As we mentioned earlier this week, information stealers were still the most serious threat in 2010 and will probably be so moving forward. There were three major developments in this area in 2010.
ZeuS 2.0 Emerged
The ZeuS/ZBOT family of information stealers released a new version in the first half of the year. ZeuS 2.0 made significant under-the-hood changes to the already successful ZeuS family of malware.
In terms of actual information theft, the differences were relatively modest. Before, support for newer versions of Windows such as Windows Vista and Windows 7, or for alternative browsers like Mozilla Firefox, was not integrated into the toolkit's “core” functionality; ZeuS 2.0 made this standard.
The big changes in ZeuS 2.0 were meant to make it stealthier. Where ZeuS 1.x versions used fixed file names (which sometimes changed from version to version), version 2.0 used random names, so detection could no longer rely on them. Similarly, mutexes used pseudo-randomly generated GUID names. (Besides improving stealth, these changes allowed multiple ZeuS infections to coexist on one machine, which was not the case with 1.x.) The encryption ZeuS used was also strengthened.
In addition to (temporarily) making ZeuS more difficult to detect, these steps also made gathering threat intelligence somewhat more difficult, although the security industry has since learned how to deal with ZeuS 2.0's increased sophistication.
We discussed ZeuS 2.0 in the following blog posts:
ZeuS Competitors Appeared (and Took Over?)
ZeuS’ success continued into 2010, which may have fertilized the ground for its competitors. The price for a ZeuS toolkit rose to as high as US$8,000 for the basic package without any additional features. Additional modules and features can push the price up to as high as US$20,000. This led to the appearance of more information-stealers in 2010, the foremost of which was SpyEye.
The origins of SpyEye date back to 2009, though it only caught our attention for the first time when one of our analysts found a SpyEye variant. This particular variant was noteworthy because it terminated known ZeuS processes, eliminating the competition, so to speak. SpyEye was, and still is, cheaper than ZeuS: the basic package costs only US$1,000, and additional features can raise the overall price tag to US$2,500. In both cases, that is far less than ZeuS toolkits.
Further investigation led to our discovery of multiple SpyEye control panels, which we documented in:
- Uncovered Spyeye C&C Server Targets Polish Users
- One Server, Multiple Botnets
- The SpyEye Interface, Part 1: CN 1
- The SpyEye Interface, Part 2: SYN 1
Eventually, SpyEye “won.” On October 1, an international effort codenamed Operation Trident Breach led to the shutdown of a ZeuS gang and the arrest of over a hundred people, including some of the gang's ringleaders. It is probably not a coincidence that within weeks, ZeuS' author (known as Slavik or Monstr) announced his “retirement” and passed ZeuS on to the SpyEye author, Gribodemon or Harderman. An official merger has been announced, though this does not appear to have been implemented yet. However, speculation is rife that Slavik will actually continue to write malware for his higher-paying elite clients.
ZeuS’ New Tricks
In October, Trend Micro first found samples of a new ZeuS variant, TSPY_ZBOT.BYZ, that had unusual routines. In addition to its normal information theft routines, it also infected executable files on systems—a behavior not usually seen in previous ZeuS variants. These infected files, in turn, used a dynamic domain generation algorithm (DGA) to download malicious files (including the original ZeuS variant) from various websites.
This was a dangerous development, as the last malware to use DGA download routines was DOWNAD/Conficker. In-depth analysis revealed a well-engineered threat; the results were documented in our white paper, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up.”
We continue to see new ZeuS variants that use the techniques first seen in TSPY_ZBOT.BYZ, with different seed values for their DGAs (which change the domains generated). This indicates that the tactic has become “standard” for at least some syndicates.
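A defender-side illustration of the seed point above, added here as an example and not code from Trend Micro or from the white paper: a constructed seeded DGA, the blocklist a defender pre-computes once the algorithm and seeds are recovered from a sample, and a match against constructed DNS log lines. The hashing scheme, the seed values, the TLD list and the log format are all assumptions; the real TSPY_ZBOT.BYZ algorithm is not reproduced.

```python
import hashlib
from datetime import date

# Constructed values for this example; the real TSPY_ZBOT.BYZ seeds and
# algorithm are not reproduced here.
SAMPLE_DAY = date(2010, 10, 1)
KNOWN_SEEDS = (0x1337, 0xBEEF)
TLDS = ("com", "net", "org", "info", "biz")

def generate_domains(seed, day, count=10):
    """Illustrative seeded DGA: hash seed + date + index into a 12-letter label.
    Changing only the seed changes every domain, which is what the post means
    by variants that differ in seed value."""
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains

def build_blocklist(seeds, day, count=10):
    """Defender side: once the algorithm and seeds are recovered from a sample,
    pre-compute the day's domains for sinkholing or DNS blocking."""
    return {d for s in seeds for d in generate_domains(s, day, count)}

def find_dga_lookups(dns_log_lines, blocklist):
    """Return (client, qname) for each line whose query is on the list.
    Assumed log format: '<timestamp> <client-ip> <queried-name>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")  # normalise case and FQDN dot
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits

def constructed_dns_log(seed, day):
    """Constructed DNS log: two benign lookups and one lookup of a domain
    generated from the given seed (upper-cased, with a trailing dot)."""
    dga_domain = generate_domains(seed, day)[3]
    return [
        "2010-10-01T09:00:01 10.0.0.5 www.example.com",
        f"2010-10-01T09:00:02 10.0.0.7 {dga_domain.upper()}.",
        "2010-10-01T09:00:03 10.0.0.5 update.example.net",
    ]
```

A seed that analysis has not yet recovered (here 0x4242) produces domains that miss the blocklist entirely, which is why each newly seeded variant has to be analysed before its traffic can be blocked this way.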
Taken together, these developments highlight our predictions for 2011—malware threats are becoming more advanced in terms of tactics. This is particularly true for information-stealers, for which stealth and escaping notice are particularly important.