Trend Micro Researchers Report Interesting Details of New Zeus Variant
Kaspersky spotted a 64-bit edition of the infamous Zeus Trojan and reported it in December 2013. Experts at the time highlighted that the malware relied on Tor to protect its C&C (command and control) infrastructure. Now security firm Trend Micro has also analyzed the 64-bit Zeus Trojan and has come up with some fascinating details.
The threat comes with improved anti-malware evasion tricks: the malware can identify certain analysis tools, such as StudPE, WinHex, OllyDbg and ProDump, and it stops executing if any of these tools is detected.
Another noteworthy addition is Zbot's (Zeus's) user-mode rootkit capability, which hides the malware's files, processes and registry entries. This version conceals its dropped files and its auto-start registry entry. Folders created by the malware can be seen with the dir command in a command prompt (CMD) but are hidden when browsed through File Explorer.
Because the malware only has a user-mode rootkit, which covers only malware-related files and processes (unlike a kernel-mode rootkit), users can see the TSPY_ZBOT.AAMV auto-start registry entry and the folders and files it created by rebooting into Safe Mode, and they can remove those files while still in Safe Mode.
Interestingly, the Zeus variant detected by Kaspersky also has rootkit capabilities: it can hide the files and folders it drops (File Explorer does not show them), the processes it starts and the registry keys it creates.
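The cross-view check the paragraphs above imply, as an added example (it is not code from Trend Micro, Kaspersky or the article): take one listing of a folder from a process the rootkit does not hook (cmd.exe's `dir /a`) and one from the hooked process (what File Explorer shows), and report anything present in the first but missing from the second. The `dir` output and the Explorer view below are constructed for the example, the folder and file names in them are hypothetical, and the date format assumed is the US-locale one cmd.exe prints. A kernel-mode rootkit would subvert both views, so this only covers the user-mode case the article describes.

```python
"""Cross-view check for user-mode file hiding.

Added example, not Trend Micro's or Kaspersky's code.  A user-mode
rootkit hooks file-enumeration APIs inside the processes it targets
(File Explorer, per the article), so a listing taken by an unhooked
process (cmd.exe's `dir /a`) can be diffed against the hooked view.
Entries in the unhooked view that the hooked view lacks are being hidden.
A kernel-mode rootkit would fool both views; this covers user-mode only.
"""
import re
import subprocess
import sys
from typing import Iterable, List, Set

# `dir /a` output as cmd.exe prints it (US locale).  Constructed for the
# example; the folder "Ixuhy" and file "ixuhy.exe" are hypothetical names.
DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\victim\\AppData\\Roaming

07/01/2014  09:12 AM    <DIR>          .
07/01/2014  09:12 AM    <DIR>          ..
05/01/2014  08:03 AM    <DIR>          Microsoft
07/01/2014  09:12 AM    <DIR>          Ixuhy
07/01/2014  09:12 AM           318,976 ixuhy.exe
07/01/2014  09:12 AM             4,096 desktop.ini
               2 File(s)        323,072 bytes
               4 Dir(s)  51,234,566,144 bytes free
"""

# What the hooked File Explorer reports for the same folder (constructed):
# the malware's folder and executable are filtered out of the enumeration.
EXPLORER_VIEW = {"Microsoft", "desktop.ini"}

# One `dir /a` entry line: date, time, either <DIR> or a comma-grouped
# size, then the name.  Header and footer lines do not start with a date.
_ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+"
    r"(?:<DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text: str) -> Set[str]:
    """Return the entry names from `dir /a` output, skipping '.' and '..'."""
    names: Set[str] = set()
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group("name") not in (".", ".."):
            names.add(m.group("name"))
    return names


def hidden_entries(unhooked: Iterable[str], hooked: Iterable[str]) -> List[str]:
    """Names the unhooked view has that the hooked view lacks, sorted."""
    return sorted(set(unhooked) - set(hooked))


def cross_view_check(dir_text: str, explorer_names: Iterable[str]) -> List[str]:
    """Parse cmd.exe's listing and diff it against the hooked view."""
    return hidden_entries(parse_dir_listing(dir_text), explorer_names)


def live_dir_listing(path: str) -> str:
    """On Windows, get `dir /a` from a fresh cmd.exe (an unhooked process).

    cmd.exe is started fresh so its enumeration is not the hooked one;
    the hooked side still has to be captured from Explorer by hand.
    """
    if sys.platform != "win32":
        raise RuntimeError("cmd.exe is only available on Windows")
    out = subprocess.run(["cmd", "/c", "dir", "/a", path],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Offline demo on the constructed listing; hidden = ['Ixuhy', 'ixuhy.exe'].
    for name in cross_view_check(DIR_OUTPUT, EXPLORER_VIEW):
        print(f"hidden from Explorer but visible to dir: {name}")
```

The diff is only meaningful when the two listings really come from different processes; running both from one hooked process yields nothing. Any name the check reports is a candidate for the Safe Mode removal the article describes, since Safe Mode starts Explorer without the malware's user-mode hooks in place.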
Anthony Joe Melgarejo, Threat Response Engineer at Trend Micro, published a report on blog.trendmicro.com on 7th January, 2014, stating: "This 64-bit edition of Zeus/ZBOT is an anticipated progression for the malware, particularly after the source code of Zeus was leaked in 2011. Ever since then, we've witnessed numerous reincarnations of the malware in the form of KINS and its participation with other malware like 'Cryptolocker' and 'UPATRE'. The addition of functionalities like rootkit capability and the employment of a Tor module is added proof that we can observe more changes in the future, principally those which help dodge or delay anti-malware attempts."
The security firm advises users to keep up-to-date anti-virus software on their systems to avoid being infected by the latest version of the Zeus Trojan.
» SPAMfighter News - 21-01-2014