A variant of Zeus banking Trojan found recently by malware analysts emerged totally invisible to antivirus engines at the time of the assessment.
Zeus, also known as Zbot, is well known in the security industry since 2007 and made millions of victims since. Its versatility allowed the creation of Gameover Zeus (GoZ), which captured banking information and was also used to distribute CryptoLocker ransomware.
The activity of both GoZ and Cryptolocker was disrupted in early June 2014, during Operation Tovar, an effort involving multiple law enforcement agencies and private security firms.
Detection is bound to increase quickly
Stephen Ramage from PricewaterhouseCoopers discovered that the latest version of Zeus was delivered via Neutrino exploit kit, a web-based attack tool that takes advantage mostly of unpatched versions of Flash Player browser plugin to funnel in a malicious payload.
The researcher learned that the sample was a variant of Zeus by running it through the analysis platform at Malwr.com, which showed that it created mutexes matching the banking Trojan
Uploading the sample to VirusTotal showed that none of the antivirus products in the collection could identify the piece of malicious.
Things are changed at the moment, as Malwr.com reports that at least one security solution at VirusTotal flags the file.
Recently registered domain indicates a fresh campaign
Ramage’s research also revealed that check-in response from Neutrino includes base64 encoded data pointing to a domain (sells-store[.]com) registered on June 1, indicating that the malicious campaign is new.
He also found that the registrant’s name, Wuxi Yilian LLC, has been used for taking other domains, many of them used for malicious purposes.
Ramage released signatures for Suricata and Snort IDS (Intrusion Detection System) for both the second stage infection, when the executable is downloaded and the command and control (C&C) server contacted by Zeus.