Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.


ISSUE NO. 68
JULY 19, 2010

New ZeuS/ZBOT Variant Targets Russian Banks
Good businesses are constantly evolving. Every change, no matter how small, is geared toward improvement. In the threat landscape,
cybercriminal businesses undergo continuous development as well. The ZeuS botnet business is no exception. Considered as one of the most
thriving cybercriminal enterprises today, it is an ever-evolving threat that continues to pose danger to users on the one hand, as it reaps profits
for cybercriminals on the other.

The Threat Defined
ZeuS: Making Cybercrime Easier
ZeuS/ZBOT is best known for its information theft capabilities. Primarily created as a crimeware kit that steals online
banking credentials, ZeuS has evolved to become one of the most widely used crimeware tools that enable both
professional and amateur cybercriminals to make easy money.
While ZeuS malware variants may be complex and encrypted, the ZeuS toolkit is so readily accessible that even
someone with minimal technical knowledge can learn to configure and use it. As mentioned in the paper “ZeuS: A
Persistent Cybercrime Enterprise,” ZeuS Builder and ZeuS Server, the basic ZeuS components, have become the
de facto standard for cybercrime. In fact, cybercriminals can set up a fully functional and highly professional botnet
in less than five minutes. Given these factors, it is easy to see why ZeuS remains a cybercriminal favorite in
proliferating moneymaking schemes.
ZeuS Variant Targets Russian Banks
Many of the changes that have been made to the ZeuS botnet were more subtle than drastic. Notable
improvements made to the botnet include the use of more complex encryption methods and more up-to-date social
engineering tactics and the expansion of its list of targets. Despite the addition of more popular social networking
sites like Facebook to the list of sites the botnet monitors, however, its consistent targets remain online banking
websites.
Nonetheless, these subtle changes are what threat experts look out for. While they may initially seem
insignificant, they may turn out to be clear indicators of major shifts in the threat landscape in the long run. In
fact, Trend Micro senior advanced threats researcher Loucif Kharouni recently reported the sudden inclusion of
Russian banks in the list of ZeuS-monitored sites.

Figure 1. TSPY_ZBOT.ZCZ infection diagram

Detected as TSPY_ZBOT.ZCZ, the said ZeuS variant uses a very old toolkit version but targets several Russian
banks and the popular Russian search engine Yandex. The same sample also targets banks found in Germany, the
United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia,
Ireland, the United Arab Emirates, Turkey, and New Zealand.
Like typical ZeuS variants, TSPY_ZBOT.ZCZ connects to a URL to download its configuration file, which contains
information where it can download an updated copy of itself and where to send the data it steals. This configuration
file also contains the list of target websites from which it should steal information, including Russian banks like one
of the country’s largest private banks, MDM Bank.
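The check-in sequence described above (fetch a configuration file, optionally fetch an update, then send stolen data back) can be turned into a simple correlation over outbound proxy logs. This is an added example, not code from the Trend Micro report; the log format, the sample lines, the file-extension heuristics, the hostnames and the time window are all constructed assumptions rather than indicators taken from the report.

```python
"""Flag clients whose web traffic shows a config download followed by a POST to the same server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "timestamp client method url status bytes". Hostnames are
# placeholders (.test/.invalid), not real indicators.
SAMPLE_LOG = """\
2010-07-19T09:00:01 10.0.0.12 GET http://example-cdn.test/images/logo.png 200 5120
2010-07-19T09:00:05 10.0.0.25 GET http://updates.invalid/cfg.bin 200 2311
2010-07-19T09:00:09 10.0.0.25 GET http://updates.invalid/bot.exe 200 98304
2010-07-19T09:01:40 10.0.0.25 POST http://updates.invalid/gate.php 200 410
2010-07-19T09:02:00 10.0.0.12 POST http://mail.example.test/login 302 0
2010-07-19T09:05:00 10.0.0.31 GET http://files.invalid/cfg.bin 200 2300
2010-07-19T14:00:00 10.0.0.31 POST http://files.invalid/gate.php 200 380
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
CONFIG_EXT = (".bin", ".cfg", ".dat")  # assumption: config blob served as a small binary file
UPDATE_EXT = (".exe", ".dll")          # assumption: self-update delivered as a PE file
WINDOW = timedelta(minutes=10)         # assumption: config fetch and exfil happen close together


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.fromisoformat(req["ts"])
    parts = urlsplit(req["url"])
    req["host"] = parts.hostname
    req["path"] = parts.path.lower()
    req["bytes"] = int(req["bytes"])
    return req


def classify(req):
    """Map a request onto a role in the bot lifecycle: config, update, exfil, or None."""
    if req["method"] == "GET" and req["path"].endswith(CONFIG_EXT):
        return "config"
    if req["method"] == "GET" and req["path"].endswith(UPDATE_EXT):
        return "update"
    if req["method"] == "POST":
        return "exfil"
    return None


def find_checkins(log_text, window=WINDOW):
    """Return {client: {"host": ..., "roles": [...]}} for clients that fetched a config
    file and then POSTed to the same host within `window`; other roles seen at that
    host inside the window (e.g. an update download) are listed alongside."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is not None:
            by_client[req["client"]].append(req)
    hits = {}
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):
            if classify(first) != "config":
                continue
            roles = {"config"}
            for later in reqs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # outside the correlation window; stop scanning
                if later["host"] == first["host"] and classify(later):
                    roles.add(classify(later))
            if "exfil" in roles:
                hits[client] = {"host": first["host"], "roles": sorted(roles)}
                break
    return hits
```

In the sample, 10.0.0.25 completes the config/update/exfil sequence against one host within the window and is flagged; 10.0.0.31 POSTs hours after its config fetch and is not, which is the kind of false-negative trade-off the window size controls.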




1 of 2 – WEB THREAT SPOTLIGHT
The Price of Online Banking
As Kharouni notes, this is the first time that a ZeuS variant has targeted a Russian bank. He adds that while he
has seen a few samples targeting Yandex services, he cannot recall any previous variant that included MDM Bank or
any other online Russian banking system as a target.
Considering the fact that online banking is not necessarily popular in Russia, it could be surmised that more ZeuS
variants targeting this region may be found in the wild once the platform gains popularity. It is also interesting to
note that while the principal perpetrators of ZeuS are in Eastern Europe, particularly in the Ukraine and Russia, only
this recent variant has been found targeting Russian banks thus far.
The inclusion of Russian banks in the list of target sites may be a small step that could prove to be an insignificant
change in the long run. The more pressing concern is the continued evolution of the ZeuS botnet. Its persistent
existence in the wild, combined with the increasing use of online banking sites around the world, makes for a
dangerous combination. In several cases, the convenience that comes with conducting transactions over the Web
becomes a high price to pay whenever ZeuS is involved. ZeuS’ victims may save time and money when they bank
online but may, unfortunately, also lose far more than what they bargained for.

User Risks and Exposure
As banks and other financial institutions take to the Web to improve their services and to increase their market
reach, the potential for online identity theft also increases. The increased awareness of cybercriminals’ various
stealth tactics may be comforting but then again, there is also a great need to make this consciousness more
widespread.
Knowing how to create an online account and to conduct transactions is not enough. Users also need to be
educated about the various security threats that loom over online banking. Security measures should not be
disregarded in exchange for convenience. As such, it is vital that users learn about the many ways by which they
can protect their information and, consequently, their hard-earned money.
An important first step is to invest in a smart security solution. Abiding by safe computing practices such as deleting
messages from unknown senders and avoiding unverified websites could possibly decrease the probability of
system infection. The use of multiple secure passwords would also be immensely useful. More importantly, use a
unique password for each online banking account. Should credentials be stolen in an information theft attack, the
same password cannot then be used to access other online accounts.

Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network is a cloud-client
content security infrastructure that automatically blocks threats before they reach you. A global network of threat
intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive
protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow,
the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall
protection against data breaches, damage to business reputation, and loss of productivity.
In this attack, Smart Protection Network’s file reputation service detects and prevents the download of malicious
files detected as TSPY_ZBOT.ZCZ. Its Web reputation service likewise prevents access to related malicious
websites.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/zeuszbot-targets-russian-banks/

The virus report is found here:
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ZCZ

Other related posts are found here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/62_security_threats_loom_over_online_banking__june_28__2010_.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/58_kneber_takes_the_zbotzeus_stage__march_1__2010_.pdf

