With the leak of ZeuS source code, we expected that more cybercriminals would craft their own HTTP controlled bots based on ZeuS.
Last week, we started to see the first generation of modified ZeuS based on the leaked source code, called Ice IX. According to the seller’s post on underground forums, one of Ice IX’s main advantages is its protection from trackers. The seller also claimed that the configuration file cannot be downloaded and analyzed if the request does not come from the bot, although this has since been shown not to be the case.
Recently, we received another updated variant (detected as TSPY_ZBOT.IMQU) that we consider part of this new generation of ZeuS variants. Based on its code, this sample was possibly generated by ZeuS toolkit version 22.214.171.124.
We believe this is a private version of a modified ZeuS, created by a private professional gang comparable to LICAT. Though we have yet to see anyone sell this new version of the toolkit on underground forums, we expect more similar variants to emerge in the not-so-distant future.
Unlike Ice IX, this version has shown that current trackers can fail to decrypt its configuration file because of its updated encryption/decryption routine. The method used to download the configuration file is similar to that of the original ZeuS2, but this variant does not use the RC4 encryption algorithm; it uses an updated encryption/decryption algorithm that we are still analyzing.
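The tracker failure described above is easy to reproduce in miniature. The following is an added example, not code from the original post and not a description of the real variant's algorithm (which the post says is still being determined): it implements RC4 as used by the original ZeuS2 configuration files, builds a constructed toy configuration blob (the `CFG1` magic header, the key `constructed-bot-key` and the field names are all invented here, not ZeuS's real layout), and then shows how a tracker should validate a decryption result instead of trusting it. The `variant_encrypt` function is a hypothetical stand-in for an "updated" cipher so that the same tracker logic can be seen to fail gracefully and report an unknown scheme rather than emit garbage.

```python
import string

# Constructed magic header for this toy configuration format.
# It is an assumption for the example, not the real ZeuS config layout.
CONFIG_MAGIC = b"CFG1"
PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def variant_encrypt(key: bytes, data: bytes) -> bytes:
    """Hypothetical 'updated' cipher used only to illustrate a tracker failing.

    RC4 output is chained so that each ciphertext byte is XORed with the
    previous ciphertext byte. This is a constructed stand-in, NOT a claim
    about what the new ZeuS variant actually does.
    """
    out = bytearray()
    prev = 0
    for b in rc4(key, data):
        prev = b ^ prev
        out.append(prev)
    return bytes(out)


def looks_like_config(blob: bytes) -> bool:
    """Known-plaintext sanity check: magic header plus printable body."""
    if not blob.startswith(CONFIG_MAGIC):
        return False
    return all(b in PRINTABLE for b in blob[len(CONFIG_MAGIC):])


def try_rc4_keys(blob: bytes, candidate_keys):
    """Return (key, plaintext) for the first candidate key whose RC4
    decryption passes the sanity check, or None if no key works."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_config(plain):
            return key, plain
    return None


def classify(blob: bytes, candidate_keys):
    """Label a downloaded config blob as 'rc4' (with the working key) or
    'unknown' when no candidate RC4 key yields a plausible configuration."""
    hit = try_rc4_keys(blob, candidate_keys)
    if hit is not None:
        return "rc4", hit[0]
    return "unknown", None


# Constructed sample data for the example.
SAMPLE_KEY = b"constructed-bot-key"
SAMPLE_CONFIG = (
    CONFIG_MAGIC
    + b"url_config=http://example.invalid/cfg.bin\n"
    + b"url_server=http://example.invalid/gate.php\n"
)
ORIGINAL_STYLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_CONFIG)          # ZeuS2-style RC4
VARIANT_STYLE_BLOB = variant_encrypt(SAMPLE_KEY, SAMPLE_CONFIG)  # hypothetical new scheme


if __name__ == "__main__":
    keys = [b"wrong-key", SAMPLE_KEY]
    print("original-style blob:", classify(ORIGINAL_STYLE_BLOB, keys))
    print("variant-style blob: ", classify(VARIANT_STYLE_BLOB, keys))
```

The point for a tracker operator is the `looks_like_config` step: an RC4 decryption with a wrong key, or of data that was never RC4-encrypted, still "succeeds" and returns bytes, so a tracker that does not validate the result will quietly ingest noise. Validating against a known header and structure turns the new variant's change of cipher into an explicit "unknown" result that can be flagged for analysis.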
The original ZeuS2 kept a pointer to its bot uninstall function. Antivirus software may use this function to identify ZeuS bot information and to clean a ZeuS infection automatically. However, the new version of ZeuS also updated this functionality and removed the pointer to the bot uninstall function, eliminating the opportunity for AVs to use it.
The emergence of these latest ZeuS variants clearly implies that ZeuS is still a very profitable piece of malware and that cybercriminals are continuously investing in the leaked source code. As always, we will continue to monitor this threat.
Thanks to Threat Research Manager Ivan Macalintal for initially bringing attention to this new ZeuS variant.
With additional text by Roland Dela Paz.