Researchers have uncovered evidence that the infamous Zeus login-stealing Trojan has been blended with the Ramnit worm to create hybrid malware that can attack online bank accounts while spreading across networks.
Security company Trusteer said it recently discovered a mutant version of Ramnit that appeared to be using a man-in-the-browser (MitB) web injection module to trick bank customers into handing over their logins details, a technique straight out of the Zeus (aka 'SpyEye') design book.
The company has not yet established that the malware’s source code was definitely from Zeus, but is confident that there was now enough circumstantial evidence to suggest that it was.
The Zeus source code is believed to have become widely available in criminal circles in May after a leak of unconfirmed origin so security watchers have been on the lookout for new malware incorporating some of its most powerful and often very specific features. Trusteer is convinced that the Ramnit variant is the first recorded example of that.
Ramnit itself is an unremarkable worm so why criminals might want to combine it with Zeus is open to speculation.
“Zeus does not have its own propagation mechanism,” said Trusteer’s CTO, Amit Klein. “The author might be going after networks,” he explained, noting that the hybrid malware had the ability to spread the Zeus data stealing across network shares, a potentially powerful new ability.
If the malware turns out to have incorporated Zeus, it suggested that more malware using it would appear in the coming months, he added.
“We are seeing it [Ramnit] across multiple regions, especially in the UK and the US. It is going well,” said Klein, confirming that an unknown but significant number of infected PCs in these countries had been infected, presumably a conclusion culled from an analysis of logs on its German-hosted command and control servers.
The behaviour of the new Ramnit is certainly consistent with Zeus, which typically attacks a range of banks, particularly those in countries where Internet banking is well established such as the UK and the US.
“Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program - old or new. The malware distribution channel for fraudsters has increased in scale significantly.”
A fuller analysis of the new malware and its connections with Zeus can be found on Trusteer’s website. The new version is detected - and not detected - by the same spread of of antivirus products that detected older versions of Zeus, which is to say only by some.