Zeus Trojan Attacks Government Employees
Websense Security Labs has found that a new attack from the banking Trojan, Zeus, is currently targeting government departments.
The attack particularly targeted employees at military and government departments in the USA and Britain. Furthermore, the attack's key targets are employees whose e-mail addresses carry the .gov suffix, says the security company.
According to the security researchers, attackers are spreading the Trojan via spoofed e-mails using the name of the US National Intelligence Council. These e-mails show subject lines like "Report of the National Intelligence Council." Their main purpose is to entice recipients into downloading a '2020 project' document; in reality, however, the document drops the Zeus Trojan.
Apart from this, the bogus messages divert users to websites that host the Trojan but appear trustworthy. One of the websites is a hijacked site of an organization, while the other uses the services of a well-known hosting company.
The researchers explain that Zeus contains rootkit features. It links up with command-and-control (C&C) servers and reports to its controllers once the infection is successfully carried out. Moreover, it uses the C&C servers to download 'Dynamic Link Library' (DLL) files. Finally, it changes the folders on the host machine to stop the system from downloading antivirus updates.
Commenting on this malware, the researchers stated that it was known for stealing identities and data after infecting target computers. Because it was relatively easy to use, the program was strongly preferred by novice hackers.
It is believed that the attackers may have employed Zeus for reaching sensitive and confidential data at intelligence and defense organizations. In terms of national security, it is indeed disturbing.
Patrik Runald, Senior Security Manager at Websense Security Labs, states that while Zeus usually steals banking credentials, the company has also observed it being used for stealing documents in the past, as reported by Infosecurity on February 10, 2010.
Runald further states that Websense is conducting additional research to complete its analysis of the current variant of Zeus. The malware, in all probability, steals documents and transmits them to the hackers' server, he added.
» SPAMfighter News - 19-02-2010