In the past, we reported about the emergence of malware based on the leaked ZeuS code such as Ice IX and ZeuS 2.3.2.0. The usage of the leaked code continued on since then and has resulted in attacks such as the one I’m about to share on.

My colleagues and I have been monitoring another new ZeuS version since the latter part of September, one that we believe is also based on the leaked ZeuS source code. Although this new ZeuS variant seems to have no reference in its code as to its version number, we believe it was developed by the same gang behind LICAT.

This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a variant of the new ZeuS version.

Unlike earlier ZeuS versions that used HTTP to download the configuration file, this version opens a random UDP port and accesses a hardcoded list of IP addresses to download the configuration file.

Read the rest of this entry »

With ZeuS’s source code leakage, we expected more cybercriminals to craft their own HTTP-controlled bots based on ZeuS.

Last week, we started to see the first generation of modified ZeuS variants called Ice IX, based on the said source code. According to the seller’s post on underground forums, one of Ice IX’s main selling points is protection from trackers. Its configuration file cannot be downloaded and analyzed if the request is not from the bot as well although this was not the case.

We recently received another updated variant detected as TSPY_ZBOT.IMQU that we can say belongs to this new generation of ZeuS variants. From its code, this sample is possibly generated by ZeuS version 2.3.2.0.

We believe this is a private version of a modified ZeuS version created by a private professional gang comparable to that responsible for LICAT. Even though we have yet to see someone sell this new toolkit version on underground forums, we expect to see more similar variants in the not-so-distant future.

Unlike Ice IX, this version proved that current trackers may fail to decrypt its configuration file due to its updated encryption/decryption routine. The download method used for the configuration file is similar to ZeuS 2.o variants but this variant does not use RC4 encryption algorithm. Instead, it uses an updated encryption/decryption algorithm that we are still in the process of analyzing.

Read the rest of this entry »

The last time a significant ZeuS/ZBOT development cropped up in the threat landscape, a new ZeuS-LICAT variant was identified. It was also not too long ago when news of a possible merger between the creator of ZeuS and SpyEye made headlines. This time, it is interesting to see an earlier version of the notorious malware recently making its rounds online.

A spammed message, purportedly from the Executive Office of the President of the United States, spreads holiday cheer with a message and links to what is supposedly a greeting card. Clicking the link, however, leads users to a website injected with malicious iframe tags, which Trend Micro detects as HTML_IFRAME.SMAX. Viewing the malicious HTML page leads to the download of a .ZIP file, which contains the malware detected as TSPY_ZBOT.XMAS.

This particular variant exhibits routines that ZeuS version 1.x are known for. Apart from the typical information theft routines, it modifies HOSTS files to prevent affected victims from accessing antivirus-related websites. The technique of using important events to lure potential victims to open the spammed messages is not new either. While some targeted victims may have an idea that the these types of messages may be malicious, some people simply rely on their antivirus programs. The cybercriminals behind this attack took advantage of this fact by ensuring that the file was heavily packed and was not yet detected by most antivirus programs, leaving unknowing users vulnerable.

Trend Micro customers are protected by the Trend Micro™ Smart Protection Network™,  which detects and blocks the malicious components of this threat.

Special thanks to threat analyst Edgardo Diaz, Jr. for initially bringing this threat to light and to anti-spam research engineer Mary Aquino for the spam sample analysis.

Trend Micro has received reports from users about a new, dangerous file infector. This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various servers on the Internet.

Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute.

According to Escalation Engineer Alvin Bacani, whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to the said domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated and even if one or more domains are taken offline, others can take its place.

Systems that are infected and synchronized to the current UTC date and time will compute and contact the same set of domain names.

Based on PE_LICAT.A’s code, the downloaded files are first validated before executed, which is the same technique WORM_DOWNAD employed. Users whose systems have been infected are at risk of downloading more malicious files onto their systems every time PE_LICAT.A is executed.

Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™,  which detects and blocks the said file infector from running. CTO Raimund Genes talks more about this protection in How Analyzing a New Virus Can Lead to Multiple Protections.

Analysis of this threat is ongoing and further details will be provided when they become available.

Update as of October 11, 2010 12:10 p.m. UTC

PE_LICAT.A uses the domain generation algorithm to try and access a live URL. From our monitoring, PE_LICAT.A downloads TSPY_ZBOT.BYZ, a ZeuS variant. Even more interesting, apart from info-stealing routines, TSPY_ZBOT.BYZ also decrypts and executes a malware code in memory: PE_LICAT.A-O‘s. More information about this threat and its relation to ZeuS can be found in the blog entry, ZeuS Ups the Ante with LICAT.

As reported last week, exploits targeting the Windows shortcut zero-day vulnerability have risen in number.

It is also now being used to spread ZBOT variants via malicious attachments to spammed messages, now blocked by Trend Micro products, with the subject Microsoft Windows Security Advisory and the following message:

The message claims to come from Microsoft and suggests that users apply the attached update to protect them from a threat that is currently proliferating in the wild. It even gives the password to the protected .ZIP file attachment as well as instructions for installing the supposed security update. Note, however, that Microsoft has not issued a patch to resolve the said vulnerability, only a “fix tool” which disables .LNK and .PIF.

Upon investigation, we found that the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW.

When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited.

SALITY file infectors are now using this vulnerability as well, as demonstrated by PE_SALITY.LNK-O:

Let us compare the previous commonly used method by USB malware, AUTORUN.INF, to spread:

It should be made clear, however, that malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it.

Update as of August 3, 2010, 3:30 a.m. (UTC-7)

Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.

Additional text by Julius Dizon and Marvin Cruz, Escalation Engineers