Fresh Zeus Sample Infects Only High-Performance Computers
F-Secure, an anti-virus software provider, warns that a fresh incarnation of Zeus is infecting only PCs that run at very high speeds.
In particular, the malware will not install itself on machines whose processor runs at less than 2GHz. That is not due to any assumption that the owners of such computers are not rich enough to be defrauded through Internet banking; rather, it is because the slow speed may be a sign that the machine is being used for virus analysis.
Accordingly, the Trojan has a built-in safeguard mechanism: it terminates, leaving the PC free of infection, if it believes that it is being subjected to a virus test, since such a test may partly consist of slowing down the PC with a debugger.
To test whether the theory is correct, F-Secure released the Trojan onto an IBM T42 laptop whose speed was no more than 1.86GHz. The company found that the laptop came through unharmed.
Elaborating on the theory, Timo Hirvonen, a malware analyst at F-Secure, stated that when fewer than 232 timer updates occurred during a 2-second application pause, the Trojan concluded that the system was running a debugger and terminated so that not much could be learnt of its presence. Techeye.net published this on November 25, 2010.
This behavior implies that on a processor running at less than 2GHz, the new Zeus will treat the machine as a test environment and so leave the system uninfected.
Hirvonen further explained that the current Zeus sample might be helpful to anyone who wished to build a botnet of high-specification machines to crack codes. However, since Zeus variants were normally known to steal Internet banking credentials, the current variant was an utter loss from that standpoint, he added. Theregister.co.uk published this on November 25, 2010.
Sadly, Zeus is a crimeware toolkit that is constantly being developed and is illegally traded for a license worth only some hundred dollars. Meanwhile, the apparent mistake in the F-Secure-detected Zeus variant, which infects only high-speed systems, is entirely unrelated to the numerous other Zeus-generated Trojans that are actively circulating online.
» SPAMfighter News - 07-12-2010