Fraudsters fuse Zeus and Ramnit to fleece financial institutions

Hackers have infused an 18-month-old worm with Zeus financial malware to attack two-factor authentication and transaction signing systems used in online banking sessions.

Configurations of the Win32.Ramnit worm, captured and reverse engineered by Trusteer, were found to incorporate tactics from the Zeus financial malware platform. Zeus source code was published on the internet earlier this year.

Trusteer researchers found the method used to configure Ramnit to target a specific bank is identical to the one used by Zeus. This allows fraudsters to easily port Zeus configurations to Ramnit.

According to the Symantec Intelligence Report for July, Ramnit accounts for 17.3 per cent of all new malicious software infections. Trusteer estimates tens of thousands of machines used for online banking are currently infected with Ramnit.

Ramnit, an old-school file-infection virus, was first detected in 2010 and targets EXE, SCR, DLL, HTML and other file formats. Its command and control servers in Germany are currently live.

"Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program, old or new," said Amit Klein, chief technical officer of Trusteer. "The malware distribution channel for fraudsters has increased in scale significantly."