Changes in new ZeuS variants

The ZeuS/Zbot Trojan variants have been around for a long time. It has come to the point where the name is recognized not only by security specialists, but by the general public as well. And why would it not be? By stealing users’ various credentials, the Trojan has a direct impact on their everyday lives, since a great many people have moved part of their lives online.

Its longevity is not a matter of chance – the dedication and promptness with which the toolkit makers strive to jump over the obstacles that security firms put in front of them could almost be admired.

Symantec offered a peek into the new variants of the Trojan and the changes that will assure its longevity for a good while yet:

1. Executable and component files don’t have fixed file names anymore
The random names of the files and folders they create make them more difficult to spot and recognize for what they are.

2. New variants are doing something previous variants did not – they inject themselves into a variety of processes: taskeng.exe, taskhost.exe, ctfmon.exe, explorer.exe, rdpclip.exe, wscntfy.exe. That they target the first two processes mentioned is particularly interesting to note, because they are found only in Windows Vista and Windows 7. In previous variants, the support for those OS versions had to be acquired via separate add-ons, and this change goes to show that the ZeuS developers are keeping pace with the latest developments.

3. Some variants had the ability to modify target Web pages and make them ask the users for additional information. This feature was restricted to users of IE. Well, not anymore. New variants also target Firefox users.
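Because file names are now random (change 1), detection has to key on behaviour such as the injection targets in change 2. The following triage sketch is an added example, not code from the article or from Symantec. It assumes endpoint telemetry that records cross-process thread creation with `SourceImage` and `TargetImage` fields (names modelled on Sysmon Event ID 8; the article does not state the injection mechanism), and the trusted-directory list, host names and sample events are constructed.

```python
import ntpath

# Injection targets listed in the article.
ZEUS_TARGETS = {"taskeng.exe", "taskhost.exe", "ctfmon.exe",
                "explorer.exe", "rdpclip.exe", "wscntfy.exe"}
# Per the article, these two processes exist only on Windows Vista and Windows 7.
VISTA_7_ONLY = {"taskeng.exe", "taskhost.exe"}
# Assumption: sources under these directories are treated as trusted OS code.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(events):
    """Return (host, source, target, note) for each suspicious thread-creation event."""
    hits = []
    for ev in events:
        # ntpath parses Windows paths regardless of the analyst's own OS.
        target = ntpath.basename(ev["TargetImage"]).lower()
        source = ev["SourceImage"].lower()
        # File names are random, so match on the target and the source location,
        # never on the source file name itself.
        if target not in ZEUS_TARGETS or source.startswith(TRUSTED_DIRS):
            continue
        note = ("Vista/7-only target" if target in VISTA_7_ONLY
                else "target on article list")
        hits.append((ev["Host"], ev["SourceImage"], target, note))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Host": "WS-01",
     "SourceImage": r"C:\Users\alice\AppData\Roaming\Ybqe\uxoq.exe",
     "TargetImage": r"C:\Windows\System32\taskhost.exe"},
    {"Host": "WS-01",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"Host": "WS-02",
     "SourceImage": r"C:\Users\bob\AppData\Roaming\Ocdi\hepa.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"Host": "WS-02",
     "SourceImage": r"C:\Program Files\Vendor\updater.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Hits are leads for investigation rather than verdicts, since legitimate software also creates threads in processes such as explorer.exe.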



