Trend Labs security researchers recently found a ZBOT variant, detected as TROJ_ZCLICK.A, which seemingly “locks” the desktop to display websites.
This kind of behavior is out of the ordinary for a ZBOT variant. Once the malware infiltrates the system, this desktop display occurs every time the user performs any activity, such as opening a window or file.
TROJ_ZCLICK.A is spyware that arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
The ZEUS malware family is used for data theft. Variants monitor the user's Web browsing activities using the browser window titles or address bar URLs as triggers for its attack.
They insert JavaScript code into legitimate banks’ web pages and send the gathered information via HTTP POST to remote URLs.
Cybercriminals may then use this information for their malicious activities: they may either steal money directly from the victim or sell the information in underground markets.
ZEUS variants are capable of disabling Windows Firewall and of injecting themselves into processes to become memory-resident.
They also terminate themselves if certain known firewall processes are found on the system. Variants add registry entries to ensure automatic execution at every system startup.
It should be noted that the sites being displayed are all legitimate, ranging from gaming sites, ticketing sites, and music sites to search engines.
Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle.
It is noteworthy that this variant doesn’t perform the traditional routines associated with this malware family, such as stealing information.
However, analysis reveals that the sample does contain the ZBOT code, which means this ZBOT variant loads only the clickbot routine. In this light, it’s only logical to assume that the main motivation for this variant is to generate income via the pay-per-click model.
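The distinguishing trait described above, navigation and scrolling that continues while the mouse is idle, is the kind of signal a defender can look for in endpoint telemetry. The following is an added example (not code from the original post or from Trend Labs) that flags a host when a burst of navigations to several unrelated sites happens while no human input has been seen for a while; the record format, thresholds and sample events are all constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime
from urllib.parse import urlsplit

# Constructed telemetry record: when a navigation happened, to which URL,
# and how many seconds had passed since the last real keyboard/mouse input.
Nav = namedtuple("Nav", "ts url input_idle_s")

IDLE_THRESHOLD_S = 120      # assumed: >2 min without human input counts as idle
MIN_IDLE_NAVS = 5           # assumed: navigations while idle needed for a finding
MIN_DISTINCT_HOSTS = 3      # clickbot traffic spans unrelated sites

def flag_idle_clickbot(navs, idle_threshold_s=IDLE_THRESHOLD_S,
                       min_idle_navs=MIN_IDLE_NAVS,
                       min_distinct_hosts=MIN_DISTINCT_HOSTS):
    """Return the sorted distinct hosts visited while the user was idle,
    or an empty list when the browsing looks user-driven."""
    idle = [n for n in navs if n.input_idle_s >= idle_threshold_s]
    hosts = {urlsplit(n.url).hostname for n in idle}
    if len(idle) >= min_idle_navs and len(hosts) >= min_distinct_hosts:
        return sorted(hosts)
    return []

def parse_line(line):
    """Parse one constructed 'timestamp,url,idle_seconds' CSV record."""
    ts, url, idle = line.strip().split(",")
    return Nav(datetime.fromisoformat(ts), url, int(idle))

# Constructed sample telemetry (not real logs): two user-driven visits,
# then a burst of navigations across unrelated sites while input is idle.
SAMPLE = """2011-05-10T09:00:00,https://mail.example.test/inbox,3
2011-05-10T09:00:41,https://news.example.test/top,5
2011-05-10T09:30:00,https://games.example.test/play,1800
2011-05-10T09:30:07,https://tickets.example.test/events,1807
2011-05-10T09:30:15,https://music.example.test/charts,1815
2011-05-10T09:30:22,https://search.example.test/?q=shoes,1822
2011-05-10T09:30:30,https://games.example.test/lobby,1830
2011-05-10T09:30:38,https://tickets.example.test/checkout,1838"""

def analyze(text=SAMPLE):
    """Run the detector over CSV text and return the flagged hosts."""
    return flag_idle_clickbot([parse_line(l) for l in text.splitlines()])

if __name__ == "__main__":
    print(analyze())
```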
This malware proves that cybercriminals are continuously tweaking familiar or known malware to deliver new payloads, all in the name of generating income from victimizing users.
Author: Venkatesh Yalagandula