Sep 28, 2010 10:50 GMT  ·  By

New variants of the infamous ZBot computer trojan list fake configuration URLs in an attempt to mislead security researchers and refuse to run in virtualized environments.

ZeuS is a crimeware toolkit that allows criminals to create customized versions of an information-stealing trojan called ZBot (short for ZeuS Bot).

Because of its flexibility and extensive feature set, ZBot is preferred by fraudsters for stealing online banking credentials, credit card details and other financial information.

Computers infected with ZBot join together in botnets and communicate with a command and control (C&C) server in order to download updates, receive instructions or upload captured data.

Since configuration pages accessed by the bots are part of the C&C Web application itself, they are usually hosted on the same domain as the rest of it.

The trojan can also maintain a short list of backup URLs, just in case attackers lose control of the primary domain and need to relocate the server.

However, while analyzing some recent ZBot variants, Roland Dela Paz, threat response engineer at Trend Micro, found unusually long lists of URLs pointing to domains that were already inactive or not even registered.

The real config URL, located on the same domain as the C&C, is hardcoded into the bot itself and can be viewed by inspecting the binary code.
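As an added example (not code from the article or from Trend Micro), this is the kind of triage a researcher could run over a URL list recovered from a sample: it keeps URLs on the C&C domain (assumed already known from the hardcoded config URL, here the placeholder `C2_HOST`) as the likely real config location and flags an unusually long remainder as probable decoy padding. All hosts and the `SAMPLE_URLS` list are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: a URL list as it might be recovered from a ZBot
# sample's configuration block. Every host here is an illustrative
# placeholder, not a real indicator.
SAMPLE_URLS = [
    "http://panel.c2-example.invalid/cfg/config.bin",
    "http://decoy-one.example/config.bin",
    "http://decoy-two.example/cfg.bin",
    "http://decoy-three.example/update/config.bin",
    "http://decoy-four.example/config.bin",
    "http://decoy-five.example/c.bin",
    "http://backup-c2.example/cfg/config.bin",
]

# Assumed: the C&C host taken from the hardcoded config URL in the binary.
C2_HOST = "c2-example.invalid"


def same_domain(host, c2_host):
    """True if host is the C&C domain itself or one of its subdomains."""
    return host == c2_host or host.endswith("." + c2_host)


def triage_config_urls(urls, c2_host, decoy_threshold=5):
    """Split a recovered URL list into URLs on the C&C domain (the likely
    real config location) and everything else (backups or decoys).
    A long 'other' list is flagged as probable decoy padding."""
    on_c2, other = [], []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        (on_c2 if same_domain(host, c2_host) else other).append(url)
    return {
        "likely_real": on_c2,
        "other": other,
        # Hosts still worth checking by hand: registered? resolving? live?
        "other_hosts": sorted({urlsplit(u).hostname for u in other}),
        "decoy_padded": len(other) >= decoy_threshold,
    }


if __name__ == "__main__":
    result = triage_config_urls(SAMPLE_URLS, C2_HOST)
    print("likely real config URL(s):", result["likely_real"])
    print("hosts to verify:", result["other_hosts"])
    print("looks padded with decoys:", result["decoy_padded"])
```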

"From what I can see, cybercriminals using ZeuS intentionally did this to prevent security researchers from easily gathering information on their activities.

"Alternately, these extra URLs can be used as backup update locations, just in case the main location is taken down," Dela Paz writes.

In addition, some recent ZBot variants contain routines that prevent the trojan's execution inside virtual machines, which is the default environment for malware analysis.

Of course, there are solutions to overcome this, such as creating a VHD (Virtual Hard Disk) from a live Windows installation (XP or above) then booting from it using the Windows 7 boot manager.

In this way, the installation uses the actual physical devices of the computer, unlike in virtualized environments, and a clean copy can always be saved.