New Zeus Variant with Digital Signature


Reports indicate that Zeus has struck again – this time adding a fraudulent digital signature to its bag of tricks.

Like its predecessors, the financial Trojan is being dropped by malicious email attachments and drive-by downloads. Installation is initiated when users double-click an icon that appears on the desktop and that is made to look like an innocent Internet Explorer document. Users who initiate install are subsequently infected by both a malware that can allow its author to snag information from online financial transactions through “Man-in-the-Middle” attacks and a rootkit designed to hide said malware.

If this sounds pretty nasty, what’s even worse is that this nothing new! Zeus has been around for quite some time, and in fact in 2013 it was responsible for approximately one-third of all computerized attacks on financial institutions. This particular variant has made recent headlines however because it adds a little extra trick that contributes to its already deceptive design.

A Fraudulent Digital Signature

Legitimate software developers utilize digital signatures to validate their identity and to prove that they are not creating malware or perpetuating scams.  But, in malware-land, the digital signatures of legitimate developers are bought and sold on a regular basis, and applying them to malware is really nothing new. That a new variant of Zeus uses one isn’t all that surprising, however to the untrained eye it can be deceptive.

To the average user, who is not running a comprehensive anti-malware, adding a real digital signature to a malicious program basically works like a fake ID. Imagine your computer is a party and you are the doorman. With this new Zeus, the appearance of what looks like a new Internet Explorer document on your desktop raises suspicion, so you ask for Identification. Your skepticism leads you to investigate the document’s signature, and voila: The Document is Digitally Signed. Combine this with the curiosity one is bound to have upon the appearance of something new and mysterious on their desktop, and even the most tech-savvy among us are tempted to Double-Click.

Where the author of this particular Zeus variant obtained a fraudulent signature is really anybody’s guess. The most important thing to realize here is that this an all too common social engineering tactic and that relying on digital signatures alone as a means of preventing malware infection simply doesn’t cut it.

A Bit More on Encryption – Man-in-the-Middle Attacks

Multiple variants of Zeus have seen success because they utilize man-in-the-middle attacks.

For example, when you want to perform a secure, encrypted transaction with your bank online, your bank sends you what is known as a public key to encrypt all data that you send them during the transaction. A public key is essentially a lock, and it can only be opened by the person who holds the matching, private key.

Stealing a private key from a bank would be quite the feat indeed, so instead malware authors use man-in-the-middle attacks. Malware like Zeus is designed to “wake up” when an infected user engages communication with their banking website and requests a public key for data encryption. Zeus is designed to intercept this request and send the user a fake public key, instead. That way, when the user sends what they think is encrypted information to their bank, they are actually sending encrypted information to the attacker – and the attacker, having used his own public key, can open it with his matching, private key and take a look inside.

Protecting Yourself from Zeus, Be He Signed or Not

Much of the press surrounding this latest variant of Zeus has focused on its digital signature and how this might allow it to bypass antivirus software. Signed or not, Emsisoft Anti-Malware detects malware from the Zbot/Zeus family as Trojan.Win32.Zbot.

Additionally, users should remain extremely cautious with mysterious desktop icons of any kind and unsolicited banking emails with attachments and links. If you are worried that you may have become a victim of this latest exploit, please don’t hesitate to contact our experts in the Help, my PC is infected! Emsisoft Forum. Our removal service is free, even if you are not an Emsisoft customer yet.

Now that you know a little bit more about cryptography, we might also suggest our recent post on the OpenSSL Heartbleed Bug. Researchers have uncovered a massive vulnerability that allows anyone on the Internet to accesses OpenSSL secured servers and steal encrypted information, including private keys. This bug went undetected for over 2 years, and very well may change open source encryption technology forever.

Emsisoft Endpoint Protection: Award-Winning Security Made Simple

Experience effortless next-gen technology. Start Free Trial

Have a Great (Zeus-Free) Day!

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next