As companies scramble to shore up their defenses against cybercriminals, the criminals are responding in kind.  Over the past several years, malicious software has taken center stage in the fight to steal sensitive data.  Data thieves are continually revising their tools and tactics to exploit vulnerabilities in security.  The web browser is once again at the forefront of the fight.  Disturbingly, the criminals are often managing to stay one step ahead of companies.

Trusteer reported today that they have identified and analyzed a new version of the very dangerous Zeus financial malware.  Zeus (Zbot) is a Trojan designed specifically to capture banking and other information, which is then used for fraud.  In an earlier report, Trusteer outlined how Zeus was injecting fraudulent Verified by Visa and MasterCard SecureCode pages into financial institution websites and obtaining user credentials, which were then used to bypass those control systems.

Trusteer’s analysis of Zeus version 2.1 shows that the developers have upgraded the code to create a much more flexible and dangerous version.  According to Trusteer, the new capabilities include:

  • URL matching based upon a full implementation of the Perl Compatible Regular Expressions library (PCRE).  As an example, Zeus can now target all URLs that start with HTTPS and zero in on those that contain specific digits or keywords.
  • The injection mechanism has also been upgraded to use PCRE.  This helps avoid detection by allowing the malware to inject into very specific pages without injecting into other pages.
  • Zeus has been upgraded with a more fine-grained ‘grabbing’ mechanism, which allows it to extract very specific areas of a page (e.g. the account balance).
  • Finally, Zeus has been upgraded with a 1024-bit RSA public key, which is likely used for one-way encryption and for authenticating the command and control server to Zeus clients.
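As an added illustration (not code from Trusteer's report or from the malware itself), the Python sketch below shows why regex-based targeting matters to a bank's defenders: given target patterns of the kind described above (constructed here, not real Zeus configuration) and an inventory of the institution's own URLs, an analyst can enumerate which pages a pattern would select and how narrowly it is aimed.  Python's `re` stands in for PCRE; the syntax overlaps for these patterns but is not identical.

```python
import re

# Constructed, hypothetical target patterns of the kind the report describes:
# any HTTPS page, HTTPS pages containing a specific digit run, and HTTPS
# pages containing a keyword.  No real Zeus configuration is reproduced here.
SAMPLE_PATTERNS = [
    r"^https://",                         # coarse: every HTTPS URL
    r"^https://[^/]+/.*\b2010\b",         # zero in on a specific number in the path
    r"^https://[^/]+/(?:login|balance)",  # zero in on keyword pages
]

# Constructed URL inventory for a fictitious bank (.invalid TLD, never resolves).
SAMPLE_URLS = [
    "http://www.examplebank.invalid/about",
    "https://www.examplebank.invalid/login",
    "https://www.examplebank.invalid/balance?acct=2010",
    "https://www.examplebank.invalid/statements/2010/march",
    "https://www.examplebank.invalid/help",
]


def match_targets(patterns, urls):
    """Map each pattern to the URLs it selects, in inventory order.

    Patterns are anchored with ^ as in the HTTPS example, so search() and
    match() behave the same; search() is used so unanchored patterns also work.
    """
    compiled = [(p, re.compile(p)) for p in patterns]
    return {p: [u for u in urls if rx.search(u)] for p, rx in compiled}


def selectivity(patterns, urls):
    """Fraction of the inventory each pattern selects.

    A value near 1.0 means a coarse pattern (every HTTPS page); a small value
    means the narrow, page-specific targeting the report says helps the
    injection avoid notice, and tells the analyst exactly which pages to review.
    """
    hits = match_targets(patterns, urls)
    return {p: len(selected) / len(urls) for p, selected in hits.items()}


if __name__ == "__main__":
    for pattern, selected in match_targets(SAMPLE_PATTERNS, SAMPLE_URLS).items():
        print(f"{pattern!r} selects {len(selected)} page(s): {selected}")
```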

The increasingly sophisticated features being added to the malware should give some indication of how profitable fraud can be.  The Zeus developers have a refined R&D capability which allows their product to stay ahead of competing malware products such as Bugat, Clampi, and SpyEye.  More troubling is the fact that modern anti-virus capabilities appear to have limited ability to detect Zeus.  As stated by Trusteer:  “This version of Zeus is extremely elusive and virtually undetectable by antivirus products.”

Chris Mark, EVP; Data Security & Compliance