A new botnet has been discovered which is not only targeting users of UK banks, but doing so in a new and worrying manner. Said to comprise in excess of 100,000 infected machines, the Zeus 2 botnet is operated and controlled from Eastern Europe, according to secure browsing provider Trusteer, which went public with its discovery today.
Zeus botnets are sadly neither new nor rare; however, Amit Klein, Trusteer's Chief Technology Officer, reveals that this one is especially worrying because it doesn't stop at harvesting user IDs and passwords but also looks for client-side certificates and cookies. By doing this, Klein says, "the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users' online accounts. Coupled with the ability to remotely control users' machines, download data and run any file on them, this means that the fraudsters can insert partial or complete Internet pages into a live Web session, enabling them to inject transactions at will or extract even more data from the hapless victims".
Indeed, according to the Trusteer investigation, it would seem that this particular Zeus 2 botnet is harvesting anything and everything it can get its hands on, including: online account IDs, bank login information, credit and debit card numbers, account types and balances, bank statements, browser cookies, client-side certificates, login information for email accounts and social networks, and, not forgetting, FTP passwords.
Trusteer was able to gain access to the botnet's drop servers and command and control center, which held the stolen information: hundreds of thousands of stolen credentials that effectively give the bad guys direct yet hidden access to the online financial activities of the compromised users.
Trusteer researchers also gained access to the management interface, giving them a unique view into the methods used by the bad guys to control a Zeus botnet operation. The management interface can be thought of as providing three main areas of functionality: the ability to monitor the growth and footprint of the botnet, complete with detailed statistics and graphs; a search function over all traffic generated by the bots, compiled by capturing all HTTP and HTTPS traffic from infected computers and storing it in a central MySQL database; and finally a push update feature to send updated executables to specific bots.
Mickey Boodaei, Trusteer's CEO, says that the revelations surrounding the Zeus 2 botnet are the result of hundreds of man hours of effort behind the scenes by his security team, who constantly monitor for this type of activity. "Zeus has become one of the most prevalent botnet trojans in the history of online fraud," Boodaei said.