Marked increase of Zeus Trojan family activity in May

Posted: June 4, 2013 in IT Security News
Tags: ,

ESET LogoThe company Eset today published a report on the most active threats in May 2013.

Month was marked increase in the activity of the family of banker Trojans ZeuS, as well as a phishing attack using one of the services of Google. Last month, the world was recorded increased activity of a family of ZBot (ZeuS), whose rating was 1.36%. Under the general title Win32/Spy.Zbot we detected all the possible variants of this Trojan program, including the Citadel and Gameover. Peak activity ZeuS fell on May 2, when the level of its prevalence has reached 4.83%.

The main goal of attackers using ZeuS, is to steal user credentials from various services, including online banking. Stolen information is used to transfer funds to the dummy account from which they promptly cashed “mules” – individuals who are prepared to withdraw funds of dubious origin for a small percentage. Note that an impressive number of modifications due to the ZeuS source code leak this Trojan in 2011.

As for other threats from the global top ten, then the growth demonstrated Win32/Bundpil (3,46%) and Win32/Dorkbot (2,22%), the virus Win32/Ramnit (1,62%), as well as Trojan Win32/Qhost ( 1.53%). The worm Win32/Bundpil, which spreads via removable drives, retained the first place and even increased activity compared with April.

Increased activity of the worm Win32/Dorkbot associated with the May-spam campaign to spread malware. The users were sent messages with malicious links, when you click on that there was a risk install Trojan Win32/PowerLoader, loaded on your computer Win32/Dorkbot.

To disguise malicious links in emails uses the service Google URL Shortener, by which shortened the address begins with “”. According to the statistics of transitions on malicious links that participated in this campaign, one of the leaders in the number of victims of the attack was Russian.

Embedded in a web page malicious elements, which are detected by the common names HTML / ScrInject (2,47%) and HTML / Iframe (1,90%), in May were recession. HTML / ScrInject losing ground the past two months, the same two months of falling activity INF / Autorun (2,77%) and Win32/Conficker (1,95%).

It should be noted that the Trojan Win32/Qhost, which showed a decline since the beginning of this year, experienced a rise in May – its rating was 12.40%. In addition, the growth showed malicious Java-script with a total detection JS / Iframe (2,84%). All other threats have reduced activity.

Trojan Win32/Agent.UPF markedly reduced activity – this month its prevalence rate was 1.55%. Also note that the Trojan Win32/StartPage, who was present in the rating of the previous two months, in May, much lost ground, and left the top ten most active threats.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s