Sunday, October 2, 2011

Zeus Trojan in depth by TrustDefender Labs

TrustDefender Labs has posted an in-depth report, “Zeus Trojan Update – New Variants based on leaked Zeus Source Code”, by Alex Shipp and Andreas Baumhof.

Three new variants appeared within a few weeks of each other: ICE IX, a version that stores its configuration in the registry, and a version in which the RC4 encryption of the configuration file was replaced with AES.

                                              ************************************


1 Introduction

When the source code of the Zeus Trojan (v.2.0.9.8) leaked into the public in April this year, it was clear that this would have serious implications for the security industry. At the time, there was speculation that it would result in a large number of new variants as malware writers got hold of the code and started work on their own versions.
After a period of silence, we have seen at least three new variants based on the leaked Zeus source code appear within the last couple of weeks. None of the three variants modified the core of the Zeus code; all of them focused on AV evasion and on making sure that security researchers and their tools cannot easily decrypt the configuration files.
The configuration files define what a Zeus Trojan does, and are therefore the holy grail for each Trojan.
In this report, we look in great detail at these new variants and the changes they introduced.
The Zeus Trojan is complicated, with more than 600 subroutines. Rather than examine the entire code for changes, this research looks only at the processes involved in obtaining a decoded configuration file. This is a useful benchmark for a researcher, because the information we are usually interested in is the set of sites under attack by any particular copy of Zeus, and any custom code used in those attacks. Both pieces of information are contained in the configuration file, which is encrypted.
