A new version of the Zeus banking Trojan that targets Firefox browsers is spreading at an unprecedented rate, according to online security vendor Trusteer Inc.
Trusteer said its Rapport browser security plug-in detected version 1.4 of Zeus on one in every 3,000 computers that it monitors. The new version of the malware supports HTML injects and transaction tampering for Firefox in order to bypass strong authentication and transaction signing, the company said. It also uses advanced polymorphic techniques to avoid detection by antivirus software.
The Zeus Trojan, also called Zbot, has been used extensively by criminals to siphon money from online business banking accounts, mostly those belonging to small and midsize businesses. New York-based Trusteer said the Flashlight computer forensic capabilities built into Rapport linked Zeus 1.4 with online fraud against banking customers, both commercial and consumer, in North America and the U.K.
The "infection rate for this piece of malware is growing faster than we have ever seen before," Amit Klein, CTO of Trusteer, said in a prepared statement.
Researchers at Atlanta-based security services firm SecureWorks have been tracking each new version of Zeus. Kevin Stevens, security researcher at SecureWorks' Counter Threat Unit, said in an interview last month that a beta version of Zeus 1.4 could inject fields into Firefox and featured polymorphic encryption, which allows it to re-encrypt itself each time it infects a computer, making each infection unique and harder for antivirus systems to catch.
In addition to continually adding new capabilities to Zeus, criminals keep finding new ways to distribute the malware. In the past, they've used specially crafted PDF files that exploit vulnerabilities in Adobe Reader and Acrobat, according to researchers at Cupertino, Calif.-based Trend Micro Inc. However, Trend Micro recently spotted a PDF file that dropped a Zeus variant without exploiting a vulnerability. Instead, the file exploits a legitimate feature in Adobe Reader -- the "/launch" feature, which allows authors to attach executable files.
The file arrives as an attachment to a spam message that pretends to be a delivery notice from "Royal Mail," Trend Micro researchers said.
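For mail-gateway or attachment triage, the launch feature described above can be checked for without opening the file in a reader. The following is an added example, not code from Trend Micro or Trusteer: it assumes the feature appears as the PDF action name `/Launch`, and the function names and sample fragments are constructed for illustration.

```python
import re
import zlib

# A PDF name is "/" plus characters; any character may be written as #xx hex,
# so "/L#61unch" is the same name as "/Launch" and must be decoded first.
NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw):
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def names_in(data):
    return {decode_name(m.group(1)) for m in NAME.finditer(data)}

def inflate(raw):
    """Best-effort FlateDecode; returns b"" when raw is not zlib data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""

def find_launch(data):
    """Return where a /Launch name occurs: "body" and/or "stream N"."""
    hits = ["body"] if b"Launch" in names_in(data) else []
    for i, m in enumerate(STREAM.finditer(data)):
        if b"Launch" in names_in(inflate(m.group(1))):
            hits.append("stream %d" % i)
    return hits

# Constructed fragments (not real samples); the file name is a placeholder.
PLAIN = b"1 0 obj\n<< /S /Launch /F (constructed-placeholder) >>\nendobj\n"
ESCAPED = b"1 0 obj\n<< /S /L#61unch /F (constructed-placeholder) >>\nendobj\n"
PACKED = (b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /Launch >>") + b"\nendstream\nendobj\n")
BENIGN = b"3 0 obj\n<< /Type /Page /Contents 4 0 R >>\nendobj\n% Launch notes\n"

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("escaped", ESCAPED),
                        ("packed", PACKED), ("benign", BENIGN)]:
        print(label, find_launch(blob))
```

A hit is a reason to quarantine and inspect, not a verdict: the scan covers only Flate-compressed streams, so encrypted files or other filters need a full PDF parser.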