New version of Zeus targeting AIM users

A new iteration of Zeus, a notorious password-stealing trojan, is victimizing users of AOL Instant Messenger (AIM), according to researchers at anti-virus vendor Webroot.

People using the popular instant messaging platform receive an email message announcing an update and are prompted to click through and download what appears to be a legitimate file, aimupdate_7.1.6.475.exe. The so-called update is in fact the Zeus installer, and the page that serves it also pushes Zeus onto the victim's machine whether or not the AIM user clicks the link to download the executable.

Zeus, also known as Zbot, is both a remote access trojan that lets its operator control the infected machine as a bot and a password stealer that harvests credentials cached on the local machine, Andrew Brandt, lead threat research analyst at Webroot, told SCMagazineUS.com on Friday.

"It opens an IFRAME to a site that attempts to use vulnerable versions of Adobe Reader to push the Zeus keylogger down to the victim's computer, then executes it within a few moments of the page loading," Brandt wrote on the Webroot blog.

The IFRAME page has been traced to an IP address that appears to belong to a Russian phishing gang, according to Webroot. "We don't have proof that it's a Russian gang, but a lot of people have said the source is Russia," Brandt said. Similar attacks targeting Outlook Web Access have recently been identified as coming from the same network.

The fake web page to which victims are brought appears to be an AOL site, but a close look reveals inconsistencies with an authentic AOL page. Notably, a genuine AIM installer carries a digital signature from parent company AOL; this one does not. Further, the URL used for the download begins with a legitimate-looking address, "update.aol.com," but that is followed by a random six- or seven-character string and then .com.pl. The suffix makes it appear as though the domain was registered in Poland, but it does not mean that the site is actually hosted there.
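The URL trick above works because the trusted name sits at the left of the hostname while the part that actually decides where the request goes is at the right. The following is an added example (not code from the article or from Webroot) of the check a mail or proxy filter would apply: it compares the hostname from its right-hand end against a trusted domain, and separately flags the pattern the article describes, a trusted name embedded in an untrusted host and a .com.pl registration. The trusted-domain list and every sample URL are constructed for this example; they are not the campaign's real hosts.

```python
"""Check whether a download link really points at the vendor's domain.

Added example: the lure described in the article starts with "update.aol.com"
but continues with a random label and ends in ".com.pl". The sample URLs used
here are constructed stand-ins, not the real campaign hosts.
"""
from urllib.parse import urlparse

# Domains a genuine AIM update would be served from (assumption for this example).
TRUSTED_DOMAINS = ("aol.com",)


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True only if host is the trusted domain itself or a real subdomain of it.

    A prefix or substring test is exactly what the lure defeats, so the
    comparison is anchored at the right-hand end of the hostname, where the
    registrable domain lives.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_download_url(url: str) -> dict:
    """Classify a download URL and explain why it was flagged."""
    host = hostname_of(url)
    findings = []
    if not is_trusted_host(host):
        findings.append("host is not under a trusted domain")
        # The lookalike trick: a trusted name appearing anywhere but the end.
        if any(d in host for d in TRUSTED_DOMAINS):
            findings.append("trusted domain name embedded in an untrusted host")
        labels = host.split(".")
        if len(labels) >= 2 and ".".join(labels[-2:]) == "com.pl":
            findings.append("registered under .com.pl")
    return {"host": host, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: one genuine-looking host, two lookalikes.
    for sample in (
        "http://update.aol.com/aimupdate_7.1.6.475.exe",
        "http://update.aol.com.x7q2bfa.com.pl/aimupdate_7.1.6.475.exe",
        "http://update.aol.comx7q2bf.com.pl/aimupdate_7.1.6.475.exe",
    ):
        print(assess_download_url(sample))
```

Both lookalike forms are caught by the same right-anchored comparison, which is the point: the filter never needs to know the random label, only that the hostname does not end in a trusted domain.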

"There's nothing all that dramatically different about this attack, except the social engineering trick," Brandt said.

The attack uses a familiar technique to infect users, one used before in other socially engineered spam campaigns, such as one claiming to come from the Internal Revenue Service (IRS). Other social engineering ploys claimed to come from MySpace, the U.S. Social Security Administration, the U.S. Centers for Disease Control and Prevention, and Microsoft Outlook/Outlook Express.

"The exploit opens, in an IFRAME, a page hosted on the IP address in the Vishclub network, which in turn loads a fairly large (15,628 byte) blob of obfuscated JavaScript," according to the Webroot blog post. "The script invokes the browser to load Adobe Reader, then pushes a file called 'pdf.pdf' down to the Reader. That file is built to attack the Collab overflow exploit, the util.printf overflow exploit, and the getIcon exploit in order to force the operating system to download and execute files."
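The chain quoted above has a recognisable shape on disk: a PDF with a script action that runs as soon as the document opens, whose JavaScript reaches for one of the Reader API calls the article names. The following is an added example (not Webroot's or the article's code) of a triage scanner that looks for exactly that combination. Two points a practitioner would want are handled: indicators are routinely hidden in Flate-compressed streams and behind hex-escaped PDF names, so both are unpacked before matching. The API name list is an assumption based on the standard Reader JavaScript names associated with the Collab, util.printf and getIcon exploits, and the sample PDF is constructed and inert; it contains only the strings a detector should notice, not exploit logic.

```python
"""Triage a PDF for the auto-running JavaScript pattern the article describes.

Added example, not from Webroot or the article. Scans raw PDF bytes for
script actions and for the Reader API names abused by the Collab,
util.printf and getIcon exploits, after inflating Flate streams and undoing
hex-escaped names. The sample PDF is constructed and inert.
"""
import re
import zlib

# Reader JavaScript API names associated with the three exploit families the
# article mentions (assumption: standard API names, not taken from any sample).
API_INDICATORS = [
    b"Collab.collectEmailInfo",  # the "Collab overflow"
    b"util.printf",              # the util.printf overflow
    b"Collab.getIcon",           # the getIcon exploit
]
# Structural indicators: hooks that run script without user interaction.
STRUCTURE_INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"]

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# (?<!end) keeps the "stream" inside "endstream" from starting a match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed content of every stream that inflates cleanly."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'.
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded or damaged; keep scanning the rest
    return data + b"\n" + b"\n".join(extra)


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /J#61vaScript -> /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return the indicators present and a coarse verdict."""
    # Inflate first so the escape rewrite never touches compressed bytes.
    view = normalise_names(inflate_streams(data))
    found_api = [i.decode() for i in API_INDICATORS if i in view]
    found_struct = [i.decode() for i in STRUCTURE_INDICATORS if i in view]
    # Auto-running script plus a known-bad API call is the article's pattern;
    # script alone only earns a closer look.
    if found_api and found_struct:
        verdict = "likely-exploit"
    elif found_struct:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "api": found_api, "structure": found_struct}


def build_sample_pdf() -> bytes:
    """Constructed, inert PDF: OpenAction -> JavaScript action with a hex-escaped
    action name and a Flate-compressed script body, mimicking how real samples
    evade a naive grep. The script only names the API; it does nothing."""
    js = b"// constructed sample: API name only, no exploit logic\nvar f = util.printf;"
    body = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

Without the inflate and unescape steps the same file would score as "clean", because neither "/JavaScript" nor "util.printf" appears literally in the raw bytes; that is the gap a string-only mail-gateway rule leaves open.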

Brandt said he began seeing IFRAME exploits two to three months ago, but they are now being used more frequently. "They are constantly updating it," he said.

Zeus has been circulating since at least 2006. Although arrests were made in November of a pair charged in the U.K. with disseminating the data-stealing trojan, experts say it is a challenge to stop the spread because of its numerous variants.

Webroot advises that, to avoid this particular exploit aimed at AIM users, people turn off Adobe Reader's embedded JavaScript. "There's almost no circumstance where JavaScript is required," Brandt said. With it off, users get an extra prompt should they encounter a document that calls for JavaScript, at which point they can make a choice.

Brandt also said he recommends that web surfers use the Firefox browser with the NoScript extension. "This can head off attacks," he said.