Dangerous new Zeus Trojan fools anti-virus

A new and "extremely dangerous" version of the notorious Zeus malware has been discovered that can fool detection systems by hiding behind an apparently legitimate digital signature.

Dangerous new Zeus Trojan fools anti-virus
Dangerous new Zeus Trojan fools anti-virus

The new virus was revealed by US vendor Comodo Antivirus Labs in a blog on April 3. The company has found over 200 unique hits by the malware on its customers.

Comodo blog post author Kevin Judge said the Zeus variant disguises itself as an Internet Explorer document, which is served via a web page or a phishing email. This downloads data-stealing malware hidden by a rootkit component. It aims to steal login credentials, credit card and other information that the user keys into a web form.

Judge said the IE file disarms the user – and web browsers and anti-virus systems – “by being digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to ‘isonet ag'.”

He explained: “Versions of Zeus have been around for several years, but with a valid digital certificate a browser will not display warning messages and anti-virus systems are much less likely to take action or will give lower levels of warning. Malware with a valid digital signature is an extremely dangerous situation. A digital signature assures browsers and anti-virus systems that a file is legitimate and not a threat.”

UK-based security expert Richard Moulds, vice president of strategy at Thales e-Security, confirmed: “If an attacker can sign their malicious code in a way that passes the validation process, they are a huge step further in mounting an attack.”

Moulds explained the process in an email to SCMagazineUK.com: “Windows, iOS, Android and Linux all use code-signing to ensure that only legitimate, signed code is installed and executed. Code-signing provides the best mechanism for proving that code hasn't been modified and therefore is a way of spotting malware infected software and rejecting it.”

To prevent malware like the new Zeus code defeating the validation process, Moulds said software publishers need to strongly protect the secrecy of the cryptographic keys used to create each signature, and strongly enforce the signing authorisation process – typically using hardware security modules (HSMs) which create a tamper-resistant environment for managing and using keys.

But without an HSM, Moulds said: “Keys and processes are subject to a host of attacks since they can be ‘seen' in the processor's memory, easily copied and modified.”

He said: “Code-signing systems must be designed to ensure that only legitimate code is signed and that the signature can be trusted, otherwise the system delivers little value and provides cover for malicious attacks such as those we have witnessed in this case.”

Lancope chief technology officer, Tim Keanini, said in an emailed comment to journalists: "Zeus and its family of malware continues to evolve in two dimensions: how it remains hidden and how it remains effective as a keystone in crimeware activities. I continue to be impressed with each phase of its evolution and Zeus with a valid digital certificate is trouble for everyone.

“The executable part of Zeus resides on the victim's machine where the primary detection capabilities are provided by an anti-virus suite. Having the valid certificate means that it will likely go undetected by the AV protection.”

The Zeus or Zbot Trojan is designed to steal online banking and other sensitive user data. In February, SCMagazineUK.com reported that research from Dell SecureWorks showed Zeus and the related Citadel malware were the two biggest banking botnets of 2013, targeting 900 financial institutions worldwide. Zeus is also used to install the Gameover malware, the CryptoLocker ransomware and it's more recent but flawed lookalike CryptoDefense.