Sep 27, 7:32 pm (UTC-7) | by Roland Dela Paz (Threat Response Engineer)
One of the “standard” behaviors of ZeuS/ZBOT Trojans is downloading a configuration file. This configuration file contains details on the bot’s routines, such as which sites to target, which URLs to access to download an updated copy of itself, which URLs to send stolen information to, and which URLs to access to download additional/backup configuration files.
Recently, however, I’ve been seeing ZeuS variants whose default configuration file references a suspicious list of URLs from which it can download backup configuration files.

This particular list is from a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BVQ. The list in its configuration file is longer than that of typical ZeuS variants, and the domain names looked atypical. When I checked, all of these URLs were already inaccessible and most of the domains were unregistered.
In addition, the list of URLs does not include {BLOCKED}ikal.com, where its drop zone and updated copy are located. In typical ZeuS variants, the drop zone, the updated copy, and the configuration files are all hosted on the same domain.
Checking the code of the malware itself revealed that the malware does actually download its main configuration file from http://{BLOCKED}ikal.com/eu5.bin.

From what I can see, the cybercriminals using ZeuS did this intentionally to prevent security researchers from easily gathering information on their activities. Alternatively, these extra URLs can be used as backup update locations, in case the main location is taken down.
Furthermore, I found that the more recent ZeuS variants no longer run in a virtual machine environment, meaning that security researchers now need to exert more effort to test ZeuS samples in actual Windows environments. Clearly, efforts by antivirus companies are taking their toll on cybercriminal operations and are forcing criminals to make analysis more difficult.
All things considered, this is really not unexpected. ZeuS is still a continuing threat and it continuously evolves to become more dangerous and elusive.
For more information on ZeuS, you may check out our report, Zeus and Its Continuing Drive Toward Stealing Online Data. You may also consult our white paper on ZeuS, ZeuS – A Persistent Criminal Enterprise.
Update as of September 29, 2010, 6:15 PM UTC-7
Upon further analysis, the malware does not directly detect virtual machines. It queries the affected machine’s system information via the ZwQuerySystemInformation API with the SystemProcessorInformation information class. It then checks the system’s ProcessorLevel (a value defined by the CPU vendor) against a specific value. If the ProcessorLevel matches, it does not continue its execution.
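For analysts who want to see why a sample stops in their sandbox, the following PowerShell script (an added example, not code from the original post or from the malware) reads the same SYSTEM_PROCESSOR_INFORMATION structure through ZwQuerySystemInformation and prints the ProcessorLevel the machine reports, alongside the value exposed through the PROCESSOR_LEVEL environment variable and WMI as a cross-check. Run it on the analysis VM and on a physical host and compare; the structure layout and the information-class value 1 are taken from the public NT headers, and the field name MaximumProcessors is assumed (some headers call it Reserved; the layout is the same).

```powershell
# Added example: report the ProcessorLevel a sample querying
# ZwQuerySystemInformation(SystemProcessorInformation) would observe.

$signature = @"
using System;
using System.Runtime.InteropServices;

public static class NtQuery
{
    // Layout of SYSTEM_PROCESSOR_INFORMATION (12 bytes) from the NT headers.
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_PROCESSOR_INFORMATION
    {
        public ushort ProcessorArchitecture;
        public ushort ProcessorLevel;
        public ushort ProcessorRevision;
        public ushort MaximumProcessors;   // assumed name; documented as Reserved in some headers
        public uint   ProcessorFeatureBits;
    }

    [DllImport("ntdll.dll")]
    public static extern int ZwQuerySystemInformation(
        int systemInformationClass,
        ref SYSTEM_PROCESSOR_INFORMATION systemInformation,
        int systemInformationLength,
        out int returnLength);
}
"@
Add-Type -TypeDefinition $signature

# SystemProcessorInformation is information class 1.
$SystemProcessorInformation = 1

$info = New-Object 'NtQuery+SYSTEM_PROCESSOR_INFORMATION'
$size = [Runtime.InteropServices.Marshal]::SizeOf($info)
$returned = 0
$status = [NtQuery]::ZwQuerySystemInformation($SystemProcessorInformation, [ref]$info, $size, [ref]$returned)
if ($status -ne 0) {
    throw ("ZwQuerySystemInformation failed, NTSTATUS 0x{0:X8}" -f $status)
}

# Show the value the sample compares, plus two independent sources of the same field.
[pscustomobject]@{
    ProcessorArchitecture = $info.ProcessorArchitecture
    ProcessorLevel        = $info.ProcessorLevel
    ProcessorRevision     = ("0x{0:X4}" -f $info.ProcessorRevision)
    EnvProcessorLevel     = $env:PROCESSOR_LEVEL
    WmiLevel              = (Get-CimInstance Win32_Processor | Select-Object -First 1).Level
}
```

If the ProcessorLevel on the VM differs from the one on physical hosts, that difference is the more likely reason a sample refuses to run than any direct hypervisor detection, which is the point of the update above.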
13 Responses to “ZeuS Trojan Now Uses False Configuration URLs”
Trackbacks
- ZeuS Now Uses False Download URLs | Malware Blog | Trend Micro | Jared Rimer’s Technology blog and podcast
- TrendLabs (TrendLabs)
- pcscomputing (Ian Robson)
- nartv (Nart Villeneuve)
- ZeuS Trojan Now Uses False Configuration URLs
- TrendLabs (TrendLabs)
- OfficeScan (OfficeScan)
- jimmodo (James O'Donnell)
- 2020plus1 (Alan Potts)
- AllenHarkleroad (AllenHarkleroad)
September 28th, 2010 at 2:11 pm
Hi Roland,
This is Atif Mushtaq; I am a security researcher working for FireEye. Nice article. Would you mind sharing ZBOT samples which detect VMs? I tried the TSPY_ZBOT.BVQ but it doesn't seem to detect VMs. If sample sharing is not possible, then MD5s might work (if the sample exists on VirusTotal). I can download it from there.
Thanks,
Atif Mushtaq
September 29th, 2010 at 11:45 am
Love the analysis, but if you are going to blur the URL then you should blur the Hex value as well. Otherwise good cover.
September 29th, 2010 at 7:01 pm
@Atif
Hi, Atif, we posted an update on this; see above. After further reversing, it appears the malware is only checking a specific value of the affected machine's ProcessorLevel, which, unfortunately, matches the value in the virtual machine I tested this on. If you need more technical details on this, I can discuss it through email.
MD5s are:
17fc2ab1c102ba1b6518dafe6614a9e3
4af2ec7f2e8b7e262e45a978bf9dd82c
f3a49e29fdef2471816220aa373be16b
Thanks for this!
@Matt
Thanks, Matt! Actually, we blur malicious URLs specifically for readers with minimal knowledge of security, so that they would not accidentally visit the sites. Otherwise, someone who knows how to convert hex to ASCII would most probably know something about security. But I appreciate your concern!