Now a detailed analysis by Verizon’s RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan.
By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter’s command and control were also used to host Zeus related domains and several domains for Vobfus, also known as “the porn worm,” which has been used to deliver the Zeus malware.
Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, “hgfrfv,” that was used to post a number of suggestive help requests (“need help with decrypting a table encrypted with EncryptByKey") in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists “hgfrfv” as an individual residing in the Russian Federation."