P2P Zeus is already plenty tough to wipe from infected systems, but researchers with Fortinet have observed the notorious peer-to-peer banking trojan performing a critical update that installs a rootkit driver, consequently making the malware impossible to remove.
Previously, a modified copy of P2P Zeus would be created and placed in a temp folder and the original copy would be deleted, in order to conceal itself from the victim, Kan Chen, junior AV analyst for Fortinet’s FortiGuard Labs, told SCMagazine.com in a Monday email correspondence, adding the names of the directory and malware file are randomly generated.
Now, once the rootkit driver is installed, deleting the autorun registry and malware file in that temp folder is no longer an option, at least not prior to deleting the rootkit driver, Chen said.
“With the new rootkit driver added, it is not possible to remove malicious file and autorun registry,” Chen said. “It simply denies access for the attempt to delete the malware file. It also keeps creating autorun registry once you deleted the malware auto startup registry.”
There is hope, however – Chen said it is possible to remove the malware manually through anti-rootkit software.
P2P Zeus updates itself by receiving encrypted updating packets from remote peers that already have the updates, Chen said, explaining the packets are received through TCP communication, decrypted and then compared with the local hardcoded version number.
“If P2P Zeus determined that it is the newer version, it would further decrypt the payload data into a [portable executable] file,” Chen said. “The newly created file would replace the original P2P Zeus file and run as new process.”
Chen said that another interesting feature in P2P Zeus is that, in order to avoid exposing itself to “anti-virus analysts,” the malware avoids sending packets to peers under certain organization subnets, including Google, Microsoft, Kaspersky Lab, ESET, Bitdefender, and AVAST Software.