Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data.

Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The stolen information is then exfiltrated to the attacker’s command-and-control (C2) server for further exploitation.

Information stealer malware has flourished on underground criminal networks. With extortion currently thriving, info stealer malware is also on the rise. Plus, info stealer services for financial fraud attacks are available on the dark web for as little as $200 per month.

Though this type of malware has been around in some form for over two decades, the ZeuS trojan was by far one of the most influential info stealers in that timeframe. Let’s take a look at the history of info stealers, and how this type of threat impacted cybersecurity then and now.

What was the first info stealer?

One of the earliest known examples of a successful information stealer attack was the Melissa virus in 1999. One of the first highly successful email worms, Melissa spread rapidly through the use of infected Microsoft Word macros. The worm arrived in the form of an email with an attached document named “list.doc.”

When the recipient opened the attachment, the worm infected the victim’s computer and continued to spread. It replicated itself by sending infected emails to the first 50 contacts in the victim’s Microsoft Outlook address book. Experts categorize Melissa as an info stealer because, in addition to its worm-like behavior, it also accessed the victim’s email address book and harvested email addresses.

Harvesting information from the infected computer is a hallmark of info stealer malware. However, it’s worth noting that Melissa was primarily a self-replicating worm. The information-stealing capability was a secondary feature. Threat actors design more recent info stealer malware with the primary purpose of stealing sensitive information, often with the goal of committing financial fraud or extortion.

The ZeuS Trojan info stealer

While Melissa was the first email worm, ZeuS was the first true information stealer used in an intent-to-harvest-data attack. First discovered in 2007, the ZeuS trojan malware became one of the most prevalent information stealers ever.

The main objective of the malware was to steal online banking credentials. ZeuS used a variety of techniques — including keylogging and form grabbing — to steal sensitive information from infected computers. Malicious actors then used that stolen information to perform unauthorized transfers from the victims’ bank accounts to the attacker’s accounts.

The malware could identify when a user visited specific websites, particularly those related to banking, and record the keystrokes entered during login. ZeuS also affected mobile devices running Android, Symbian and Blackberry. It is known for being the first malware to steal Mobile Transaction Authentication Numbers (mTANs), a type of two-factor authentication used by banks during transactions. These mTANs are typically unique, 6-digit numbers sent via SMS.

ZeuS had various methods for stealing sensitive information. These included capturing keystrokes, collecting data entered into web forms, taking screenshots when the mouse is clicked and executing man-in-the-browser (MiTB) attacks. MiTB attacks manipulate web forms to request personal information such as social security numbers or bank PINs.

ZeuS marked a significant turning point in the evolution of info stealers and demonstrated their growing sophistication. Since then, numerous other information stealers have been discovered, including SpyEye, Citadel and Emotet, which continue to be used for financial fraud on a massive scale.

Other famous info stealers

Information stealers typically spread through phishing emails, malicious links, attachments, infected software downloads or unpatched software vulnerabilities. Attackers use them for various malicious purposes, such as identity theft, financial fraud or the sale of sensitive information on the black market.

Other significant information stealer incidents since the emergence of Melissa and ZeuS include:

1. SpyEye: A banking Trojan active between 2009 and 2012. It stole victims’ personal and financial information through web injects, keystroke loggers and credit card grabbers. Criminals then transmitted the stolen data to the C2 servers to commit fraud.
2. Conficker: A worm that spread rapidly across computer networks starting in 2008 and exfiltrated sensitive information, including login credentials and personal information. Conficker reportedly infected 10 million computers.
3. CryptoLocker: A ransomware variant from 2013 that encrypted files on a victim’s computer and demanded payment in exchange for the decryption key.
4. GameOver Zeus: A variant of ZeuS that malicious actors used to steal banking credentials and to distribute other types of malware, including ransomware.
5. Emotet: A banking Trojan detected in 2014 used in numerous large-scale attacks aimed at stealing financial information from individuals and businesses. The U.S. Department of Homeland Security estimates the cost of Emotet cleanup is around one million U.S. dollars per incident.

The impact of ZeuS and info stealers on cybersecurity

The rise of information stealers has led to a shift in the focus of cybersecurity efforts towards protecting against data theft rather than just protecting against malware and other forms of malicious software. This resulted in the widespread adoption of strong authentication methods, such as two-factor authentication, and increased investment in security technologies, such as intrusion detection systems.

The rise of information stealers has increased the focus on creating secure payment systems. Banks have since deployed stronger online security measures, such as enhanced fraud detection capabilities and improved encryption.

How to thwart info stealer attacks

Some of the common steps that companies took to defend against ZeuS malware included:

1. Installing anti-virus software: Companies installed and regularly updated anti-virus software to detect and prevent the spread of ZeuS.
2. Implementing firewalls: Effective firewalls blocked unauthorized access to their computer networks to prevent ZeuS infection.
3. Using application whitelisting: Application whitelisting allowed only approved applications to run on their computers, helping to prevent the execution of malicious software.
4. Updating software regularly: Companies kept all software, including operating systems and applications, up to date to prevent ZeuS and other malicious software from exploiting vulnerabilities in outdated software.
5. User education: Organizations educated users about the dangers of malware and how to avoid falling victim to this type of attack. This included training users to be cautious when opening attachments from unknown sources and to avoid public Wi-Fi networks.
6. Network segmentation: Segregating sensitive information and systems from the rest of their networks helped prevent malware from accessing sensitive information.
7. Two-factor authentication: Companies implemented two-factor authentication to add an extra layer of security to online accounts and to prevent ZeuS from accessing sensitive information, even if it had stolen login credentials.
8. Deploying intrusion detection systems: Intrusion detection systems monitored their networks for signs of ZeuS and other malicious activity.

Beyond ZeuS

As per Malwarebytes, in 2011, the source code for ZeuS was leaked. Cyber criminals began creating new ZeuS-based information stealers. Citadel, GameOver, Panda Banker, Terdot, Floki and Sphinx are some of the known ZeuS variants to date. As info stealers continue to inhabit the threat landscape, robust anti-stealer security is imperative.