ZeuS developers up the ante with beefed up variant
Posted on 15.10.2010
ZeuS has for a while now been almost a synonym for banking Trojans of every shape and form.

Some say that the attention that the information security community has focused on it and on the the increasing efforts to stomp it out have allowed other lesser known banking Trojans such as Carberp, Bugat and SpyEye to rise in prominence and number of infected computers.

But ZeuS developers are not ready to leave this lucrative business without a fight. According to Trend Micro researchers, new variants are using the brand new LICAT file infector as a way of making computer download the from a variety of sources and execute them.

LICAT infects files that have been executed after it has injected itself into the Explorer.exe process and every time they are executed, it randomly "calculates" which domain name will be contacted to download other malware such as ZeuS.

Once this ZeuS variant is executed, it decrypts and executes the main file infector (LICAT) again, which then opens random ports, deletes some registries and gathers various information from the system and completes the infection chain by repeating the infecting process described earlier:


This new ZeuS variant also employes various techniques to bypass automatic heuristics-based detection. A different type of compression and a larger number of imported external API's changes the way a heuristic scanner sees the file, making it thus harder to detect.

Additionally, this variant is designed to render sandbox analysis more difficult. "Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate," says Trend Micro researchers, who are still investigating what other detected routines do.






Spotlight

The security threat of unsanctioned file sharing

Posted on 31 October 2014.  |  Organisational leadership is failing to respond to the escalating risk of ungoverned file sharing practices among their employees, and employees routinely breach IT policies.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 31st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //