Zeus variant uses encryption to evade detection

A Zeus variant that uses encryption mechanisms to remain undetected has been identified by researchers.

According to Kan Chen, a junior AV analyst with Fortinet's FortiGuard Labs, the malware dubbed “Lite Zeus” is distinct from other versions of Zeus, like Gameover, due to its network communication, command-and-control protocol and encryption techniques.

According to Chen’s recent blog post, Lite Zeus only uses transmission control protocol (TCP) communication to send or retrieve information from its control hub, Chen wrote, and it is capable of performing a number of feats, including causing operating systems to shutdown or reboot.

Attackers can also update the botnet at will to carry out other malicious activities of their choosing, the blog post said.

Chen also revealed that the “lite” version of Zeus employs AES-128, instead of older encryption cipher RC4.

“In many other Zeus variants, RC4 has been widely used in data encryption and decryption due to its fast speed and easy implementation,” Chen wrote.

“Surprisingly, this Zeus variant does not use RC4, but implements AES-128 instead.”

Chen told SC Magazine that, following the Gameover Zeus' takedown, other Zeus variants “definitely took over the market temporarily.”

Despite the Gameover botnet disruption earlier this month, where law enforcement named and indicted the botnet's alleged administrator Evgeniy Bogachev, other versions of the banking trojan, like “Maple,” have been adopted by criminals.

Maple, which targeted users in Canada, also employs AES-128 encryption.

“This Lite Zeus is similar to Maple,” Chen wrote. “There are also other types of Zeus variants taking over the Gameover Zeus market [and] Lite Zeus is one of them. As for the AES-128 encryption, it could be a future trend of some Zeus variants. However, the Zeus author could always decide which encryption to use in the future since the Zeus library is released publicly.”