Security News South Africa

Zeus, fake archives set the malware tone for October

Kaspersky Lab, a leading developer of secure content and threat management solutions, announces the publication of its Monthly Malware Statistics for October 2010.

Despite the recent arrests of criminal gang members linked to the Zeus botnet, new malicious programs are still emerging that support its spread. Zeus has become one of the most commonly used and best-selling spy programs on the online black market, due mainly to the ease with which the Trojans in the Zeus family can be configured to steal online data.

Virus.Win32.Murofet, detected in early October, generates domain names that are later used to spread the Zeus botnet. The links to downloadable and executable Zeus files are generated using the current date and time on the victim's computer. The virus obtains the year, month, day and minute from the system, generates two double words, adds one of several popular domain zones, adds "/forum" to the end of the string and uses it as a link.

Inventive

"This piece of malware demonstrates just how inventive and eager the Zeus developers are to spread their creation around the world," stated Vyacheslav Zakorzhevsky, senior virus analyst at Kaspersky Lab and author of the report.

Another clear trend in October was the continuing growth in the popularity of fake archiving programs. These programs typically disguise themselves as popular freeware or tools to remove license protection from legal software. After a user launches a fake archiving program, they are asked to send an SMS to a premium number so they can access the contents of an archive. In most cases, after a message is sent, the user receives instructions on how to use a torrent tracker and/or a link to it.

"There are a variety of hoax scenarios, but the result is always the same," commented Zakorzhevsky. "The victim ends up spending money and does not get the file they wanted. This type of fraud is relatively new and only came to light a few months ago. It has attracted a lot of interest from cybercriminals ever since." Kaspersky Lab has detected more than a million attempted infections of this type each month since July 2010.

Be more careful!

Kaspersky Lab's experts once again warn users to be more careful while surfing the net and refrain from visiting web resources that look suspicious. Trojan.JS.FakeUpdate.bp, a script from the FakeUpdate family that commonly occurs on porn sites, is at the top of the ranking. When the user clicks on a video clip, a pop-up window appears saying a new media player has to be installed in order to watch the clip. The player also happens to contain a Trojan that modifies the 'hosts' file. This Trojan associates a number of popular sites with a local IP address and installs a local web server on the infected computer. After this, every time the user tries to access one of the sites, a page appears in the browser demanding that the user pay for viewing adult content.
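The hosts-file change described above can be checked for on a machine. The following Python sketch is an added example, not code from Kaspersky Lab's report; it assumes "local IP address" means a loopback or unspecified address, and the function name, the allow-list of local names and the sample hosts file are constructed for illustration.

```python
import ipaddress

# Names that legitimately point at the local machine (assumed allow-list).
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback", "broadcasthost"}

# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       video.example.com www.example.net   # redirected locally
203.0.113.10    mirror.example.org
127.0.0.1       workstation01
not-an-ip       broken.example.com
"""

def suspicious_hosts_entries(text, local_names=LOCAL_NAMES):
    """Return (line_no, ip, hostname) for every dotted hostname that a
    hosts file maps to a loopback or unspecified address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or incomplete line
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                             # malformed address field
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            # Skip known local names and bare machine names without a dot.
            if name in local_names or "." not in name:
                continue
            findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Hosts files used deliberately for ad blocking also map many domains to 127.0.0.1 or 0.0.0.0, so findings need review against what the machine's owner configured.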

For a complete version of Kaspersky Lab's October malware report, go to www.securelist.com.
