A hapless fraudster got more than he bargained for recently when he managed to infect the Zeus variant he was working on with another piece of malware, researchers at RSA Security have revealed.
RSA Research was investigating a customized version of the Zeus Robot Admin panel known as Zeus Panther when it discovered an “unusual ‘add-on’ to the application,” RSA FirstWatch security researcher Lior Ben-Porat explained in a blog post.
He claimed that the installation page of the Admin panel contained a VB script (VBS) that dropped a file named svchost.exe into the system.
On further inspection, the team discovered that the file in question was a version of the Ramnit worm dating back to mid-2013 – one of the main features of which is to add VBS code to any HTML files it finds.
“Upon execution, the svchost.exe file infects the rest of the files in the system, and also activates a USB-spreading mechanism that makes a copy of itself in a hidden folder on any USB device that is connected to the system,” he added.
“This functionality of the infection was discovered by creating a virtual USB flash drive connected to the Virtual Machine (VM) used in analyzing this malware.”
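As an added illustration for defenders (not code from RSA's analysis or the article), a Python heuristic that sweeps a directory of HTML files, such as an unpacked web panel, for injected VBScript blocks that write out and run an executable; the indicator patterns and the two sample pages are constructed assumptions, not signatures for Ramnit.

```python
import re
from pathlib import Path

# Heuristic indicators for a VBScript block injected into HTML that writes and
# runs an executable. These patterns are assumptions chosen for illustration,
# not signatures taken from the RSA analysis.
VBS_BLOCK = re.compile(
    r"<script[^>]*language\s*=\s*['\"]?vbscript['\"]?[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL)
INDICATORS = {
    "filesystem_object": re.compile(r"Scripting\.FileSystemObject", re.I),
    "shell_object": re.compile(r"WScript\.Shell|Shell\.Application", re.I),
    "exe_filename": re.compile(r"\w+\.exe", re.I),
    "long_hex_blob": re.compile(r"(?:[0-9A-Fa-f]{2}){200,}"),  # embedded PE bytes
    "runs_file": re.compile(r"\.Run\b|\.Exec\b|ShellExecute", re.I),
}

def scan_html(text):
    """Return, per VBScript block found, the sorted list of indicator names hit."""
    return [sorted(n for n, rx in INDICATORS.items() if rx.search(m.group(1)))
            for m in VBS_BLOCK.finditer(text)]

def is_suspicious(text, threshold=3):
    """Flag the page if any single block trips at least `threshold` indicators."""
    return any(len(hits) >= threshold for hits in scan_html(text))

def scan_tree(root):
    """Walk a directory tree and list the HTML files that look infected."""
    flagged = []
    for p in Path(root).rglob("*.htm*"):
        try:
            if is_suspicious(p.read_text(errors="ignore")):
                flagged.append(str(p))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    return flagged

# Constructed samples: a benign page with harmless VBScript, and one carrying
# a dropper-style block (fake hex blob, no real executable inside).
CLEAN_SAMPLE = "<html><script language=VBScript>MsgBox \"hi\"</script></html>"
INFECTED_SAMPLE = (
    "<html><body>install</body>"
    "<SCRIPT Language=VBScript>"
    "DropFileName = \"svchost.exe\"\n"
    "WriteData = \"4D5A" + "00" * 300 + "\"\n"
    "Set FSO = CreateObject(\"Scripting.FileSystemObject\")\n"
    "Set WSHshell = CreateObject(\"WScript.Shell\")\n"
    "WSHshell.Run DropFileName\n"
    "</SCRIPT></html>")
```

Run `scan_tree("/path/to/panel")` against a copy of the panel before deploying it; a hit on the installation page is the kind of add-on RSA found here.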
Ramnit is a pretty rare sight these days, comprising less than 1% of all malware variants reported, claimed Ben-Porat.
The RSA team initially suspected that the Ramnit infection was a deliberate move intended to protect the Admin panel from any other fraudsters who might be trying to sneak in and update or reconfigure the botnet control panel.
However, they decided that it was more likely to be the fraudster’s own fault.
“Our researchers came to the conclusion that this particular copy of Zeus Panther was saved onto a fraudster’s personal computer that had been infected by a Ramnit variant, and by uploading the Zeus Panther Admin panel from his infected machine, he unknowingly spread the Ramnit worm on his panel’s installation page.”
“This case demonstrates that although fraudsters are supposed to be familiar with malware and its capabilities, as they spend most of their ‘working’ hours installing/configuring/controlling botnets, evidently they can be just as susceptible as the general public to malware infections, and may not be as diligent as they should be in keeping their PCs clean.”
A report by Sophos earlier this month also found surprising gaps in the knowledge of some malware writers.
It claimed that, despite their reputation, APT groups actually lack the deep exploitation skills and release-process QA of their counterparts who author common malware.