The Mutation of ZeuS

Researchers at TrendMicro (and elsewhere) have identified changes to the infamous ZeuS trojan and to how it is propagated. The new method involves another piece of malware, named Licat, which uses techniques pioneered by the Conficker worm to try to contact its command and control (C&C) hosts: rather than carrying a fixed list of C&C addresses, it generates a long list of pseudorandom candidate domain names and attempts to resolve each one. When Licat successfully reaches a C&C host, it downloads a new variant of ZeuS from it.

As the TrendMicro researchers point out, the new ZeuS variant is far stealthier than its predecessors, and Licat's calling-home technique defeats most domain reputation services: because the domain names it tries to resolve are pseudorandom strings produced by an algorithm, they are generated fresh and carry no history for a reputation service to score. Together these facts mean that it will be far harder for organizations to identify whether they have compromised machines on their networks, and extremely difficult for most existing anti-malware solutions to block an infection, or even to alert administrators that one has occurred.

ThreatSTOP, however, will remain just as effective against this ZeuS variant as it has been against previous ones, because it blocks the actual IP addresses that Licat's pseudorandom domain algorithm points to when the algorithm works. (Part of the skill in the Licat/Conficker approach is that most of the domains the malware tries to resolve will fail to resolve at all; it only needs one success to fetch the new ZeuS payload.) As was pointed out in the previous post on this blog, the IP addresses used by the criminals tend to be a fairly small set that is reused in different ways. Thus the chances are extremely high that the IP address a Licat-infected machine tries to download the new ZeuS trojan from will already be in our blocklists.
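As an added example (not code from the original post, nor from ThreatSTOP or TrendMicro), the following Python sketch makes the two points above concrete: why pseudorandom domain names defeat a domain-reputation blocklist while the resolved IP address is still catchable, and how the resulting DNS pattern (many NXDOMAIN answers for high-entropy names) can be spotted in a resolver log. The generator `toy_dga` is a hypothetical stand-in for Licat's real algorithm, which the post does not describe; the seed date, the registered name, the `192.0.2.x` addresses (TEST-NET-1), the log lines and the detection thresholds are all constructed for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date

# Hypothetical date-seeded generator standing in for Licat's real DGA, which the
# post does not describe. It only reproduces the shape of the problem: a fresh,
# pseudorandom list of names every day, most of which are never registered.
def toy_dga(day, count, tld=".com"):
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(label + tld)
    return names

# Constructed stand-in for DNS: only the names the operator registered resolve.
def make_resolver(registered):
    return lambda name: registered.get(name)  # None stands for NXDOMAIN

def simulate_callback(candidates, resolve, domain_blocklist, ip_blocklist):
    """Walk the candidate list the way the infected host would, applying a
    domain-reputation blocklist first and an IP blocklist second. Returns the
    tally and the first (name, ip) pair the host was actually able to reach."""
    tally = {"nxdomain": 0, "domain_blocked": 0, "ip_blocked": 0, "reached": None}
    for name in candidates:
        if name in domain_blocklist:
            tally["domain_blocked"] += 1
            continue
        ip = resolve(name)
        if ip is None:
            tally["nxdomain"] += 1
            continue
        if ip in ip_blocklist:
            tally["ip_blocked"] += 1
            continue
        tally["reached"] = (name, ip)  # the ZeuS download would succeed here
        break
    return tally

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def flag_dga_clients(log_lines, min_nxdomain=20, min_entropy=2.8):
    """Flag clients whose DNS traffic looks like a DGA beacon: many NXDOMAIN
    answers for high-entropy labels. Log format (constructed): client qname rcode.
    The thresholds are assumptions chosen for the sample data, not tuned values."""
    per_client = defaultdict(lambda: {"nx": 0, "entropies": []})
    for line in log_lines:
        client, qname, rcode = line.split()
        rec = per_client[client]
        rec["entropies"].append(shannon_entropy(qname.split(".")[0]))
        if rcode == "NXDOMAIN":
            rec["nx"] += 1
    flagged = set()
    for client, rec in per_client.items():
        mean_entropy = sum(rec["entropies"]) / len(rec["entropies"])
        if rec["nx"] >= min_nxdomain and mean_entropy >= min_entropy:
            flagged.add(client)
    return flagged

# --- constructed scenario (all values are made up for the example) ---------
TODAY = date(2010, 10, 12)                       # constructed seed date
CANDIDATES = toy_dga(TODAY, 50)
REGISTERED = {CANDIDATES[37]: "192.0.2.10"}      # operator registered one of today's names
RESOLVE = make_resolver(REGISTERED)
STALE_DOMAINS = set(toy_dga(date(2010, 10, 11), 50))  # yesterday's names: already useless
IP_BLOCKLIST = {"192.0.2.10", "192.0.2.11"}      # constructed C&C addresses (TEST-NET-1)

def build_sample_log():
    lines = [f"10.0.0.5 {n} {'NOERROR' if n in REGISTERED else 'NXDOMAIN'}" for n in CANDIDATES]
    lines += [f"10.0.0.7 {n} NOERROR" for n in ("www.example.com", "mail.example.com", "github.com")]
    lines += ["10.0.0.9 printer NXDOMAIN"] * 25   # misconfigured host: noisy but low entropy
    return lines

if __name__ == "__main__":
    print("domain blocklist only:", simulate_callback(CANDIDATES, RESOLVE, STALE_DOMAINS, set()))
    print("ip blocklist added:   ", simulate_callback(CANDIDATES, RESOLVE, STALE_DOMAINS, IP_BLOCKLIST))
    print("flagged clients:", flag_dga_clients(build_sample_log()))
```

With only yesterday's domain names on the blocklist, nothing is blocked and the host reaches the one registered name after 37 failures; with the C&C address on the IP blocklist the same walk ends with every name either NXDOMAIN or blocked and nothing reached. The log check flags only the beaconing host: the clean host never sees NXDOMAIN, and the misconfigured host that repeatedly queries `printer` fails often but with a low-entropy name, which is the false positive a plain NXDOMAIN count would raise.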
