
Zeus Gets an Upgrade! New Features Challenge Researchers and Thwart Hostile Takeover

In its monthly online fraud report, RSA researchers shed some light on the latest evolution of the Zeus Trojan – Zeus 2.1 – which now boasts features that help it avoid analysis and hostile takeover from law enforcement, researchers, or competing cybercriminal organizations.

Zeus 2.1 Malware Trojan


Zeus is an advanced, well-engineered piece of malware. One of its features is dynamically downloading a configuration file from a predefined location, but as useful as that is to its operators, it can also be turned against them. Other cybercriminals could essentially capture an entire botnet (“botnet theft”) by injecting a ‘poisoned’ configuration file into the command & control server: the next time the malware issued an update request, the poisoned configuration file would be downloaded to the infected bot and would redirect its stolen data to a different drop site. Other loopholes in previous versions allowed security researchers and law enforcement agents to “trick” Zeus into downloading a new version that actually disabled the malware on the infected system.

With Zeus 2.1, cybercriminal software engineers have stepped things up and added new features to combat botnet theft and to make malware analysis considerably more difficult.

Perhaps the most innovative enhancement in Zeus 2.1 is the new “Digital Signature” mechanism, which verifies the digital signature on every file and data item the Trojan downloads. Alongside it, most of the Trojan’s strings are kept in encoded form and decoded only when needed: when the Trojan needs a resource it decodes it, uses it, and destroys the decoded copy shortly afterwards. This renders the strings “invisible” to an outsider and makes it much harder for researchers analyzing the malware to recover the data it has captured.
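The signature check described above is the same integrity property any software updater needs, and it is worth seeing exactly what it does and does not rule out. The following Go program is an added illustration, not RSA’s analysis or the Trojan’s code; the key=value configuration format, the field names and the sample drop-site hostnames are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// SignedConfig is a downloaded configuration plus the signature over it.
// The struct layout and the key=value payload format are assumptions made here.
type SignedConfig struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature means the payload was not signed by the key the client pins:
// it was modified after signing, or replaced and re-signed by someone else.
var ErrBadSignature = errors.New("configuration signature does not verify")

// SignConfig is the publisher side: sign the payload with the private key.
func SignConfig(priv ed25519.PrivateKey, payload []byte) SignedConfig {
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// ApplyConfig is the client side: verify against the pinned public key before
// honouring any setting, then return the "drop" value (where data is sent).
func ApplyConfig(pub ed25519.PublicKey, cfg SignedConfig) (string, error) {
	if !ed25519.Verify(pub, cfg.Payload, cfg.Signature) {
		return "", ErrBadSignature
	}
	for _, line := range strings.Split(string(cfg.Payload), "\n") {
		if k, v, ok := strings.Cut(line, "="); ok && k == "drop" {
			return v, nil
		}
	}
	return "", errors.New("no drop setting in configuration")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client pins
	// Constructed sample: the publisher's legitimate configuration.
	good := SignConfig(priv, []byte("version=2.1\ndrop=collector.example\n"))
	// Constructed sample: the same file with the drop site swapped but the old signature kept.
	poisoned := SignedConfig{Payload: []byte("version=2.1\ndrop=rival.example\n"), Signature: good.Signature}
	for _, c := range []SignedConfig{good, poisoned} {
		drop, err := ApplyConfig(pub, c)
		fmt.Printf("drop=%q err=%v\n", drop, err)
	}
}
```

The flip side for defenders is visible in the same code: once a client pins a public key and refuses everything else, substituting a configuration or update on the server is no longer a remediation path, so takedown has to rely on blocking the distribution infrastructure and on host-based detection instead.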

Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization and this is another example of the parallels that cybercriminal businesses have with other enterprises.

The rise and evolution of Zeus has been alarming, as Zeus has proven more resistant to detection than other forms of malware. According to a study released in August 2010 by Trusteer covering 10,000 computers, 55 percent of the machines were unable to find and remove Zeus, even though they were running the latest updates of their security and antivirus software.

Zeus also has a mobile version, dubbed SymbOS/Zitmo.A!tr, or “Zitmo,” standing for “Zeus In The Mobile.” As two-factor authentication methods are becoming more popular, cybercriminals are working hard to keep up and develop technologies like “Zitmo” that let them further track and capture user credentials. The Zitmo malware was designed to intercept confirmation SMS messages sent by banks to their customers.

RSA’s Fraud Report notes that, “While the new enhancements will be quite enticing for some cybercriminals, Zeus v2.1 was introduced before the public announcements on the merger between Zeus and SpyEye. It will be hard to predict whether or not this recent upgrade will gain momentum, but so far to date, the propagation of the latest Zeus version is fairly limited.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
