The Latest in IT Security

ZeuS Gets Another Update

03
Sep
2011

With the leak of ZeuS source code, we expected that more cybercriminals would craft their own HTTP controlled bots based on ZeuS.

Last week, we started to see the first generation of modified ZeuS based on the leaked source code, called Ice IX. According to the seller’s post on underground forums, one of Ice IX’s main advantages is it has protection from trackers. Also, the configuration file cannot be downloaded and analyzed if the request is not from the bot, although this has subsequently shown not to be the case.

Recently, we have received another updated variant (detected as TSPY_ZBOT.IMQU ) that we could say belongs to this new generation of ZeuS variants. From its code, this sample is possibly generated by ZeuS toolkit version 2.3.2.0.

We believe this is a private version of a modified ZeuS and is created by a private professional gang comparable to LICAT. Though we have yet to see someone sell this new version of toolkit on underground forums, we expect that we will see more similar variants which will emerge in the not-so-distant future.

Unlike Ice IX, this version proved that current trackers may fail to decrypt its configuration file due to its updated encryption/decryption routine. The download method used to download the configuration file is similar to the original ZeuS2, but this variant does not use RC4 encryption algorithm – it uses an updated encryption/decryption algorithm which we are currently determining at the moment.

 

In earlier versions of ZeuS2, the builder has the capability to check for bot information and to uninstall the bot.

The builder does this by calling the hooked API GetFileAttributesExW. If a machine is infected with ZeuS, calling this API via a specific parameter would return with the bot information, which includes bot name, bot version, and a pointer to a function that will uninstall the bot.

Antivirus software may utilize this function to identify ZeuS bot information and to clean ZeuS infection automatically. However, the new version of ZeuS also updated this functionality and removed the pointer to the bot uninstall function, thus, eliminating the opportunities for AVs to utilize this function.

It is also worth mentioning that this malware targets a wide selection of financial firms including those in the United States, Spain, Brazil, Germany, Belgium, France, Italy, Ireland, etc. More interestingly, it targets HSBC Hong Kong, which suggests that this new Zeus variant may be used in a global campaign, which may already include Asian countries.

The emergence of these latest ZeuS variants clearly implies that ZeuS is still a very profitable piece of malware and that cybercriminals are continuously investing on the leaked source code. As always, we will continuously monitor this threat.

Thanks to Threat Research Manager Ivan Macalintal for initially bringing attention to this new ZeuS variant.

With additional text by Roland Dela Paz.

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments