Zeus dropper causes computers to be re-infected

Warnings have been made about a new plug-in for the Zeus Trojan that allows PCs to be constantly re-infected with fresh malware.

Initially discovered by Trend Micro at the start of this month, PE_LICAT.A-O injects itself into an executable process that causes it to become memory-resident and any file executed afterwards becomes infected with malicious code.

Trend Micro said that every time PE_LICAT.A is executed, it attempts to download files from top-level domains including biz, com, info, org and net, which it tries to do a maximum of 800 times.

The vendor claimed that the downloader file shows certain behaviours often associated with Zeus, but the capability to act as a downloader is not a functionality seen in Zeus to date.

Rik Ferguson, senior security advisor at Trend Micro, called this the ‘evolution of Zeus', with an addition that is either a new Zeus component, or a plug-in that has been developed and gives Zeus the ability to be a file infector and also to become a dropper so it has download capabilities.

He said: “We think it is being driven by downloads, when the ‘master infector file' is downloaded it infects all of the .exe files on the system and when any of those files are run then it will download a fresh copy of Zeus. So we think its prime purpose is to prolong infection, so somehow you get infected, you clean up and get re-infected with Zeus.

“Microsoft added it to the malicious software removal tool (MSRT) this week and removed around 200,000 globally. The problem with Zeus is that the average detection rate across the security industry is 50 per cent, so even if Microsoft removes it, it is a simple job for criminals to change what those files look like.”

Trusteer called the developments ‘version 2.1' and said that like commercial application developers, the creators of Zeus run an R&D programme to ensure it can avoid detection and side-step the growing number of IT security mechanisms designed to detect, block and eliminate it.

Mickey Boodaei, CEO of Trusteer, said: “While commercial software needs to undergo extensive quality assurance processes before being released, Zeus has the luxury of pushing rapid updates without worrying too much about software quality.

“The big question is how long can Zeus stay in pole position in the malware fraud charts? Our researchers suggest that, given its ability to be morphed and enhanced, it's going to be some while yet before other malware gets a look-in at the top spot. This means that hackers have a vested interest to keep Zeus ahead of the game as far as its ability to defraud, forcing them to improve and increase their effort all the time to avoid losing the cyber criminal business.”

See original article on scmagazineus.com