New Zeus Malware Discovered

Internet security vendor 'Sophos' informed that it had found a new type of the Zeus also known as the Zbot financial malware kit that employed anti-piracy methods to block the execution of code for uses other than which it had planned.

This is because the new sample is either corrupt or will only run on particular versions of Windows. Another reason could be that the file will only run on a fixed date or some specific payload is only triggered on a specific date as W95/CIH-1106 which runs on the 2nd day of any month.

Commenting on the issue, James Wyke (Malware analyst at SophosLabs, UK) said that these Zbot samples had been created to make sure that they only worked when ran on a specific computer and from a specific path, as reported by InformationWeek on July 26, 2010.

He further stated that any effort to install the sample in a different machine or from a different path would lead to the early extinction of the malicious code with no impact on the target system.

The security firm reported that this new technique was attained through hardware based digital watermarking that made dynamic analysis of the sample impossible for the AV researchers.

It was also noted that the criminals behind Zeus were making their botnet more complicated and sophisticated. Zeus was possibly the best known of all monetary oriented botnets, which intended to exploit individual PCs and launched relay spam, phishing attacks, launch denial of service attacks or just steal people's bank account details.

The previous versions of Zbot (pre version 2.0), when installed initially, would replicate their executable to a specific location (%SYSTEM%\sdra64.exe), sometimes adding random quantity of data to the end of the file to evade checksum based detections.

Version 2 generates a new file which is almost similar to the original file except for a small block that includes the pathname information and hardware that binds the sample's successful execution to a single location on a machine.

The users are suggested to be alert and install all the essential security solutions and update them frequently to lessen the risk of becoming victim.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 8/7/2010