Last September, several individuals were arrested for using information-stealing Trojans built with the well-known ZeuS toolkit. Security researchers then anticipated the inevitable “upgrade” to the toolkit and its Trojans that would allow cybercriminals to keep their money-making scheme running. Soon enough, we received reports of a ZeuS Trojan, which Trend Micro detects as TSPY_ZBOT.BYZ, with the following new features:
- Trojanizing .EXE files on the infected system (turning them into PE_LICAT.A), which both keeps the malware updated and makes it more difficult to remove
- Contacting pseudorandomly generated domains, à la DOWNAD/Conficker, so that the command-and-control infrastructure cannot be taken down by blocking a fixed list of hosts
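The second bullet is the part defenders care about most, so here is an added example of how a time-seeded domain generation algorithm (DGA) works and why it only defeats takedowns until the algorithm is reverse engineered. This is illustrative code written for this post, not LICAT's actual algorithm (which this entry does not describe); the seed, hash function, label length, TLD list and domain count are all assumptions chosen for the demonstration.

```python
import hashlib
from datetime import date, timedelta

# Assumed TLD list for the demonstration; the real malware's list is not given here.
TLDS = ("com", "net", "org", "info", "biz")


def generate_domains(day: date, count: int = 20, seed: bytes = b"demo-seed") -> list[str]:
    """Hypothetical DGA: derive `count` candidate C&C domains from the calendar date.

    The bot and the operator share only the algorithm and the seed; no prior
    communication is needed for both sides to agree on today's rendezvous points,
    so blocking yesterday's domains does nothing against tomorrow's.
    """
    domains = []
    for i in range(count):
        material = seed + day.strftime("%Y%m%d").encode() + i.to_bytes(4, "little")
        digest = hashlib.md5(material).hexdigest()
        label = digest[:12]                        # 12 hex characters as the host label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_domains(start: date, days: int, count: int = 20) -> set[str]:
    """Defender's view: once the algorithm and seed are recovered from the binary,
    every future domain can be computed in advance and sinkholed or blocked."""
    known = set()
    for offset in range(days):
        known.update(generate_domains(start + timedelta(days=offset), count))
    return known


def flag_nxdomain_hosts(dns_log: list[tuple[str, str, str]], threshold: int = 10) -> list[str]:
    """Generic DGA heuristic over (client, qname, rcode) records: a bot walking a
    list of mostly unregistered domains produces a burst of NXDOMAIN answers.

    Returns the clients whose NXDOMAIN count meets the threshold.
    """
    counts: dict[str, int] = {}
    for client, _qname, rcode in dns_log:
        if rcode == "NXDOMAIN":
            counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


def demo() -> tuple[list[str], set[str], list[str]]:
    """Tie the pieces together on constructed data."""
    today = date(2010, 10, 18)
    bot_list = generate_domains(today)
    # Analyst precomputes a four-week window starting two weeks back.
    blocklist = precompute_domains(today - timedelta(days=14), 28)
    # Constructed DNS log: one bot querying the DGA list, one normal client.
    log = [("10.0.0.5", d, "NXDOMAIN") for d in bot_list[:-1]]
    log.append(("10.0.0.5", bot_list[-1], "NOERROR"))   # the one registered C&C domain
    log += [("10.0.0.9", "www.example.com", "NOERROR")] * 5
    return bot_list, blocklist, flag_nxdomain_hosts(log)


if __name__ == "__main__":
    domains, blocklist, suspects = demo()
    print("today's DGA domains:", domains[:3], "...")
    print("all in precomputed blocklist:", all(d in blocklist for d in domains))
    print("hosts flagged by NXDOMAIN burst:", suspects)
```

The point of the example is the asymmetry: the algorithm is cheap for the bot, but once it is extracted, `precompute_domains` hands the defender the same list for any date range, which is exactly how DOWNAD/Conficker domains were pre-registered. The NXDOMAIN heuristic is a coarse, algorithm-independent fallback for the period before the DGA has been reversed; real deployments would tune the threshold and window to their own DNS baseline.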
Over the past few weeks, we have been completing a comprehensive report on this new ZeuS upgrade. It covers an analysis of the runtime decompression/deobfuscation stub, the decryption of the configuration file that drives the information-stealing payload, the identification of the command-and-control (C&C) servers the malware used, and an in-depth study of the file infection and domain generation algorithm (DGA) mentioned above.
The full analysis in the report, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up,” is the result of the collaborative effort of TrendLabs engineers/researchers Alvin Bacani, Mark Anthony Balanza, Feike Hacquebord, Marco Dela Vega, Julius Dizon, Patrick Estavillo, Jasper Manuel, Loucif Kharouni, David Sancho, Ben April, Kevin Stevens, Ryan Flores, Ivan Macalintal, and Robert McArdle.
We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:
- File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
- ZeuS Ups the Ante with LICAT
- ZeuS’ Response to Automated Analysis
- The Plot Thickens for ZeuS-LICAT
- ZeuS, Still a Threat; Now Also Spreading Through LICAT