Dec 3, 2010 12:34 GMT

Security researchers from Trend Micro have identified a new variant of LICAT, a file infector associated with the ZeuS trojan, which doubles the daily number of domains the malware contacts to receive updates.

LICAT is a file-infecting virus discovered at the beginning of October, which propagates by adding its malicious code to any EXE or DLL it finds.

Security experts have identified two intriguing aspects of LICAT. One is that it employs a pseudo-random domain name generation algorithm similar to the one used by the Conficker worm.

The algorithm uses the computer’s date to generate a list of unique URLs each time a LICAT-infected file is executed. The virus then attempts to contact them in order to check for updates and instructions.

Malware analysts have reverse-engineered the algorithm and know in advance what domains the virus will attempt to contact on a particular day.

These are being monitored in order to detect when one becomes operational and grab the instructions or updates it serves.

A recent LICAT sample attempted to contact a domain name that wasn’t on the list of pre-generated monitored URLs, which drew the attention of researchers from Trend Micro.

Upon closer inspection, they discovered that it was a new variant that used an improved URL generation scheme to double the number of domains.

“The original LICAT variant’s domain generation algorithm (DGA) used the same XOR key twice: once for where its configuration file was located, and another where new/updated variants could be downloaded automatically,” the Trend Micro malware analysts explain.

“In this new variant, however, different keys are used; neither do they share the same value from the original variant,” they note.
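The monitoring workflow and the key change described above can be sketched from the analyst's side; this is an added example, not code from Trend Micro or the original article. It shows why a watchlist built from the old key matches none of the new variant's lookups, and why two distinct keys double the number of unique domains. Assumptions: `toy_dga` is a stand-in generator (the article does not give LICAT's algorithm), and the keys, date and `.example` names are constructed placeholders.

```python
import hashlib
from datetime import date

def toy_dga(day, key, count=4):
    """Stand-in date-seeded generator, NOT LICAT's algorithm (the page does not give it)."""
    names = []
    for i in range(count):
        seed = f"{day.isoformat()}|{key}|{i}".encode()
        names.append(hashlib.sha256(seed).hexdigest()[:12] + ".example")
    return names

def contacted(day, config_key, update_key):
    """Unique domains a sample looks up: one list for config, one for updates."""
    return sorted(set(toy_dga(day, config_key)) | set(toy_dga(day, update_key)))

def triage(lookups, watchlist):
    """Split a sample's lookups into names on the pre-generated list and names off it."""
    known = [d for d in lookups if d in watchlist]
    unknown = [d for d in lookups if d not in watchlist]
    return known, unknown

# Constructed values: the keys and the date are placeholders, not real LICAT parameters.
DAY = date(2010, 12, 3)
OLD_KEY, NEW_CONFIG_KEY, NEW_UPDATE_KEY = 0x11, 0x22, 0x33

def run_demo():
    watchlist = set(contacted(DAY, OLD_KEY, OLD_KEY))            # analysts' pre-generated list
    old_sample = contacted(DAY, OLD_KEY, OLD_KEY)                # original variant, key reused
    new_sample = contacted(DAY, NEW_CONFIG_KEY, NEW_UPDATE_KEY)  # new variant, two new keys
    return {
        "watchlist_size": len(watchlist),
        "old": triage(old_sample, watchlist),
        "new": triage(new_sample, watchlist),
    }

if __name__ == "__main__":
    result = run_demo()
    for variant in ("old", "new"):
        known, unknown = result[variant]
        print(f"{variant}: {len(known)} on watchlist, {len(unknown)} unpredicted")
        if unknown:
            print("  unpredicted lookups, re-analyse the sample's generator:", unknown)
```

Any lookup that lands in the unpredicted list is the signal the article describes: the sample's generator or keys have changed and the watchlist needs to be regenerated.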

The other interesting fact about LICAT is that it downloads the ZeuS banking trojan. Researchers believe that the file infector is meant to prolong the lifespan of ZeuS infections.