Zeus Variant Targeting LinkedIn Users

Jay Decenella, IT audit expert
June 02, 2011

Computer security firm Trusteer has spotted a fraudulent email carrying a variant of the Zeus Trojan that targets LinkedIn users and downloads malware onto the victim's device.

Mickey Boodaei, Trusteer CEO, said the malicious link is identical with the genuine link on LinkedIn “so it’s hard to notice that the first is fraudulent while the second is genuine.”

“If you click the ‘Confirm that you know’ link on the genuine email, it takes you to LinkedIn’s website. However, if the same button is clicked on the fraudulent email, it takes you to a malicious website that downloads malware onto your computer,” Boodaei wrote in a blog post.

According to Boodaei, the domain of the malicious site was registered a few days ago with an IP address that points to Russia.

The malicious server delivers malware to the victim’s computer using the BlackHole exploit kit, which has been made available for free after previously selling for $1,500 on the black market.

This PHP-based exploit kit has already infected thousands of Web sites, exploiting vulnerabilities on visitors’ computers in order to place malware on them, Boodaei said.

The malicious Web site uses BlackHole to download Zeus 2, a notorious and highly sophisticated piece of malware, onto the victim’s computer.

Zeus, whose source code was recently reported to have been distributed for free in dark market forums, is often mistakenly associated with financial fraud only. But the Trusteer CEO claimed his company has “recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorized access to sensitive systems.”

“Enterprise users who click this link can get infected with Zeus which will then allow cyber criminals to access their workstation and from there to access sensitive corporate information and data.

“The attack becomes even more dangerous when users get infected on workstations and laptops that are outside the enterprise network but are used to access the enterprise through VPNs,” Boodaei said.

The malware is, unfortunately, barely detected by the leading anti-malware programs: Trusteer reported that only two out of 42 anti-malware solutions detect this variant at the moment.

“This demonstrates how easy it is for malware authors to create variants that completely fly under the radar of anti-malware solutions,” Boodaei said.

“The critical time for this attack was the last couple of days and during these last couple of days, there was close to zero protection from anti-malware solutions.”

The Zeus variant sends the stolen information to a server in China, Trusteer claimed.

Based on a survey conducted by Trusteer a few months ago, 68% of enterprise users who receive a fake LinkedIn message are likely to click on malicious links and get infected with malware.

Boodaei described the strategies LinkedIn and other social networks use to increase Web site usage as “dangerous”: daily updates sent to users’ accounts call for action, and users click on these links without verifying their authenticity.

“The above example is even more dangerous as LinkedIn integrates the action link into a button which makes it even harder to retrieve the actual link and verify it,” Boodaei warned.
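The lookalike-button problem Boodaei describes can be checked mechanically by extracting the real target of each anchor in an HTML email and comparing it against the displayed text and the expected sender domain. The following is an added Python example, not Trusteer's code; the sample email and the `example-lookalike.test` host are constructed placeholders, not indicators from the article.

```python
"""Flag anchors in an HTML e-mail body whose visible text or expected sender
suggests one destination while the href points somewhere else."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a genuine-looking notification next to two lookalikes.
SAMPLE_EMAIL = """
<p>John Smith wants to connect with you.</p>
<a href="https://www.linkedin.com/e/confirm">Confirm that you know John</a>
<a href="http://example-lookalike.test/e/confirm"
   style="display:inline-block;background:#069;color:#fff">Confirm that you know John</a>
<a href="http://example-lookalike.test/login">https://www.linkedin.com/login</a>
"""

EXPECTED_DOMAINS = {"linkedin.com"}  # domains this notification may legitimately link to

def registrable(host):
    """Reduce a hostname to its last two labels (sufficient for .com-style names)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, expected=EXPECTED_DOMAINS):
    """Return (href, reason) for each anchor that leaves the expected domains
    or whose visible text is a URL on a different host than the real target."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if registrable(host) not in expected:
            findings.append((href, "href host %s is not an expected sender domain" % host))
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append((href, "visible URL %s differs from real target %s" % (shown, host)))
    return findings
```

Styled buttons hide the href from the reader, which is exactly why the check has to be done on the raw HTML rather than on what the mail client renders.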

Trusteer claimed that cyber criminals often target the endpoints of enterprises.

“Unmanaged employee devices are the biggest security threat but endpoint devices within the network are also a concern.”

“The fact that businesses have a leading anti-malware solution installed on their endpoints does not mean they are immune to these attacks,” Trusteer added.

According to the computer security firm, cyber criminals often use zero-day vulnerabilities and zero-day malware variants to bypass anti-malware solutions.
