Zeus “in-the-cloud”
Published: December 09 2009, 04:39 AM by Methusela Cebrian Ferrer
A new wave of a Zeus bot (Zbot) variant was spotted taking advantage of Amazon EC2’s cloud-based services for its C&C (command and control) functionalities.

This notable scheme is a highlight from the latest spammed executable "xmas2.exe" (63,488 bytes), covered in our recently published blog post titled "Christmas is knocking on the door, so does the malware".
[Figure 01 – Zeus displays cyber-criminal activities]

[Figure 02 – Zeus bot variant communication]
As shown in Figure 03, the Zeus bot variant injects code into system processes (such as svchost.exe) and connects to its cloud server [Figure 02] to retrieve the master's configuration file (config.bin) for its criminal activity.
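The behaviour described above, an injected svchost.exe pulling config.bin from an EC2-hosted server, leaves a recognisable trace in outbound web proxy logs. The following added example (not code from the original post) scores constructed proxy-log lines against those indicators; the log format, hostnames and addresses are assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample proxy log lines (assumed format: timestamp, process, method, URL, status).
# Hostnames and addresses are placeholders, not indicators from the original post.
SAMPLE_LOG = """\
2009-12-09T04:31:02Z svchost.exe GET http://ec2-203-0-113-10.compute-1.amazonaws.com/config.bin 200
2009-12-09T04:31:05Z iexplore.exe GET http://www.example.com/index.html 200
2009-12-09T04:32:17Z svchost.exe POST http://ec2-203-0-113-10.compute-1.amazonaws.com/upload.php 200
2009-12-09T04:33:40Z svchost.exe GET http://updates.example.net/config.bin 200
2009-12-09T04:34:01Z firefox.exe GET http://ec2-198-51-100-7.compute-1.amazonaws.com/app/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
# Default public DNS name of an EC2 instance, e.g. ec2-203-0-113-10.compute-1.amazonaws.com
EC2_HOST_RE = re.compile(r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.[a-z0-9.-]+\.amazonaws\.com$", re.I)

Hit = namedtuple("Hit", "timestamp process url reasons")

def indicators(process, url):
    """Return the list of reasons a single request resembles Zbot configuration retrieval."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.path.lower().endswith("/config.bin"):
        reasons.append("fetches config.bin (Zbot configuration file name)")
    if EC2_HOST_RE.match(host):
        reasons.append("destination is a default EC2 public hostname")
    if process.lower() == "svchost.exe" and not host.endswith(".microsoft.com"):
        # svchost.exe legitimately reaches Microsoft update hosts; other destinations merit review.
        reasons.append("svchost.exe (injection target) talking to a non-Microsoft host")
    return reasons

def find_suspicious(log_text, min_reasons=2):
    """Parse log lines and return Hits matching at least min_reasons indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        timestamp, process, _method, url, _status = m.groups()
        reasons = indicators(process, url)
        if len(reasons) >= min_reasons:
            hits.append(Hit(timestamp, process, url, reasons))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit.timestamp, hit.process, hit.url)
        for reason in hit.reasons:
            print("   -", reason)
```

A single indicator (a browser visiting an EC2-hosted site, for instance) is normal traffic, which is why the default threshold requires two before a line is reported.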

[Figure 03 – Injects code and waits for user to enter bank credentials]
The group behind this criminal activity is obviously doing it for financial gain – stealing both your identity and your money.
In this variant, we have learned how cloud on-demand (pay-as-you-use) offerings could be used to fuel such online cyber-crimes.
Please Note: The legitimate hacked website was contacted and informed about its participation in the Zeus bot activity and has accordingly stopped serving the malicious variant.
Furthermore, we also reported the observed abuse activities to Amazon Web Services. For future reference, this page explains how to report suspicious AWS activities.
Thanks to Zarestel for his valuable contribution in the code analysis.
Tags: e-card, Zbot Spam, xmas2.exe, Zeus uses Amazon EC2, cloud on-demand, config.bin, zeus configuration, Amazon EC2, hacking e-shop, Zbot Christmas spam, banking trojan, pay-as-you-use, Zeus C&C, EC2 trojan, zbot cloud, cloud trojan, Cloud malware