That initial dropper wouldn't be classified as ZeuS. Instead, it has a list of hard coded addresses to download ZeuS from. After it downloads and executes, a new variant is created on the fly for each infection, then the original dropped ZeuS is deleted. This makes it difficult for antivirus vendors to identify all compromised systems since each infected system has its own unique copy.
A little over a month ago, I analyzed a Gameover sample. Manual analysis uncovered that while installing ZeuS, the dropper quickly ran a special purpose password stealer, designed to grab saved passwords from popular software such as web browsers, then deleted it. That very important detail wasn’t evident in reports generated by automated malware analysis engines.
I shared my analysis in the comments section in this VirusTotal report. Additionally, you can see in this report that as of four weeks ago when the dropped ZeuS sample was last submitted, only 6 of 52 antivirus engines detected it. I submitted all samples to the Antivirus vendors and the detection rate is probably much better now.
ZueS/Zbot botnets are extremely common and simple to operate with minimal investment. Criminals pay for a custom variation of the ZeuS builder which is guaranteed to create new variants undetectable by antivirus software. They then go on their phishing campaigns, which costs them nothing or they pay for an exploit kit so that they don’t have to worry about email attachments getting blocked.
Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign. You can see the manual analysis I did on a fresh sample unrelated to Gameover that arrived in my home email on June 1st. See the comments section of this VirusTotal entry for my manual analysis results, then compare to this automated threat report. The automated report identified one domain that the dropper downloads ZeuS from. Manual analysis uncovered all ten and a narrative sequence of events.
People and organizations worried about botnet infections could avoid a lot of hassle by following these recommendations:
1. Block email attachments containing executable files or zip files with executable files like exe and scr.
2. Use vulnerability mitigation software to make up for unpatched software to avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of protecting from attacks including rare 0days before software patches are even available. Also, EMET can be managed in corporate environments using group policies.
3. Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.