The notorious Zeus Trojan from is back to the market with a new set of variants. This was first spotted since 2007, a wide spread powerful trojan targeting bank accounts. Now a report from TrendMicro has shown the come back of Zeus with a new variant.
As per net-security :
“In this particular instance, the malware variant is initially delivered via a malicious PDF file disguised as a sales invoice document.
Potential victims that attempt to open the file with Adobe Reader are faced with a notice that says that it can’t be opened because “use of extended features is no longer available.” But in the background, the malware has already been silently dropped onto the system and run.
It first contacts its C&C center to download an updated copy of itself (if there is one available), but immediately after it checks whether removable drives are connected with the computer, and if there are, it drops a copy of itself in a hidden folder, then creates a shortcut to it. “
Trend Micro shows a nice comparison between version. Below is the snapshot of it
ZBOT Earlier Versions vs. Current Versions
Early generation of ZBOT variants creates a folder in %System% folder where it would save the stolen data and configuration file. Users can also find a copy of itself in the said folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites. The strings appended to the hosts file can be seen in the downloaded configuration file. An example of earlier ZBOT versions include TSPY_ZBOT.SMD andTSPY_ZBOT.XMAS.
Current ZBOT variants were observed to create two random-named folders in the %Applications Data% folder. One folder contains the copy of the ZBOT folder while the other folder contains encrypted data. Example of this is TSPY_ZBOT.BBH, which was found to globally on top based from Smart Protection Network.
ZBOT malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier version, the mutex name is randomly generated.
Both variants send DNS queries to randomized domain names. The GameOver variant also opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.
Entire Description can be found here
Self propagation Malware info
