9:00 ET, 9 April 2014

Security researchers at Comodo have detected a new Zeus trojan variant enhanced with digital signature of its source code to avoid detection.

The security community is once again menaced by Zeus banking trojan, a new variant of the malicious  ZeuS Trojan has been identified by researchers at Comodo AV labsThis instance presents an interesting feature, it is digitally signed with a stolen digital certificate which belongs to Microsoft Developer.

The technique is not new in the past numerous malware were digitally signed to avoid detection from anti-virus systems, clamorous the theft of digital certificate from Bit9 occurred one year ago when the security company announced that hackers had stolen digital certificates from its network and have utilized it to sign malware.

On Microsoft systems the installation of certain types of software could request that its code is digitally signed with a certificate issued by a trusted CA, by stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happened to Stuxnet virus, but let’s remark that the technique is very common in the criminal underground, more than 200,000 unique malware binaries were discovered in the last couple of years signed with valid digital signatures.

“The Comodo team identified the Zeus variant because they continuously monitor and analyze scan data from the users of Comodo’s internet security systems. They have found over 200 unique hits for this Zeus variant from our users so far.” reports the official 

The new Zeus trojan variant is distributed through infected web page components and via classic phishing email apparently sent by a trusted source including a major bank. The post reports the case of a Comodo user which provides a sample of Zeus Trojan that masquerade itself as file of Internet Explorer with a valid signature issued to “isonet ag”.

z1

The principal components of last Zeus Trojan variant, as reported by Comodo, are:

  1. The Downloader: Delivered to the user system by an exploit or an attachment in a phishing email. It will download the rootkit and malware component of the attack.
  2. The Malware: In this case it is a data stealer, the program that will steal valuable user data, login credentials, credit card info, etc. that the user keys into a web form.
  3. A Rootkit: A rootkit hides the installed malware component, protecting it from detection and removal.

The infection process is quite simple and transparent to defense systems installed on the victim’s machine, once in execution the malicious file is installed without triggering any antivirus control thanks the trick of digital signature of its code, it also tries to download rootkit components from:

  • lovestogarden.com/images/general/TARGT.tpl
  • villaveronica.it/images/general/TARGT.tpl

The post published by Comodo On Zeus Trojan also explained how the malicious code implements the Man-In-The-Browser attack method, a technique that we discussed different time in the past.

“If the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally. The payment information they keyed will display as expected, but behind the scenes the hackers will alter the transaction and send it to another account with possibly a larger amount.” researchers explained.

The Zeus Trojan variant detected by Comodo is able to protect its components, by mitigation actions made by antivirus software, the rootkit component is in fact installed within “Boot Bus Extender” to ensure it loads before other drivers.

“Its purpose is to protect malicious files and autorun entries from being deleted by user or antivirus software, increasing difficulty of the removal process.” reports Comodo experts.

We just have to wait for the next version of the dangerous Zeus Trojan.

Pierluigi Paganini

(Editor-In-Chief, CDM)
rsa-logo