Dangerous new Zeus malware fools anti-virus

A new and "extremely dangerous" version of the notorious Zeus malware has been discovered with the ability to fool detection systems by hiding behind an apparently legitimate digital signature.

The virus was revealed by US vendor Comodo Antivirus Labs late last week. The company found over 200 unique hits by the malware on its customers, it said in a blog post.

The post's author Kevin Judge said the Zeus variant disguises itself as an Internet Explorer document, which is served via a web page or a phishing email.

It downloads data-stealing malware hidden by a rootkit component, aiming to steal login credentials, credit card and other information that the user keys into a web form.

Judge said the IE file disarms the user – and web browsers and anti-virus systems – “by being digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to ‘isonet ag'.”

“Versions of Zeus have been around for several years, but with a valid digital certificate a browser will not display warning messages and anti-virus systems are much less likely to take action or will give lower levels of warning," he wrote.

"Malware with a valid digital signature is an extremely dangerous situation. A digital signature assures browsers and anti-virus systems that a file is legitimate and not a threat.”

UK-based security expert Richard Moulds, vice president of strategy at Thales e-Security, said if an attacker can sign their malicious code in a way that passes the validation process, "they are a huge step further in mounting an attack.”

“Windows, iOS, Android and Linux all use code-signing to ensure that only legitimate, signed code is installed and executed. Code-signing provides the best mechanism for proving that code hasn't been modified and therefore is a way of spotting malware infected software and rejecting it," he said.

To prevent malware like the new Zeus code defeating the validation process, Moulds said software publishers need to strongly protect the secrecy of the cryptographic keys used to create each signature, and strongly enforce the signing authorisation process – typically using hardware security modules (HSMs) which create a tamper-resistant environment for managing and using keys.

But without an HSM, keys and processes are subject to a host of attacks since they can be ‘seen' in the processor's memory, easily copied and modified, Moulds said.

The Zeus or Zbot Trojan is designed to steal online banking and other sensitive user data.

In February, research from Dell SecureWorks showed Zeus and the related Citadel malware were the two biggest banking botnets of 2013, targeting 900 financial institutions worldwide. Zeus is also used to install the Gameover malware, the CryptoLocker ransomware and its more recent but flawed lookalike CryptoDefense.

This article originally appeared at scmagazineuk.com