Expert: New Zeus Trojan puts Asia at greater risk

Countries such as Indonesia and the Philippines, which have seen increased adoption of Firefox, are at risk as Zeus 1.4 also targets Mozilla's Web browser, according to Trend Micro.
Written by Vivian Yeo, Contributor

Asian users may be at greater risk now that a new variant of the banking Trojan Zeus or Zbot is able to target the Firefox browser, a security expert has cautioned.

Danny Siew, Trend Micro's senior director for technical support in the Asia-Pacific region, explained in an e-mail interview that this is due to rising adoption levels for the Web browser in some countries within the region.

Citing the Mozilla Metrics Report for the first quarter of 2010, he said countries such as Indonesia, the Philippines and India have shown "a strong increase" in Firefox usage during the reporting period between mid-December 2009 and mid-March 2010.

Over in Indonesia, the market share for Firefox "continues to grow north of 60 percent", the organization said in the report. Mozilla's report also indicated that Firefox's worldwide market share as at Q1 is hovering near 30 percent. While the browser's biggest supporters are based in Europe, its market share in Asia is 26.6 percent.

Siew added that the company has detected samples of the new Zeus variant, such as TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ.

The new strain was highlighted last week in a press release by Trusteer, a security vendor specializing in protection against financial malware attacks and fraudulent Web sites.

Trusteer said Zeus 1.4 is a completely new version and uses polymorphic techniques to evade detection. Previous versions were not capable of exploiting Firefox, pointed out the company which is headquartered in the United States and Israel. However, the new Zeus now supports HTML injection and transactional tampering to bypass strong authentication and transaction signing technology.

As of April 21, Zeus 1.4 had already infected one in every 3,000 computers monitored by Trusteer in North America and the United Kingdom, according to the company release. Trusteer CEO Mickey Boodaei told ZDNet Asia in an e-mail that the company does not have data on Zeus 1.4 infection in Asia.

However, Ronnie Ng, Symantec's senior manager for systems engineering in Singapore, shared in an e-mail that previous versions of Zeus have been a prominent threat in the region.

Referring to Symantec's latest Internet Security Threat Report, he said the security vendor observed nearly 90,000 unique variants of the basic Zeus toolkit in 2009. In addition, the Zbot Trojan was the second most common new malicious code family in Asia-Pacific including Japan.

"Zbot is designed to steal sensitive information relating to online banking, social networking sites, Web-based e-mail, and saved passwords," said Ng. "It also downloads further threats based on a configuration file that allows malicious software authors to easily modify its behavior.

"Once a system is compromised by Zeus, it can allow an attacker to take full control of the system and use it for whatever nefarious purposes they want."

In February, security firm NetWitness revealed a botnet involving 74,000 PCs infected with the Zeus Trojan. The botnet was designed to steal login credentials to banking sites, social networks and e-mail systems.

Trend Micro's Siew said users should be wary of opening e-mail messages and clicking on URLs purporting to be legitimate Web sites. One of the easiest ways to fall prey to Zbot attacks is to click on links in e-mail messages that come from unknown senders, he added.

Editorial standards