GreatestArcadeHits serves ZEUS ZBOT banking trojan

Pierluigi Paganini November 07, 2013

Intelligence analyst Ian Malloy has discovered a hidden variant of the popular Zeus banking trojan on the GreatestArcadeHits servers.

GreatestArcadeHits.* serves up more than entertainment; in fact, it doesn’t serve up entertainment at all. Hidden in the application is the infamous ZEUS/ZBOT, a banking trojan that can spoof online banking sites to steal credentials and drain the victim’s finances. It is delivered in the form of a purported Chrome update.

[Figure 1: GreatestArcadeHits server hosting the Zeus malware]

As can be seen from the URL, I was attempting to access my student portal for school when I was redirected automatically. Now we’ll take a deeper look at the HTML underlying ‘Superfish.’

[Figure 2: GreatestArcadeHits server hosting the Zeus malware, HTML underlying the Superfish redirect]

‘luckyleap’ serves the popup, while Superfish handles the redirect.

[Figure 3: GreatestArcadeHits server hosting the Zeus malware, GreatestArcadeHits found installed on the system]

Here GreatestArcadeHits is found installed without the user’s permission, likely because it was injected into trusted software. The initial software download that installed GreatestArcadeHits came from a trusted site.

It is unclear who is behind this specific resurgence of the Superfish Zeus/Zbot although Malloy Labs has its suspicions.

“We believe at Malloy Labs that the suspects involved are using legacy code for a reason: they themselves lack the proper tools to develop this type of software, so they do what most cyber criminals do and mix and match code, with a little HTML injection thrown in to display the infector site. My only hope is that this is not the same group behind the Zeus/Zbot on Facebook which Eric Feinberg, Frank Angiolelli and I had found, because the block list would only grow exponentially. #MalwareMustDie!” said Ian Malloy.

Ian Malloy is an Intelligence Analyst and a member of US-CERT and CSFI-CWD. He is CEO of Malloy Labs and is studying CYOPS at Utica College.

(Security Affairs – Zeus, banking)
