Malware in August: one year after the First Android Malware Emerged, & the Clones of Zeus

Press release
Published September 13th, 2011 - 08:44 GMT

As of late August, Kaspersky Lab’s analysts detected 35 unique malicious programs that targeted the Bitcoin system in one way or another. Realizing that their potential earnings largely depend on the number of computers they have access to, the cybercriminals have moved from stealing Bitcoin wallets to using Twitter and P2P network-based botnets. Cybercriminals have resorted to this measure to counter the antivirus companies that may block the operation of a single botnet C&C server if no alternate servers exist in the malicious network. For example, a bot would send a request to a Twitter account, which provides commands that are left there by the botnet owner — i.e., where the Bitcoin-generating program is downloaded, along with instructions for which Bitcoin pools to work with. The use of Twitter as a botnet command center is not new; although this is the first time it has been used with the Bitcoin system.

In August, Kaspersky Lab also discovered that one of the largest botnets conceals actual accounts as they can be deleted by server owners who take a proactive stance against unlawful mining programs. To achieve this, the botnet owners had to create a special proxy server that interacts with infected computers, and their requests are then transferred to an unknown Bitcoin pool. It is not possible to identify the specific pools that the botnet works with and thus block the fraudulent accounts. In this situation, the only means of intercepting such criminal activity is to gain full access to one of the proxy servers.

Ice IX: the illegitimate child of ZeuS. Almost a year after the original code of the most wide-spread threat targeting online banking users was leaked, Trojan ZeuS (Trojan-Spy.Win32.Zbot), Russian-speaking cybercriminals created its clone which became quite popular among fraudsters this summer. The new variant which emerged in the spring was dubbed Ice IX by its creator and sells for US $600-1,800.  One of Ice IX’s most remarkable innovations is the altered botnet control web module which allows cybercriminals to use legitimate hosting services instead of costly bulletproof servers maintained by the cybercriminal community. This difference is meant to keep hosting costs down for Ice IX owners. The appearance of Ice IX indicates that we should soon expect the emergence of new “illegitimate children” of ZeuS and an even greater number of attacks against the users of online banking services.

Remote-access worm. The new network worm Morto is interesting in that it does not exploit vulnerabilities in order to self-replicate. Furthermore, it spreads via the Windows RDP service that provides remote access to a Windows desktop – a method which has not been seen before. Essentially, the worm attempts to find the access password.  Provisional estimates indicate that tens of thousands of computers throughout the globe may currently be infected with this worm.

Background Information


Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at

Check out our PR service

Signal PressWire is the world’s largest independent Middle East PR distribution service.


Sign up to our newsletter for exclusive updates and enhanced content