Latest Zeus Variant is Unique in Approach to Circulate Itself

According to the latest data gathered by the security firm Websense, Zeus botnet goes on to circulate graciously.

Dan Hubbard, CTO of Websense, said that the recently-spotted variant of the Zeus bot makes use of a malicious PDF file which implants the attack code into the document, as per the statement published by computerworld.com on April 15, 2010.

Users are asked to save a file "Royal_Mail_Delivery_Notice.pdf" when they open the fake PDF. However, that file is a Windows executable which hijacks the PC when it runs.

Acrobat and Reader notify the user at the launch of an executable within a PDF file. However, Hubbard said that the warning is not enough to prevent users from launching the fake document.

PDFs are not blanket-blocked at the gateway, he said. PDFs do not possess much business value, and they are quite pervasive. They are highly trusted buy the users, much more than popular document formats like Microsoft Word.

Several Zeus attacks that use the embedded malware and Launch function have been tracked by Websense, and according to Hubbard, these attacks continue to occur.

The latest Zeus variant acquires a great deal of data from the infected system and forwards it to a server located in China.

Mickey Boodaei, CEO of anti-malware firm Trusteer, said that this attack well accomplished the prediction that he made recently. He predicted that a vulnerability identified in PDF file format of Adobe would be used to install malware, as reported by info security on April 15, 2010.

The vulnerability that was detected by the researcher Didier Stevens, allowed the attackers to utilize the Launch function inside the PDF specification to abuse a completely patched Adobe Reader copy. Stevens demonstrated how modifications to the Adobe Reader's dialog boxes could be exploited in combination with a social engineering attack to encourage users to allow a PDF file to launch an executable program.

Although the technique of launching attack may be new, the gang that creates it and behind-the-scenes malware is standard Zeus fare. The bot is well-known for embedding identity theft code onto the victims' computer to steal online banking logon passwords and usernames. He said that the motives are always the same.

Related article: Latest Scam - Emails Threatening Death to Recipients

» SPAMfighter News - 4/27/2010