ThreatMetrix Labs: Make a Trojan once again invisible to antivirus software authors took a couple of hours.
The widespread application of Trojan Zeus, as well as its enhanced support from the virus writers cause for serious concern. This statement was made by experts from ThreatMetrix Labs, which are examined in detail the recent modification of the virus in his analytical report.
Experts recalled that at the moment Zeus does not use the C & C-servers, replacing them with the commands being sent to the P2P network through one of the bots. The integrity of the entire system is maintained by strong encryption of configuration files. Moreover, the constant change of cryptographic protection of Zeus does not visible to the existing anti-virus systems, to emphasize the ThreatMetrix Labs.
“The constant change in the way it (Ed. – virus) encryption alarming. In fact, experts ThreatMetrix recorded at least six different ways, “- the researchers reported in the report. According to them, continual change in attack vectors and cryptographic protection makes it virtually powerless to antivirus companies.
Note also that the specialists have provided some examples of new types of attacks Zeus, which was detected after decoding of a configuration file (the sample was analyzed by Zeus with a MD5-hash 7ebe4e6f8e5ea5981f4b32cd9465e6a3).
According to ThreatMetrix Labs, a modification of this Trojan has 988 functions, 561 of whom had in the past year, and another 427 have been added since November 2011, indicating a very fast pace appears varieties Trojan.
Currently, configuration files are encrypted with Zeus four-byte key XOR, formed from these elements: (item length << 0×10) | (0xFFFF & item id) | (BinStorage Count << 8).
Changing the encryption method prior to this variation of the virus taken from the authors’ only a few hours, “but it made a new version of Zeus is again not visible to the vendors.