Zeus Bank Trojan Infects 100,000 UK PCs

East European criminals have managed to infect up to 100,000 UK-based PCs with the feared Zeus malware used to steal online banking logins, security company Trusteer has discovered.

Artwork: Chip Taylor
The company discovered details of the recently compromised UK IP addresses after penetrating the botnet control servers used by the gang to harvest data from the infected machines.

It is not clear how many individuals might have had bank accounts affected by the attack, but Trusteer has warned that Zeus is able to record everything going into and out of the affected machines, so the potential damage could be considerable.

The botnet also featured a data mining engine sophisticated enough to be used to trawl for banking domains, relating this to other sensitive login data in order to gain access to accounts. Alarmingly, the version of Zeus was capable of taking remote control of an infected user's PC, allowing criminals to attack online bank accounts using the infecetd PC as a cover.

According to Trusteer's chief executive, Mickey Boodaei, up to 1.5 percent of UK PC users could have been infected with a version of Zeus at some point in the recent past.

"This botnet is one big recording device," said Boodaei.

The news comes on the day that the Metropolitan Police announced that it had arrested six people in connection with the theft of sizable sums of money from up to 20,000 online bank accounts and credit cards in the UK. Although not believed to be connected to Zeus directly, the incident underlines that criminals are managing to get through bank defences.

Last month Trusteer itself reported that a separate regional Zeus botnet was targeting 15 US institutions.

"This is just one out of many Zeus 2 botnets operating all over the world," said Trusteer CTO, Amit Klein. "What is especially worrying is that this botnet doesn't just stop at user IDs and passwords. By harvesting client side certificates and cookies, the cybercriminals can extract a lot of extra information on the user that can be used to augment their illegal access to those users' online accounts."

One thing it is safe to say is that no Mac or Linux users are affected by the alert. According to a pie chart released by Trsuteer, all the affected computers run versions of Windows, particularly Windows XP and to a lesser extent Vista.

This doesn't mean that Mac users are invulnerable to banking Trojans, merely that this particular one follows the conventional path of attacking Windows users using drive-by exploits and spam emails.

Is there a protection against Zeus? Banks such as HSBC offer Trusteer's own Rapport Firefox browser plug-in to secure against banking Trojans. Trusteer claims that its software can also stymie Zeus from attacking bank sites even if the malware has managed to evade antivirus software. It does depend on using Firefox, however.

Clearly irked, that led to an unsuccessful attempt by criminals to evade the Firefox Trusteer filter.

Subscribe to the Security Watch Newsletter

Comments