The Zeus financial malware has been updated with P-to-P (peer-to-peer) functionality that makes it much more resilient to take-down efforts and gives its controllers flexibility in how they run their fraud operations.
The new version of the infamous banking Trojan was discovered and analyzed [http://www.abuse.ch/?p=3499] by Swiss security expert Roman H
One year ago security researchers from antivirus vendor Trend Micro managed to link a file infector dubbed LICAT to Zeus, concluding that it serves as a delivery platform for the Trojan and is designed to prolong its infections.
LICAT uses a special algorithm to generate random domain names for updating purposes in a similar manner to the Conficker worm. Its creators know in advance what domains the malware will check on a certain date and can register them if they need to distribute a new version.
"A few weeks ago I've noticed that no new murofet/LICAT C&C [command and control] domain names have been registered by the criminals. I was a little bit confused and decided to analyse a recent Zeus sample (spread through a Spam campaign targeting US citizens)," H
"When I ran the binary in my sandbox, I've seen some weird UDP traffic. My first guess was: This is not ZeuS. But after I've analysed the infection I came to the conclusion that it is actually ZeuS," he noted.
Once installed on a computer, the new Zeus variant queries a set of hardcoded IP addresses that correspond to other infected systems. The Trojan downloads an updated set of IPs from them and if those computers are also running a newer version, it updates itself.
Zeus is one of the oldest and most popular crimeware toolkits available on the underground market. Up until this year the Trojan could only be acquired for significant sums of money from its original author. However, a few months ago the source code leaked online and now anyone with the proper knowledge can create variations of the malware.
Using this method, which is known as sinkholing, H
The effort did, however, allow the Swiss researcher to determine that the biggest number of computers infected with this new Zeus variant are located in India, Italy and the U.S.
"We all know that the fight between criminals and security researchers is a cat and mouse game. I'm sure this wasn't the last change made to ZeuS and we will continue to see efforts from criminals to make their malware stay more under the radar," H
According to a recent report from security vendor Trusteer, Zeus and SpyEye are the biggest threats faced by financial institutions, the company estimating that the number of Zeus infections exceeds that of SpyEye four to one.