Zeus malware targets Citrix Access Gateway

by Shaun Nichols

16 Nov 2010

Versions of the Zeus malware have begun harvesting log-in credentials for network appliances, according to researchers.

Security firm Trusteer has uncovered new code within certain Zeus configuration files that attempts to collect data from Citrix VPN tools.

The company said that the code appears to be specific to certain Zeus 2.0 installations, and instructs an infected machine to capture and transmit a screenshot on every mouse click whenever the text '/citrix/' appears in the browser's address bar.

"Citrix is aware that the Zeus trojan is targeting authentication credential harvesting in the use of Citrix products, along with the other enterprise products already specified in Zeus configuration files," said Kurt Roemer, Citrix chief security strategist.

"Citrix recommends that enterprise-grade anti-malware solutions are utilized on all endpoints to prevent infection and proliferation of the Zeus trojan and to generally protect against malware."

Researchers at Trusteer believe that the code is an attempt by a Zeus botnet operator to harvest account details from Citrix Access Gateway deployments by using screenshots to capture 'keystroke' images from virtual keyboards. The on-screen keyboards are typically used to thwart key-logging malware tools.

"This attack code clearly illustrates that Zeus is actively targeting enterprises, and specifically remote access connections into secure networks," Trusteer said.

"Fraudsters are no longer satisfied with simply going after bank accounts. They are also targeting intellectual property and sensitive information contained in company IT networks and applications."

Zeus has become increasingly popular among criminals for its ability to embed code directly into otherwise legitimate web pages.

Adding to the danger, the malware is easy to manage and older versions can be obtained for little to no cost. McAfee recently ran a demonstration designed to show the ease with which a malware botnet can be built and deployed.
