Just in Time for the Holidays; Cutwail and Zeus Deliver Holiday Doom

As the holiday season looms near, many of you are probably scrambling to get your shopping done. If you’re particularly shrewd and adventurous, then you probably did most of that shopping online. Kudos to you. But when you combine the holidays with the online world, there’s always a danger that there’ll be more than bundled glee under the Christmas tree. Some presents, like socks, were meant to be opened on Christmas day, even if they aren’t that interesting. Some are best dumped in the trash before they have a chance to rot your mind.

And others should never, ever be opened. That’s the warning we all need to heed this year, as a new spam campaign is being delivered by the notorious and pervasive Cutwail botnet. Several sources reported this week that the folks at Dell SecureWorks Counter Threat Unit have discovered a nasty little package delivered by Cutwail to inboxes everywhere, and it carries with it a nasty little elf better known as the Gameover Zeus banking Trojan.

“The spam message is made to look like it comes from many of the top U.S. banks. It reads: ‘You have received a new encrypted message or a secure message from [XYZ] Bank.’ The spam message encourages recipients to download an attachment and register for a new system designed to protect privacy and personal information. Instead the attachment contains the Pony downloader, which installs the banking malware,” SearchSecurity reports.

Elizabeth W. Clarke, a Dell SecureWorks spokesperson, told SearchSecurity that “the Cutwail botnet only needs to employ approximately 10,000 bots per spam campaign to send out hundreds of millions of malicious spam messages to computer users all over the world.”

Santa Claus it’s not, but it’s more than enough to deliver holiday misery to unsuspecting users across the world this holiday season.

The Gameover Zeus botnet is one of the largest around with more than 678,000 infections. But it’s not your father’s botnet. Rather than utilizing the standard command and control (C&C) server paradigm, Zeus is a peer-to-peer botnet. Dell SecureWorks points out that Gameover is very troubling, because that peer-to-peer design makes taking it down a virtual impossibility. And because it’s privately operated, variants aren’t available on criminal hacking forums. Without the ability to pick up a variant, researchers, security firms, and law enforcement officials can’t get their hands on the Trojan to reverse engineer it.

The pesky little thing, in fact, has been “detected on corporate systems and systems at universities, defense contractors and government agencies,” SearchSecurity reports.

Researchers have apparently detected multiple variants of the email spam, with the common theme of encouraging users to open the attached file, listen to a voicemail message, or register for a new privacy system. Dell SecureWorks has some good, if not obvious, advice, though: train your workers to never, ever open an email attachment or click a link, even if they recognize the sender of the email.

Clarke cautions: “Always verify that the sender sent the email. Additionally, update your IPS/IDS countermeasures and firewalls to detect the latest threats.”
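The advice above translates naturally into mail-gateway triage. The script below is an added example, not code from the article or from Dell SecureWorks: it scores inbound messages on the three signals the campaign description gives us (the "new encrypted or secure message" lure wording, an attachment the reader is urged to open, and a sender whose display name claims a bank that the actual sending domain does not match). The sample messages, the bank-to-domain mapping and the risky-extension list are constructed for illustration.

```python
"""Heuristic triage for the 'secure message from your bank' lure.

Added example (not from the article or Dell SecureWorks). The sample
messages, KNOWN_BANK_DOMAINS and RISKY_EXTENSIONS are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed mapping of bank display names to the domains they really send
# from. A real deployment would maintain this from verified sources.
KNOWN_BANK_DOMAINS = {
    "example bank": {"examplebank.example"},
}

# Lure themes named in the article: encrypted/secure message, voicemail,
# and "register for a new privacy system".
LURE_PATTERNS = [
    re.compile(r"new (encrypted|secure) message", re.I),
    re.compile(r"voicemail", re.I),
    re.compile(r"register .{0,40}(privacy|protect)", re.I),
]

# Constructed list of attachment types commonly used to carry a downloader.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".com")


def attachment_names(msg):
    """Return the filenames of every attached part, top to bottom."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def claimed_bank(display_name):
    """Which known bank, if any, does the From display name claim to be?"""
    lowered = display_name.lower()
    for bank in KNOWN_BANK_DOMAINS:
        if bank in lowered:
            return bank
    return None


def score_message(raw):
    """Parse one RFC 5322 message and report which lure signals it trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")

    findings = []
    if any(p.search(text) for p in LURE_PATTERNS):
        findings.append("lure_wording")
    risky = [n for n in attachment_names(msg) if n.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        findings.append("risky_attachment")
    bank = claimed_bank(display)
    if bank and domain not in KNOWN_BANK_DOMAINS[bank]:
        findings.append("sender_domain_mismatch")

    # Two or more independent signals is the (constructed) quarantine threshold.
    return {"flagged": len(findings) >= 2, "findings": findings, "attachments": risky}


# Constructed sample resembling the lure described in the article.
LURE_SAMPLE = """\
From: "Example Bank Secure Messaging" <alerts@mail-notice.example>
To: user@corp.example
Subject: You have received a new encrypted message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

You have received a new encrypted message or a secure message from Example Bank.
Please open the attached file and register for our new privacy protection system.
--XYZ
Content-Type: application/zip; name="SecureMessage.zip"
Content-Disposition: attachment; filename="SecureMessage.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign notice from the bank's real domain, no attachment.
BENIGN_SAMPLE = """\
From: "Example Bank" <statements@examplebank.example>
To: user@corp.example
Subject: Your monthly statement is available
Content-Type: text/plain

Log in through your bookmarked address to view your statement. No attachment is included.
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The sender-domain check is the mechanical form of "verify that the sender sent the email": a display name that claims a bank is only trusted when the envelope domain is one the bank is known to use.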

According to Kaspersky ThreatPost, “a Dell SecureWorks spokesperson stated that as a point of policy Dell does not name victims involved in scams but said they are top U.S. banks.”

SearchSecurity notes that the Zeus Trojan has presented a major headache for banks and other financial firms, “with different variants infecting customer systems attempting to dupe individuals into giving up their account credentials. New variants of Zeus are frequently detected by researchers. The issue has become such a problem that Microsoft took legal action to disrupt some Zeus botnets. But despite a few victories, cybercriminals continue to recover their operations.”

But just in time for Christmas, it gets worse. The criminals behind the Gameover Zeus botnet are considered to be the most devious and aggressive, apparently implementing a system that’s elaborate and smacking of organized crime. They recruit money mules to drain US and European bank accounts and employ a number of nasty tools, like the automated features of the BlackHole Exploit toolkit, and DirtJumper, which is being used to deliver distributed denial of service (DDoS) attacks on financial institutions while bank accounts are being emptied.

As the holidays near, most of us hope for a little quiet time with family, a lot of holiday cheer and good food, and hopefully, a little global peace. What we don’t hope for is total financial ruin and the disasters associated with this lump of coal-inspired atrocity. Keep safe this holiday season and leave some packages unopened.

Written by Malcolm James

3 Comments

  1. Maria Ortiz · December 11, 2012

    Wasn’t Zeus a botnet that was taken down just months ago? Wasn’t it proclaimed a huge victory back then? It seems this botnet managed to get back on its feet much faster than we thought. Those whose jobs involve work with attachments and banks are most exposed to the risk; the rest of us can simply choose to ignore the attachment and stay safe.

  2. Mark Lopez · December 18, 2012

    Here’s what I think about banks: when it comes to IT security, they haven’t fully evolved. Simply put, they remain less developed, so they are the ones that are also most volatile. Let’s not forget too that money is basically with them. It’s just too sad to think that when it comes to threats such as this, we are very much helpless. We’ve never been the one ahead. So we always have to be on the defense, the ones who should be careful. I hope I’d still be around when the time comes that I don’t have to worry about such a thing since scammers will be scared to do it.

  3. Noel Flanders · January 2, 2013

    Even if the holidays are over, spam just continues to pour in. Now they’re taking advantage of the fiscal cliff, and it wouldn’t be too long before they can come up with something that’s related to Valentine’s Day. I think one of the reasons why they’re doing this is because their e-mails don’t sound so disconnected anymore. It’s a far cry from the Nigerian prince or the estate stories a long time ago. And because they are relevant to the time, the chances of being opened are increased, which also boosts the click rate of the links. Simply put, they find greater success doing this one.