Oct 20, 2010 15:13 GMT

The new 2.1 version of the infamous ZeuS trojan features significant improvements in detection evasion, targeting and injection mechanisms, as well as C&C communication.

Security researchers from Trusteer, a provider of secure browsing services, who analyzed the new ZeuS variant, reveal that most of the improvements are due to the malware developers' adoption of the Perl Compatible Regular Expressions (PCRE) C library.

One place where PCRE is used intensively is the URL matching mechanism. In the past, ZeuS used a rather basic regular expression to define new targets, but the procedure is now significantly improved.

"For example, Zeus can now target all URLs that start with 'https' and then zero in on those that contain specific digits and keywords," the researchers explain.

Another PCRE-enhanced component is the injection mechanism, which ZeuS uses to add rogue content to Web forms and phish sensitive information from unsuspecting users.

This is considered one of its primary features and is directly responsible for the trojan's success in the cybercriminal underworld.

Thanks to the use of advanced regular expressions, this component is now much more accurate when targeting pages.

The so-called "grabbing" routine can now extract data from specific areas of a page, instead of copying it completely, thanks to PCRE-based improvements.

The new 2.1 version uses a Conficker-like update algorithm, which involves generating hundreds of unique URLs every day and querying them to locate the C&C server. This allows botnet owners to easily switch domains if their primary one is taken down.
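An update algorithm that generates and queries hundreds of unique names a day leaves a visible trace on the network: a single host resolving many distinct domains that do not exist. The following defender-side check, an added example that is not Trusteer's or the article's code, flags such hosts in resolver logs. The log format (timestamp, client, query name, response code), the sample lines and the threshold of five distinct NXDOMAIN names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <rcode>".
# 10.0.0.7 behaves like a bot probing generated names; 10.0.0.5 is a normal client.
SAMPLE_LOG = """\
2010-10-20T15:00:01 10.0.0.5 www.example.com NOERROR
2010-10-20T15:00:02 10.0.0.7 qzkd2a9lpxm.info NXDOMAIN
2010-10-20T15:00:02 10.0.0.7 r8tyv0wqmcn.com NXDOMAIN
2010-10-20T15:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2010-10-20T15:00:03 10.0.0.7 b3nx7kqpdlw.net NXDOMAIN
2010-10-20T15:00:04 10.0.0.7 qzkd2a9lpxm.info NXDOMAIN
2010-10-20T15:00:04 10.0.0.7 m1vtc5hyzra.biz NXDOMAIN
2010-10-20T15:00:05 10.0.0.5 mail.example.com NOERROR
2010-10-20T15:00:05 10.0.0.7 xp0ln2ejgtk.org NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>NOERROR|NXDOMAIN|SERVFAIL)$"
)


def parse_dns_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def flag_dga_clients(records, threshold=5):
    """Return {client: sorted distinct NXDOMAIN names} for clients at or above the threshold.

    Repeated lookups of the same name count once, so a bot retrying a handful of
    typos is not confused with one walking a list of generated domains.
    """
    failed = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            failed[r["client"]].add(r["qname"].lower())
    return {c: sorted(names) for c, names in failed.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in flag_dga_clients(parse_dns_log(SAMPLE_LOG)).items():
        print(client, len(names), "distinct non-existent names:", ", ".join(names))
```

In production the same count would be taken per client over a sliding window (the article's "every day" cadence suggests hours), and a whitelist of known-bad or typo-prone domains would be excluded.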

In addition, a 1024-bit RSA public key has been added and will probably be used to encrypt the communication between C&C servers and the botnet clients.

"The improvements are similar to those seen in commercial software, but instead of enhancements being released on a monthly or annual basis, the timescales are now being compressed to just days and weeks, largely because of the immense fraudulent revenues involved," said Mickey Boodaei, the CEO of Trusteer.

"While commercial software needs to undergo extensive quality assurance processes before being released, Zeus has the luxury of pushing rapid updates without worrying too much about software quality," he added.