A couple of months ago, there was an overly polite variant of ZeuS circulating here in Finland. And while the Finnish localization was pretty good — it used "Suo anteeksi" within an error message… not typically the kind of thing you'd read via software.

We continue to see decent localization within ZeuS variants (and not just Finnish). Clearly, some bad guys out there have evolved from Google Translate, which is the level of localization we used to expect in the past.

But the bad guys still make basic mistakes. One variant of ZeuS, which is circulating now, includes a Finn's name within the localized efforts. Instead of stating "Welcome Bank Customer", the trojan declares "Welcome name withheld".

Here are some of the banks that are being targeted.



For banks that use Java applications, this ZeuS appears to attempt a replace and imitate approach. (Our analysis is ongoing.)

The server which hosted the configuration file (from which the screenshot was taken) has been taken offline, so this variant can infect, but cannot download the locations of its Command & Control servers. Unfortunately, any computers infected last week will have downloaded a configuration file that includes lots of redundant server names.

But fortunately… most of the banks that we've worked with in the past have extensive transaction controls on their back end systems. So it isn't just a simple thing for the ZeuS trojan to transfer funds from the account of somebody with an infected computer.

Best advice: update your computer software to avoid infection. Also: avoid haphazard web searches. There are tons of compromised sites out there, and you're most likely to fall into a trap when you're searching for something.

Best advice for those infected: don't panic. If you see something that looks unusual in your online bank account, it's not too late to block the bad guys. Call your bank's customer support and they'll be able to assist.