Cutwail and Zeus Deliver Holiday DoomWritten by Malcolm James on December 10, 2012
As the holiday season looms near, many of you are probably scrambling to get your shopping done. If you’re particularly shrewd and adventurous, then you probably did most of that shopping online. Kudos to you. But when you combine the holidays with the online world, there’s always a danger that there’ll be more than bundled glee under the Christmas tree. Some presents, like socks, were meant to be opened on Christmas day, even if they aren’t that interesting. Some, are best dumped in the trash before they have a chance to rot your mind.
And others should never, ever be opened. That’s the warning we all need to heed this year, as a new spam campaign is being delivered by the notorious and pervasive Cutwail botnet. Several sources reported this week that the folks at Dell SecureWorks Counter Threat Unit have discovered a nasty little package delivered by Cutwail to inboxes everywhere, and it carries with it a nasty little elf better known as the Gameover Zeus banking Trojan.
“The spam message is made to look like it comes from many of the top U.S. banks. It reads: ‘You have received a new encrypted message or a secure message from [XYZ] Bank.’ The spam message encourages recipients to download an attachment and register for a new system designed to protect privacy and personal information. Instead the attachment contains the Pony downloader, which installs the banking malware,” SearchSecurity reports.
Elizabeth W. Clarke, a Dell SecureWorks spokesperson, told SearchSecurity that “the Cutwail botnet only needs to employ approximately 10,000 bots per spam campaign to send out hundreds of millions of malicious spam messages to computer users all over the world.”
Santa Claus it’s not, but it’s more than enough to deliver holiday misery to unsuspecting users across the world this holiday season.
The Gameover Zeus botnet is one of the largest around with more than 678,000 infections. But it’s not your father’s botnet. Rather than utilizing the standard command and control (C&C) server paradigm, Zeus is a peer-to-peer botnet. Dell SecureWorks points out that Gameover is very troubling, because that peer-to-peer design makes taking it down a virtual impossibility. And because it’s privately operated, variants aren’t available on criminal hacking forums. Without the ability to pick up a variant, researchers, security firms, and law enforcement officials can’t get their hands on the Trojan to reverse engineer it.
The pesky little thing, in fact, has been “detected on corporate systems and systems at universities, defense contractors and government agencies,” SearchSecurity reports.
Researchers have apparently detected multiple variants of the email spam, with the common theme of encouraging users to open the attached file, listen to a voicemail message, or register for a new privacy system. Dell SecureWorks has some good, if not obvious, advice, though: train your workers to never, ever open an email attachment or click a link, even if they recognize the sender of the email.
Clark cautions “Always verify that the sender sent the email. Additionally, update your IPS/IDS countermeasures and firewalls to detect the latest threats.”
According to Kaspersky ThreatPost, “a Dell SecureWorks spokesperson stated that as a point a policy Dell does not name victims involved in scams but said they are top U.S. banks.”
SearchSecurity notes that the Zeus Trojan has presented a major headache for banks and other financial firms, “with different variants infecting customer systems attempting to dupe individuals into giving up their account credentials. New variants of Zeus are frequently detected by researchers. The issue has become such a problem that Microsoft took legal action to disrupt some Zeus botnets. But despite a few victories, cybercriminals continue to recover their operations.”
But just in time for Christmas, it gets worse. The criminals behind the Gameover Zeus botnet are considered to be the most devious and aggressive, apparently implementing a system that’s elaborate and smacking of organized crime. They recruit money mules to drain US and European bank accounts and employ a number of nasty tools, like the automated features of the BlackHole Exploit toolkit, and DirtJumper, which is being used to deliver distributed denial of service (DDoS) attacks on financial institutions while bank accounts are being emptied.
As the holidays near, most of us hope for a little quiet time with family, a lot of holiday cheer and good food, and hopefully, a little global peace. What we don’t hope for is total financial ruin and the disasters associated with this lump of coal-inspired atrocity. Keep safe this holiday season and leave some packages unopened.