ZeuS takes many forms but deep inside it's the same evil piece of malware

Oct 17, 2011 08:45 GMT

A new version of the infamous ZeuS has been seen roaming the internet, masquerading as a message from the Australian Taxation Office that informs the recipient of changes to the way tax returns are submitted.

TrendLabs discovered the popular bank-account-stealing Trojan at the end of September, identifying the piece of malware as TSPY_ZBOT.SMQH; it lands on a machine with the aid of the Blackhole exploit kit.

After injecting itself into a process already running in the computer's memory, it adds registry entries that make it execute automatically at every start-up of the machine. It then waits silently for you to perform banking operations, capturing a set of credentials that the cybercriminals can use to access your financial records.
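The start-up persistence described above is one of the few artifacts a responder can check without the sample in hand. The following is an added example, not code from the article or from TrendLabs: it parses the text of a `reg export` of the per-user Run and RunOnce keys and flags any autorun whose executable lives outside the usual installation directories. The sample export, the value names and the "trusted prefix" heuristic are all constructed here for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a "reg export" of the per-user autorun keys. The entries
# are invented; "updater.exe" under the profile is a placeholder, not an
# indicator taken from the article.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Placeholder\\updater.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Windows\\System32\\cmd.exe /c del C:\\Users\\alice\\setup.log"
'''

# Key suffixes that hold per-boot / per-logon autoruns (matched case-insensitively).
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)

# Where legitimately installed software normally lives. Anything autostarting
# from elsewhere (user profile, temp) gets a closer look. This is a triage
# heuristic assumed for the example, not a rule stated in the article.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value: str) -> str:
    """.reg files escape backslashes and double quotes with a backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_autoruns(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: command_line}} for Run/RunOnce keys only."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower().endswith(AUTORUN_KEYS) else None
            if current is not None:
                result.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            result[current][m.group(1)] = _unescape(m.group(2))
    return result


def command_image(command: str) -> str:
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything through the first ".exe", else the first token.
    m = re.match(r"(?i)(.*?\.exe)", command)
    return m.group(1) if m else command.split()[0]


def suspicious_autoruns(reg_text: str) -> List[Dict[str, str]]:
    """List autorun entries whose image is outside the trusted directories."""
    findings: List[Dict[str, str]] = []
    for key, values in parse_autoruns(reg_text).items():
        for name, command in values.items():
            image = command_image(command)
            if not image.lower().startswith(TRUSTED_PREFIXES):
                findings.append({"key": key, "name": name, "image": image})
    return findings


if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f['key']} :: {f['name']} -> {f['image']}")
```

On a live system the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); the parser only looks at the two autorun keys, so the rest of a larger export is ignored.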

Once it has gathered all the data it needs, it removes itself to wipe any trace, leaving the victim stripped of their savings.

The researchers believe that the new spy is based on the ZeuS source code which was made public some time ago and they suspect that it was created by the same individuals who came up with LICAT.

Even though in this case it seems to target only Australians, the way it's built allows it to be used anywhere in the world.

I don't know if it's the same variant, but the way it works looks somewhat like the one we've seen a few days ago. It requests the configuration file by opening a random UDP port that connects to a default list of IP addresses, unlike the older versions, which used HTTP to download the config component.
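Because the config is no longer fetched over HTTP, a web proxy log will not show it; the observable pattern is instead a UDP exchange with a remote host followed shortly by a TCP connection to that same host. The following is an added detection example, not code or a signature from the article or from TrendLabs: it correlates constructed flow records (RFC 5737 documentation addresses, invented timestamps and ports) and raises an alert when a host's non-DNS/NTP UDP traffic to a destination is followed within a time window by TCP to the same destination. The window and the ignored-port list are assumptions to tune per environment.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds since epoch
    proto: str     # "udp" or "tcp"
    src: str       # internal host
    dst: str       # remote host
    dport: int     # destination port

# Constructed flow records; addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow(100.0, "udp", "10.0.0.5", "192.0.2.53", 53),      # ordinary DNS lookup
    Flow(100.5, "tcp", "10.0.0.5", "192.0.2.20", 443),     # HTTPS with no prior UDP
    Flow(101.0, "udp", "10.0.0.5", "198.51.100.7", 3761),  # UDP to an unusual port...
    Flow(104.0, "tcp", "10.0.0.5", "198.51.100.7", 9112),  # ...then TCP to the same host
    Flow(200.0, "udp", "10.0.0.8", "203.0.113.2", 4500),   # UDP...
    Flow(900.0, "tcp", "10.0.0.8", "203.0.113.2", 80),     # ...TCP far outside the window
]

# UDP services that routinely precede TCP to the same host and would only add
# noise here (DNS, NTP). Assumed for the example; extend for your network.
IGNORED_UDP_PORTS = {53, 123}

Alert = Tuple[str, str, float, float]  # (src, dst, udp_ts, tcp_ts)


def correlate_udp_then_tcp(flows: List[Flow], window: float = 60.0) -> List[Alert]:
    """Return one alert per TCP flow that was preceded, within `window`
    seconds, by a non-ignored UDP flow from the same source to the same
    destination. Flows are processed in time order."""
    alerts: List[Alert] = []
    recent_udp: Dict[Tuple[str, str], float] = {}  # (src, dst) -> latest UDP ts
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if f.proto == "udp":
            if f.dport not in IGNORED_UDP_PORTS:
                recent_udp[key] = f.ts
        elif f.proto == "tcp" and key in recent_udp:
            udp_ts = recent_udp[key]
            if 0 <= f.ts - udp_ts <= window:
                alerts.append((f.src, f.dst, udp_ts, f.ts))
    return alerts


if __name__ == "__main__":
    for src, dst, u, t in correlate_udp_then_tcp(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: UDP at {u:.0f}s then TCP at {t:.0f}s")
```

The same loop works over exported NetFlow/IPFIX or firewall records once they are mapped onto `Flow`; a hit is a lead for pivoting on the destination, not proof of infection on its own.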

The bot ID is encrypted and sent to the server along with a stream of characters. Once the communication is validated, the malware retrieves the encrypted config over a TCP connection. The received file is decrypted using the same RC4 algorithm as ZeuS 2.
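For an analyst holding a captured TCP stream, "the same RC4 algorithm as ZeuS 2" means the config can be recovered once the key has been pulled from the sample. The following is an added example, not code from the article or from TrendLabs: a plain RC4 implementation, checked against the public "Key"/"Plaintext" test vector, plus a small routine that tries candidate keys and keeps the one whose output looks like text. The key and config contents below are constructed placeholders; the article gives neither, and the real key has to come from the analyzed sample.

```python
from typing import List, Optional, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key.
    S: List[int] = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: one keystream byte XORed per data byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/newline; a crude test of
    whether a candidate key produced something config-like."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def decrypt_config(blob: bytes, candidate_keys: List[bytes],
                   threshold: float = 0.9) -> Optional[Tuple[bytes, bytes]]:
    """Try each recovered key in turn; return (key, plaintext) for the first
    whose output passes the printable-text check, or None if none does."""
    for key in candidate_keys:
        plaintext = rc4(key, blob)
        if printable_ratio(plaintext) >= threshold:
            return key, plaintext
    return None


# Constructed stand-in for a captured config: key and contents are invented
# here, not recovered from the sample the article describes.
DEMO_KEY = b"placeholder-botnet-key"
DEMO_CONFIG = b"server=http://gate.example.invalid/\nretry=60\nversion=2\n"
DEMO_BLOB = rc4(DEMO_KEY, DEMO_CONFIG)   # what the TCP stream would carry

if __name__ == "__main__":
    # Public test vector: RC4("Key", "Plaintext") = BBF316E8D940AF0AD3
    print(rc4(b"Key", b"Plaintext").hex())
    hit = decrypt_config(DEMO_BLOB, [b"wrong-key", DEMO_KEY])
    if hit:
        print("key:", hit[0].decode(), "\n", hit[1].decode())
```

A wrong key yields bytes with a printable ratio near 0.38 (the fraction of byte values that are printable), so the threshold separates the two cases cleanly for anything longer than a few dozen bytes.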

As this is one of the most dangerous pieces of malware known, make sure you don't trust notifications that appear to come from state institutions or other suspicious-looking senders, as these seem to be the perfect lure for hackers looking to fill their pockets.