Peer-to-peer update to Zeus Trojan confers resistance to take-downs

The biggest number of computers infected with this new Zeus variant are located in India, Italy and the US

The Zeus financial malware has been updated with P-to-P (peer-to-peer) functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.

The new version of the infamous banking Trojan was discovered and analyzed by Swiss security expert Roman Hüssy, the creator of the abuse.ch Zeus and SpyEye tracking services.

One year ago security researchers from antivirus vendor Trend Micro managed to link a file infector dubbed LICAT to Zeus, concluding that it serves as a delivery platform for the Trojan and is designed to prolong its infections.

LICAT uses a special algorithm to generate random domain names for updating purposes in a similar manner to the Conficker worm. Its creators know in advance what domains the malware will check on a certain date and can register them if they need to distribute a new version.

"A few weeks ago I've noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a Spam campaign targeting US citizens)," Hüssy wrote on his blog on Monday.

"When I ran the binary in my sandbox, I've seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I've analysed the infection I came to the conclusion that it is actually ZeuS," he noted.

Once installed on a computer, the new Zeus variant queries a set of hardcoded IP addresses that correspond to other infected systems. The Trojan downloads an updated set of IPs from them and if those computers are also running a newer version, it updates itself.

Zeus is one of the oldest and most popular crimeware toolkits available on the underground market. Up until this year the Trojan could only be acquired for significant sums of money from its original author. However, a few months ago the source code leaked online and now anyone with the proper knowledge can create variations of the malware.

Hüssy believes that this new version is a custom build used by a particular fraud gang or a very small number of cybercriminal groups. Fortunately, the variant still relies on a single domain for receiving commands and submitting stolen data, and this allows researchers to hijack the botnet temporarily, at least until it is updated to use another domain via the P-to-P system.

Using this method, which is known as sinkholing, Hüssy managed to count 100,000 unique IP addresses in 24 hours. This doesn't reflect the exact size of the botnet, because infected LAN computers can use the same IP on the Internet, while others might get new IP addresses assigned to them by their internet service providers on each restart.

The effort did, however, allow the Swiss researcher to determine that the biggest number of computers infected with this new Zeus variant are located in India, Italy and the U.S.

"We all know that the fight between criminals and security researchers is a cat and mouse game. I'm sure this wasn't the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar," Hüssy concluded.

According to a recent report from security vendor Trusteer, Zeus and SpyEye are the biggest threats faced by financial institutions, the company estimating that the number of Zeus infections exceeds that of SpyEye four to one.

Tags intrusionsecuritytrend microDesktop securityspywareExploits / vulnerabilitiesantivirus

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?