Cyber Criminals Use Zeus Variants To Snatch Certificates
According to security firm Trend Micro, its researchers noticed a large number of suspicious files carrying a strange digital signature.
While analyzing some Zeus samples, Trend Micro discovered numerous other files with a signature that appeared to belong to another renowned security vendor, Kaspersky. The researchers at Trend Micro explained that the signature instantly grabbed their attention because the files appeared to be signed by a legitimate antivirus company, Kaspersky, as reported by The Tech Herald on August 5, 2010.
The researchers further explained that when they examined the certificate, they observed that the hash value associated with the suspect file was not valid. A signature's hash value is specific to the original file it was issued for, and this particular signature had been stolen.
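Why a copied signature fails validation, as an added example that is not from Trend Micro or the original article: a signature block is bound to the hash of the file it was issued for, so moving it onto another file leaves the signer name readable but makes verification report a hash mismatch. The toy RSA key, the "Example Vendor" name, the status strings and the sample bytes are all constructed for illustration.

```python
import hashlib

# Toy RSA key for the constructed "Example Vendor" (two Mersenne primes).
# Far too small for real use; it only keeps the example dependency-free.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the vendor only


def digest(data: bytes) -> int:
    # SHA-256 truncated to 160 bits so the value fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(data: bytes, signer: str) -> dict:
    """Vendor side: produce a signature block bound to this file's hash."""
    return {"signer": signer, "sig": pow(digest(data), D, N)}


def verify(data: bytes, block) -> str:
    """Verifier side: recompute the file hash and compare it with the signed one."""
    if block is None:
        return "NotSigned"
    signed_hash = pow(block["sig"], E, N)
    return "Valid" if signed_hash == digest(data) else "HashMismatch"


def triage(data: bytes, block) -> tuple:
    """Return (displayed signer name, verification status) for a file."""
    signer = block["signer"] if block else None
    return signer, verify(data, block)


# Constructed sample data, not real binaries.
CLEANER = b"constructed bytes standing in for the vendor's cleaning tool"
SUSPECT = b"constructed bytes standing in for an unrelated suspect file"

vendor_block = sign(CLEANER, "Example Vendor")
copied_block = dict(vendor_block)  # same block attached to a different file

if __name__ == "__main__":
    print(triage(CLEANER, vendor_block))  # signer shown, status Valid
    print(triage(SUSPECT, copied_block))  # same signer shown, HashMismatch
```

The signer name alone is identical in both results; only the verification status separates the genuine file from the one carrying a copied signature.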
The signature exploited in this particular case seems to have been stolen from Kaspersky's "ZbotKiller" cleaning tool. On further investigation, the security researchers found that the dubious files were certainly malicious: ZeuS (ZBOT) variants, identified as TSPY_ZBOT.BWP, TROJ_ZBOT.BYM, and TROJ_ZBOT.KJT.
In addition, they disclosed that this was not the first time cyber criminals had stolen digital signatures. The first ever STUXNET malware was signed using a certificate from Semiconductors Corp. Another variant was later signed with one from JMicron Technology.
Commenting on the issue, the security experts said that this seemed to be a fast-emerging pattern among malware distributors and served as a good reminder to users to always verify the details of signatures and to make sure that they were valid.
They further explained that, unfortunately, certificates could be replicated by any cyber criminal, with any firm as the target. In this particular case, for instance, the company could not have prevented the incident from taking place, and many more such cases are likely in the future.
Meanwhile, the Zeus Trojan has been continuously in the news in recent days. In the first week of August 2010 alone, there were two incidents and studies linked to Zeus (excluding the one mentioned above) that gained wide media attention, each one highlighting the power of this malware and the harm it can cause. The security experts commented that the Zeus Trojan had been busy all this year (2010).
» SPAMfighter News - 14-08-2010