    Last September, several individuals were arrested for using information-stealing Trojans created with the well-known ZeuS toolkit. Following this, security researchers anticipated the inevitable “upgrade” to the toolkit/Trojans that would allow cybercriminals to continue their money-making ploy. Soon enough, we received reports on a ZeuS Trojan that Trend Micro detects as TSPY_ZBOT.BYZ, with the following new features:

    1. Trojanizing .EXE files (turning them into PE_LICAT.A) to keep the malware updated and make it more difficult to remove
    2. Contacting pseudorandomly generated domains, à la DOWNAD/Conficker, to avoid easy takedown

    Over the past few weeks, we have been working on completing a comprehensive report on this new ZeuS upgrade. This includes an analysis of its runtime decompression/deobfuscation stub, a decryption of the configuration file it used for its information-stealing payload, an identification of the command-and-control (C&C) servers it used, and an in-depth study of the above-mentioned file infection and domain generation algorithm (DGA).

    Earlier this week, reports on the supposed SpyEye and ZeuS toolkit merger came out. The result of this merger may be a hybrid toolkit that uses the best features of both SpyEye and ZeuS.

    The full analysis in the report, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up,” is the result of the collaborative effort of TrendLabs engineers/researchers Alvin Bacani, Mark Anthony Balanza, Feike Hacquebord, Marco Dela Vega, Julius Dizon, Patrick Estavillo, Jasper Manuel, Loucif Kharouni, David Sancho, Ben April, Kevin Stevens, Ryan Flores, Ivan Macalintal, and Robert McArdle.

    We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice