Almost undetectable ZeuS variant discovered

A variant of the key-logging ZeuS trojan that is almost undetectable has been discovered by anti-malware researchers at Trend Micro.

The variant, known as TSPY_ZBOT.BYZ, uses a number of techniques to avoid automatic heuristics-based detection. One is importing a large number of external APIs, a characteristic not shared by other ZeuS trojans and one that significantly lowers the chance of detection.

The trojan is also compressed differently from other ZeuS variants, so its calculable entropy is different. Entropy is usually similar across variants, which lets anti-malware researchers and software analyse and detect the trojan; the difference in this variant helps keep it under the radar.
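To make the two evasion points above concrete, here is an added illustration (not Trend Micro's detection logic, and no real sample bytes) of a narrow packer heuristic: it flags a section whose byte entropy falls in the band that typical packed samples occupy and whose import table is thin. The entropy band, import threshold and the constructed section buffers are all assumptions; the example shows how a sample packed differently, or one importing many APIs, falls outside such a rule.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def heuristic_verdict(section: bytes, import_count: int,
                      entropy_band=(7.2, 8.0), max_imports=10) -> str:
    """Narrow rule modelled on the article: packed samples typically cluster in a
    high-entropy band and import very few APIs. Thresholds are assumed values."""
    e = shannon_entropy(section)
    packed_like = entropy_band[0] <= e <= entropy_band[1]
    thin_imports = import_count <= max_imports
    return "suspicious" if (packed_like and thin_imports) else "clean"


# Constructed stand-ins for a PE section's bytes plus an import count (no malware data):
SAMPLES = {
    # plain ASCII text, roughly 4.3 bits/byte, many imports: an ordinary binary
    "text": (b"The quick brown fox jumps over the lazy dog. " * 40, 60),
    # every byte value equally frequent: 8.0 bits/byte, the profile the rule expects
    "packed_usual": (bytes(range(256)) * 7, 4),
    # only 128 distinct byte values: 7.0 bits/byte, outside the narrow band
    "packed_other": (bytes(range(128)) * 14, 4),
    # usual packing but a large import table, as the article describes for TSPY_ZBOT.BYZ
    "packed_many_imports": (bytes(range(256)) * 7, 120),
}


def run_all() -> dict:
    """Verdict per constructed sample; only 'packed_usual' matches the narrow rule."""
    return {name: heuristic_verdict(sec, imps) for name, (sec, imps) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sec, imps) in SAMPLES.items():
        print(f"{name:20s} entropy={shannon_entropy(sec):.2f} "
              f"imports={imps:3d} -> {heuristic_verdict(sec, imps)}")
```

The two evasive samples are reported "clean" by the same rule that catches the usual profile, which is why a scanner should not key on a single entropy band or import count.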

Trend Micro said the trojan is “designed to make analysis in sandboxed environments more difficult.” This makes things harder for anti-malware researchers who provide virus database updates to keep computer users protected, allowing for the spread of the trojan to many more machines.

The ZeuS trojan has been responsible for a string of major attacks throughout the year, including most recently on LinkedIn. The prevalence of the malware has led to multiple arrests around the world, including 19 people involved in a £6 million bank scam in the UK and further arrests in the US, which could see dozens of people jailed.

The problem is also getting worse. Trend Micro issued an update today stating that a further variant, named TSPY_ZBOT.SMEQ, has been detected, and there could be many more of them slipping under the watchful eyes of our anti-malware software.

“These new variants show the impact of TSPY_ZBOT.BYZ being able to avoid heuristic detection. Determining the relationship between TSPY_ZBOT.BYZ and the new variants would become harder; correspondingly the new variants would be more difficult to detect,” said Julius Dizon, Research Engineer at Trend Micro.

“To properly guard against this threat, conventional antivirus [software] is not sufficient. Both improved detection techniques and proactive blocking of the websites, working together, can protect users.”