Two UK-based botnets are zeroing in on British bank customers with new variants of the Zeus Trojan, according to a security firm.
The Zeus botnets, which consist of 20,000 to 30,000 compromised computers, are being used to send out region-specific spam carrying links to the Trojans, according to Trusteer. Compromised UK websites are also being used in the attack on online banking users, it added.
"It looks like criminal gangs are focused on the UK market and are specialising in UK banks," Trusteer chief executive Mickey Boodaei said on Friday.
Boodaei declined to name the banks, saying only that customers of all of the major institutions had been targeted. Spam runs typically focus on customers from three to nine of the major banks at a time, according to Trusteer.
Zeus, also known as Zbot, steals data by installing a keystroke logger on the victim's machine. People who click on a link in an infected email or compromised website could end up exposing their online banking credentials.
Trusteer said it gained access to the command-and-control servers of the botnets, and this allowed it to pinpoint the location of the zombie computers from their IP addresses. The company then analysed attack commands from the servers to determine the targets of the Zeus variants.
In general, detection rates for the malware have been low, said Boodaei. Between zero and 20 percent of the Trojans are being picked up by antivirus companies, according to Trusteer.
To determine detection rates, the company ran the different Zeus variants through services like VirusTotal, which checks malware samples against different antivirus engines. It also performed forensics at its own labs.
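The measurement described above, multi-engine scanning of each variant and reporting the share of engines that flag it, can be reproduced offline. The following is an added example and not Trusteer's tooling: it takes per-engine verdicts in the shape of the VirusTotal v3 `last_analysis_results` object (one entry per engine with a `category` field) and computes a detection rate per sample. The sample reports and engine names below are constructed for the demonstration; the point worth noting is the denominator, which counts only engines that actually scanned the file and leaves out those that timed out, failed or did not support the file type.

```python
"""Per-sample antivirus detection rates from multi-engine scan reports.

Added example, not code from the article or from Trusteer. The report
layout follows VirusTotal v3 `last_analysis_results`: a dict keyed by
engine name whose values carry a `category` string. All sample data here
is constructed; the engine names are placeholders, not real vendors.
"""

from typing import Dict, List, Tuple

# Categories meaning the engine actually scanned the file and gave a verdict.
SCANNED = {"malicious", "suspicious", "undetected", "harmless"}
# Categories counted as a detection.
DETECTED = {"malicious", "suspicious"}
# Anything else ("timeout", "failure", "type-unsupported") is excluded from
# the denominator: an engine that never rendered a verdict is not a miss.

Report = Dict[str, Dict[str, str]]


def detection_rate(results: Report) -> float:
    """Fraction of engines flagging the sample, among engines that scanned it."""
    scanned = [r for r in results.values() if r.get("category") in SCANNED]
    if not scanned:
        return 0.0
    hits = sum(1 for r in scanned if r["category"] in DETECTED)
    return hits / len(scanned)


def summarise(reports: Dict[str, Report],
              threshold: float = 0.2) -> Tuple[Dict[str, float], List[str]]:
    """Return (rate per sample, sorted list of samples at or below threshold)."""
    rates = {name: detection_rate(r) for name, r in reports.items()}
    low = sorted(name for name, rate in rates.items() if rate <= threshold)
    return rates, low


def _report(verdicts: List[str]) -> Report:
    """Build a constructed report with placeholder engine names."""
    return {f"EngineAlpha{i}": {"category": c} for i, c in enumerate(verdicts)}


# Constructed sample reports (hypothetical sample names, not real hashes).
SAMPLE_REPORTS: Dict[str, Report] = {
    # One engine of five flags it; a sixth engine could not scan the type.
    "regional-variant-1": _report(["malicious", "undetected", "undetected",
                                   "undetected", "undetected", "type-unsupported"]),
    # Nothing flags it; one engine timed out and is ignored.
    "regional-variant-2": _report(["undetected", "undetected", "undetected",
                                   "undetected", "timeout"]),
    # A widely seen sample for contrast: four of five engines flag it.
    "commodity-sample": _report(["malicious", "malicious", "malicious",
                                 "suspicious", "harmless"]),
}

if __name__ == "__main__":
    rates, low = summarise(SAMPLE_REPORTS)
    for name, rate in rates.items():
        print(f"{name:22s} {rate:5.0%}")
    print("at or below 20% detection:", ", ".join(low))
```

With a real VirusTotal v3 file report, the object under `data.attributes.last_analysis_results` can be passed to `detection_rate` as-is. Counting a timed-out or unsupported engine as a miss would understate the rate, so those entries are dropped from the denominator rather than treated as `undetected`.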
Boodaei said that international antivirus companies may not detect the Trojans due to their localised nature. Antivirus companies normally deploy a network of sensors, including computers designed specifically to capture malware samples, in networks called 'honeynets'. The Trojans may not be hitting these sensors, said Boodaei.
"The malware is too local to see on the radar," he said.
In addition, heuristics designed to stop malware by identifying its behaviour may be circumvented by criminals testing their products in their own labs before unleashing them on the public, said Boodaei.
Trusteer also warned of two other pieces of financial malware, which it calls Silon.var2 and Agent.DBJP, that are tailored to British online banking customers. These use the same distribution methods as the Zeus variants: infected email and compromised websites.