ZeuS developers up the ante with beefed up variant
Posted on 15.10.2010
ZeuS has for a while now been almost a synonym for banking Trojans of every shape and form.

Some say that the attention that the information security community has focused on it and on the the increasing efforts to stomp it out have allowed other lesser known banking Trojans such as Carberp, Bugat and SpyEye to rise in prominence and number of infected computers.

But ZeuS developers are not ready to leave this lucrative business without a fight. According to Trend Micro researchers, new variants are using the brand new LICAT file infector as a way of making computer download the from a variety of sources and execute them.

LICAT infects files that have been executed after it has injected itself into the Explorer.exe process and every time they are executed, it randomly "calculates" which domain name will be contacted to download other malware such as ZeuS.

Once this ZeuS variant is executed, it decrypts and executes the main file infector (LICAT) again, which then opens random ports, deletes some registries and gathers various information from the system and completes the infection chain by repeating the infecting process described earlier:

This new ZeuS variant also employes various techniques to bypass automatic heuristics-based detection. A different type of compression and a larger number of imported external API's changes the way a heuristic scanner sees the file, making it thus harder to detect.

Additionally, this variant is designed to render sandbox analysis more difficult. "Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate," says Trend Micro researchers, who are still investigating what other detected routines do.


Credential manager system used by Cisco, IBM, F5 has been breached

Pearson VUE is part of Pearson, the world's largest learning company. Over 450 credential owners (including IT organizations such as IBM, Adobe, etc.) across the globe use the company's solutions to develop, manage, deliver and grow their testing programs.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Nov 25th