Free Republic

Upon investigation, I learn that ~3000 Macs that were part of the Zeus BotNet were running WINDOWS in either Boot Camp or VMware or Parallels instances... not OSX of any flavor.

The BotNet is spreading a very hard to detect Trojan plug-in for Internet Explorer... that empties UK bank accounts at a specific bank. It leaves approximately $50 equivalent in the account but when a victim checks his account online, it puts up a FAKE page showing all the money is still in the account.

New ‘Sophisticated’ Trojan, Which Is Undetectable, Has Emptied Bank Accounts Worldwide

by Nicholas Deleon on August 11, 2010

Hold onto your hats. A new version of the Zeus trojan, called Zeus3, has wreaked havoc on thousands of bank accounts worldwide, stealing just over $1 million. The best part? There’s pretty much no way to detect the trojan if it’s on your system. Hooray for humanity, right?

The trojan first popped up last month, and has drained more than 3,000 bank accounts.

M86 Security, the first group to discover the trojan, says:

We’ve never seen such a sophisticated and dangerous threat. Always check your balance and have a good idea of what it is.

The last thing you want to do is hear of a bank account-draining sophisticated trojan.

Oh, it only affects Windows systems. But you knew that already.

The scariest part is that the trojan, after clearing out your bank account, serves up a fake bank statement page. It looks like you have all of your money, but you actually have $50 left in your entire account.

Again, no current anti-malware software can detect the trojan, so for the time being you're on your own.

I suggest we all stop using the Internet to be safe. An overreaction? Yes, obviously, but this actually sounds like a nasty bit of malware.

Beware!


1 posted on 08/11/2010 12:01:13 PM PDT by Swordmaker


To: ~Kim4VRWC's~; 1234; 50mm; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Large Zeus3 BotNet that includes ~3000 Macs running virtualized Windows and over 100,000 PCs is spreading a Trojan that has stolen almost $1 million from a UK bank -PING!

Please!
No Flame Wars allowed!
Discuss hardware.
Don't attack people!


Apple and Windows Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 08/11/2010 12:07:12 PM PDT by Swordmaker (This tag line is a Microsoft product "insult" free zone!)

To: Swordmaker

There is little in the analysis by M86 that leads me to believe that this attack would not work on OS X:

http://www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf

A big piece of this attack is social engineering. Apparently, the British are a very gullible people.

But then again, we knew that already.


5 posted on 08/11/2010 12:32:39 PM PDT by NVDave

To: Swordmaker

A good reminder to people that a virtual machine is still a machine that can get infected like any other Windows installation. The host doesn’t automatically put up some magic protection for the VM, and being on Mac hardware doesn’t magically protect Windows running in Boot Camp.

Plus with the host/client integration these days, and that OS X can now natively read Boot Camp partitions, VMs could become an unexpected vector for stuff that can harm your Mac.


6 posted on 08/11/2010 12:34:34 PM PDT by antiRepublicrat
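Post 6's point, that host/guest integration turns an infected Windows VM into a path onto the Mac, can be checked on a per-VM basis. The following is an added example, not code from the thread or from VMware, that audits the host/guest integration channels in a VMware Fusion/Workstation .vmx file and produces a hardened copy. The isolation.tools.*.disable and sharedFolderN.* keys are taken from VMware's hardening guidance as this editor recalls them; verify them against the documentation for your product version before relying on them. The weak .vmx text below is constructed for the example, and the path and guest name in it are made up. Parallels keeps the equivalent settings in its GUI rather than a text file, so this script does not cover it.

```python
"""Audit and harden host/guest integration settings in a VMware .vmx file.

Added example (not from the thread or from VMware). Key names are assumed
from VMware's hardening guidance; check them against your version's docs.
"""

# Integration channels between host and guest. Each key disables a feature
# when set to "TRUE"; an absent key means the feature is enabled (default).
INTEGRATION_KEYS = {
    "isolation.tools.hgfs.disable": "shared folders (HGFS)",
    "isolation.tools.copy.disable": "copy from guest clipboard to host",
    "isolation.tools.paste.disable": "paste from host clipboard into guest",
    "isolation.tools.dnd.disable": "drag and drop between host and guest",
}

# Constructed weak configuration: a home directory shared into the guest and
# clipboard copy explicitly enabled. Path and names are made up.
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "Windows 7 (banking)"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "/Users/alice"
sharedFolder0.guestName = "alice-home"
sharedFolder.maxNum = "1"
isolation.tools.copy.disable = "FALSE"
"""


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def open_channels(cfg):
    """Return a list describing every integration channel still open."""
    found = []
    for key, description in INTEGRATION_KEYS.items():
        if cfg.get(key, "FALSE").upper() != "TRUE":
            found.append(description)
    # An explicit sharedFolderN block is a channel on its own, whether or not
    # the global HGFS switch has been turned off.
    for key, value in cfg.items():
        if key.startswith("sharedFolder") and key.endswith(".present") \
                and value.upper() == "TRUE":
            found.append("explicit shared folder: " + key.split(".")[0])
    return found


def harden(cfg):
    """Return a copy of cfg with every integration channel closed."""
    hardened = dict(cfg)
    for key in INTEGRATION_KEYS:
        hardened[key] = "TRUE"
    for key in list(hardened):
        if key.startswith("sharedFolder"):
            del hardened[key]
    hardened["sharedFolder.maxNum"] = "0"
    return hardened


def render_vmx(cfg):
    """Serialise a dict back into .vmx syntax, sorted for stable diffs."""
    return "\n".join(f'{k} = "{v}"' for k, v in sorted(cfg.items())) + "\n"


if __name__ == "__main__":
    weak = parse_vmx(WEAK_VMX)
    print("open channels:", open_channels(weak))
    print("hardened .vmx:")
    print(render_vmx(harden(weak)))
```

Closing these channels only removes the VM-side path; as post 6 notes, a Boot Camp partition is readable from OS X regardless, so a file dropped by the guest is still reachable from the host and should be scanned there.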

To: Swordmaker
It's not clear from the article how the trojan got on a user's computer. Was the trojan embedded in the "free security software" that the bank offered to its customers? Or was it part of some other installation?
8 posted on 08/11/2010 12:49:04 PM PDT by stripes1776

To: Swordmaker

This sounds like an inside job, at least in part.

- Only one bank affected
- This wasn’t a simple username & password stealing Trojan. The C&C server supplied the bots with valid, appropriate Java transactions to be posted against the bank’s site in real-time. There was no guesswork in what was necessary to be sent for the desired result.
- The bank recently sacked two senior programmers - “Michael Bolton” and “Zamir Naga, Nag-, Naga-, NaGonnaWorkHereAnymore”


13 posted on 08/11/2010 1:04:35 PM PDT by ConservativeWarrior (In last year's nests, there are no birds this year.)
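Posts 1 and 13 between them describe the mechanics: a browser-side hook, a C&C server that hands the bot a ready-made transfer for the victim's live session, a residual of about $50, and a rewritten statement page that still shows the old balance. The following is an added model of that exchange written by the editor, not code from the thread, from M86, or from the malware; the bank, session token, mule account name, statement markup and balance are all constructed for the example. It is here to make one point concrete: because the transfer is posted through the victim's own authenticated session and the displayed balance is rewritten in the browser, neither credential checks nor anything rendered in that browser can expose the theft, and the only check that survives is a comparison against a balance obtained through another channel, which is what the M86 advice quoted in post 1 amounts to.

```python
"""Model of the in-session fraud described in the thread (added example,
constructed data, no real bank or malware code)."""

import re
from dataclasses import dataclass, field
from typing import Optional

RESIDUAL = 50.0          # the thread reports roughly $50 left in the account
SESSION = "sess-123"     # constructed session token
_BAL = re.compile(r"id='bal'>([0-9.]+)<")


def parse_balance(html):
    """Read the balance out of the (constructed) statement markup."""
    return float(_BAL.search(html).group(1))


@dataclass
class BankServer:
    """Stand-in for the bank: one account, one live authenticated session."""
    balance: float
    ledger: list = field(default_factory=list)

    def statement_html(self, session):
        if session != SESSION:
            raise PermissionError("not logged in")
        return f"<p>Balance: <span id='bal'>{self.balance:.2f}</span></p>"

    def transfer(self, session, payee, amount):
        # The bank sees a valid session and a well-formed request; it has no
        # reason to refuse.
        if session != SESSION or amount <= 0 or amount > self.balance:
            return False
        self.balance -= amount
        self.ledger.append((payee, amount))
        return True


def cc_build_transfer(live_balance):
    """C&C side (post 13): return the exact transaction to post for this
    victim. Nothing is guessed; the amount comes from the real balance."""
    return {"payee": "MULE-ACCOUNT", "amount": round(live_balance - RESIDUAL, 2)}


@dataclass
class BrowserHook:
    """In-browser component (the IE plug-in of post 1): sees every statement
    response, posts the C&C-supplied transfer with the victim's own session,
    then rewrites the balance the victim sees to the pre-theft value."""
    cached_balance: Optional[float] = None

    def on_statement(self, server, session):
        real_html = server.statement_html(session)
        if self.cached_balance is None:
            # First load: remember the real balance, then drain in-session.
            self.cached_balance = parse_balance(real_html)
            server.transfer(session, **cc_build_transfer(self.cached_balance))
        # Every load: show the victim the balance they expect to see.
        return _BAL.sub(f"id='bal'>{self.cached_balance:.2f}<", real_html)


def run_scenario(initial_balance=4000.0):
    """One victim session. Returns what the browser shows vs. what the bank holds."""
    server = BankServer(balance=initial_balance)
    hook = BrowserHook()
    hook.on_statement(server, SESSION)                      # theft happens here
    shown = parse_balance(hook.on_statement(server, SESSION))
    return {"shown": shown, "real": server.balance, "ledger": list(server.ledger)}


def out_of_band_mismatch(shown, real, tolerance=0.005):
    """The only check that survives a compromised browser: compare the displayed
    balance with one obtained by another channel (branch, phone, other device)."""
    return abs(shown - real) > tolerance


if __name__ == "__main__":
    result = run_scenario()
    print("browser shows:", result["shown"])
    print("bank holds:   ", result["real"])
    print("ledger:       ", result["ledger"])
    print("mismatch:     ", out_of_band_mismatch(result["shown"], result["real"]))
```

A client-side integrity check embedded in the bank's page would not help here: the same hook that rewrites the balance can rewrite or suppress the check, which is why the model puts the comparison outside the browser entirely.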
