Researchers warn browser users over new SpyEye/ZeuS trojan

SpyEye/ZeuS trojan that targets online banking users turns into a hydra of new variants

Security researchers have been nervously awaiting new versions of SpyEye, a browser Trojan that targets online banking. Now one says it has found a new variant affecting Europe, but fully capable of infiltrating U.S. online banking users as well.

SpyEye was a "competitor" to another insidious banking Trojan called ZeuS. Late last year, scuttlebutt was that the creators of SpyEye and ZeuS had joined forces, and code bases, and would create a single, more evil version of their malware.

Yesterday, Norway-based security research firm Norman issued a warning that a new SpyEye/ZeuS variant had been detected in the wild. It offered a free malware cleaner tool for Windows that the company says will repair SpyEye-infected software. (Norman also sells anti-malware software.)

SpyEye burrows into browsers to steal a user's online banking information and other sensitive info (like social security numbers) and is triggered when the user visits a bank site. Many banks are attempting to combat it by requiring two-factor authentication and other advanced security techniques to validate the browser hasn't been compromised.

Meanwhile, ZeuS as a stand-alone Trojan hasn't died. ZeuS-infected malware recently showed up in software for Windows Mobile and BlackBerry. And last week, researchers found a new ZeuS version that counteracts the methods banks have been using to block it. The new version includes "double decryption routines not seen before, as well as an extra anti-analysis check," reported Dmitry Tarakanov, from security firm Kaspersky Labs. This new version of ZeuS also included some SpyEye code, he said.

So it seems instead of one massive scary trojan, we have a hydra on our hands. That sucks eggs for people who bank online (and that's just about everyone under the age of 60 these days, isn't it?)

"This particular variant of SpyEye targets only the initial login field on a bank's legitimate web page, capturing login and password information and rapidly and illegally transferring money until the application times out in about 20 seconds," said Einar Oftedal, director of Malware Detection for Norman, in a press release. They've seen the Trojan target banks in Norway, other European countries and Asia. But, "it could easily be modified to work against any bank in any country. Online banking users in Europe and North America should be very vigilant to guard against this online risk," Oftedal said.

Most anti-malware claims to protect against the SpyEye/ZeuS trojans. But the Trojan's masters are actively working on getting victims. In February, one e-mail out of every 290 was malicious with infections of ZeuS, SpyEye or another older malware family, Bredolab, according to Symantec.

According to the SpyEye Tracker site, here are some stats about this Trojan:

  • SpyEye C&C servers tracked: 230
  • SpyEye C&C servers online: 66
  • SpyEye C&C server with files online: 14
  • Average SpyEye binary Antivirus detection: 30.93%

In comparison, here are some quick statistics about the ZeuS crimeware from the ZeuS Tracker site:

  • ZeuS C&C servers tracked: 515
  • ZeuS C&C servers online: 170
  • ZeuS C&C servers with files online: 40
  • ZeuS FakeURLs tracked: 74
  • ZeuS FakeURLs online: 28
  • Average ZeuS binary Antivirus detection rate: 37.31%

Follow me on Twitter @Julie188

Copyright © 2011 IDG Communications, Inc.
