A new variant of the bank-account-raiding Zeus malware apparently uses the ancient technique of steganography to update its list of websites to subvert.
Dubbed ZeusVM, the crafty strain is just like its cousins in that it intercepts activity in a victim's web browser, siphons off passwords and other sensitive personal information to crooks, and can meddle with financial transactions to direct cash to crims' pockets.
But French security researcher Xylitol, who spotted the ZeusVM variant, was intrigued to discover a JPEG photo of a sunrise was being downloaded by the software nasty and hidden among the malware's files.
ZeusVM stays dormant much of the time to avoid detection, but when the user visits a website that's on the malware's list of targets – such as a particular online banking website, social network, web mail service, and so on – the code fires up and goes to work. It will then run in the background while the victim authenticates, firing off any logged secrets to its master, or carrying out transactions as required.
Xylitol tipped off security firm Malwarebytes, which analyzed the JPEG image and found it was being used to update the list of URLs that awakens the Trojan: the file included web addresses for Wells Fargo, Barclays and Deutsche Bank sites.
The only clue that the picture file, fetched from a server hosting the malware, is used to distribute updated target lists is that the JPEG has a larger-than-expected file size.
Webroot SecureAnywhere Complete Beta Tester v220.127.116.11, imaged by Macrium Reflect v7.1
I log in to banking websites via Webroot Password Manager secured by a 25 character complex password using only FireFox or Chrome browsers. Always scan with WebrootSecureAnywherePlus prior to visiting. Have Malwarebytes PRO with realtime enabled. Am I safe from attack from this malware....your opinion ?
WSA is so strong on protecting your personal information and the Identity Shield is second to none!
Microsoft® Windows Insider MVP - Windows Security