It has been known for some time that the creator and maintainer of the Zeus malware turned over responsibility for his code to the author of the SpyEye Trojan, and it was assumed that the two code bases had merged, rendering Zeus extinct. However, new samples of the Zeus bot have surfaced that include new features, indicating that development of the tool is still underway.
A couple of new Zeus samples have cropped up recently that sport capabilities not available to users of older versions of the attack tool. Zeus customers have typically used some version of a Zeus builder kit to compile and run their copy of the tool, and each builder kit leaves a recognizable signature in the binaries it produces, which lets researchers attribute a given sample to the kit that built it.
After the Zeus and SpyEye code bases were joined late last year, which researchers confirmed when versions of each tool appeared with identical sections of code, it was thought that Zeus as a standalone attack tool had breathed its last. That appears not to be the case. Researchers have found new versions that include a double decryption routine not seen before, as well as an extra anti-analysis check.
“A few weeks ago a different ZeuS variant appeared that displayed unusual behavior for that family. All the latest variants of ZeuS had the same algorithm to decrypt a section in their code which contained the Trojan’s initial internal settings (a link used to download the configuration file, traffic encryption key, etc.). In the new, unusual sample there was double encryption. First of all, data was decrypted using the standard algorithm, but the address to the configuration file was a fake. The genuine link to the configuration file, which contained the address of the botnet command center, was only revealed at the second decryption,” Dmitry Tarakanov, a malware researcher at Kaspersky Lab, wrote in a detailed analysis of the new Zeus malware versions.
“A few days ago I found a ZeuS sample that also checks if it is being analyzed, for example, by antivirus companies. The functionality is basically the same but with minor modifications – another criterion for detecting a new test platform had been added. In this variant of ZeuS there are also modifications to the structure in pieces of code, which had remained unchanged for over 6 months and been used in thousands of samples of the Trojan.”
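The practical consequence of the double encryption Tarakanov describes is that an extraction script written for the older variants stops after the standard decryption and walks away with the decoy URL. The following is an added illustration written for this article, not Kaspersky's tooling and not code from any Zeus sample: layer 1 is RC4, layer 2 is a hypothetical byte-chained XOR, and the field layout, key and URLs are all constructed. The article does not say which ciphers, keys or layout the new variant actually uses, so treat every concrete detail below as an assumption.

```python
# Added example: a two-layer "initial settings" blob in which the first
# decryption yields a decoy configuration URL and only a second decryption
# reveals the real one. Layer 1 uses RC4; layer 2 is a HYPOTHETICAL
# byte-chained XOR. The layout, key and URLs below are constructed for this
# illustration and are not taken from any Zeus sample.
from dataclasses import dataclass

TRAFFIC_KEY_LEN = 16  # assumed fixed-width field in the constructed layout


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); encrypt and decrypt are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def chain_xor_encode(data: bytes) -> bytes:
    """Hypothetical layer 2: each output byte is plaintext XOR the previous output byte."""
    out = bytearray()
    prev = 0
    for b in data:
        prev = b ^ prev
        out.append(prev)
    return bytes(out)


def chain_xor_decode(data: bytes) -> bytes:
    """Inverse of chain_xor_encode: plaintext byte = ciphertext byte XOR previous ciphertext byte."""
    out = bytearray()
    prev = 0
    for b in data:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


@dataclass
class Settings:
    decoy_url: str
    traffic_key: bytes
    real_url: str


def build_settings_blob(key: bytes, decoy_url: str, traffic_key: bytes, real_url: str) -> bytes:
    """Constructed layout: decoy URL, NUL, fixed-width traffic key, then the
    layer-2-encoded real URL (NUL-terminated). The whole thing is RC4-encrypted."""
    assert len(traffic_key) == TRAFFIC_KEY_LEN
    inner = chain_xor_encode(real_url.encode() + b"\x00")
    return rc4(key, decoy_url.encode() + b"\x00" + traffic_key + inner)


def first_layer_only(key: bytes, blob: bytes) -> str:
    """What a script written for the older variants does: stop after the
    standard decryption and report the first URL it finds. On the new
    layout this returns the decoy."""
    layer1 = rc4(key, blob)
    return layer1.split(b"\x00", 1)[0].decode()


def extract_settings(key: bytes, blob: bytes) -> Settings:
    """Peel both layers and return every field, so the decoy and the genuine
    configuration URL are reported side by side."""
    layer1 = rc4(key, blob)
    decoy, rest = layer1.split(b"\x00", 1)
    traffic_key, inner = rest[:TRAFFIC_KEY_LEN], rest[TRAFFIC_KEY_LEN:]
    real = chain_xor_decode(inner).split(b"\x00", 1)[0]
    return Settings(decoy.decode(), traffic_key, real.decode())


# Constructed sample: hypothetical key and URLs, not from a real sample.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_DECOY_URL = "http://decoy.example/cfg.bin"
SAMPLE_REAL_URL = "http://real.example/cfg.bin"
SAMPLE_TRAFFIC_KEY = bytes(range(TRAFFIC_KEY_LEN))
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_DECOY_URL, SAMPLE_TRAFFIC_KEY, SAMPLE_REAL_URL)

if __name__ == "__main__":
    print("first layer only :", first_layer_only(SAMPLE_KEY, SAMPLE_BLOB))
    print("both layers      :", extract_settings(SAMPLE_KEY, SAMPLE_BLOB))
```

The point of `first_layer_only` next to `extract_settings` is the check an analyst should add: after the standard decryption, do not trust the first URL you see until you have confirmed that nothing encrypted follows it in the settings section. A config extractor that only ever ran one decryption pass will report the decoy and never see the command-and-control address.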
The subtle variations in the Zeus versions circulating right now are a good indication that someone, whether the SpyEye maintainer or someone else, is still actively developing Zeus and adding capabilities. If so, it also likely means there are still paying customers asking for new features and functionality. As Tarakanov notes, that may be a small pool of high-value customers.
“Functionality that is capable of detecting a test platform is unique. It looks like it was probably added to the standard ZeuS functionality as an optional extra. This suggests that technical support is still available for the last few VIP clients using ZeuS,” he said.