New version of Zbot/Zeus found in the wild

Zbot, or Zeus, has been around for many years – at least since 2007 – and has for most of its life been one of the most prolific financial fraud threats on the internet. By the end of 2012 it seemed as if its popularity was being overtaken by alternative malware, such as SpyEye; but Trend Micro predicted at the time that old favorites rarely die, they evolve and carry on.

Now Trend has detected a radically new variant of Zbot. While the old version traditionally spreads through drive-by downloading, where victims are redirected to malicious sites housing exploit kits that deliver the malware, this new version is self-propagating. Once it gets a foothold in a network, it seeks to spread itself within the network via removable drives such as memory sticks. The technique itself isn’t new, and is employed by several other threats; but it is a new departure for Zbot.

“This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document,” reported Trend’s Abigail Pichel in a blog posting yesterday. “If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear...”

But while the victim reads the pop-up, the exploit downloads and runs the Zbot variant. The two main additions to this version are that it includes its own auto-updater, and that it self-propagates via memory sticks. The latter is achieved by “searching for removable drives and then creating a hidden folder with a copy of itself inside this folder, and a shortcut pointing to the hidden ZBOT copy,” writes Pichel.
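The removable-drive pattern Pichel describes (a hidden folder holding the copy, plus a shortcut pointing into it) is something an administrator can check for directly. The following PowerShell triage script is an added example, not code from Trend Micro's report or from the malware; it assumes a Windows host with PowerShell 3 or later, only reports what it finds, and treats the executable extensions it looks for as an assumption.

```powershell
# Added example (not from the Trend Micro report): read-only triage for the
# removable-drive pattern described above. For each removable disk it looks for a
# hidden folder directly under the drive root that contains an executable, and for
# a shortcut (.lnk) in the root whose target or arguments refer to that folder.
# It prints findings; it deletes nothing.

$shell = New-Object -ComObject WScript.Shell

# Assumed set of extensions worth flagging inside a hidden folder
$suspectExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.vbs')

# DriveType 2 = removable disk (USB sticks, SD cards)
$removable = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2"

foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    if (-not (Test-Path $root)) { continue }

    # -Force makes Get-ChildItem return hidden items as well
    $hiddenDirs = Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

    # Shortcuts sitting in the drive root, where a user would see and click them
    $links = Get-ChildItem -Path $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue

    foreach ($dir in $hiddenDirs) {
        $payloads = Get-ChildItem -Path $dir.FullName -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $suspectExt -contains $_.Extension.ToLower() }
        if (-not $payloads) { continue }

        foreach ($lnk in $links) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            # A shortcut can name the payload in TargetPath, or hand it to
            # cmd.exe/rundll32 via Arguments, so inspect both fields
            $refs = "$($sc.TargetPath) $($sc.Arguments)"
            if ($refs -like "*$($dir.Name)*") {
                [PSCustomObject]@{
                    Drive     = $disk.DeviceID
                    Shortcut  = $lnk.Name
                    Target    = $sc.TargetPath
                    Arguments = $sc.Arguments
                    HiddenDir = $dir.Name
                    Payloads  = ($payloads.Name -join ', ')
                }
            }
        }
    }
}
```

Any hit should be handled by taking the drive offline and submitting the flagged files to the organisation's anti-malware vendor rather than by cleaning the drive by hand, since a copy that updates itself may have already changed since it was first written.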

The report doesn’t say whether the act of creating a copy of itself is also used to change the copy’s signature; that is, the characteristic of a malware sample that anti-virus products use to recognize specific threats. It seems likely, however, that it does. The effect of such polymorphic behavior is to stay one step ahead of anti-malware, and it is a device malware often uses successfully to evade detection. The recent infection of Staples in April this year is a case in point.

One thing that isn’t clear yet, however, is whether this change in infection characteristics also marks a change in how Zbot is used. In the past it has been aimed at mass infections, often via large-scale spam phishing. Infection via email attachment, especially when coupled with specific evasion techniques, is more indicative of targeted and possibly APT attacks. Either way, however, Trend warns that this new variant “could mean an increase in ZBOT infections moving forward.”