Critical update makes P2P Zeus trojan even tougher to remove

The update installs a rootkit driver that makes deleting the malware even tougher.

P2P Zeus is already plenty tough to wipe from infected systems, but researchers with Fortinet have observed the notorious peer-to-peer banking trojan performing a critical update that installs a rootkit driver, making the malware considerably harder to remove.

Previously, a modified copy of P2P Zeus was created in a temp folder and the original copy was deleted in order to conceal the malware from the victim, Kan Chen, junior AV analyst for Fortinet's FortiGuard Labs, told SCMagazine.com in a Monday email correspondence, adding that the names of the directory and the malware file are randomly generated.

Now, once the rootkit driver is installed, deleting the autorun registry entry and the malware file in that temp folder is no longer an option, at least not before the rootkit driver itself has been removed, Chen said.

“With the new rootkit driver added, it is not possible to remove the malicious file and autorun registry,” Chen said. “It simply denies access for the attempt to delete the malware file. It also keeps creating the autorun registry once you have deleted the malware auto startup registry.”

There is hope, however – Chen said it is possible to remove the malware manually through anti-rootkit software.

P2P Zeus updates itself by receiving encrypted update packets from remote peers that already have the update, Chen said, explaining that the packets are received over TCP, decrypted and then compared against the local hardcoded version number.

“If P2P Zeus determined that it is the newer version, it would further decrypt the payload data into a [portable executable] file,” Chen said. “The newly created file would replace the original P2P Zeus file and run as new process.”

Chen said that another interesting feature of P2P Zeus is that, in order to avoid exposing itself to “anti-virus analysts,” the malware avoids sending packets to peers in certain organizations' subnets, including those of Google, Microsoft, Kaspersky Lab, ESET, Bitdefender and AVAST Software.
