Zbot samples targeted Spain, 22% UK, 19% US and 9% Germany. Countries like Italy, Russia, Canada or Colombia have also been targeted, but not as intensively.

The new ZeuS version also allows hackers to better hide the trojan's configuration from security researchers and the competition. “It employs layers of protection by applying the principle of least privilege. It means that the bot must only access remote command, information and resources that are necessary to a specific function and purpose,” Zarestel Ferrer, a senior research engineer with CA's Internet Security Business Unit (CA ISBU), explains.

ZeuS is so popular in the cyber criminal world that many malware writers have developed third-party add-ons for the toolkit that add new features to the trojan. And while the toolkit itself can be bought for around $4,000, some of these custom-coded extensions can cost as much as $10,000. This price is low considering that the malware can help steal millions of dollars from the bank accounts of people, businesses and even governments.

You can follow the editor on Twitter @lconstantin