As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.
Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration file. The malware targets only Japanese banks.
Figure 1. Target banks listed in Zeus configuration file
Figure 2 shows the infection of the variant only observed in Japan, which targets Japanese online banking customers.
Figure 2. World map image illustrating the Zeus variant specifically targeting Japan
The functionality is the same as that of other Zeus variants. Once infected, Zeus monitors the Web browser visiting the targeted banks and injects HTML code that displays a message in Japanese that states in English:
"In order to provide a better service to our customers, we are updating our personal internet banking system. Please re-enter the information that you provided when you first registered."
The user is asked to enter personal information including passwords and any other information the attacker can use access the account. The log in credentials are recorded using Zeus’s built-in key logging functionality.
Figure 3. Fake alert HTML code asking the user to input information
Figure 4. Fake alert HTML code asking the user to input the date of issue of the authentication card
The attacker uses Blackhole exploit kit in order to install Zeus. Symantec security products provide protection against this with the following detections:
Antivirus:
Intrusion Prevention System (IPS):
- 25616 Web Attack: Malicious Website Accessed 2
- 26002 Web Attack: Exploit Toolkit Website 32
- 26434 System Infected: Citadel C&C Activity
Behavior blocking:
SONAR.Heuristic
Zeus is typically delivered through exploit kits. Symantec advises users to keep all installed software updated. This type of malware may also arrive on your computer through email. Do not open emails or attachments from untrusted sources. Finally, be suspicious if your online banking site asks for information that is not usually requested.