Sophisticated New Zeus Variants Continue to Propagate

Friday, February 24, 2012

The Zeus Trojan continues to become more sophisticated, making the malware increasingly hard to combat.

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to spread.

The Zeus Trojan can lay dormant for long periods until the user of the infected machine accesses targeted information, like banking accounts. Zeus then harvests passwords and authentication codes.

Security firm Trusteer recently reported that a survey found an increasing number of websites known to host Zeus variants.

“The increasing usage of automated registration and servicing systems on the internet means that human operator monitoring of hosted systems has become less frequent in those countries with good internet access. As well as driving the cost of hosting downwards, this has the worrying effect of making it all too easy to register and set up a C&C and/or Zeus-infected website plus allied systems, and use the platform to infect the general internet user community.”

The report also shows that a growing number of networks are hosting command and control (C&C) operations for Zeus-based botnets.

Of even greater concern are newer variants of Zeus that do not depend on C&C servers for commands and updates but instead share them with one another, and these variants are becoming increasingly prevalent.

Last fall, Swiss security expert Roman Hüssy discovered variants of the Zeus Trojan with newly added peer-to-peer (P2P) functionality, which makes the malware more resistant to mitigation efforts.

The Trojan still receives command and control information from only one domain at a time, so it can be mitigated by "sinkholing": redirecting the control domain to a server the defenders operate, which cuts off the attacker's channel and, because infected machines keep checking in, also reveals which hosts are compromised. The respite lasts only until the bots learn a new control domain through the P2P functionality.

"Every peer in the botnet can act as a C&C server, while none of them really are one," said Symantec researcher Andrea Lelli.

"Bots are now capable of downloading commands, configuration files, and executables from other bots - every compromised computer is capable of providing data to the other bots," Lelli said.
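The following is an added illustration, not code from the article or from any Zeus sample, of the dynamic described in the two passages above: a bot that reports to a single control domain, a resolver that sinkholes that domain, and a peer-to-peer gossip step that hands out a new domain. The domains, host names, sinkhole address and gossip scheme are all constructed for the example; real Zeus P2P traffic is not modelled. It shows why a sinkhole sees every bot until the first peer with a newer configuration propagates it, after which the sinkhole goes dark.

```python
"""Toy model of single-domain C&C plus P2P configuration updates.

Added example, not the article's or any malware author's code. Domains,
hosts, the sinkhole address and the gossip topology are all made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.1"  # constructed: address of the defender-run sinkhole


@dataclass
class Bot:
    host: str
    cc_domain: str        # the single domain this bot currently reports to
    config_version: int   # bots prefer the highest version they hear about
    peers: list["Bot"] = field(default_factory=list)

    def gossip(self) -> bool:
        """Pull a newer configuration from a peer (the P2P update path).

        Returns True if this bot adopted a peer's configuration.
        """
        best = max(self.peers, key=lambda p: p.config_version, default=None)
        if best is not None and best.config_version > self.config_version:
            self.cc_domain = best.cc_domain
            self.config_version = best.config_version
            return True
        return False


class Resolver:
    """Minimal DNS stand-in: domains map to attacker IPs unless sinkholed."""

    def __init__(self, zone: dict[str, str]) -> None:
        self.zone = dict(zone)
        self.sinkholed: set[str] = set()

    def sinkhole(self, domain: str) -> None:
        """Redirect a control domain to the defender's server."""
        self.sinkholed.add(domain)

    def resolve(self, domain: str) -> str | None:
        if domain in self.sinkholed:
            return SINKHOLE_IP
        return self.zone.get(domain)


def checkin_round(bots: list[Bot], resolver: Resolver) -> set[str]:
    """Every bot contacts its control domain; return hosts the sinkhole saw."""
    seen: set[str] = set()
    for bot in bots:
        if resolver.resolve(bot.cc_domain) == SINKHOLE_IP:
            seen.add(bot.host)
    return seen


def simulate() -> tuple[set[str], set[str], int]:
    """Return (hosts seen before the P2P update, hosts seen after, gossip rounds)."""
    resolver = Resolver({
        "cc-old.example": "198.51.100.10",   # constructed attacker addresses
        "cc-new.example": "198.51.100.20",
    })
    bots = [Bot(f"host{i}", "cc-old.example", config_version=1) for i in range(5)]
    # Ring topology: each bot knows only its two neighbours.
    for i, bot in enumerate(bots):
        bot.peers = [bots[(i - 1) % 5], bots[(i + 1) % 5]]

    resolver.sinkhole("cc-old.example")
    before = checkin_round(bots, resolver)   # every infected host is visible

    # The attacker seeds ONE peer with a new configuration; gossip spreads it.
    bots[0].cc_domain, bots[0].config_version = "cc-new.example", 2
    rounds = 0
    while any(b.config_version < 2 for b in bots):
        for bot in bots:
            bot.gossip()
        rounds += 1

    after = checkin_round(bots, resolver)    # the sinkhole now sees nothing
    return before, after, rounds


if __name__ == "__main__":
    seen_before, seen_after, n = simulate()
    print(f"sinkhole saw {sorted(seen_before)} before the P2P update")
    print(f"sinkhole saw {sorted(seen_after)} after {n} gossip round(s)")
```

The practical lesson for a sinkhole operator is in the `before` set: the window in which the old domain is sinkholed is also the window in which the infected population can be enumerated, so that data should be captured immediately rather than assumed to stay available.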

Researchers at Symantec have not yet worked out how these variants continue to relay stolen data back to the attackers in the absence of a C&C network.

"Analysis is still ongoing, so we are working on uncovering this part of the mystery to figure out the full picture," said Lelli.
