Trusteer detects rapid spread of new polymorphic Zeus trojan

The internet authentication, encryption and security specialist says that its Rapport browser security service, which is used by a number of major banks, has detected the Zeus trojan variant on around one in 3000 PCs monitored by the Rapport servers.

According to Trusteer, this is an unprecedented rate of distribution for new financial malware code.

The firm reports that Version 1.4 – also known as version 2 – of Zeus targets Firefox browsers and uses advanced polymorphic techniques to avoid anti-virus detection.

To analyse the new trojan, Trusteer says it used its Flashlight remote fraud investigation and mitigation service to link Zeus 1.4 with fraud committed against both commercial and consumer banking customers on both sides of the Atlantic.

Flashlight was able to collect new Zeus configurations and code samples from infected computers. This new version of Zeus, says the company, is completely different than versions 1.2 and 1.3.

The key feature of the new version of Zeus is that it targets the growing population of Firefox users. Previous versions were incapable of exploiting Firefox to commit sophisticated online fraud against banks using strong layers of authentication.

However, Trusteer reports that Zeus 1.4 supports HTML injection and transaction tampering for Firefox, two techniques that are effectively used to bypass strong authentication and transaction signing solutions.

Amit Klein, the firm's chief technology officer, said that his research team expects this new version of Zeus to significantly increase fraud losses, since nearly 30% of internet users bank online with Firefox.

"The infection rate for this piece of malware is growing faster than we have ever seen before", he said, adding that the Trusteer Flashlight and Rapport services have enabled his research team to detect the rapid distribution of Zeus 1.4 early and alert financial institutions.

"We are recommending they maintain a layered approach to malware blocking and make sure they have the proper detection, investigation, mitigation, and response tools in place", he said.

What’s Hot on Infosecurity Magazine?