ZeuS has for a while now been almost a synonym for banking Trojans of every shape and form.
Some say that the attention that the information security community has focused on it and on the the increasing efforts to stomp it out have allowed other lesser known banking Trojans such as Carberp, Bugat and SpyEye to rise in prominence and number of infected computers.
But ZeuS developers are not ready to leave this lucrative business without a fight. According to Trend Micro researchers, new variants are using the brand new LICAT file infector as a way of making computer download the from a variety of sources and execute them.
LICAT infects files that have been executed after it has injected itself into the Explorer.exe process and every time they are executed, it randomly “calculates” which domain name will be contacted to download other malware such as ZeuS.
Once this ZeuS variant is executed, it decrypts and executes the main file infector (LICAT) again, which then opens random ports, deletes some registries and gathers various information from the system and completes the infection chain by repeating the infecting process described earlier:
This new ZeuS variant also employes various techniques to bypass automatic heuristics-based detection. A different type of compression and a larger number of imported external API’s changes the way a heuristic scanner sees the file, making it thus harder to detect.
Additionally, this variant is designed to render sandbox analysis more difficult. “Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate,” says Trend Micro researchers, who are still investigating what other detected routines do.