New version of Zeus targeting AIM users

A new iteration of Zeus, a notorious password-stealing trojan, is victimizing users of AOL Instant Messenger (AIM), according to researchers at anti-virus vendor Webroot.

People using the popular instant messaging platform receive an email message announcing an update and are prompted to click through to download what appears to be a legitimate file, aimupdate_7.1.6.475.exe. The so-called update is in fact the Zeus installer, and the trojan can land on the victim's machine whether or not the AIM user actually clicks the download link: the page itself launches a drive-by exploit against Adobe Reader.

Zeus, also known as Zbot, is both a remote access trojan, which lets whoever operates it control the infected machine as a bot, and a stealer of passwords cached on the local machine, Andrew Brandt, lead threat research analyst at Webroot, told SCMagazineUS.com on Friday.

"It opens an IFRAME to a site that attempts to use vulnerable versions of Adobe Reader to push the Zeus keylogger down to the victim's computer, then executes it within a few moments of the page loading," Brandt wrote on the Webroot blog.

The IFRAME page has been traced to an IP address that appears to belong to a Russian phishing gang, according to Webroot. "We don't have proof that it's a Russian gang, but a lot of people have said the source is Russia," Brandt said. Similar attacks targeting Outlook Web Access have recently been identified as coming from the same network.

The fake web page to which victims are brought appears to be an AOL site, but a close look reveals inconsistencies with the authentic page. Notably, a genuine AIM installer carries a digital signature from parent company AOL; this one does not. Further, the URL used for the download begins with a legitimate-looking hostname, “update.aol.com,” but that is followed by a random six- or seven-character label and then .com.pl. The domain that is actually registered is therefore the random label under .com.pl, and the “update.aol.com” portion is merely a subdomain the attacker controls. The .pl suffix makes it appear as though the domain was registered in Poland, but that does not mean the site is actually hosted there.
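The URL trick above works because the eye reads the hostname left to right while DNS ownership runs right to left. The following Python is an added example, not code from Webroot or the article, showing how to recover the registrable domain from a hostname and flag a trusted brand that appears only as a subdomain. The public-suffix table is a deliberately tiny constructed stand-in (a real check should load the full Public Suffix List), and the random label x7qk3pz is made up; the file name aimupdate_7.1.6.475.exe is the one the article reports.

```python
"""Work out which domain a lookalike hostname really belongs to."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List; a real
# check should load the full list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "pl", "com.pl", "co.uk", "uk"}

# Domains the user is entitled to trust for this download (assumption for the example).
TRUSTED_DOMAINS = ("aol.com",)


def registrable_domain(host: str) -> str:
    """Longest public suffix found in `host`, plus the one label to its left.

    update.aol.com.x7qk3pz.com.pl -> x7qk3pz.com.pl   (not aol.com)
    update.aol.com                -> aol.com
    """
    labels = host.lower().rstrip(".").split(".")
    # Scanning from the left tries the longest candidate suffix first.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()  # no known suffix: treat the whole host as the domain


def spoofed_brands(host: str, trusted=TRUSTED_DOMAINS) -> list:
    """Trusted domains that appear as a run of labels inside `host` while the
    host is actually registered under some other domain."""
    host = host.lower().rstrip(".")
    owner = registrable_domain(host)
    padded = "." + host + "."          # so "aol.com" only matches whole labels
    return [t for t in trusted if t != owner and "." + t + "." in padded]


def check_download_url(url: str) -> dict:
    """Classify a download URL by the domain that actually serves it."""
    parts = urlsplit(url)
    host = parts.hostname or ""       # drops any user@ prefix and the port
    owner = registrable_domain(host) if host else ""
    return {
        "host": host,
        "registrable_domain": owner,
        "trusted": owner in TRUSTED_DOMAINS,
        "spoofed_brands": spoofed_brands(host) if host else [],
        # "http://update.aol.com@evil.example/" is another way to fake the prefix
        "userinfo_present": parts.username is not None,
    }


if __name__ == "__main__":
    for u in ("http://update.aol.com.x7qk3pz.com.pl/aimupdate_7.1.6.475.exe",
              "http://update.aol.com@x7qk3pz.com.pl/aimupdate_7.1.6.475.exe",
              "https://update.aol.com/aimupdate_7.1.6.475.exe"):
        print(check_download_url(u))
```

The same logic generalises to any brand-as-subdomain lure (myspace.com.something.example, and so on); the point is that only the registrable domain, never a prefix label, says who controls the host.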

"There's nothing all that dramatically different about this attack, except the social engineering trick," Brandt said.

The attack uses a familiar technique to infect users, one used before in other socially engineered spam campaigns, such as one claiming to come from the Internal Revenue Service (IRS). Other social engineering ploys claimed to come from MySpace, the U.S. Social Security Administration, the U.S. Centers for Disease Control and Prevention, and Microsoft Outlook/Outlook Express.

"The exploit opens, in an IFRAME, a page hosted on the IP address in the Vishclub network, which in turn loads a fairly large (15,628 byte) blob of obfuscated JavaScript," according to the Webroot blog post. "The script invokes the browser to load Adobe Reader, then pushes a file called 'pdf.pdf' down to the Reader. That file is built to attack the Collab overflow exploit, the util.printf overflow exploit, and the getIcon exploit in order to force the operating system to download and execute files."
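A file like the pdf.pdf described above can be triaged without opening it in Reader: the document has to carry a JavaScript action that runs on open, and the script has to reach the vulnerable API. The following Python scanner is an added example, not Webroot's tooling or anything from the article. It looks for the /JavaScript, /JS, /OpenAction and /AA dictionary keys (undoing the /J#53 hex-escape trick used to hide /JS), inflates Flate-compressed streams, and searches for the API calls behind the three exploits the post names, which in the exploit kits of that period were Collab.collectEmailInfo, util.printf and Collab.getIcon. The sample PDFs it scans are constructed inline; the marker script contains only a recognisable call name, not an exploit.

```python
"""Heuristic scan of a PDF for auto-run JavaScript and known Reader exploit APIs."""
import re
import zlib

# JavaScript API calls behind the three Reader exploits the Webroot post lists.
EXPLOIT_APIS = (b"Collab.collectEmailInfo", b"util.printf", b"Collab.getIcon")
# Dictionary keys that mark embedded script (/JavaScript, /JS) or automatic
# execution (/OpenAction, /AA).  \b keeps /JS from matching /JSomething.
SCRIPT_KEYS = {k: re.compile(rb"/" + k.encode() + rb"\b")
               for k in ("JavaScript", "JS", "OpenAction", "AA")}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# (?<!end) stops the "stream" inside "endstream" starting a bogus match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so an obfuscated /J#53 reads as /JS."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return every stream body, inflated when it is Flate-compressed."""
    bodies = []
    for m in _STREAM.finditer(data):
        raw = m.group(1)
        d = zlib.decompressobj()   # tolerates the EOL bytes before "endstream"
        try:
            bodies.append(d.decompress(raw) + d.flush())
        except zlib.error:
            bodies.append(raw.rstrip(b"\r\n"))  # not Flate (or damaged): keep raw
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Return the script keys and exploit API names found, plus a verdict."""
    # Name escapes only mean something outside streams, so blank stream bodies first.
    dicts = normalize_names(_STREAM.sub(b"stream\nendstream", data))
    streams = inflate_streams(data)
    text = dicts + b"\n" + b"\n".join(streams)
    keys = sorted("/" + k for k, pat in SCRIPT_KEYS.items() if pat.search(dicts))
    apis = sorted(a.decode() for a in EXPLOIT_APIS if a in text)
    if apis:
        verdict = "exploit_api_present"
    elif "/JavaScript" in keys or "/JS" in keys:
        verdict = "script_present"
    else:
        verdict = "no_script"
    return {"script_keys": keys, "exploit_apis": apis,
            "streams": len(streams), "verdict": verdict}


def build_sample_pdf(js: bytes, obfuscate_name: bool = True) -> bytes:
    """Constructed minimal PDF (no xref, not meant to render) whose catalog
    /OpenAction runs a Flate-compressed JavaScript action."""
    js_key = b"/J#53" if obfuscate_name else b"/JS"   # /J#53 is /JS hex-escaped
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript " + js_key + b" 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed marker script: the call name is what the scanner keys on; not an exploit.
MALICIOUS_JS = b'var pad = unescape("%u9090"); util.printf("%45000f", 0);'

# Constructed benign document: one page, a raw content stream, no actions.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
              b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
              b"4 0 obj\n<< /Length 23 >>\nstream\nBT /F1 12 Tf (Hi) Tj ET\nendstream\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(MALICIOUS_JS)))
    print(scan_pdf(BENIGN_PDF))
```

This is a triage heuristic, not a parser: it will miss scripts split across string concatenation or hidden behind filters other than Flate, and a /JavaScript key alone is only a reason to look closer. It does show why turning off Reader's JavaScript engine, as Webroot recommends, removes the whole delivery mechanism rather than one exploit.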

Brandt said he began seeing IFRAME exploits two to three months ago, but they are now being used more frequently. "They are constantly updating it," he said.

Zeus has been circulating since at least 2006. Although two people charged in the U.K. with distributing the data-stealing trojan were arrested in November, experts say its spread is hard to stop because of its numerous variants.

Webroot advises that, to avoid this particular attack on AIM users, people turn off Adobe Reader's embedded JavaScript. "There's almost no circumstance where JavaScript is required," Brandt said. With it turned off, users get an extra prompt should they open a PDF that calls for JavaScript, at which point they can choose whether to allow it.

Brandt also recommends that web surfers use the Firefox browser with the NoScript extension. "This can head off attacks," he said.
