In its monthly online fraud report, RSA researchers shed some light on the latest evolution of the Zeus Trojan, Zeus 2.1, which now boasts features that help it resist analysis and hostile takeover by law enforcement, researchers, or competing cybercriminal organizations.
Zeus is well-engineered malware with features such as dynamically downloading its configuration file from a predefined location. Useful as that is to its operators, it can also be turned against them. Other cybercriminals could capture an entire botnet ("botnet theft") by injecting a "poisoned" configuration file into the command and control server: the next time an infected bot issues an update request, it downloads the poisoned file, which redirects the stolen data to a different drop site. Other loopholes in previous versions allowed security researchers or law enforcement agents to "trick" Zeus into downloading a new version that actually disabled the malware on the infected system.
With Zeus 2.1, the cybercriminal software engineers have stepped things up, adding features that combat botnet theft and make malware analysis considerably harder.
Perhaps the most significant enhancement in Zeus 2.1 is a new digital signature mechanism: the Trojan verifies a signature on every file and piece of data it downloads, so a configuration file or update that was not signed by the botnet operator's key is discarded rather than applied. Alongside this, most of the Trojan's strings are kept in encoded form and decoded only when needed. When the Trojan needs a resource it decodes it, uses it, and destroys the decoded copy shortly afterwards, rendering its strings "invisible" to an outsider looking at the binary and ensuring that researchers who analyze the malware cannot simply read the strings and data it works with. Note that this defeats static inspection only: a decoded string has to exist in memory while it is in use, so a debugger or a memory dump taken at the right moment still recovers it.
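The two mechanisms described above, the signature check on downloaded files and the decode-use-wipe handling of strings, as an added example that is not Zeus code and not from the RSA report: a small Go program in which an operator signs a constructed configuration file with an Ed25519 key and the bot verifies it under the embedded public key before applying it, then tries the poisoned-file and rival-key attacks from the botnet-theft description and sees both rejected. The choice of Ed25519, the key=value config format, the hostnames, and the XOR string encoding are all assumptions made for the illustration; the page does not say which algorithm or encoding Zeus 2.1 uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedConfig is a constructed stand-in for a downloaded configuration file:
// the payload plus a detached signature over it.
type SignedConfig struct {
	Payload   []byte
	Signature []byte
}

// SignConfig is the operator side. Only the holder of the private key can
// produce a signature the bot will accept.
func SignConfig(priv ed25519.PrivateKey, payload []byte) SignedConfig {
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyConfig is the bot side. The public key is baked into the binary; a file
// whose signature does not verify under it is rejected before any byte of it
// is parsed or applied.
func VerifyConfig(pub ed25519.PublicKey, cfg SignedConfig) ([]byte, error) {
	if !ed25519.Verify(pub, cfg.Payload, cfg.Signature) {
		return nil, errors.New("config rejected: signature does not verify")
	}
	return cfg.Payload, nil
}

// Outcome records what the bot does with three candidate config files.
type Outcome struct {
	GenuineAccepted    bool // operator-signed file: applied
	TamperedRejected   bool // same file with the drop site edited in transit: refused
	ForeignKeyRejected bool // file signed by a rival with a key of their own: refused
}

// Scenario walks through the botnet-theft attempt with fresh keys and a
// constructed "key=value" config format (an assumption, not the real format).
func Scenario() (Outcome, error) {
	var out Outcome
	operatorPub, operatorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuine := SignConfig(operatorPriv, []byte("drop=https://operator.example/gate\n"))

	// 1. The genuine file verifies and is applied.
	if _, err := VerifyConfig(operatorPub, genuine); err == nil {
		out.GenuineAccepted = true
	}
	// 2. A rival swaps the drop site but cannot recompute the signature.
	tampered := SignedConfig{
		Payload:   bytes.Replace(genuine.Payload, []byte("operator.example"), []byte("rival.example"), 1),
		Signature: genuine.Signature,
	}
	if _, err := VerifyConfig(operatorPub, tampered); err != nil {
		out.TamperedRejected = true
	}
	// 3. The rival signs a poisoned file with their own key pair; the bot only
	//    trusts the operator's public key, so this fails too.
	_, rivalPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	foreign := SignConfig(rivalPriv, []byte("drop=https://rival.example/gate\n"))
	if _, err := VerifyConfig(operatorPub, foreign); err != nil {
		out.ForeignKeyRejected = true
	}
	return out, nil
}

// xorKey is a constructed key for the string-hiding demo (assumption: the page
// does not describe the real encoding).
var xorKey = []byte{0x5a, 0xc3, 0x17}

// xorBytes applies the repeating key; XOR is symmetric, so it both encodes and decodes.
func xorBytes(in []byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = b ^ xorKey[i%len(xorKey)]
	}
	return out
}

// EncodeString produces the at-rest form of a string as it would sit in the binary.
func EncodeString(s string) []byte { return xorBytes([]byte(s)) }

// WithDecoded decodes into a scratch buffer, hands it to use, then zeroes the
// buffer. use receives a byte slice rather than a string so no copy of the
// plaintext outlives the call.
func WithDecoded(enc []byte, use func([]byte)) {
	buf := xorBytes(enc)
	use(buf)
	for i := range buf {
		buf[i] = 0
	}
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
	enc := EncodeString("wininet.dll")
	fmt.Printf("at rest: %x\n", enc)
	WithDecoded(enc, func(plain []byte) { fmt.Printf("in use: %q\n", plain) })
}
```

The wipe in WithDecoded is best effort in a garbage-collected language: the Go runtime may have moved or copied the buffer, which is one reason this kind of hygiene is normally done in native code. The signature check is the stronger of the two defences, since a rival who controls the command and control server can replace the file but, without the operator's private key, cannot make the bot accept it.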
Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization and this is another example of the parallels that cybercriminal businesses have with other enterprises.
The rise and evolution of Zeus has been alarming, as Zeus has proven more resistant to detection than other forms of malware. According to a study released in August 2010 by Trusteer covering 10,000 computers, installed security software failed to find and remove Zeus on 55 percent of them, even though the machines were running the latest updates of their security and antivirus products.
Zeus also has a mobile component, detected as SymbOS/Zitmo.A!tr and dubbed "Zitmo," short for "Zeus In The Mobile." As two-factor authentication becomes more popular, cybercriminals are working hard to keep up, developing tools like Zitmo that let them track and capture the remaining credential. Zitmo was designed to intercept the confirmation SMS messages that banks send to their customers, so that a one-time code delivered by SMS no longer stands between the attacker and a fraudulent transaction.
RSA’s Fraud Report notes that, “While the new enhancements will be quite enticing for some cybercriminals, Zeus v2.1 was introduced before the public announcements on the merger between Zeus and SpyEye. It will be hard to predict whether or not this recent upgrade will gain momentum, but so far to date, the propagation of the latest Zeus version is fairly limited.”

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the national security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
