14 DAY TRIAL // A new variant of the infamous ZeuS Trojan has been discovered to host a more limited set of functions than the original. The differences are noteworthy and can still have a significant impact.
Malware authors do not waste time, even after a major takedown has forced them to relinquish access to the command and control servers for the infected machines.
The new version, uncovered by Fortinet last week and named ZeuS Lite, relies only on TCP to communicate to the remote server and has the initial server list encrypted and hardcoded in the malware body, together with the packet cipher key.
Encryption of the network data is no longer carried out with the RC4 algorithm, as the authors implemented the more secure AES-128.
However, it appears that the authors have implemented a second layer of encryption for incoming and outgoing communication, a simple byte-to-byte XOR algorithm, which is used at first. Then, the data is encoded once more using AES-128.
Another difference when compared to the original is the support for control over the infected machine, as the malware can perform commands for shutting down the system, rebooting it, executing external programs or scripts, or updating the malicious components.
Kan Chen of Fortinet says that “Even though it is shorter, this new version of Zeus is capable of performing sophisticated tasks that could cause great harm to the infected host,” and that the features it includes amount to increased flexibility, which allows downloading new malicious functions from the remote servers and executing them.