Incident Response, Malware, TDR

Zeus variant uses valid digital signature to avoid detection

Although creative new variants of the nasty Zeus banking trojan are being discovered all the time, anti-virus company Comodo has identified a sneaky version that is skirting threat detection by containing a valid digital signature.

“Malware that includes a valid digital signature from a trusted source is incredibly dangerous because it allows malicious software to be trusted both by users and by software that checks for those signatures before execution,” Adam Kujawa, head of malware intelligence for Malwarebytes, told in a Monday email correspondence.

The certificate is issued to ‘isonet ag,' was issued by VeriSign Class 3 Code Signing 2010 CA, and is valid from Dec. 7, 2012 until Feb. 6, 2016, according to screenshots in a Comodo Antivirus Labs blog posted on Thursday, which adds that the certification ensures the software came from a software publisher, and protects the software from alteration after publication.

“There are numerous systems setup on any user's computer that will check the validity of an executable, be it Windows or their browser,” Kujawa said. “[These] digital signatures fool these systems in order to gain trust.”

This seems to be a pretty standard version of Zeus that goes after data, including login credentials, payment card information and anything else the users inputs into a web form, according to the post, which adds the malware is distributed via infected webpage components and phishing emails that purport to come from major financial institutions.

When downloaded, the malware is presented as an Internet Explorer document, complete with an appropriate Windows icon to sell the scam, according to the post. When double-clicked, the trojan is executed, and a rootkit is installed with other files to increase the difficulty in eliminating the malware.

“Digital Signature theft and fraud have been a problem for many years and not just with executables, but also with SSH certificates on websites,” Kujawa said. “The industry is aware of these problems and always working toward creating an even more secure way to verify the legitimacy of data, but until then a lot of it relies on the judgment of a user who has to decide whether or not to allow something to be executed on their system rather than just clicking through authorization prompts without thinking.”

This variant of Zeus came on the Comodo radar courtesy of a user that submitted a sample to the anti-virus company, according to the post, which added that the Comodo team analyzes scan data from users and has already found more than 200 unique hits for this variant.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.