Oct 14, 2010 11:04 GMT  ·  By

Security researchers from Trend Micro have identified several routines in the ZeuS sample distributed by the Licat file infector, which attempt to make analysis and detection harder.

Trend Micro named the threat TSPY_ZBOT.BYZ and according to its research engineers it is an unusual variant of ZeuS 2.0.

ZeuS is a crimeware toolkit developed for information stealing purposes and sold on the underground forums to other cybercriminals.

The toolkit can be used to generate customized versions of a trojan called ZBot (ZeuS Bot) and associated command and control applications.

ZeuS supports third-party plug-ins, which are usually sold separately, and is commonly used by fraudsters to steal online banking credentials, credit card data and other sensitive information.

The variant discovered by the Trend Micro researchers makes use of a never-before-seen file infector component to prolong its lifespan on a system, but it also has other tricks up its sleeve.

"[…] Common ZeuS 2.0 variants contain relatively few imported external APIs. By contrast, TSPY_ZBOT.BYZ imports many external APIs.

"To a heuristic scanner, this changes the appearance of the file and lowers the possibility of detection," explains Julius Dizon, a research engineer at Trend.
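The observation above is that the size of a sample's import table is one of the features a heuristic scanner weighs, so a variant that imports far more APIs than its family normally does can slip past a signature built on the usual profile. The following Python script is an added example, not Trend Micro's tooling: it walks a PE file's import directory with nothing but the standard library, counts the imported APIs, and flags a sample whose count is far above a baseline of earlier samples. Because the page gives no real binaries or counts, the PE image is constructed in-script (`build_sample_pe`) and the baseline counts are made-up placeholders.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def build_sample_pe(imports):
    """Constructed, minimal PE32 image: DOS/NT headers plus one .idata section
    holding an import directory for {dll: [api, ...]}. Not a real executable,
    just enough structure for parse_imports() to exercise."""
    base = 0x1000                                   # RVA of the .idata section
    body = bytearray(20 * (len(imports) + 1))       # descriptors + null terminator
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for api in funcs:                           # IMAGE_IMPORT_BY_NAME: hint + name
            name_rvas.append(base + len(body))
            body += struct.pack("<H", 0) + api.encode() + b"\0"
            body += b"\0" * (len(body) % 2)
        dll_rva = base + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        int_rva = base + len(body); body += thunks  # OriginalFirstThunk table
        iat_rva = base + len(body); body += thunks  # FirstThunk (IAT) table
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descs)] = b"".join(descs)

    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     base, 20 * (len(imports) + 1))             # import directory
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), base, raw_size,
                      0x200, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    headers += b"\0" * (0x200 - len(headers))
    return headers + bytes(body) + b"\0" * (raw_size - len(body))


def parse_imports(data):
    """Return {dll_name: [api_name, ...]} from a PE32 or PE32+ file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (112 if magic == 0x20B else 96)     # data directories
    import_rva = struct.unpack_from("<I", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]

    sections = []
    for i in range(nsec):                                    # section table
        off = opt_off + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_size, ord_flag = (("<Q", 8, 1 << 63) if magic == 0x20B
                                       else ("<I", 4, 1 << 31))
    result = {}
    if import_rva == 0:
        return result
    desc_off = rva_to_off(import_rva)
    while True:                                              # IMAGE_IMPORT_DESCRIPTOR walk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0:
            break
        funcs = []
        thunk_off = rva_to_off(oft or ft)                    # prefer the INT, fall back to IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ord_flag:                             # import by ordinal
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                            # skip the 2-byte hint
                funcs.append(cstr(rva_to_off(entry & 0x7FFFFFFF) + 2))
            thunk_off += thunk_size
        result[cstr(rva_to_off(name_rva)).lower()] = funcs
        desc_off += 20
    return result


def import_api_count(data):
    return sum(len(apis) for apis in parse_imports(data).values())


def looks_padded(count, baseline_counts, factor=3):
    """Flag a sample whose imported-API count is far above the family's median."""
    median = sorted(baseline_counts)[len(baseline_counts) // 2]
    return count > factor * median


if __name__ == "__main__":
    sample = build_sample_pe({"kernel32.dll": ["CreateFileA", "WriteFile"],
                              "user32.dll": ["MessageBoxA"]})
    print(parse_imports(sample))
    print(looks_padded(import_api_count(sample), [8, 10, 12]))  # constructed baseline
```

The parser only reads the import directory, so it says nothing about what the sample does with those APIs; its point is that an import count far outside a family's normal range is itself a signal worth a closer look, rather than a reason for a heuristic to score the file as less suspicious.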

In addition, the compression of the malicious file differs from what is commonly seen in other ZeuS variants, and routines that make the sample difficult to analyze in sandboxed environments were also found.

"Its dropped copy in the %Application Data% folder will have updated information about its 'correct' location. If this particular copy is executed in a different folder, it will simply terminate," revealed Mr. Dizon.

It's not clear whether this variant is the work of the main ZeuS developers or an independent modification of the toolkit, especially since other significant changes were seen recently, as well.

Before the Licat file infector was discovered, researchers found a new ZeuS component in the form of a malicious mobile application, designed to steal two-factor authentication tokens sent via SMS.