Attackers Improve Zeus Trojan to Beat Security

Malware authors have released a new version of the Zeus crimeware, security researchers reported Oct. 20.

The latest version of Zeus, which Trusteer is calling 2.1, has improved the Trojan's "business logic" as well as its ability to avoid detection by antivirus protection. The enhancements run the gamut from "a 1024-bit RSA public key, which will probably be used for one-way encryption of data and authenticating the C&C server to Zeus clients," to "URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library."

Zeus 2.1 also has a "fine-grained 'grabbing' mechanism, again based on PCRE, which can extract very specific areas of the page ... and report them to the C&C host. The grab mechanism provides an efficient way of collecting user data (such as account balance), as opposed to ... having to copy the full page," Trusteer said. Its "injection mechanism ... now uses sophisticated regular expressions based on PCRE as well."

"Since the Trusteer Secure Browsing software is installed on the PCs of millions of bank customers, automatically classifying, blocking, analyzing and removing financial malware such as Zeus, our researchers can see the enhanced attack vectors to real time," Mickey Boodaei, CEO of Trusteer, said in a statement. "The improvements are similar in those seen in commercial software, but instead of enhancements being released on a monthly or annual basis, the timescales are now being compressed to just days and weeks, largely because of the immense fraudulent revenues involved."

And like commercial software, Zeus has its rivals -- Clampi, SpyEye and Bugat, to name a few.

"The big question is, How long can Zeus stay in pole position in the malware fraud charts? Our researchers suggest that, given its ability to be morphed and enhanced, it's going to be some while yet before other malware gets a look in at the top spot. And this means that hackers have a vested interest [in keeping] Zeus ahead of the game as far as its ability to defraud, forcing them to improve and increase their effort all the time to avoid losing the cyber-criminal's business," Boodaei said.