We’ve been spending some time looking into TSPY_ZBOT.BYZ—the ZeuS variant that was used in the recent LICAT file infector attack.
Aside from the behaviors noted in previous blog posts (File Infector Uses Domain Generation Technique Like DOWNAD/Conficker and ZeuS Ups the Ante with LICAT), TSPY_ZBOT.BYZ also uses techniques designed to avoid automatic heuristics-based detection. For example, common ZeuS 2.0 variants contain relatively few imported external APIs. (ZeuS 2.0 refers to variants of the ZeuS banking malware that have been spotted since the start of the year with improved information theft routines. They have been discussed in the previous blog posts At A Glance: New ZeuS Variants and A Look at ZBOT 2.0 Information Theft.)
By contrast, TSPY_ZBOT.BYZ imports many external APIs. To a heuristic scanner, this changes the appearance of the file and lowers the possibility of detection.
In addition, TSPY_ZBOT.BYZ is compressed somewhat differently from other ZeuS 2.0 variants. No difference is easily visible to the human eye, but the calculable entropy of these samples is quite different. Related encrypted and packed malware samples will have similar entropy values, something that can be used both in analysis and in heuristic detection.
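As an added illustration of the entropy heuristic described above (not code from the original post), the following Python script computes Shannon entropy over a constructed sample, flags the windows that look packed or encrypted, and compares two samples' overall entropy; all sample bytes are synthetic stand-ins for real binaries, and the 7.0-bit threshold and 0.2-bit tolerance are assumed values, not ones the post states.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a non-overlapping window over data and return (offset, entropy) for
    every window above threshold, i.e. regions that look packed or encrypted."""
    regions = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            regions.append((off, round(h, 2)))
    return regions


def entropy_similar(a: bytes, b: bytes, tolerance: float = 0.2) -> bool:
    """True when two samples' overall entropies lie within tolerance bits of each other."""
    return abs(shannon_entropy(a) - shannon_entropy(b)) <= tolerance


def _pseudo_random(n: int, seed: int) -> bytes:
    # Deterministic stand-in for an encrypted/packed region (constructed, not real malware).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample "file": 2048 bytes of plain text followed by 2048 bytes that
# look encrypted. No real binary is read; this is synthetic input for illustration.
TEXT_REGION = (b"The quick brown fox jumps over the lazy dog. " * 50)[:2048]
PACKED_REGION = _pseudo_random(2048, seed=1)
SAMPLE_A = TEXT_REGION + PACKED_REGION
# A second sample packed the same way but carrying different content.
SAMPLE_B = TEXT_REGION + _pseudo_random(2048, seed=2)

if __name__ == "__main__":
    print("text region entropy  :", round(shannon_entropy(TEXT_REGION), 2))
    print("packed region entropy:", round(shannon_entropy(PACKED_REGION), 2))
    print("high-entropy windows :", high_entropy_regions(SAMPLE_A))
    print("A ~ B:", entropy_similar(SAMPLE_A, SAMPLE_B))
```

Related samples packed the same way share a similar entropy profile even when their bytes differ, which is why a changed packer, as in TSPY_ZBOT.BYZ, shifts the value a heuristic compares against.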
TSPY_ZBOT.BYZ is also designed to make analysis in sandboxed environments more difficult. Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate.
Another routine especially worth noting is that TSPY_ZBOT.BYZ conducts an integrity check by searching for the string “DAVE” in its configuration file before performing its malicious routines. We are currently conducting further investigation on this routine and we will release an update as soon as information becomes available.
Update as of October 13, 2010, 6:00 PM (UTC – 7)
Clarification has been made with regard to the malware’s behavior in sandboxed systems.
Update as of October 14, 2010, 2:00 AM (UTC – 7)
Some of the domains used in these ZeuS attacks are now live and spreading new ZeuS variants. These variants show behavior similar to the original TSPY_ZBOT.BYZ sample and are being proactively detected as TSPY_ZBOT.SMEQ. These active domains are also being blocked.
These new variants show the impact of TSPY_ZBOT.BYZ being able to avoid heuristic detection. Determining the relationship between TSPY_ZBOT.BYZ and the new variants would become harder; correspondingly, the new variants would be more difficult to detect. However, our smart patterns are able to deal with this and detect these new variants accordingly.
To properly guard against this threat, conventional antivirus is not sufficient. Both improved detection techniques and proactive blocking of the websites, working together, can protect users.