A variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection from Web browsers and anti-virus systems.
According to a blog by Comodo, this new variant of the banking Trojan combines a legitimate digital signature, malware component and a rootkit. The digital signature assures browsers and anti-virus, but Comodo warned that with this “approval”, businesses are much less likely to take action or will give lower levels of warning. To date, over 200 unique hits for this Zeus variant have been detected.
A typical attack using Zeus includes a “Man-the-Browser” (MitB) attack where attackers create a remote session where they can see exactly what the victim is doing and interfere with their actions without their knowledge.
Lancope chief technology officer, TK Keanini, said: “Zeus and its family of malware continues to evolve in two dimensions: how it remains hidden and how it remains effective as a keystone in crimeware activities. I continue to be impressed with each phase of its evolution and Zeus with a valid digital certificate is trouble for everyone.
“The executable part of Zeus resides on the victim’s machine where the primary detection capabilities are provided by an anti-virus suite. Having the valid certificate means that it will likely go undetected by the anti-virus protection. However since Zeus is a Man-In-The-Browser (MiTB) style of attack, the attacker has completely control over what information they steal as you click and type and more importantly, what you see in your audit trail as the bank statements render to your screen.
“I follow Zeus closely mainly because I think it has a tainted past, it is still really effective, and because it’s source code has been released, talented individuals out there keep releasing variant that are more and more sophisticated.”
Zeus was originally disrupted in 2012 when a collection of companies led by Microsoft took down command and control servers for the Trojan, which was one of the most prevalent threats at the time.