Oct 8, 2010 16:59 GMT

Security researchers from Trend Micro have discovered several links between the recently discovered PE_LICAT.A file infector and the infamous ZeuS banking trojan.

There are very few actively maintained viruses left, because this class of malware has been surpassed in prevalence by trojans and worms, which can be used more efficiently to earn illegal money.

Given today's heavily cybercrime-oriented threat landscape, the discovery of LICAT was somewhat unexpected. According to the researchers, however, this particular virus might not be so traditional after all.

It spreads by infecting legitimate files, in this case EXE, DLL and HTML. However, it also features an update component similar to the one seen in the Conficker worm.

The update routine runs every time one of the infected files is executed and generates unique update URLs based on the current date, according to a predefined algorithm.

This allows the creators of the virus to know what URLs the infected machines will attempt to contact in advance.

The researchers checked whether any of the URLs generated for past dates had ever been registered and, as it turns out, some of them had. Not only that, but some are still active and associated with ZeuS operations.
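The date-seeded scheme described above, as an added illustration that is neither LICAT's actual algorithm (the article does not give it) nor Trend Micro's code: a hypothetical generator with a constructed seed, the watchlist a defender can pre-compute from it for a window of days, and a check of constructed DNS-log lines against that list.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in seed: the real PE_LICAT algorithm and its inputs are
# not given in the article, so this generator is hypothetical.
SEED = b"constructed-example-seed"
START = date(2010, 9, 20)  # first day of the window examined below


def daily_domain(day: date, seed: bytes = SEED, tld: str = "com") -> str:
    """Hypothetical date-seeded generator: the date alone determines the
    name, so anyone holding the seed can compute it for any past or future
    day, which is the property the article describes."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).hexdigest()
    # Map the first 12 hex digits to letters a-p to form a hostname label.
    label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
    return f"{label}.{tld}"


def watchlist(start: date, days: int) -> dict[str, date]:
    """Pre-generate the names for a window of days, as a defender would to
    block, sinkhole or monitor them before infected hosts ask for them."""
    return {daily_domain(start + timedelta(d)): start + timedelta(d)
            for d in range(days)}


def match_dns_log(lines: list[str], expected: dict[str, date]) -> list[tuple[str, str, date]]:
    """Scan DNS-log lines of the form '<timestamp> <client> <qname>' and
    return (client, qname, scheduled_day) for queries hitting a
    pre-generated name; malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in expected:
            hits.append((client, qname, expected[qname]))
    return hits


# Constructed DNS log: two queries for generated names, one benign query,
# one malformed line.
SAMPLE_LOG = [
    f"2010-09-20T10:00:00Z 10.0.0.5 {daily_domain(START)}.",
    "2010-09-20T10:00:01Z 10.0.0.5 www.example.com.",
    f"2010-09-21T09:30:00Z 10.0.0.9 {daily_domain(START + timedelta(1))}",
    "garbage line",
]
```

Running `match_dns_log(SAMPLE_LOG, watchlist(START, 7))` reports the two clients that queried a scheduled name, together with the day each name was due.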

ZeuS, also known as Zbot, is a trojan commonly used by criminals to steal online banking credentials and other financial information from people and organizations.

"Several of the domains that PE_LICAT was scheduled to download files from in late September are confirmed to be known ZeuS domains in that period.

"One of these domains, {BLOCKED}klklmssrr.com, was registered approximately one week before it would have been used by PE_LICAT.

"Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past, and is a known haven for cybercrime," Jessa De La Torre, a threat response engineer at Trend, writes.

Furthermore, a downloader found on one of these domains, which installs a copy of the virus, exhibits ZeuS-like behavior. This further points to a connection between the two threats and makes LICAT a lot more interesting, as the research continues.