ZeuS Found in Fresh Version Hiding Inside JPG Image Files, State Researchers

Senior Security Investigator Jerome Segura from Malwarebytes in collaboration with Xylitol a French Security Investigator report of ZeusVM one fresh version of ZeuS, widely recognized sinister Banker Trojan, that attacks while hiding inside JPG images, published scmagazine.com dated February 18, 2014.

Described as steganography, wherein pictures or messages are hidden inside other pictures or messages, ZeusVM has been observed doing the same.

On closely examining the file, the security investigators found that a picture had been copied that existed on World Wide Web to create the file; however, an extra code had been attached to it. With the help of steganography, ZeusVM's creators appended the malicious program's settings to the mentioned file while ensuring the latter remained undamaged.

Following decoding of the appended settings, the investigators discovered several financial institutions' names ZeusVM attacked.

Interestingly, since the malware settings file looks like one obscure picture, there are several advantages. First, ZeusVM manages to circumvent security software. Secondly, as the file is hosted on an unsuspecting web-owner's server, he quite likely wouldn't realize that the picture file associated with a cyber-criminal scheme.

Segura noted that Trojan ZeusVM's infection facilitated execution of man-in-the-browser and man-in-the-middle assaults. Additionally, visiting banking online sites would trigger the Trojan's activation and starting of communications within real-time.

That meant that attackers could acquire specific details utilizing web-injects that would modify a page for logging in, alternatively they could change the amount figure of the victim's A/C and carry out wire-transfers whilst it would appear as though funds remained unmoved as before, Segura elaborated.

Meanwhile, malware implanting information onto harmless files is something not unprecedented. Recently in the past, Sucuri the website security firm revealed the manner in which a harmless appearing PNG file carried along undesirable commands.

Concealing malware in the above manner therefore enables bypassing IDS (intrusion detection systems) effectively.

As for the web-master, viewable pictorials would look innocuous, according to Segura that Cso.com.au published dated February 18, 2014.

Hence, users are being reminded that they shouldn't regard any file as secure just because it looks like one genuine image/film/music document, the researcher concluded on blog.malwarebytes.org dated February 17, 2014.

» SPAMfighter News - 3/3/2014