ZeuS developers up the ante with beefed up variant
Posted on 15.10.2010
ZeuS has for a while now been almost a synonym for banking Trojans of every shape and form.

Some say that the attention that the information security community has focused on it and on the the increasing efforts to stomp it out have allowed other lesser known banking Trojans such as Carberp, Bugat and SpyEye to rise in prominence and number of infected computers.

But ZeuS developers are not ready to leave this lucrative business without a fight. According to Trend Micro researchers, new variants are using the brand new LICAT file infector as a way of making computer download the from a variety of sources and execute them.

LICAT infects files that have been executed after it has injected itself into the Explorer.exe process and every time they are executed, it randomly "calculates" which domain name will be contacted to download other malware such as ZeuS.

Once this ZeuS variant is executed, it decrypts and executes the main file infector (LICAT) again, which then opens random ports, deletes some registries and gathers various information from the system and completes the infection chain by repeating the infecting process described earlier:


This new ZeuS variant also employes various techniques to bypass automatic heuristics-based detection. A different type of compression and a larger number of imported external API's changes the way a heuristic scanner sees the file, making it thus harder to detect.

Additionally, this variant is designed to render sandbox analysis more difficult. "Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate," says Trend Micro researchers, who are still investigating what other detected routines do.






Spotlight

The context-aware security lifecycle and the cloud

Posted on 25 November 2014.  |  Ofer Wolf, CEO at Sentrix, explains the role of the context-aware security lifecycle and illustrates how the cloud is shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Nov 26th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //