Peer-to-peer update to Zeus Trojan confers resistance to take-downs

The biggest number of computers infected with this new Zeus variant are located in India, Italy and the US

The Zeus financial malware has been updated with P-to-P (peer-to-peer) functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.

The new version of the infamous banking Trojan was discovered and analyzed by Swiss security expert Roman Hüssy, the creator of the abuse.ch Zeus and SpyEye tracking services.

One year ago security researchers from antivirus vendor Trend Micro managed to link a file infector dubbed LICAT to Zeus, concluding that it serves as a delivery platform for the Trojan and is designed to prolong its infections.

LICAT uses a special algorithm to generate random domain names for updating purposes in a similar manner to the Conficker worm. Its creators know in advance what domains the malware will check on a certain date and can register them if they need to distribute a new version.

"A few weeks ago I've noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a Spam campaign targeting US citizens)," Hüssy wrote on his blog on Monday.

"When I ran the binary in my sandbox, I've seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I've analysed the infection I came to the conclusion that it is actually ZeuS," he noted.

Once installed on a computer, the new Zeus variant queries a set of hardcoded IP addresses that correspond to other infected systems. The Trojan downloads an updated set of IPs from them and if those computers are also running a newer version, it updates itself.

Zeus is one of the oldest and most popular crimeware toolkits available on the underground market. Up until this year the Trojan could only be acquired for significant sums of money from its original author. However, a few months ago the source code leaked online and now anyone with the proper knowledge can create variations of the malware.

Hüssy believes that this new version is a custom build used by a particular fraud gang or a very small number of cybercriminal groups. Fortunately, the variant still relies on a single domain for receiving commands and submitting stolen data, and this allows researchers to hijack the botnet temporarily, at least until it is updated to use another domain via the P-to-P system.

Using this method, which is known as sinkholing, Hüssy managed to count 100,000 unique IP addresses in 24 hours. This doesn't reflect the exact size of the botnet, because infected LAN computers can use the same IP on the Internet, while others might get new IP addresses assigned to them by their internet service providers on each restart.

The effort did, however, allow the Swiss researcher to determine that the biggest number of computers infected with this new Zeus variant are located in India, Italy and the U.S.

"We all know that the fight between criminals and security researchers is a cat and mouse game. I'm sure this wasn't the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar," Hüssy concluded.

According to a recent report from security vendor Trusteer, Zeus and SpyEye are the biggest threats faced by financial institutions, the company estimating that the number of Zeus infections exceeds that of SpyEye four to one.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags spywareantivirustrend microintrusionExploits / vulnerabilitiesDesktop security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?