After a large international campaign, the FBI and Europol coordinated to run “Operation Tovar” which resulted in the arrest of Evgeniy Bogachev, the leader of the group behind CryptoLocker. The criminal group is believed to have made $30 million in 100 days from approximately 500,000 victims.
While CryptoLocker is officially dead (thanks to a law enforcement sinkhole), that hasn’t stopped its code appearing in numerous newer versions, from Crypt0Locker to CryptoLocker v3 and CryptoGraphic Locker. “Zeus and CryptoLocker live on in the code that has been published and re-used to create more recent malware strands, meaning businesses are still being victimized by old malware threats reincarnated,” says Pieter Arntz, malware intelligence researcher at Malwarebytes.
Zeus was an extremely successful Trojan horse which, having proved its worth against financial services, has undergone a recent transformation. Prolific between 2007 and 2009, Zeus – which ran on versions of Windows – stole banking details through man-in-the-browser keystroke logging and form grabbing, and it would also attempt to install CryptoLocker for extra monetary gain.
Zeus spread through phishing emails and drive-by downloads and hit some notable targets, including the US Department of Transportation. Today, Zeus lives on in other forms. According to Denmark-based Heimdal Security, the potent nine-year-old malware has morphed into the up-and-coming Atmos malware, which has been targeting banks in France.
Now Zeus is more widespread than just financial services. “I still see Zeus and Conficker popping up on most LANs,” says Steve Armstrong, SANS instructor and incident response expert. “Zeus probably once a month for medium or large companies with poor controls.”
“As Zeus's source code was leaked, many banking Trojans are still based on it,” adds Chris Doman, security researcher at Alienvault. “Malware authors even advertise ‘not based on Zeus’ when selling their malware, and charge a premium if so.”
Duqu was discovered in September 2011 and is believed to be closely related to the infamous Stuxnet worm, which resulted in the destruction of Iranian centrifuges. Indeed, many say that Duqu borrows much of the same source code as Stuxnet.
Duqu was used in a number of intelligence-gathering attacks against industrial targets, and was suspected of being used to spy on the Iranian nuclear negotiations. The latest version – Duqu 2.0 – is believed to be the most sophisticated malware ever. FireEye has found Duqu 2.0 on the networks of European hotels used by participants in the Iranian nuclear negotiations, while Symantec has identified it on the networks of telco operators and electronics companies.
Duqu 2.0 was signed using a legitimate digital certificate issued to Chinese electronics manufacturer Foxconn, whose customers include Microsoft, Google and Amazon. Kaspersky Lab, which identified the signature, says that Windows trusts the Foxconn-signed code because the certificate was issued by VeriSign, a trusted certificate root. As such, the operating system will load and run Duqu 2.0’s 64-bit kernel-level driver without raising any alarms, and this gives the malware complete control over the infected machine.
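The Duqu 2.0 driver illustrates why a valid signature chain is not, by itself, a useful signal: the abused certificate chained to a trusted root exactly as a legitimate one would. The check below is an added example, not code from the article or from any of the vendors it quotes; it runs on Windows, assumes an elevated PowerShell session, and uses a hypothetical signer allow-list ($ExpectedSigners) that a defender would build from known-good hosts.

```powershell
# Added example (not from the article): flag running kernel drivers whose
# Authenticode signer is not on a baseline allow-list. A "Valid" status only
# says the chain reaches a trusted root; the Duqu 2.0 pattern is a valid
# signature from a publisher that has no business shipping drivers to you.
# Assumes an elevated session; $ExpectedSigners is a hypothetical baseline.

$ExpectedSigners = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName uses several prefixes; normalise to a plain path.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

function Get-UnexpectedDriverSigners {
    param([string[]]$AllowList = $ExpectedSigners)
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = '<unsigned>'
            $thumb  = $null
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
                $thumb  = $sig.SignerCertificate.Thumbprint
            }
            # Report invalid signatures and valid-but-unexpected publishers alike;
            # the second case is the one a chain check on its own would miss.
            if ($sig.Status -ne 'Valid' -or $AllowList -notcontains $signer) {
                [pscustomobject]@{
                    Driver     = $_.Name
                    Path       = $path
                    Status     = $sig.Status
                    Signer     = $signer
                    Thumbprint = $thumb
                }
            }
        }
}

Get-UnexpectedDriverSigners | Sort-Object Signer | Format-Table -AutoSize
```

Expect legitimate third-party drivers (storage, graphics, endpoint agents) to appear on a first run; the point is to review them once, add their signers to the baseline, and then treat any new entry as an investigation lead.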
“Duqu is rumored to be the work of the Israeli government. As a technically capable nation in an unstable region, I have no doubt they are still active. But you are very unlikely to see them,” says Doman.