Zeus Gets an Upgrade! New Features Challenge Researchers and Thwart Hostile Takeover

In its monthly online fraud report, RSA researchers shed some light on the latest evolution of the Zeus Trojan – Zeus 2.1 – which now boasts features that help it avoid analysis and hostile takeover from law enforcement, researchers, or competing cybercriminal organizations.

Zeus 2.1 Malware Trojan

Zeus is an advanced, well-engineered piece of malware. One of its features is dynamically downloading a configuration file from a predefined location, but, useful as that is for its operators, it can also be turned against them. For example, other cybercriminals could essentially capture an entire botnet (“botnet theft”) by injecting a ‘poisoned’ configuration file into the command & control server. Once that is done, the next time the malware issues an update request, the poisoned configuration file is downloaded into the infected bot, redirecting stolen data to a different drop site. Other loopholes in previous versions allowed security researchers or law enforcement agents to “trick” Zeus into downloading a new version that actually disabled the malware on the infected system.

With Zeus 2.1, the cybercriminal software engineers have stepped things up, adding new features to combat botnet theft and to make malware analysis much more challenging.

Perhaps the most innovative enhancement in Zeus 2.1 is the new “Digital Signature” mechanism, which verifies the digital signature on all files and data it downloads, while keeping most of the Trojan’s strings in encoded form and decoding them only when needed. For example, when the Trojan needs a resource, it decodes it, uses it, and then destroys the decoded copy shortly thereafter, rendering the strings used by the Trojan “invisible” to an outsider and ensuring that researchers who attempt to analyze the malware will be unable to access the data it has captured.
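The signature check described above is the same principle that protects legitimate signed software and configuration updates: the client embeds only a public key, so whoever controls the download location cannot produce a payload it will accept. The following Go program is an added illustration of that principle and is not code from the RSA report or from the malware; the config layout, key handling and endpoint names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Config is a constructed stand-in for a downloadable configuration file; the
// article's "drop site" corresponds to the Endpoint field.
type Config struct {
	Version  int    `json:"version"`
	Endpoint string `json:"endpoint"`
}

// SignedBlob is what the distribution server serves: payload plus a signature over it.
type SignedBlob struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("config signature does not verify against the embedded public key")

// SignConfig is the publisher side; only the holder of the private key can run it.
func SignConfig(priv ed25519.PrivateKey, cfg Config) (SignedBlob, error) {
	payload, err := json.Marshal(cfg)
	if err != nil {
		return SignedBlob{}, err
	}
	return SignedBlob{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// ApplyUpdate is the client side. It keeps the current config untouched unless the
// downloaded blob verifies, so a substituted ("poisoned") file is simply ignored.
func ApplyUpdate(pub ed25519.PublicKey, current Config, blob SignedBlob) (Config, error) {
	if !ed25519.Verify(pub, blob.Payload, blob.Signature) {
		return current, ErrBadSignature
	}
	var next Config
	if err := json.Unmarshal(blob.Payload, &next); err != nil {
		return current, err
	}
	return next, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cfg := Config{Version: 1, Endpoint: "updates.example"}
	good, _ := SignConfig(priv, Config{Version: 2, Endpoint: "updates.example"})
	// Substituted payload with the genuine signature reused: verification fails.
	poisoned := SignedBlob{Payload: []byte(`{"version":3,"endpoint":"intruder.example"}`), Signature: good.Signature}
	cfg, err := ApplyUpdate(pub, cfg, good)
	fmt.Println(cfg, err)
	cfg, err = ApplyUpdate(pub, cfg, poisoned)
	fmt.Println(cfg, err)
}
```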

Much like industrial corporations, cybercriminals have developed their own business models in order to operate as profitable organizations, and this is another example of the parallels between cybercriminal businesses and other enterprises.

The rise and evolution of Zeus has been alarming, as Zeus has been more resistant to detection than other forms of malware. According to a study released in August 2010 by Trusteer involving 10,000 computers, 55 percent could not find and remove Zeus, even though they were equipped with the latest updates of their security and antivirus software.

Zeus also has a mobile version, dubbed SymbOS/Zitmo.A!tr, or “Zitmo,” standing for “Zeus In The Mobile.” As two-factor authentication methods are becoming more popular, cybercriminals are working hard to keep up and develop technologies like “Zitmo” that let them further track and capture user credentials. The Zitmo malware was designed to intercept confirmation SMS messages sent by banks to their customers.

RSA’s Fraud Report notes that, “While the new enhancements will be quite enticing for some cybercriminals, Zeus v2.1 was introduced before the public announcements on the merger between Zeus and SpyEye. It will be hard to predict whether or not this recent upgrade will gain momentum, but so far to date, the propagation of the latest Zeus version is fairly limited.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
