New variant of the Zeus Trojan spotted by Trend Micro

Ron Condon, UK Bureau Chief

A new, and more devious, variant of malware linked to the Zeus banking Trojan has been discovered by researchers at Trend Micro Inc.

The new variant generates more domains and thereby doubles the number of domains that researchers will need to detect and block to stop the notorious malware.

The information comes from a new sample of LICAT, a file-infecting Trojan that is closely associated with Zeus. LICAT seeks out executable files on infected systems and modifies them, so that when an infected file is opened, LICAT generates 800 Internet addresses made up of pseudo-random alphabetic characters. It then attempts to connect to each of these destinations to download and execute further components or other payloads.

Trend researchers first spotted a LICAT-Zeus connection in October. While some of the domains generated by LICAT appear to be either unregistered or inactive, some are live and could make the malware harder to detect and block. The Zeus Trojan, also called Zbot, has been troublesome for banks and financial firms because toolkits for configuring an automated attack are easy to find.

The researchers at Tokyo-based Trend Micro noted that several of the domains LICAT generates appear to coincide with those used by Zeus at the same time.

The new LICAT sample reveals that it now uses a different set of keys for its domain-generating algorithm. It also uses more keys to generate its new batch of domains. And, while the original LICAT variant's domain-generating algorithm used the same key twice -- once for where its configuration file was located, and once for where new/updated variants could be downloaded automatically -- the new variant uses different keys, thereby doubling the number of domains that have to be monitored and blocked by researchers.
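To show why separate keys double the defender's workload, here is an added example (not LICAT's real algorithm, which the article does not describe, and not Trend Micro's code): a toy keyed generator that maps a hash chain onto lowercase letters, plus the blocklist a researcher would pre-compute from it. The key names and the date string are constructed for illustration.

```python
import hashlib
import string

ALPHA = string.ascii_lowercase


def dga_domains(key: bytes, date: str, count: int = 800,
                length: int = 12, tld: str = ".com") -> list:
    """Hypothetical keyed domain generator (NOT LICAT's actual algorithm).

    The key and the date seed a SHA-256 chain; each hash block is mapped onto
    lowercase letters only, mimicking the pseudo-random alphabetic labels the
    article describes. Same key + same date always yields the same list, which
    is what lets a researcher enumerate the candidate domains ahead of time.
    (b % 26 is slightly biased; irrelevant for a toy.)
    """
    domains = []
    state = hashlib.sha256(key + date.encode()).digest()
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        label = "".join(ALPHA[b % 26] for b in state[:length])
        domains.append(label + tld)
    return domains


def blocklist(keys, date: str, count: int = 800) -> list:
    """Union of the domains every key in use produces on `date`."""
    seen = set()
    for key in keys:
        seen.update(dga_domains(key, date, count))
    return sorted(seen)


def is_candidate(domain: str, keys, date: str) -> bool:
    """Defender-side check: does a DNS name match today's generated set?"""
    return domain in set(blocklist(keys, date))


def compare_variants(date: str = "2010-11-01"):  # constructed sample date
    # Original variant: one key reused for the config and update lookups.
    old = blocklist([b"config-key"], date)
    # New variant: distinct keys, so two disjoint sets must be monitored.
    new = blocklist([b"config-key", b"update-key"], date)
    return len(old), len(new)


if __name__ == "__main__":
    print(compare_variants())
```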

"We expect that more LICAT variants with different … keys are probably going to be spotted in recent weeks," said Joseph Cepe, a Trend Micro threats analyst.