Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > The Plot Thickens for ZeuS-LICAT
    Oct17
    6:42 am (UTC-7)   |    by

    We have been continuously analyzing this new ZeuS “upgrade” known as LICAT (aka Murofet) for some time now. In this update, I will delve on the monitored URLs and domains that LICAT contacts as well as the latest detection names associated with them.

    The primary difference between LICAT and ZeuS is LICAT’s capability to contact its server using domains generated based on the current date, particularly the year, month, day, and minute. As expected, a number of the generated domains became active and were found to host new or updated versions of LICAT and ZeuS configuration files. Most of the domains, which became live, resolved to already-known ZeuS IP addresses. Below are some grouped (by resolving IP addresses) generated domains.

    Click for larger view

    The domains above were already used to host encrypted configuration files that LICAT downloads and decrypts for use in its information-stealing routine. The configuration file contains a list of the types of information to be stolen, particularly login credentials for conducting various online transactions, as well as instructions on where to upload these.

    Aside from the information-stealing routine the configuration file downloaded from the generated domains, some active domains were also found to host new LICAT or ZeuS malware variants, namely, TSPY_ZBOT.BYZ and PE_LICAT.A-O. The new downloaded samples mostly had different hashes, which are detected via the heuristic detection TSPY_ZBOT.SMEQ. Furthermore, these generated domains can easily be registered by other cybercriminals for use in delivering other malware. This poses a new threat to users and consequently increases the potential for system infection. Indeed, with LICAT’s capability to steal valuable information, it poses a critical threat to user systems and up-to-date virus definitions are a must.

    You can find several discussions on this threat in the following blog entries:

    As we continue to monitor this threat, we will post updates on the Malware Blog. In addition, we are currently working on a more in-depth technical paper that will provide details on the intricacies behind the ZeuS-LICAT plot.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Sunday, October 17th, 2010 at 6:42 am and is filed under Malware . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice