Faster ZeuS malware linked to cybercriminal gang
A new variant of the ZeuS malware is on the loose, using a "faster" protocol to communicate with the computer that controls it, a computer security site said.

Trend Micro said its observations since late September indicate that a cybercriminal gang may be behind the new version of ZeuS.

"Unlike earlier ZeuS versions that use HTTP to download its configuration file, this version opens a random UDP port and connects to a hardcoded list of IP addresses to download its configuration file," it said in a blog post.

UDP, which stands for User Datagram Protocol, is one of the most commonly used protocols on the Internet and is widely used for streaming audio and video.

An article on Skullbox.net said UDP is faster than TCP but has no form of flow control or error correction, and may thus be affected by collisions and errors. "Remember that UDP is only concerned with speed. This is the main reason why streaming media is not high quality," it said.

Trend Micro said the new version, detected as TSPY_ZBOT.SMQH, spread around late September through spam that claims to be from the ATO (Australian Taxation Office). It said the spammed messages contain a malicious link which, when clicked, directs users to a malicious website that serves the BlackHole exploit kit. The exploit kit, in turn, downloads a variant of this new ZeuS version.

Communicating with controller

According to Trend Micro, TSPY_ZBOT.SMQH establishes a connection with the server by sending encrypted data that contains the bot ID and a stream of characters. Each IP address in the hardcoded list has a corresponding stream of characters, which the server appears to check in order to validate the communication. "If any of the IP addresses is alive, it will reply with the encrypted configuration file via TCP," Trend Micro said. Once the configuration file is downloaded, TSPY_ZBOT.SMQH applies a decryption algorithm to it before use.
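The rendezvous behaviour Trend Micro describes (UDP probes from one source port to a hardcoded list of IPs, followed by a TCP reply from whichever peer is alive) is something a network defender can look for in flow records. The following is an added detection heuristic written for this article, not code from Trend Micro or the GMA News report; the flow records, the 10.0.0.0/8 "internal" range, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (not from the article): (time_s, src, sport, dst, dport, proto)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", 51234, "198.51.100.10", 43021, "udp"),
    (1, "10.0.0.5", 51234, "198.51.100.11", 43021, "udp"),
    (2, "10.0.0.5", 51234, "203.0.113.7", 43021, "udp"),
    (5, "203.0.113.7", 443, "10.0.0.5", 51234, "tcp"),    # one peer answers over TCP
    (0, "10.0.0.9", 40001, "10.0.0.1", 53, "udp"),          # ordinary DNS lookup
    (3, "10.0.0.9", 40002, "93.184.216.34", 443, "tcp"),    # ordinary web traffic
]

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range for this example

def is_external(ip):
    return ip_address(ip) not in INTERNAL

def find_udp_rendezvous(flows, min_peers=3, window=60):
    """Return {host: sorted peers} for hosts that sent UDP from a single source
    port to at least `min_peers` distinct external IPs within `window` seconds
    and then exchanged a TCP flow with one of those peers in the same window.
    DNS (port 53) is excluded so normal resolver traffic does not trigger it."""
    bursts = defaultdict(list)   # (host, sport) -> [(time, dst)]
    for t, src, sport, dst, dport, proto in flows:
        if proto == "udp" and dport != 53 and is_external(dst):
            bursts[(src, sport)].append((t, dst))
    hits = {}
    for (host, _sport), seen in bursts.items():
        seen.sort()
        t0 = seen[0][0]
        peers = {dst for t, dst in seen if t - t0 <= window}
        if len(peers) < min_peers:
            continue
        # Direction of the TCP leg is not stated in the article, so accept either.
        for t, src, _sp, dst, _dp, proto in flows:
            if proto != "tcp" or t < t0 or t - t0 > window:
                continue
            if (src == host and dst in peers) or (dst == host and src in peers):
                hits[host] = sorted(peers)
                break
    return hits

if __name__ == "__main__":
    print(find_udp_rendezvous(SAMPLE_FLOWS))
```

Tune `min_peers` and `window` to the size of the hardcoded list and the beacon interval observed in your own captures; on the constructed sample only 10.0.0.5 is flagged.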
"(T)his new variant also seems to be crafted by a private professional gang, probably the same creators of LICAT, or affiliated with them at least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT," it noted. "Although the spammed messages only target Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign, including the United States, European, and even Asian countries," it added. — TJD, GMA News