New Zeus trojan variant digitally signed in the wild

Security researchers at Comodo have detected a new Zeus trojan variant enhanced with digital signature of its source code to avoid detection.

The security community is once again menaced by Zeus banking trojan, a new variant of the malicious ZeuS Trojan has been identified by researchers at Comodo AV labs. This instance presents an interesting feature, it is digitally signed with a stolen digital certificate which belongs to Microsoft Developer.

The technique is not new in the past numerous malware were digitally signed to avoid detection from anti-virus systems, clamorous the theft of digital certificate from Bit9 occurred one year ago when the security company announced that hackers had stolen digital certificates from its network and have utilized it to sign malware.

On Microsoft systems the installation of certain types of software could request that its code is digitally signed with a certificate issued by a trusted CA, by stealing the certificate of a trusted vendor reduces the possibility that the malicious software being detected as quickly. That is exactly what happened to Stuxnet virus, but let’s remark that the technique is very common in the criminal underground, more than 200,000 unique malware binaries were discovered in the last couple of years signed with valid digital signatures.

“The Comodo team identified the Zeus variant because they continuously monitor and analyze scan data from the users of Comodo’s internet security systems. They have found over 200 unique hits for this Zeus variant from our users so far.” reports the official

The new Zeus trojan variant is distributed through infected web page components and via classic phishing email apparently sent by a trusted source including a major bank. The post reports the case of a Comodo user which provides a sample of Zeus Trojan that masquerade itself as file of Internet Explorer with a valid signature issued to “isonet ag”.

The principal components of last Zeus Trojan variant, as reported by Comodo, are:

The Downloader: Delivered to the user system by an exploit or an attachment in a phishing email. It will download the rootkit and malware component of the attack.
The Malware: In this case it is a data stealer, the program that will steal valuable user data, login credentials, credit card info, etc. that the user keys into a web form.
A Rootkit: A rootkit hides the installed malware component, protecting it from detection and removal.

The infection process is quite simple and transparent to defense systems installed on the victim’s machine, once in execution the malicious file is installed without triggering any antivirus control thanks the trick of digital signature of its code, it also tries to download rootkit components from:

lovestogarden.com/images/general/TARGT.tpl
villaveronica.it/images/general/TARGT.tpl

The post published by Comodo On Zeus Trojan also explained how the malicious code implements the Man-In-The-Browser attack method, a technique that we discussed different time in the past.

“If the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally. The payment information they keyed will display as expected, but behind the scenes the hackers will alter the transaction and send it to another account with possibly a larger amount.” researchers explained.

The Zeus Trojan variant detected by Comodo is able to protect its components, by mitigation actions made by antivirus software, the rootkit component is in fact installed within “Boot Bus Extender” to ensure it loads before other drivers.

“Its purpose is to protect malicious files and autorun entries from being deleted by user or antivirus software, increasing difficulty of the removal process.” reports Comodo experts.

We just have to wait for the next version of the dangerous Zeus Trojan.

Pierluigi Paganini

(Security Affairs – Zeus trojan, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.