Critical update makes P2P Zeus trojan even tougher to remove

The update installs a rootkit driver that makes deleting the malware even tougher.

P2P Zeus is already plenty tough to wipe from infected systems, but researchers with Fortinet have observed the notorious peer-to-peer banking trojan performing a critical update that installs a rootkit driver, consequently making the malware impossible to remove.

Previously, a modified copy of P2P Zeus would be created and placed in a temp folder, and the original copy would be deleted in order to conceal the malware from the victim, Kan Chen, junior AV analyst for Fortinet's FortiGuard Labs, told SCMagazine.com in a Monday email correspondence, adding that the names of the directory and the malware file are randomly generated.

Now, once the rootkit driver is installed, deleting the autorun registry entry and the malware file in that temp folder is no longer an option, at least not before the rootkit driver itself has been removed, Chen said.

“With the new rootkit driver added, it is not possible to remove the malicious file and autorun registry,” Chen said. “It simply denies access for the attempt to delete the malware file. It also keeps creating the autorun registry once you have deleted the malware auto startup registry.”

There is hope, however – Chen said it is possible to remove the malware manually through anti-rootkit software.
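As an added example, not code from the article or from Fortinet, the following Python triage helper applies two of the traits Chen describes to a snapshot of autorun (Run key) entries: a target executable with a random-looking name sitting in a temp folder, and an entry that is present again after it was deleted. The registry snapshots are constructed sample data, and the length and entropy thresholds are assumptions chosen for illustration, not values from the page.

```python
"""Autorun triage helper illustrating the P2P Zeus traits from the article:
randomly named executable in a temp folder, plus an autorun entry that
reappears after deletion. Sample data below is constructed, not real telemetry."""
import math
from collections import Counter
from pathlib import PureWindowsPath

# Path fragments treated as "temp folder" (case-insensitive match); an assumption.
TEMP_HINTS = ("\\temp\\", "\\tmp\\")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; randomly generated names score high."""
    if not text:
        return 0.0
    counts = Counter(text.lower())
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def extract_exe(command: str) -> str:
    """Return the executable path from a Run-key command value, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious(command: str, min_len: int = 6, min_entropy: float = 2.5) -> bool:
    """Flag a command whose target is a random-looking name inside a temp folder.
    min_len and min_entropy are assumed thresholds, not values from the article."""
    exe = extract_exe(command)
    in_temp = any(hint in exe.lower() for hint in TEMP_HINTS)
    stem = PureWindowsPath(exe).stem
    random_looking = len(stem) >= min_len and shannon_entropy(stem) >= min_entropy
    return in_temp and random_looking


def triage(entries: dict) -> list:
    """Names of suspicious entries in a {name: command} Run-key snapshot."""
    return sorted(name for name, cmd in entries.items() if is_suspicious(cmd))


def recreated(deleted: set, snapshot_after: dict) -> list:
    """Names that were deleted but are present again in a later snapshot,
    the re-creation behaviour Chen attributes to the rootkit driver."""
    return sorted(deleted & set(snapshot_after))


# Constructed sample snapshots (hypothetical user, folder and file names).
SNAPSHOT_BEFORE = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ykvuqzel": r"C:\Users\alice\AppData\Local\Temp\ohkabi\ykvuqzel.exe",
    "setup": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
}
# Snapshot taken after an analyst deleted the flagged entry: it is back.
SNAPSHOT_AFTER_DELETE = dict(SNAPSHOT_BEFORE)

if __name__ == "__main__":
    flagged = triage(SNAPSHOT_BEFORE)
    print("suspicious:", flagged)
    print("recreated after deletion:", recreated(set(flagged), SNAPSHOT_AFTER_DELETE))
```

The short, ordinary name `setup.exe` sits in the same temp folder but is not flagged, which is the point of combining the location check with the name check rather than alerting on every temp-folder autorun. An entry that `recreated` reports back after deletion is the cue the article gives for reaching for anti-rootkit tooling before retrying the cleanup.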

P2P Zeus updates itself by receiving encrypted update packets from remote peers that already have the update, Chen said. The packets arrive over TCP, are decrypted, and the version they carry is compared with the locally hardcoded version number.

“If P2P Zeus determined that it is the newer version, it would further decrypt the payload data into a [portable executable] file,” Chen said. “The newly created file would replace the original P2P Zeus file and run as a new process.”

Chen said that another interesting feature of P2P Zeus is that, in order to avoid exposing itself to “anti-virus analysts,” the malware avoids sending packets to peers within certain organizations' subnets, including those of Google, Microsoft, Kaspersky Lab, ESET, Bitdefender, and AVAST Software.
