The first hardware-based licensing model seen in malware

Mar 15, 2010 14:49 GMT

The creators of the ZeuS crimeware toolkit are taking unprecedented measures to protect their product from cyber-criminals who don't want to pay the hefty price for it. Security researchers report that a complex hardware-based licensing system has been introduced with the latest version of the trojan-generating software.

ZeuS, also known as Zbot, is one of the most widespread and successful computer trojans in circulation today. This trojan is primarily used to steal financial information from organizations and end users alike, with the purpose of fraud, but it can also be employed to capture sensitive data for corporate espionage.

Computers infected with the ZeuS crimeware form botnets, which receive updates and instructions from Command and Control (C&C) servers operated by different cyber-criminal gangs. Hundreds of Zbot variants are in the wild at any given time; the ZeuS Tracker listed almost 700 active ZeuS hosts at the time of writing.

According to researchers from Atlanta-based security vendor SecureWorks, the latest version (1.3.4.x) of the ZeuS builder toolkit, which is used to generate custom variants of the trojan, can be acquired for around $4,000 on the underground market. Additional modules are priced between $500 and $10,000, depending on their functionality.

However, by far the most intriguing change in the latest toolkit version is the new licensing system. "Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer. This is the first time we have seen this level of control for malware," the SecureWorks researchers explain.

The ZeuS trojan helped fraudsters steal millions of dollars from the accounts of U.S. companies, non-profit organizations and public institutions last year alone. Antivirus vendors are having a hard time keeping up with this malware, but if SecureWorks is right, things are only going to get worse. The vendor warns that version 1.4 of the ZeuS crimeware kit, which is in beta testing, features polymorphic encryption of the executable files.

"The 1.4 version of ZeuS will enable the ZeuS Trojan to re-encrypt itself each time it infects a victim, thus making each infection unique. The 1.4 version also enables the ZeuS file names to be randomly generated, thus each infection will contain different file names. This will make it very difficult for anti-virus engines to identify the ZeuS Banking Trojan on the victims’ system," SecureWorks' analysis reads.