Comodo Antivirus Labs has identified a new and extremely dangerous variant of the Zeus banking Trojan. Hackers use Zeus to launch attacks that obtain the login credentials of visitors to online banking sites and commit financial fraud. The significance of this variant is its combination of a legitimate digital signature, a rootkit and a malware component. Malware carrying a valid digital signature is an extremely dangerous situation.
A digital signature assures browsers and antivirus systems that a file is legitimate and not a threat. Versions of Zeus have been around for several years, but with a valid digital certificate, antivirus systems are much less likely to take action or will give lower levels of warning.
The Comodo team identified the Zeus variant because they continuously monitor and analyze scan data from the users of Comodo’s internet security systems. They have found over 200 unique hits for this Zeus variant from those users so far.
Zeus is distributed to a wide audience, primarily through infected web page components or through email phishing. The phishing emails appear to be from a trusted source, such as a major bank, but are actually from hackers.
A Typical Attack
The type of attack launched by Zeus is called a “Man-in-the-Browser” (MitB) attack. The hackers are sent the information required to create a remote session in which they can see exactly what the victim is doing and interfere with their actions without their knowledge.
For example, if the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally. The payment information they keyed in will display as expected, but behind the scenes the hackers alter the transaction and send it to another account, possibly with a larger amount.
The hackers work with “Money Mules” who establish bank accounts using false credentials and receive a commission for handling ill-gotten gains.
Protecting from Zeus
To stay protected from such threats, install Comodo Internet Security and make sure to keep all of its real time shields enabled.
There are three components to an attack launched by Zeus:
- The Downloader: Delivered to the user's system by an exploit or an attachment in a phishing email. It downloads the rootkit and malware components of the attack.
- The Malware: In this case it is a data stealer, the program that steals valuable user data (login credentials, credit card information, etc.) that the user keys into web forms.
- The Rootkit: Hides the installed malware component, protecting it from detection and removal.
Comodo first learned of the variant from a sample submitted by a Comodo user. It attempts to trick the user into executing it by presenting itself as some type of Internet Explorer document, using an icon similar to the Windows browser's. What is alarming is that the file is digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to “isonet ag”.
Upon running, the file copies itself into memory, appends the full path it was executed from to the end of the file, and writes the result to %temp%\tahol.exe.
That file is then executed and the installer exits.
Next, the executed file tries to download rootkit components from two web locations, lovestogarden.com/images/general/TARGT.tpl and villaveronica.it/images/general/TARGT.tpl.
After decrypting the downloaded payload, the rootkit is installed in the “Boot Bus Extender” load-order group to make sure it loads before other drivers. Its purpose is to protect the malicious files and autorun entries from being deleted by the user or by antivirus software, making removal more difficult.
The protected executable added to startup is a variant of the known Zbot banking Trojan, designed to retrieve banking and other sensitive data from the user’s computer.
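As an added defender-side example (not Comodo's code and not taken from the sample), the following Python script checks for the trait described in the installation steps above: a PE file whose overlay, the bytes appended after the last section's raw data, is a Windows path recording where the original was executed from. The overlay parser, the path check and the constructed one-section sample PE are all assumptions of this example; the post does not state how the path is encoded, so both UTF-16LE and ASCII are tried.

```python
import re
import struct

# Assumed shape of the appended origin path (drive letter, colon, backslash, no NULs).
PATH_RE = re.compile(r"^[A-Za-z]:\\[^\x00]{1,259}$")

def pe_overlay(data: bytes) -> bytes:
    """Return whatever follows the last section's raw data (the PE overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size          # section headers follow the optional header
    end = 0
    for i in range(num_sections):             # SizeOfRawData, PointerToRawData at +16 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:] if end < len(data) else b""

def overlay_origin_path(data: bytes):
    """Return the overlay decoded as a Windows path if it looks like one, else None."""
    tail = pe_overlay(data)
    for enc in ("utf-16-le", "ascii"):        # assumption: one of these encodings is used
        try:
            text = tail.decode(enc).rstrip("\x00")
        except UnicodeDecodeError:
            continue
        if PATH_RE.match(text):
            return text
    return None

def build_minimal_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: a one-section PE32 skeleton, optionally with an overlay appended."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after the DOS header
    opt = bytes(224)                                # zeroed PE32 optional header (size only matters here)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = 512                                   # first file-aligned slot after the headers
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sec
    img += bytes(raw_ptr - len(img)) + section_data + overlay
    return bytes(img)
```

A file whose overlay is such a path is a hint of the self-copy behaviour described above, not proof of infection; confirm by comparing it against the %temp% copy and its signer.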