Warning after Zeus bank Trojan fused with Ramnit worm

Hybrid is a spreading menace

Researchers have uncovered evidence that the infamous Zeus login-stealing Trojan has been blended with the Ramnit worm to create hybrid malware that can attack online bank accounts while spreading across networks.

Security company Trusteer said it recently discovered a mutant version of Ramnit that appeared to be using a man-in-the-browser (MitB) web injection module to trick bank customers into handing over their logins details, a technique straight out of the Zeus (aka 'SpyEye') design book.

The company has not yet established that the malware's source code was definitely from Zeus, but is confident that there was now enough circumstantial evidence to suggest that it was.

The Zeus source code is believed to have become widely available in criminal circles in May after a leak of unconfirmed origin so security watchers have been on the lookout for new malware incorporating some of its most powerful and often very specific features. Trusteer is convinced that the Ramnit variant is the first recorded example of that.

Ramnit itself is an unremarkable worm so why criminals might want to combine it with Zeus is open to speculation.

"Zeus does not have its own propagation mechanism," said Trusteer's CTO, Amit Klein. "The author might be going after networks," he explained, noting that the hybrid malware had the ability to spread the Zeus data stealing across network shares, a potentially powerful new ability.

If the malware turns out to have incorporated Zeus, it suggested that more malware using it would appear in the coming months, he added.

"We are seeing it [Ramnit] across multiple regions, especially in the UK and the US. It is going well," said Klein, confirming that an unknown but significant number of infected PCs in these countries had been infected, presumably a conclusion culled from an analysis of logs on its German-hosted command and control servers.

The behaviour of the new Ramnit is certainly consistent with Zeus, which typically attacks a range of banks, particularly those in countries where Internet banking is well established such as the UK and the US.

"Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program - old or new. The malware distribution channel for fraudsters has increased in scale significantly."

A fuller analysis of the new malware and its connections with Zeus can be found on Trusteer's website. The new version is detected - and not detected - by the same spread of of antivirus products that detected older versions of Zeus, which is to say only by some.

Join the PC World newsletter!

Error: Please check your email address.

Tags TrusteerPersonal Techsecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John E Dunn

Techworld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?