Trojan stashes config files in photos in mythology mash-up
By Iain Thomson, 20th February 2014

A new variant of the bank-account-raiding Zeus malware apparently uses the ancient technique of steganography to update its list of websites to subvert. Dubbed ZeusVM, the crafty strain is just like its cousins in that it intercepts activity in a victim's web browser, siphons off passwords and other sensitive personal information to crooks, and can meddle with financial transactions to direct cash to crims' pockets.
But French security researcher Xylitol, who spotted the ZeusVM variant, was intrigued to discover that a .jpg photo of a sunrise was being downloaded by the software nasty and hidden among the malware's files.
ZeusVM stays dormant much of the time to avoid detection, but when the user visits a website that's on the malware's list of targets – such as a particular online banking website, social network, web mail service, and so on – the code fires up and goes to work. It will then run in the background while the victim authenticates, firing off any logged secrets to its master, or carrying out transactions as required.
Xylitol tipped off security firm Malwarebytes, which analyzed the .jpg image and found it was being used to update the list of URLs that awakens the Trojan: the file included web addresses for Wells Fargo, Barclays and Deutsche Bank sites.
The only clue that the picture file, fetched from a server hosting the malware, is used to distribute updated target lists is that the .jpg has a larger-than-expected file size: it still renders as an ordinary photo, so nothing looks wrong to a casual viewer.
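One practical way to check an oversized JPEG is to walk its segment structure and see whether anything sits after the End-Of-Image marker, since data appended past that point is invisible to image viewers but inflates the file size. The script below is an added example for this article, not code from Malwarebytes, Xylitol or the ZeusVM authors; it assumes the hidden payload is appended after EOI and stored as plain text, which is one common layout but not something the article confirms (the article only says the file was larger than expected, and real samples may encode or encrypt the list). The sample JPEG and the target URLs in it are constructed here for the demonstration.

```python
"""
Added example: detect and extract data hidden after the JPEG End-Of-Image
marker. Assumption: the payload is appended after EOI as plain text. The
sample image and URLs below are constructed for this demo.
"""
import re
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no 2-byte length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}


def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if the bytes
    are not a well-formed JPEG (bad SOI, truncated segment, no EOI)."""
    if data[:2] != b"\xff" + bytes([SOI]):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte; markers may be padded with extra FFs
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):     # length field would run off the end
            return -1
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length           # length includes its own two bytes
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header. Inside it, FF00 is
            # byte-stuffing and FFD0-FFD7 are restart markers; any other FFxx
            # is the next real marker (normally EOI for a single-scan image).
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 \
                        and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
    return -1


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper; empty for a clean JPEG."""
    end = find_eoi_offset(data)
    return data[end:] if end >= 0 else b""


URL_RE = re.compile(rb"https?://[\w.\-/]+")


def extract_urls(payload: bytes) -> list[str]:
    """Pull plain-text URLs out of the appended data (assumes no encoding)."""
    return [m.decode() for m in URL_RE.findall(payload)]


def build_sample() -> tuple[bytes, bytes]:
    """Construct a minimal JPEG skeleton (SOI, APP0, SOS, EOI) and a copy
    with a fake target list appended. Not a real ZeusVM artifact."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    # Scan data containing a byte-stuffed FF00 and an RST0 marker, both of
    # which the parser must step over rather than treat as EOI.
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    clean = (b"\xff\xd8"
             + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
             + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
             + scan
             + b"\xff\xd9")
    config = (b"https://example-bank.test/login\n"
              b"https://example-mail.test/auth\n")   # constructed, not real targets
    return clean, clean + config


if __name__ == "__main__":
    clean, stego = build_sample()
    for name, blob in (("clean", clean), ("stego", stego)):
        extra = trailing_payload(blob)
        print(f"{name}: {len(blob)} bytes, {len(extra)} appended, urls={extract_urls(extra)}")
```

On a real sample, compare `len(trailing_payload(data))` with zero; a photo that renders fine but carries kilobytes after EOI is exactly the "larger-than-expected" file the article describes, and the appended bytes can then be handed to whatever decoding the particular family uses.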