Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.
Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.
A sample Ramnit injection. Image courtesy Trusteer.
Trusteer says this Ramnit strain includes a component that allows it to modify Web pages as they are being displayed in the victim’s browser. It is this very feature — code injection — that has made ZeuS such a potent weapon in defeating the security mechanisms that many commercial and retail banks use to authenticate their customers.
As this Ramnit variant demonstrates, the real threat from the ZeuS source leak is that it greatly facilitates the addition of this code-injection capability into tons of other ordinary malware. I think we can expect other established malware families to undergo a similar metamorphosis in the months ahead.
It is fitting that the ZeuS leak was the apparent outcome of an earlier hybridization: The merger of ZeuS with SpyEye. One of the more tantalizing conspiracy theories I’ve heard to explain the release of the ZeuS code is that it was done intentionally as part of a marketing ploy to create demand for peripheral code and services. This is not so far-fetched. As I wrote in July, malware writing gangs have taken to posting banner ads to lure talented programmers into the lucrative market for “Web injects” and other innovations designed to make existing malware stealthier and more feature-rich.
Security experts this week cataloged another evolution tied to the ZeuS source spill: On Tuesday, Kaspersky Lab published a blog post on Ice IX, which it claimed was the first crimeware based on the leaked code. Kaspersky said Ice IX, sold in the criminal underground for $1,800, “is the first new generation of web applications developed to manage centralized botnets through the HTTP protocol based on leaked ZeuS source code.”