Picture the banking Trojan Zeus hiding in innocuous images — photos of your kids, a kitten, a sunset — and that just may be the worst horror show imaginable.

And it may be coming to a computer near you.

That's the loud alert from security firm Trusteer, which has sounded an alarm about what it dubs ZeusVM.

And, said Trusteer fraud prevention expert Etay Maor, it allows cyber crooks to hide command and control instructions for Zeus malware in pictures that at first glance seem harmless. At second glance too: “the human eye does not detect that the image has been altered,” Maor said.

Back up a step: Zeus — first identified in 2007 — quickly established itself as the most pernicious banking malware ever. It is estimated to be on over three million Windows-based computers in the U.S. alone. It is not known to run on Apple operating systems, Linux or Chrome OS.

What it does, much of the time, is absolutely nothing. That is key to its genius. It lies dormant until the infected computer visits a targeted banking or credit union website and then it hops into motion, capturing login credentials such as username and password. Later, those juicy details are transmitted to a criminal who busies himself looting that account.

To the financial institution, it looks like the rightful owner has logged in because the credentials are perfect.

Zeus divides into two parts. There's the actual malware code, usually installed when an unwitting victim clicks on an email link that purports to take him to a legitimate site, but there is a detour where a tiny chunk of evil code is installed.

The other part of Zeus is instructional sets, typically constructed for particular banks or credit unions. These command and control instructions tell the malware what to collect, and from which fields, when the victim visits specified banking sites.

Both parts are needed for Zeus to steal.

What is delivered in the images, said Jesper Jurcenoks, director of research at security firm Critical Watch, is not the so-called executable code — the actual Zeus malware Trojan — but the instructional sets.

Since there is no executable, it is even harder for security screening tools to tumble to the fact that the picture is bad.

Note, too, there is no need to download the infected image to a victim computer. If the image is on a website, just looking at it in the browser is enough. “The instructions will download to your computer,” said Kevin Epstein, a vice president at cyber-security firm Proofpoint.

By the time your eyes have focused on the image, the instructions are on your computer, said Epstein.

What makes ZeusVM important, said various security experts, is that Zeus detection systems had been making progress in blocking delivery of instructional sets because all revolve around particular words such as “bank.”

With ZeusVM, the words are camouflaged in that innocuous image. That's why the image may let Zeus evade standard detection screens.

Worse news: this may be just the start of an avalanche of bad images and other, ever more devious strategies designed to hide toxic payloads, said Chad Davis, an expert in what is called steganography with Backbone Security.

Steganography, which goes back centuries, involves hiding information in plain sight and, said Davis, “most security systems don't look hard at images, which is why this can be so effective.”
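One concrete way a defender can start "looking hard at images," as an added illustration that is not part of the original article and makes no claim about how ZeusVM itself encodes its instructions: walk the image's own structure to find where the picture legitimately ends, then flag any bytes that follow it. Both the PNG chunk walk and the JPEG marker walk below are standard format parsing; the sample images and the appended payload are constructed inline for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_image_end(data: bytes) -> int:
    """Return the offset just past the IEND chunk, or -1 if the PNG is malformed.
    Every PNG chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            return -1
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return -1


def jpeg_image_end(data: bytes) -> int:
    """Return the offset just past the EOI (FFD9) marker, or -1 if malformed.
    Segments are walked by their declared length, so an FFD9 sitting inside an
    embedded thumbnail (e.g. in an APP1/EXIF segment) is not mistaken for the end."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:          # EOI: the picture ends here
            return pos + 2
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        pos += 2 + seg_len
        if marker == 0xDA:          # SOS: entropy-coded data follows until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break           # FF00 is byte stuffing, FFD0-FFD7 are restart markers
                pos += 1
    return -1


def trailing_bytes(data: bytes) -> int:
    """Number of bytes present after the image's own end marker; -1 if the
    format is not recognised or the structure is malformed (both worth a look)."""
    if data.startswith(PNG_SIG):
        end = png_image_end(data)
    elif data.startswith(b"\xff\xd8"):
        end = jpeg_image_end(data)
    else:
        return -1
    return -1 if end < 0 else len(data) - end


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    """Constructed JPEG marker skeleton (APP0, SOS, a few entropy bytes containing a
    stuffed FF00 and an RST0 marker, then EOI). It exercises the walker; it is not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"


def scan_samples() -> dict:
    """Run the check over constructed clean and trailer-carrying samples."""
    clean_png, clean_jpg = build_sample_png(), build_sample_jpeg()
    appended = b"constructed-appended-data"  # stands in for whatever an attacker would tack on
    return {
        "png_clean": trailing_bytes(clean_png),
        "png_trailer": trailing_bytes(clean_png + appended),
        "jpeg_clean": trailing_bytes(clean_jpg),
        "jpeg_trailer": trailing_bytes(clean_jpg + appended),
        "unknown": trailing_bytes(b"GIF89a..."),
    }


if __name__ == "__main__":
    for name, count in scan_samples().items():
        print(f"{name}: {count} trailing byte(s)")
```

A non-zero trailer count is a cheap, low-false-positive signal for a mail gateway or web proxy to escalate on, and a malformed structure (-1) deserves the same. It does not catch data woven into pixel values, which a viewer-rendered image can carry with no trailer at all; for that, comparing the image against a known original or looking at pixel-level statistics is the next step.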

Imagine a credit union employee gets an email with a half dozen embedded pictures of a member's children. Now imagine that those pictures have ZeusVM hidden in them. The nightmare hits full speed if the employee's computer — maybe one at home — has a dormant version of Zeus on it.

The additional uses of the technique boggle the mind.

“With steganography, you could hide thousands of credit card numbers in a single image. This would pass through almost all data exfiltration screens,” Davis elaborated. “This is a big threat. There may be an infinite number of ways to hide information.”

His firm prediction: “You will see more and more sophisticated attacks, using steganography.”

And that means existing security systems, generally useless against the attack vector today, need to be tweaked, fast, before these kinds of picture-based and other camouflaged attacks multiply.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.