New Zeus Variant Attacks AOL Instant Messenger Users
Security researchers at Webroot, an antivirus company, have discovered that the infamous password-stealing Trojan 'Zeus' is targeting users of AIM (AOL Instant Messenger).
An e-mail is sent to users of the widely used IM program. The e-mail tells the recipient that his AIM account has been deactivated and will be deleted in the next 72 hours. However, if the recipient wants to continue using his account, he has to download and install the most recent, critical update of the AIM system, the e-mail states.
To install the update, the e-mail prompts the user to follow a link to download an apparently genuine file named aimupdate_220.127.116.115.exe. But the file actually installs a fresh Zeus variant.
Moreover, the subject lines of the fake e-mail vary from "Your AOL Instant Messenger account is flagged as inactive" to "Your AOL Instant Messenger account will be deleted" and "AOL Instant Messenger critical update."
Andrew Brandt, Lead Threat Research Analyst at Webroot, states that Zeus, or Zbot, has two functions. First, it lets its controller remotely take over a host computer and turn it into a bot. Second, it grabs passwords stored on the host computer, as reported by SCMagazine on January 25, 2010.
Brandt further states that the Trojan activates an iFrame injected into a website, which tries to exploit flawed editions of Adobe Reader so that the Zbot keylogger can be installed on the host computer. Once the web page is accessed, the malware runs immediately, he adds. Webroot researchers also said that the iFrame-ridden web page apparently linked to an Internet Protocol address that belonged to a phishing group in Russia.
Kelly Dowell, Executive Director of CUISPA (Austin, Texas), stated that Zeus, the banking Trojan, was dangerous because it was difficult to spot. Moreover, it led the user to the phishing site once he logged in, he said, as reported by Credit Union Times on January 12, 2010.
Meanwhile, the new Zeus attack uses the same infection technique as recent spam campaigns that spoofed the US Social Security Administration, MySpace, and Microsoft Outlook Express/Outlook.
» SPAMfighter News - 30-01-2010