August 24, 2011

Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.

Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms  capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.

A sample Ramnit injection. Image courtesy Trusteer.

Trusteer says this Ramnit strain includes a component that allows it to modify Web pages as they are being displayed in the victim’s browser. It is this very feature — code injection — that has made ZeuS such a potent weapon in defeating the security mechanisms that many commercial and retail banks use to authenticate their customers.

As this Ramnit variant demonstrates, the real threat from the ZeuS source leak is that it greatly facilitates the addition of this code-injection capability into tons of other ordinary malware. I think we can expect other established malware families to undergo a similar metamorphosis in the months ahead.

It is fitting that the ZeuS leak was the apparent outcome of an earlier hybridization: The merger of ZeuS with SpyEye. One of the more tantalizing conspiracy theories I’ve heard to explain the release of the ZeuS code is that it was done intentionally as part of a marketing ploy to create demand for peripheral code and services. This is not so far-fetched. As I wrote in July, malware writing gangs have taken to posting banner ads to lure talented programmers into the lucrative market for “Web injects” and other innovations designed to make existing malware stealthier and more feature-rich.

Security experts this week cataloged another evolution tied to the ZeuS source spill: On Tuesday, Kaspersky Lab published a blog post on Ice IX, which it claimed was the first crimeware based on the leaked code. Kaspersky said Ice IX, sold in the criminal underground for $1,800, “is the first new generation of web applications developed to manage centralized botnets through the HTTP protocol based on leaked ZeuS source code.”


8 thoughts on “Hybrid Hydras and Green Stealing Machines

  1. JCitizen

    At first I though this article was going to point to criminals cracking the On Star system in so many upscale vehicles, and then taking control of the maintenance management system to somehow damage the victim’s vehicle. But then I couldn’t see a way to make money by doing that. My bad!

    It is a scary thought that the sophisticated computer network in a hybrid vehicle would be especially vulnerable – and since customers can interact with it to pay for services – who knows? If nothing else, the criminal could find out even more about his victim by listening in through the on-board cell system, and On Star communications, to better gather intelligence on his target. Then maybe turn of his motor at a dangerous point in a traffic incident. :O!

    To get back to the point of the article Brian; I have a client who apparently has been a victim of this in the Microsoft partners network, and who I feel may have been a target of just such an attack. The victim lost control of the account and was never able to regain the assets available at the site. Even emails were intercepted and never reached Microsoft support. Oddly enough, the phones were failing at inopportune occasions while try to contact anyone referring to this incident, including me. This may have been poor trunk line service, because Comcast has since done underground repairs. The internet and phone problems surfaced as separate incidents however.

    This condition even redirected the victim to a fake Microsoft update service that continued to make things worse as time progressed, until all communication became impossible. The victim did not know that Windows 7 does not use the IE browser to update the operating system. I am fairly convinced someone had remote control of the PC at one time, and even reconfigured the router, to enforce continued control over the victim. Needless to say – things pretty much blew up after I started nailing down the hatches; but I can’t even trust the hard drive on this machine anymore. Microsoft seems nonplussed about it despite the loss in tens of thousands of software and services assets. I’m beginning to wonder just who is running things at Redmond?!

    1. vhslady

      Omg. Yr post could hv been written about my life the last six months. No security site. Software. Cloud or person seems to be able to help me. So now instead of xbox I wage daily battles with this vicious program. It battles back too! If I. Didn’t hate it so much I would almost be proud of. Its stubborn tenacity.

      1. JCitizen

        You are going to have to re-install the operating system to be sure it is gone – providing a rootkit is not part of the hybrid Brian is talking about. Wiping the drive is not always a panacea for those; but my client did get rid of it by doing a factory restore from the built in partition. That victim was lucky; but keeps re-acquiring the malware by re-visiting same said site, and Facebook.

        Rapport is the only way I know to stop browser injection attacks like these; running CCleaner regularly before rebooting or shutting off the PC may thwart the restarting of the malware in the start-up folder – WinPatrol may help there, or at least it would let you know something new has started up with your computer.

        You might do a trial of Mamutu after recovery, but it is a paid solution; maybe better to use Commodo with only the firewall and Defense + enabled. I’m not sure if Rapport and Defense + will get along, but it is worth trying even if you have to disable that feature. I will warn you that learning the Def+ alerts will be a steep learning curve. Mamutu is a little easier, and will list all protected processes. I’ve never seen anything get past it yet. Even secret digital right management spyware is stopped by this Emisoft product.

        Emisoft – the maker of Mamutu – has one of the best free firewalls going, called Online Armor, and I’m not sure you won’t get the same protection from it – and for free too!

        What ever you do, don’t bother trying any of these until you computer is likely to be cleaned up – a low level format of the hard drive may be necessary. Wait at least two weeks before restoring any backups, so you can scan them with any of the really good anti-malware utilities, because they will be more likely to have the definition on board before your restoration.

        I do not work for any person or vendor, just to be clear here. I am not a software salesman.

  2. andy

    I have already seen the use of zeus/ramnit combo, and it is nasty, quick and wide spread infection and redirection to banking/phishing sites asking for full details (luckily my client was able to notice the scam here) but protection was fully removed by threat and went undetected.

  3. KFritz

    Open Source Malware. Even a wonderful concept like Open Source can be perverted.

  4. lyecdevf

    Every time I read some article about malware I can not help but to be amazed at all these new techniques. For instance this is the first time I read about, “web injects.”

  5. DiamondGeeza

    It looks like the developer of Ice IX has been watching too many hollywood movies … the film “The Recruit” (2003), starring Colin Farrell and Al Pacino, featured a fictional computer virus called “Ice 9” which would propagate itself over unprotected power sources and erase any hard disks it came into contact with. Lets hope the real Ice IX’s M.O. isn’t as advanced as that! 😉

    1. JCitizen

      Good one DiamondGeeza!

      About the only thing I’ve seen on regular PCs is reading the keyboard trough the house current source. It can be accomplished using plain old Radio Shack technology. A power conditioner, or UPS can pretty much defeat this, however.

      I agree that other capabilities can get greatly inflated, especially through the news media.

Comments are closed.