A new, and more devious, variant of malware linked to the Zeus banking Trojan has been discovered by researchers at Trend Micro Inc.
The new variant generates more domains and thereby doubles the number of domains that
The information comes from a new sample of LICAT, a file-infecting Trojan that is closely associated with Zeus. LICAT seeks out executable files on infected systems and modifies them so that, when an infected file is opened, LICAT generates 800 Internet addresses using pseudo-random alpha characters. It then attempts to connect to each of these destinations to download and execute further components or other payloads.
Trend researchers first spotted a LICAT-Zeus connection in October. While some of the domains generated by LICAT appear to be either not registered or inactive, some are live and could create problems for detecting and blocking the malware. The Zeus Trojan, also called Zbot, has been troublesome for banks and financial firms because toolkits for configuring an automated attack are easy to find.
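The lookup burst described above (hundreds of pseudo-random alpha names from one host, many of them unregistered) shows up in DNS logs. The following is an added example, not code from Trend Micro or from the original article: a sliding-window detector run over constructed DNS events. The event tuple layout, thresholds, client addresses and sample names are all assumptions.

```python
import math
import random
import string
from collections import defaultdict

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def looks_generated(qname, min_len=10, min_entropy=3.0):
    """True for an alpha-only, long, high-entropy label left of the TLD (thresholds are assumptions)."""
    parts = qname.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.isalpha() and len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dga_bursts(events, window=60, min_names=50, min_nx_ratio=0.5):
    """Map client -> (distinct names, NXDOMAIN ratio) for its largest qualifying burst."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in events:
        if looks_generated(qname):
            per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, rows in per_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            names = {q for _, q, _ in span}
            nx = sum(r == "NXDOMAIN" for _, _, r in span) / len(span)
            if len(names) >= min_names and nx >= min_nx_ratio:
                if len(names) > flagged.get(client, (0, 0.0))[0]:
                    flagged[client] = (len(names), nx)
    return flagged

# Constructed sample: random strings standing in for generated names (not LICAT's algorithm).
_rng = random.Random(1)
SAMPLE_EVENTS = [
    (i * 0.05, "10.0.0.5", "".join(_rng.choices(string.ascii_lowercase, k=14)) + ".com",
     "NOERROR" if i % 10 == 0 else "NXDOMAIN")
    for i in range(800)
]
SAMPLE_EVENTS += [(5.0, "10.0.0.9", "www.example.com", "NOERROR"),
                  (9.0, "10.0.0.9", "mail.trendmicro.com", "NOERROR")]

if __name__ == "__main__":
    for client, (count, nx) in find_dga_bursts(SAMPLE_EVENTS).items():
        print(f"{client}: {count} generated-looking names, {nx:.0%} NXDOMAIN")
```

A single long alpha name such as `trendmicro` can pass the per-name heuristic, which is why the detector keys on the burst of distinct names per client rather than on any one lookup.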
The researchers at Tokyo-based Trend Micro noted that several of the domains LICAT generates appear to coincide with those used by Zeus at the same time.
The new LICAT sample reveals that it now uses a different set of keys for its domain-generating algorithm. It also uses more keys to generate its new batch of domains. And, while the original LICAT variant's domain-generating algorithm used the same key twice -- once for where its configuration file was located, and once for where new/updated variants could be downloaded automatically -- the new variant uses different keys, thereby doubling the number of domains that have to be monitored and blocked by researchers.
"We expect that more LICAT variants with different … keys are probably going to be spotted in recent weeks," said Joseph Cepe, a Trend Micro threats analyst.