New Malware Could Make the Zeus Threat Bigger

A new malicious program increases the threat posed by the infamous Zeus program, which has taken over countless online banking accounts in recent years.

Zeus' methods have been incorporated into a new version of Ramnit, a program that can infect computers more easily than Zeus could.

"Zeus … has no spreading capability," so if one computer out of thousands on a corporate network is infected, the other computers might be safe, says Amit Klein, chief technology officer of the security vendor Trusteer Ltd. of Boston.

Ramnit's specialty is copying itself to new machines, he says. When "infecting one internal machine with Ramnit alone, it is likely for Ramnit to propagate … inside the network," he says.

That way, one machine infected with Ramnit could compromise thousands of computers on the same network.

Zeus operates by waiting for the legitimate bank customer to log in from an infected machine. After the user has been properly authenticated with the bank's website, the Zeus malware takes over the account and drains it.

Zeus "is still a major threat to online banking even though it is a five-year-old malware," Klein says. Ramnit is just 18 months old, but it is already extremely widespread.

The security vendor Symantec Corp. said in a Tuesday press release that Ramnit was the "most frequently blocked malware for the last month," accounting for 15.8% of the programs the vendor's software blocked in August.

The new version of Ramnit, which mimics Zeus' behavior, was first spotted in July, Klein says. Earlier versions of Ramnit were not focused on financial crime. Those versions import other malware, such as programs for distributing spam or porn, onto infected machines.

It is likely that the new version of Ramnit uses actual code from Zeus, though Klein stressed he is not certain of this.

"The Zeus code leaked out a few months ago, enabling fraudsters to take pieces of the Zeus code and compile them into their own malware," he says. "What we are seeing now is probably exactly that scenario."

Between 4% and 6% of banks' business customers use computers infected with financial malware, says Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc.

With the modified Ramnit program, fraudsters now "have a self-spreading Zeus mechanism," she says. "It's not good news."

Banks have been adding layered security to improve their defenses against malware, and the recently updated mandate from the Federal Financial Institutions Examination Council should help bring more banks up to speed, she says.

The Zeus program is particularly threatening to banks because it can ignore many of the protections banks use.

"The controls they have in place don't pick up on Zeus because Zeus comes in through the legitimate user's PC," Litan says.
