02-21-2014 04:43 PM
A new variant of the bank-account-raiding Zeus malware apparently uses the ancient technique of steganography to update its list of websites to subvert.
Dubbed ZeusVM, the crafty strain is just like its cousins in that it intercepts activity in a victim's web browser, siphons off passwords and other sensitive personal information to crooks, and can meddle with financial transactions to direct cash to crims' pockets.
But French security researcher Xylitol, who spotted the ZeusVM variant, was intrigued to discover a JPEG photo of a sunrise was being downloaded by the software nasty and hidden among the malware's files.
ZeusVM stays dormant much of the time to avoid detection, but when the user visits a website that's on the malware's list of targets – such as a particular online banking website, social network, web mail service, and so on – the code fires up and goes to work. It will then run in the background while the victim authenticates, firing off any logged secrets to its master, or carrying out transactions as required.
Xylitol tipped off security firm Malwarebytes, which analyzed the JPEG image and found it was being used to update the list of URLs that awakens the Trojan: the file included web addresses for Wells Fargo, Barclays and Deutsche Bank sites.
The only clue that the picture file, fetched from a server hosting the malware, is used to distribute updated target lists is that the JPEG has a larger-than-expected file size.
Webroot SecureAnywhere Complete Beta Tester v126.96.36.199, imaged by Macrium Reflect v6.2
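The article's one detection clue is that the fetched JPEG is larger than an image of that kind should be. That is because a JPEG parser stops at the End-of-Image marker, so anything appended after it is carried along invisibly. The following is an added example, not code from the article or from Malwarebytes' analysis: it walks the JPEG marker segments (including the entropy-coded scan data that follows SOS, which the tiny constructed sample below does not contain), reports how many bytes trail the EOI marker, and scans that tail for printable URLs. The sample image bytes and the `bank.example` / `mail.example.org` addresses are constructed placeholders, not indicators from the actual campaign, and a real configuration would often be encoded or encrypted, so the trailing-byte count is the reliable signal and the URL scan is only a bonus.

```python
import re
import struct

SOI = b"\xff\xd8"   # Start of Image
EOI = b"\xff\xd9"   # End of Image


def minimal_jpeg() -> bytes:
    """Constructed sample: a JPEG-shaped byte string (SOI, APP0/JFIF, EOI).
    It is not a decodable picture; it only exercises the marker walker."""
    app0_body = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_body) + 2) + app0_body
    return SOI + app0 + EOI


def find_eoi_end(data: bytes) -> int:
    """Walk JPEG marker segments and return the offset just past the EOI marker.
    Raises ValueError if the bytes are not a well-formed JPEG prefix."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:              # EOI: the image ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                    # standalone markers carry no length field
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += seg_len
        if marker == 0xDA:              # SOS: skip entropy-coded data to next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Return every byte that follows the EOI marker (empty for a clean file)."""
    return data[find_eoi_end(data):]


# Deliberately simple: only unobfuscated, printable URLs are caught.
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w.\-/]*)?")


def report(data: bytes) -> dict:
    """Summarise a JPEG: genuine image size, appended byte count, any visible URLs."""
    tail = trailing_payload(data)
    return {
        "image_bytes": len(data) - len(tail),
        "trailing_bytes": len(tail),
        "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(tail)],
    }


# Constructed inputs: a clean image and the same image with an appended list.
CLEAN = minimal_jpeg()
PAYLOAD = b"https://bank.example/login\nhttps://mail.example.org/auth\n"
STEGO = CLEAN + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("stego", STEGO)):
        print(name, report(blob))
```

In practice you would run `report()` over images fetched by a suspicious process and alert on any non-zero `trailing_bytes`; a viewer will happily render the picture either way, which is exactly why the size discrepancy was the only visible clue.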
02-22-2014 06:33 AM - edited 02-26-2014 06:38 AM
I log in to banking websites via Webroot Password Manager, secured by a 25-character complex password, using only the Firefox or Chrome browsers. Always scan with Webroot SecureAnywhere Plus prior to visiting. Have Malwarebytes PRO with real-time enabled. Am I safe from attack from this malware... your opinion?
02-22-2014 07:14 AM - edited 02-22-2014 07:14 AM
WSA is so strong on protecting your personal information and the Identity Shield is second to none!
Webroot® SecureAnywhere™ Internet Security Complete Beta Tester v188.8.131.52 on my main system Alienware 17R2 with Windows 10 Professional x64 Version 1607 (Build 14393.693) & Motorola Moto Z Android 7.0 Nougat with WSA Mobile Complete v184.108.40.20660 which is full Cloud now as well! I also test new Windows Insider 32bit & 64bit builds on Virtual Machines.
Microsoft® Windows Insider MVP - Windows Security