New Apache Malware Reveals ESET

This module as reported by the security firm is feeding the web pages with malicious content that includes a well known variant Zeus, as accords the revelation.

According to the version of the blog issued by ESET, an iframe has not only got the capability to install a version of Zeus, Win32/Zbot, but also it can exploit the kit landing page of Lithuanian Sweet Orange.

However, the final Zeus payload intends frequent users visiting European and Russian banking foundations and tries to deceive unwary victims into providing all their account information, including their PIN code and CVV (Card Verification Value) code information.

Nevertheless, the module is by and large to some extent interesting as it avoids itself being discovered. Initially, it checks the visiting browser and ignores the ones that seem to be harmless to the exploit kit. The module also overlooks SSH (Secure Shell) connections and at the same time, it drops its own cookie onto the browser so that any attempt to re-infect the repeated visitors could be controlled to some extent. Thus all these features are designed to prevent administrators spot the malware and restrict the researchers from tracing the source of discovered infections with the purpose of keeping the malware conduit alive.

However, until Chapro remains undiscovered, the exploit site is least important. Chapro is enabled to communicate with its C&C server after every 10 minutes and receives information about the iFrame to be injected. The C&C is able to deliver a new iFrame that redirects visitors to an unusual exploit site.

As observed by ESET, the iframes already attempted to exploit a minimum of four previously patched security bugs in Microsoft Internet Explorer, Adobe Reader, and Oracle's Java software framework. The plugin also has the competence to inject harmful JavaScript into the Web content and giving it a powerful blow altogether.

According to the Bureau, the attack as detected in this present analysis, demonstrates the increased complexity of malware attacks, as published by securityweek.com on December 19, 2012.

As reported in darkreading.com on December 19, 2012 by the Bureau, it is still not clear so far if the crime is undertaken by the same group or multiple groups are involved in his traffic. It is also unclear as of now if the gang operating a botnet based on Win32/Zbot is driving traffic to the exploit pack and sell the contaminated computers to another gang that is operating the botnet or not.

Related article: New Spam Mail Charges For IPod

» SPAMfighter News - 12/29/2012