People using the popular instant messaging platform receive an email message announcing an update and are then prompted to click through to download what appears to be a legitimate file, aimupdate_18.104.22.1685.exe. However, the so-called update is, in fact, the Zeus installer, which can then transfer itself onto the victim's machine, whether or not the AIM user clicks on the link to download the executable file.
Zeus, also known as Zbot, is both a remote access trojan that permits the person running it to control a local machine as a bot, and it also steals passwords cached on local machines, Andrew Brandt, lead threat research analyst at Webroot, told SCMagazineUS.com on Friday
"It opens an IFRAME to a site that attempts to use vulnerable versions of Adobe Reader to push the Zeus keylogger down to the victim's computer, then executes it within a few moments of the page loading," Brandt wrote on the Webroot blog.
The IFRAME page has been traced to an IP address that appears to belong to a Russian phishing gang, according to Weboot. "We don't have proof that it's a Russian gang, but a lot of people have said the source is Russia," Brandt said. Similar attacks targeting Outlook Web Access have been identified as coming from the same network recently.
The fake web page to which victims are brought appears to be an AOL site, but a close look reveals inconsistencies to an authentic web page. Notably, a true AIM installer has a digital signature from parent company AOL attached. This one does not contain that signature. Further, the URL used for the download begins with a legitimate-seeming address, “update.aol.com,” but that is followed by a six- to seven random-character word followed by .com.pl. This suffix makes it appear as though the domain was registered in Poland, but it does not mean that the site is actually hosted there.
"There's nothing all that dramatically different about this attack, except the social engineering trick," Brandt said.
The attack uses a familiar technique to infect users, one used before in other socially engineered spam campaigns, such as one claiming to come from the Internal Revenue Service (IRS). Other social engineering ploys claimed to come from MySpace, the U.S. Social Security Administration, the U.S. Centers for Disease Control and Prevention, and Microsoft Outlook/Outlook Express.
Brandt says he began seeing IFRAME exploits two to three months ago, but they are beginning to be used more frequently now. "They are constantly updating it," he said.
Zeus has been circulating since at least 2006. Although arrests were made in November of a pair charged in the U.K. with disseminating the data-stealing trojan, experts say it is a challenge to stop the spread because of its numerous variants.
Brandt also said that he recommends web surfers use the Firefox browser with the NoScript plug-in extension. "This can head off attacks," he said.