ZeuS Virus Continues to Dominate Malware Landscape in October

08 Nov 2010
Virus News

Despite the arrests of gang members controlling ZeuS botnets, new malicious programs are still emerging that support its spread, according to Kaspersky Lab's October malware statistics. ZeuS has become one of the most commonly used and best-selling spy programs on the online black market due mainly to the ease with which the Trojans in the ZeuS family can be configured to steal online data.

The report shows that additional viruses designed to help grow the ZeuS botnet have been appearing. Virus.Win32.Murofet, detected in early October, generates domain names that link to downloadable and executable ZeuS files. The virus obtains the year, month, day and minute from the system, generates two double words, appends one of several popular domain zones, adds "/forum" to the end of the string and uses the result as a link.

"This piece of malware demonstrates just how inventive and eager the ZeuS developers are to spread their creation around the world," stated Vyacheslav Zakorzhevsky, Senior Virus Analyst at Kaspersky Lab and author of the report.

Another clear trend in October was the continuing growth in the popularity of fake archiving programs. These programs typically disguise themselves as tools to remove license protection from legal software. After a user launches a fake archiving program, they are asked to send an SMS to a premium number so they can access the contents of an archive. In most cases, after a message is sent, the user receives instructions on how to use a torrent tracker and/or a link to it.

"There are a variety of hoax scenarios, but the result is always the same," commented Vyacheslav Zakorzhevsky. "The victim ends up spending money and does not get the file they wanted. This type of fraud is relatively new and only came to light a few months ago. It has attracted a lot of interest from cybercriminals ever since."

More than a million attempted infections of this type have been detected each month by Kaspersky Lab since July 2010.

Kaspersky Lab's experts once again warn users to be more careful while surfing the net and refrain from visiting web resources that look suspicious. Trojan.JS.FakeUpdate.bp, a script from the FakeUpdate family that commonly occurs on porn sites, is at the top of the ranking. When the user clicks on a video clip, a popup window appears saying a new media player has to be installed in order to watch the clip. The player contains a Trojan that modifies the 'hosts' file. This Trojan associates a number of popular sites with a local IP address and installs a local web server on the infected computer. After this, every time the user tries to access one of the sites, a page appears in the browser demanding that the user pay for viewing adult content.
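A defender-side check for the 'hosts' file tampering described above, as an added example that is not taken from the Kaspersky Lab report: it flags entries that map a public-looking hostname to a loopback or private address. The sample file, its hostnames and the `allow` parameter are constructed for illustration.

```python
import ipaddress

# Names that legitimately resolve to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:                  # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_redirects(text, allow=()):
    """Return (line_no, ip, hostname) where a public-looking name points at a local address.

    `allow` is an assumed parameter: hostnames the site knowingly pins locally.
    """
    allowed = {a.lower() for a in allow}
    findings = []
    for line_no, ip, name in parse_hosts(text):
        local_target = ip.is_loopback or ip.is_private or ip.is_link_local
        public_name = "." in name and name not in LOCAL_NAMES
        if local_target and public_name and name not in allowed:
            findings.append((line_no, str(ip), name))
    return findings

# Constructed sample hosts file (all hostnames are placeholders).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-social.test example-search.test   # constructed
192.168.1.10    fileserver
10.0.0.5        intranet.corp.example
93.184.216.34   pinned.example.org
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Legitimate intranet pins and ad-blocking hosts lists produce the same pattern, so findings need triage against an allow list before being treated as an infection indicator.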

For a complete version of Kaspersky Lab's October malware report, please visit www.securelist.com.