Researchers warn of flood of ZeusVM banking Trojans

Security research group MalwareMustDie (MMD) is appealing for help in stopping a predicted flood of new botnets based on the ZeusVM banking Trojan, after a toolkit for building the malware was leaked over the internet.


ZeusVM is the latest variant of the notorious Zeus online banking malware. Discovered last year, it uses steganography to hide itself in JPEG images.

MMD founder Hendrik Adrian, formerly CEO of Kaspersky Japan, blogged on Sunday to reveal that the Trojan's builder binary and its panel source code were leaked online late last month, and are already being used in the wild.

The code provides a toolkit for creating botnets based on version 2.0.0.0 of the KINS banking Trojan, which MMD says has effectively merged with ZeusVM.

MMD has so far spotted six new botnets. It has also warned that KINS version 3 has appeared on the black market, priced at $5,000 (£3,240), and is predicting that a new version of ZeusVM/KINS will be launched soon.

MMD has gone public on the leaked ZeusVM archive after being overwhelmed by the spread of download sites offering it, and has called for help from security firms, governments and law enforcement agencies in taking the sites down.

Adrian, who was helped in tracking the malware by France-based white-hat hacker ‘Xylitol’, said: “This is very important information for the security community. The archive is wide-spreading now.

“We tried very hard to take down leaked packages shared in download sites one by one, but it is just way out of hand. Please help us to not let this archive spread and be distributed over the internet.”

Adrian's blog provides video details of the leaked code and the steganography techniques used by KINS/ZeusVM version 2. MMD is appealing to the ‘anti-malware industry’ to study the toolkit and start developing ways to block it.

MMD said it will prioritise requests for information from anti-virus and threat filtration product suppliers, and then from Government CERTs and law enforcement agencies.

Adrian added: “We will not share with individual or unnamed requests. This is a very dangerous malware-building tool, crimeware - and not a sample of malware or toys to play with.”

Analysing MalwareMustDie's findings, independent cyber-security expert Kevin O'Reilly, a senior consultant at UK-based Context Information Security, agreed that the code leak will probably lead to more attacks.

He told SCMagazineUK.com via email: “It is likely that there will be an upsurge in the use of this malware by opportunistic and unsophisticated cyber-criminals.”

Catalin Cosoi, chief security strategist at Bitdefender, also called on security firms to react to the new danger.

He told SC via email: “The threat is pretty serious because now everyone can build their own malware, with Zeus-like steganography, and start disseminating samples to a broader spectrum of victims. At the same time, it's reasonable to assume that we'll be seeing more KINS-generated malware that exhibits this type of behaviour.”

Cosoi added: “The number of botnets powered by KINS/ZeusVM 2.0.0.0 will likely increase. It's difficult to estimate just how potentially dangerous this new development could be. Because every new piece of malware is essentially more sophisticated than its previous versions, it's automatically more effective. For this reason alone, this new development should be scrutinised thoroughly.”

But O'Reilly at Context said that MMD's revelations also give security researchers a chance to block the malware.

He explained: “MMD makes it quite clear that it is not the source code for the KINS malware leaked, but the ‘builder’. What this actually means is that it's only the configuration and other settings of the malware that can vary from one example produced by this builder to the next.

“These settings contain things such as the URL or IP that the malware uses to connect to the botnet, encryption keys and the like. However, the malware will ultimately be the same each time, with no variability in its actual functionality.

“This means that an understanding of the malware and how to prevent or detect it will be easier to come by for security professionals.”
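The point O'Reilly makes above, that builder output shares one invariant code body and differs only in an embedded configuration (C2 address, keys), is why file hashes fail to track such a family while code-region signatures and config extractors do. The following is an added illustration written for this page, not code from the article, MMD or Context, and the byte layout of the toy "builds" is constructed here purely to demonstrate the idea; it is not the KINS/ZeusVM format, which the article does not describe.

```python
"""Toy model of builder-generated malware: a fixed code body plus a
per-build configuration block. Everything below is constructed for
illustration (assumed layout, not the real KINS/ZeusVM format)."""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the compiled bot: identical in every build.
CODE_BODY = bytes.fromhex("558bec83ec40565733c08d45c05068") * 8

# Constructed config block layout:
#   magic | xor_key (1 byte) | url_len (u16 LE) | xor'd C2 URL | 16-byte crypto key
CONFIG_MAGIC = b"CFG1"
KEY_LEN = 16


def build(c2_url: str, crypto_key: bytes) -> bytes:
    """Mimic the builder: append a config block to the invariant code body.
    The URL is XOR-obfuscated with the first byte of the crypto key
    (a constructed scheme, chosen only so that the config is not plain text)."""
    if len(crypto_key) != KEY_LEN:
        raise ValueError("constructed format expects a 16-byte key")
    x = crypto_key[0]
    enc = bytes(b ^ x for b in c2_url.encode())
    block = CONFIG_MAGIC + struct.pack("<BH", x, len(enc)) + enc + crypto_key
    return CODE_BODY + block


def file_hash(sample: bytes) -> str:
    """Whole-file SHA-256: changes with every new C2 or key, so a
    hash blocklist sees each build as a new, unknown file."""
    return hashlib.sha256(sample).hexdigest()


def code_signature(sample: bytes) -> Optional[str]:
    """Signature over the invariant region only (bytes before the config
    block). The same value comes out for every build of the same code."""
    idx = sample.find(CONFIG_MAGIC)
    if idx < 0:
        return None
    return hashlib.sha256(sample[:idx]).hexdigest()


def extract_config(sample: bytes) -> Optional[Dict[str, str]]:
    """Recover the per-build settings (C2 URL, key) so they can be fed to
    blocklists, sinkholing or takedown requests. Returns None when the
    sample is truncated or carries no recognisable config block."""
    idx = sample.find(CONFIG_MAGIC)
    if idx < 0:
        return None
    off = idx + len(CONFIG_MAGIC)
    if off + 3 > len(sample):
        return None
    x, n = struct.unpack_from("<BH", sample, off)
    off += 3
    enc = sample[off:off + n]
    key = sample[off + n:off + n + KEY_LEN]
    if len(enc) != n or len(key) != KEY_LEN:
        return None
    c2 = bytes(b ^ x for b in enc).decode("ascii", errors="replace")
    return {"c2": c2, "key": key.hex()}


def triage(samples: List[bytes]) -> Tuple[int, int]:
    """(distinct file hashes, distinct code signatures) over a sample set.
    Many hashes but one signature is the fingerprint of a single builder."""
    hashes = {file_hash(s) for s in samples}
    sigs = {code_signature(s) for s in samples}
    return len(hashes), len(sigs)


# Constructed sample set: two "botnets" built from the same leaked builder.
SAMPLES = [
    build("http://198.51.100.7/gate.php", bytes([0x5A]) + bytes(range(15))),
    build("http://example.net/panel/gate.php", b"\x11" * KEY_LEN),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(file_hash(s)[:16], code_signature(s)[:16], extract_config(s))
    print("distinct hashes, distinct code signatures:", triage(SAMPLES))
```

Run stand-alone, the two constructed builds print two different file hashes, one shared code signature, and their recovered C2 URLs and keys; the same split is what lets a detection team write one rule for the family while harvesting the per-botnet infrastructure from each new build.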

Cosoi added: “Malware has a tendency to evolve and re-use (or integrate) malicious code that has been successfully used by previous malware. This latest ‘feature’ addition will probably not be the last.

“As the researchers from MalwareMustDie have nicely pointed out, there's already a KINS version 3 out there that might have some other ‘add-ons’ that could be even more dangerous than what we're seeing now.”

ZeusVM was discovered last February by Jerome Segura of security firm Malwarebytes, and by Xylitol, the owner of cybercrime-tracker.net.