Zeus 2.0
Flickr Credit: Sebastia Giralt
The title of this post might confuse some people. The "2.0" may trigger thoughts of yet another social networking story we have all read over the last three years and probably do not want to hear about any more. However, this post is about something completely different: one of the most successful pieces of malware out there, one that has managed to stay alive for a long time.
Although you have read about Zeus/Zbot in the past, that was probably about Zeus 1.0 or one of its many sub-versions (1.2, 1.3, etc.) that have spread all over the web for several years now. This post is about the latest Zeus version that recently hit "the market": Zeus 2.0.
The fact that Zeus keeps developing and that new releases still come out from its developer(s) is a story for a separate post. It simply indicates the amount of money involved. The provider of Zeus makes enough money to keep development running; otherwise this project would have died a long time ago, as has happened to other, less successful malware families.
The new version of Zeus introduces new features and enhancements that make it even more challenging for security vendors to detect.
Here are some improvements in the new Zeus 2.0 that we found in the samples we analyzed:
· Zeus 2.0 incorporates new encryption layers to hide its data and communication. Those of you who found ways to break the 1.x encryption and recover the keys may find v2.0 more challenging.
· In v2.0 the binary is installed as "%APPDATA%\{random chars}\{random chars}.exe". Zeus 1.x used a hardcoded filename and was usually installed under %WINDIR%\System32.
· Zeus 1.x infected the whole PC when it had sufficient permissions; Zeus 2.0 by design infects only the current user. That is also why the file paths and registry entries have changed. This new behavior makes Zeus 2.0 harder to detect, but it also limits the damage when several users share the same PC.
· Zeus 2.0 registers itself under the HKCU\..\Run key, while Zeus 1.x normally registered itself in the UserInit key.
· Zeus 2.0 binaries and configuration files are no longer protected by a ring-3 (user-mode) rootkit.
· Zeus 2.0 no longer hooks code in svchost.exe, lsass.exe or services.exe.
· Since v1.3 the Zeus builder has been protected with a "hardware-based licensing system", which fights "malware piracy" and hinders AV researchers from analyzing the builder engine.
· In v2.0 the mutex and event names are pseudo-random GUID strings. Zeus 1.x used hardcoded mutex names such as _XXXX_2109, __SYSTEM__64AD0625__, etc.
This change is probably business-driven: it lets several copies of Zeus from different "vendors" (infections) coexist on one PC, maximizing the monetization of a single infected machine by various criminals, each of whom can steal the same user's bank credentials and cash out.
These are not all the changes in Zeus 2.0, but they ensure that even users with very limited rights on their computer will get infected.
The botnet commands in Zeus 2.0 were completely changed. The new command names are much more descriptive:
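The per-user install path, the HKCU Run persistence and the GUID-style mutex names listed above give a defender something concrete to hunt for. The following Python is an added example written for this post, not AVG's code and not taken from any Zeus sample: it scans a constructed list of HKCU Run values for the %APPDATA%\<random>\<random>.exe pattern and classifies mutex names against the two naming styles described above. The allow-list, the "random-looking" rule (short, purely alphabetic folder and file names that differ from each other) and the sample registry entries are all assumptions made for the demonstration, not indicators published by the authors.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values as (value name, command line) pairs. These are made up for the
# example; they are not from a real registry or a real Zeus infection.
SAMPLE_RUN_VALUES = [
    ("{1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b}", r"C:\Users\alice\AppData\Roaming\Ceda\efud.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Spotify", r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe --minimized"),
    ("Wedy", r"%APPDATA%\Wedy\ubme.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

# Matches either the literal %APPDATA% variable or its usual expansion, then
# exactly one folder and one .exe below it (the Zeus 2.0 layout in the post).
APPDATA_EXE_RE = re.compile(
    r"^(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)\\([^\\]+)\\([^\\]+)\.exe$",
    re.IGNORECASE,
)
# Assumption: a "random-looking" Zeus 2.0 name is a short, purely alphabetic token.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{3,12}$")
# Assumption: small allow-list of folder/file stems that legitimately live under Roaming.
ALLOWLIST = {"spotify", "dropbox", "microsoft", "discord", "zoom"}

# Standard GUID shape, with or without braces, as used for Zeus 2.0 mutex/event names.
GUID_RE = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)
# The two hardcoded Zeus 1.x mutex names quoted in the post.
ZEUS1_MUTEXES = {"_XXXX_2109", "__SYSTEM__64AD0625__"}


def extract_exe(cmdline):
    """Return the executable part of a Run-key command line.

    Handles a leading quoted path; an unquoted path containing spaces is cut
    at the first space, which is a known limitation of this demo parser.
    """
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify_run_value(name, cmdline):
    """Return a finding dict if the Run value looks like a Zeus 2.0 install, else None."""
    exe = extract_exe(cmdline)
    match = APPDATA_EXE_RE.match(exe)
    if not match:
        return None
    folder, stem = match.group(1), match.group(2)
    if folder.lower() in ALLOWLIST or stem.lower() in ALLOWLIST:
        return None
    # Legitimate apps usually ship Product\Product.exe; Zeus 2.0 picks two
    # independent random strings, so require the names to differ as well.
    if (RANDOM_NAME_RE.match(folder) and RANDOM_NAME_RE.match(stem)
            and folder.lower() != stem.lower()):
        return {
            "value": name,
            "path": exe,
            "reason": "zeus2-style %APPDATA%\\<random>\\<random>.exe persistence",
        }
    return None


def scan_run_values(values):
    """Run the heuristic over (name, command line) pairs and collect the hits."""
    hits = []
    for name, cmd in values:
        finding = classify_run_value(name, cmd)
        if finding:
            hits.append(finding)
    return hits


def classify_mutex(name):
    """Label a mutex name by the two naming styles described in the post.

    A fixed-string signature catches the 1.x names; a GUID only tells you the
    name is 2.0-compatible, and plenty of legitimate software also uses GUIDs,
    so the GUID label is context, not a detection on its own.
    """
    if name in ZEUS1_MUTEXES:
        return "zeus1-hardcoded"
    if GUID_RE.match(name):
        return "guid-style"
    return "other"


if __name__ == "__main__":
    for hit in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"[suspect] {hit['value']}: {hit['path']} ({hit['reason']})")
    for mutex in ("_XXXX_2109", "{1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b}", "MyAppSingleton"):
        print(f"{mutex}: {classify_mutex(mutex)}")
```

On a live machine the input can come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, parsed into the same (name, command line) pairs. The path heuristic is deliberately narrow: it says nothing about a binary that moved, was renamed after install, or uses a longer name than the assumed 3 to 12 letters, so treat a hit as a lead for triage rather than a verdict.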
user_*: user_flashplayer_remove; user_flashplayer_get; user_ftpclients_get; user_homepage_set; user_url_unblock; user_url_block; user_certs_remove; user_certs_get; user_cookies_remove; user_cookies_get; user_execute; user_logoff; user_destroy
fs_*: fs_search_remove; fs_search_add; fs_path_get
bot_*: bot_httpinject_enable; bot_httpinject_disable; bot_bc_remove; bot_bc_add; bot_update; bot_uninstall
os_*: os_reboot; os_shutdown
What should we expect in the next Zeus update? Here is our guess:
The following commands are already present in the malware body but are not implemented yet: bot_httpinject_disable; bot_httpinject_enable; fs_path_get; fs_search_add; fs_search_remove; user_destroy.
As long as Zeus continues to make money for its developer(s), we will continue to find new releases and new features on the market.
Preventing infection by such malware requires more than one security technology. At AVG we use multiple security layers: proactive, reactive, real-time and reputation-based technologies, to provide our free and paid users with the most advanced protection against the most advanced malware out there. This is how we came across Zeus 2.0.
Be safe out there …
This post was authored by: Kaspars Osis / Yuval Ben-Itzhak
