Zeus variant bypassing security, say researchers

A variant of the data-stealing Zeus Trojan best known for targeting online banking uses a new technique to bypass security systems.

A variant of the data-stealing Zeus Trojan – best known for targeting online banking – is using a new technique to bypass security systems, researchers have found.

By encrypting the executable file, cyber criminals are sneaking GameOver Zeus malware past web filters, network intrusion detection systems and other defences as a non-executable .enc file.

On 1 February 2014, US-based Malcovery Security alerted the security community and law enforcement agencies after its researchers identified the technique and observed its use trending upwards.

The attackers are using email messages that appear to come from HMRC, HSBC and other well-known brands to trick recipients into opening an attached .zip file, according to a Malcovery blog post.

If the attachment is opened, it launches a new version of the application called Upatre, which downloads and decrypts a .enc file that is the GameOver Zeus executable.

“If you are in charge of network security for your enterprise, you may want to check your logs to see how many .enc files have been downloaded recently,” said Gary Warner, CTO of Malcovery.

Before Malcovery raised the alarm, its researchers found none of the 50 security products used by online virus scanning service VirusTotal were blocking GameOver Zeus distributed in this way.

In a blog update, Warner notes that researcher Boldizsár Bencsáth, from CrySys Lab in Hungary, has published details of how the encoding works.

The researcher found the file is first compressed and then XOR'ed with a 32-bit key. Upatre then reverses the process to create the .exe file.
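As an added illustration (not code from the article, Malcovery or CrySys Lab), the wrap-and-unwrap round trip described above, from the analyst's side: the compression algorithm (zlib), the key layout (repeating 4-byte little-endian pad), the stand-in executable and the key are all assumptions, since the article names none of them.

```python
import zlib
from typing import Optional

# Assumptions not stated in the article: compression is zlib, and the 32-bit key
# is applied as a repeating 4-byte little-endian XOR pad over the compressed data.

def xor32(data: bytes, key: int) -> bytes:
    """XOR data with a repeating 4-byte little-endian key (XOR is self-inverse)."""
    pad = key.to_bytes(4, "little")
    return bytes(b ^ pad[i % 4] for i, b in enumerate(data))

def make_enc(exe: bytes, key: int) -> bytes:
    """Build a test fixture the way the article describes: compress, then XOR."""
    return xor32(zlib.compress(exe), key)

def looks_like_pe(data: bytes) -> bool:
    """Cheap check a content filter might apply: does the blob carry a PE 'MZ' header?"""
    return data.startswith(b"MZ")

def decode_enc(blob: bytes, key: int) -> Optional[bytes]:
    """Reverse the .enc wrapping as Upatre would: undo the XOR, then decompress.
    Returns the recovered executable, or None if the key is wrong or the
    result is not a PE file."""
    try:
        exe = zlib.decompress(xor32(blob, key))
    except zlib.error:
        return None
    return exe if looks_like_pe(exe) else None

# Constructed stand-in for an executable; no real malware sample is included.
FAKE_EXE = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode." + b"\x00" * 200
KEY = 0xDEADBEEF  # constructed key

if __name__ == "__main__":
    enc = make_enc(FAKE_EXE, KEY)
    # The wrapped file carries no MZ header, which is why signature-based
    # filters that only look at the bytes on the wire see nothing executable.
    print("wrapped .enc looks like a PE:", looks_like_pe(enc))
    print("decoded with the right key:", decode_enc(enc, KEY) == FAKE_EXE)
    print("decoded with a wrong key:", decode_enc(enc, KEY ^ 1))
```

The decode step is what an analyst runs on a captured .enc file once the key has been pulled from the Upatre sample; a network defender following Warner's advice still has only the .enc download itself to go on.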

“Malcovery has observed several malicious email campaigns using this technique that researchers believe are being distributed by the cyber criminals behind the Cutwail malware delivery infrastructure,” said Warner.

“It is likely that many different criminals are paying to use this infrastructure.”


1 comment


My PC laptop with Windows 10 came up with a red screen and a message over it stating that the PC had a Zeus Trojan and to call a tech. The message is repeated below:

"877 507 4529 Persoanlsied tech : Mark thompson Install an antimalware install  a 360 total security install a c c clcenaer Install a network security firewall 30-35 mins Agile technical sofwtare solutions"

I thought it was a scam. I could not, however, access my browser since the message automatically overlaid it. And eventually I could not get any wireless or Ethernet connection. I bought a CD version of your software and after several hours of trying finally got a wireless connection and installed it. After scanning it showed no threats. What am I missing?