Zeus Malware Attacks Citrix Access

Versions of the infamous Zeus malware have begun harvesting login credentials for network appliances, according to researchers.

Security firm Trusteer is reporting the discovery of new code within certain Zeus configuration files that attempts to collect data from Citrix VPN tools.

The company said that the code appears to be specific to certain Zeus 2.0 installations and instructs an infected machine to capture and transmit a screenshot of all mouse clicks whenever the text "/citrix/" appears in the browser's address bar.

Researchers at Trusteer believe that the code is an attempt by a Zeus botnet operator to harvest account details from Citrix Access Gateway deployments by using screenshots to capture 'keystroke' images from virtual keyboards. The on-screen keyboards are typically used to thwart keylogging malware tools.

"This attack code clearly illustrates that Zeus is actively targeting enterprises and specifically remote access connections into secure networks," Trusteer said.

"Fraudsters are no longer satisfied with simply going after bank accounts. They are also targeting intellectual property and sensitive information contained in company IT networks and applications."

The Zeus malware has become increasingly popular amongst criminals for its ability to embed code directly into otherwise legitimate web pages.

Adding to the danger, the malware is easy to manage and older versions can be obtained for little to no cost.

Trusteer is recommending that administrators protect all VPN systems by limiting access to trusted applications and users as well as adopt best practices such as keeping updated software and security tools and educating users.

At the time of publishing Citrix had yet to return a request for comment on the report.

print this article

Return to security news headlines
View Security News Archive

Share with: