Following on the heels of reports late last year that new variants of the infamous Zeus malware family now include 64-bit versions, researchers have discovered more variants equipped with advanced evasion techniques.
The latest versions of malware also include a user mode rootkit capability which hides the malicious agent’s processes, files, and registry activity.
The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to proliferate. Zeus can lay dormant for long periods of time and can target sensitive information like banking account credentials and authentication codes.
“The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers. This component is embedded at the bottom part of the injected code, along with the 32-bit and 64-bit versions,” the researchers reported.
“To initiate this component, the malware suspends the process svchost.exe and injects it with the Tor component’s code then resumes the process. In doing so, the execution of Tor is masked.”
The Tor component runs as a hidden service and acts as a server, redirecting network traffic on ports 1080 and 5900 to different randomly generated ports, allowing the attacker remote access to the system.
The researchers noted that since the new Zeus variant has only a user mode rootkit and is not able to gain root at the kernal mode, users can view the malware’s activities in Safe Mode, where the associated file can be deleted.
“This 64-bit version for ZeuS/ZBOT is an expected progression for the malware, especially after ZeuS source code was leaked back in 2011,” the researchers stated. “Adding other functionalities such as rootkit capability and the use of a Tor component are further proof that we can see more modifications in the future, particularly those that help circumvent or delay antimalware efforts.”
Categories: Top Security Stories