RSA Europe: Say hello to Zeus 2+, a B2B version of the long-lived trojan

A new customized version of Zeus, known as Zeus 2+, has been observed in the wild
A new customized version of Zeus, known as Zeus 2+, has been observed in the wild

Speaking with analysts and the press at the RSA Europe event last week, Rivner – who has been tracking SpyEye and Zeus for some time – explained that, after Slavik, the darkware author behind Zeus, effectively merged his malware 'customer base' with the SpyEye group, most experts thought that Zeus was effectively dead.

“In October 2010 the fraud forums were shocked when Slavik announced a sudden collaboration between Zeus and SpyEye. Many people thought that Zeus would disappear from the landscape”, he said.

In fact, he explained, while the current crop of SpyEye infections have Zeus-killing code on board – removing Zeus from any machine the malware infects – a new customized version of Zeus, known as Zeus 2+, has been observed in the wild.

“Our research shows that demand for Zeus was growing up until September 2010 and then it tailed off dramatically. The question is: Did the author lose interest in the malware s/he developed? This seems unlikely”, Rivner told his audience, adding that RSA's research labs have now spotted a privately owned version of Zeus, apparently operated by a single cybercriminal gang.

Zeus 2+ infections are running at around the 200,000 computer mark, compared to two million with the original pre-SpyEye version of Zeus.

This new custom version of Zeus, said the RSA researcher, is subtly different from the original in that there is no man-in-the-browser (MITB) facility, but the drop computation of the malware has been significantly enhanced.

Zeus, he added, is not dead. It has, he explained, evolved into a more specialist state.

“Our research suggests that Slavik is still involved in the development of Zeus 2+, which has moved away from the B2C market it infected and over to the B2B side of things”, he said, adding that corporates are clearly a more lucrative target for the malware.

Infosecurity asked Rivner why he thought that Slavik had handed over the reins of the original Zeus malware to the SpyEye team and then developed Zeus 2+ for a specific cybercriminal gang.

“Probably because someone made him an offer he couldn't refuse.”

What’s Hot on Infosecurity Magazine?