Botnet Surge Expected After Malware Builder Leak

The tools to build and customize malware based on the ZeusVM banking Trojan were published online for free in June. The malware research group Malware Must Die! went public with the information on their blog. The group began on Twitter, when a band of malware researchers joined together to form a volunteer campaign to raise awareness of malware issues.

The security research is the work of two hackers, Xylit0l and unixfreaxjp. The two discovered the malware builder being sold on black markets. Shortly thereafter, the builder was available for free download.

On Jun 26th 2015 we were informed (thank you Xylit0l) about this and after several internal discussions, considering that: “Still so many bad guys know about this than good guys..” today we decided to raise warning about this matter – Malware Must Die!

The ZeusVM Trojan hijacks browsers and modifies or steals information from sites victims open on their computer. The malware commonly targets banking and financial websites and can embed its configuration information into images hosted on remote servers. ZeusVM is based on an earlier malware family, the Zeus Trojan, whose source code was leaked in 2011 after it had held a long monopoly on banking malware.

Image: Cleaned image used to serve configurations to botnets

The builder leak allows attackers to create customized binaries that report to their own command and control servers. The Trojans periodically connect to the server to receive configurations, ‘check in’ for a bot head count, or receive keys used to encrypt files.


So far Malware Must Die! (MMD) has tracked ten botnets in the wild running the default configuration from the leaked builder. They posted six URLs where the bots were receiving configuration updates through steganographic messages – updates concealed inside image files.
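The configuration images described above are a practical detection target. The Python below is an added example, not code from the original article or from MMD; it walks a JPEG's marker structure and reports any bytes that follow the real End-Of-Image marker, on the assumption (mine, not a claim about ZeusVM's exact format) that a concealed configuration is appended after the image data. The sample bytes and the 64-byte alert threshold are constructed; the sample also shows why a naive search for the first `FF D9` is not enough, since an embedded EXIF thumbnail carries its own EOI.

```python
import struct

# Constructed sample (not real ZeusVM artefacts): a minimal JPEG skeleton whose APP1
# segment holds an embedded thumbnail with its own EOI (FF D9), followed by a real scan
# containing a stuffed byte (FF 00) and a restart marker (FF D0).
_APP0 = b'\xff\xe0' + struct.pack('>H', 16) + b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
_THUMB = b'Exif\x00\x00' + b'\xff\xd8\xff\xd9'
_APP1 = b'\xff\xe1' + struct.pack('>H', 2 + len(_THUMB)) + _THUMB
_SOS = b'\xff\xda' + struct.pack('>H', 8) + b'\x01\x01\x00\x00\x3f\x00'
_SCAN = b'\x12\xff\x00\x34\xff\xd0\x56'
SAMPLE_CLEAN = b'\xff\xd8' + _APP0 + _APP1 + _SOS + _SCAN + b'\xff\xd9'
SAMPLE_WITH_PAYLOAD = SAMPLE_CLEAN + bytes(range(256)) * 2   # 512 constructed trailing bytes

def jpeg_trailing_data(data: bytes):
    """Walk the marker structure and return whatever follows the real EOI marker.
    Returns None when the input is not a parseable JPEG."""
    if data[:2] != b'\xff\xd8':
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                          # lost sync: corrupted stream
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: anything after it is suspect
            return data[pos + 2:]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack('>H', data[pos + 2:pos + 4])[0]   # skip segment body
        if marker == 0xDA:                       # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def flag_image(data: bytes, threshold: int = 64) -> bool:
    """True when more than `threshold` bytes trail the EOI (threshold is a constructed value)."""
    trailing = jpeg_trailing_data(data)
    return trailing is not None and len(trailing) > threshold
```

Run it over images fetched from the configuration URLs MMD published; a large appended blob is the signal, and a small tail of padding is why the threshold exists.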

Malware Must Die!’s ambitious plan to mitigate the crisis is:

– take down EVERY shared archive that spreads the files
– release blocking signatures to antivirus software
– block default toolkit configuration
– seek & clean up infrastructure used by surged botnets

Malware Must Die! is offering copies of the bundle to private inquiries on their website.

Images from Psoup216 & Malware Must Die!
