It is no secret that, within the ZeuS family, version 2 is taking over, but lately we have come across the odd version 1.x sample with features halfway between versions 1 and 2, and even some functions not seen to date.
According to their respective configuration files, the versions of these samples are 126.96.36.199 and 188.8.131.52. Let's look at the most relevant differences compared with the common versions:
- Fixed file names, as in 1.x, but they are hidden in %windir% instead of %system%. Let's see the names used for the .exe file, the configuration file and the captured-data file:
- The start-up registry entry is in the same path as in versions 1.x (Winlogon), but it is continuously rewritten, as in versions 2.x. Deleting it and rebooting is therefore not enough to clean the computer.
- The files are kept hidden (as in version 1.x), so simply deleting them does not clean the machine either.
- As can be seen in the screenshot above, its new host process is services.exe instead of winlogon.exe (v1.x).
- The named pipe is: "_FISIDISI223122347_"
- Encrypted connection. Both the download of the configuration file and the access to the control panel are made over SSL. This is new: both 1.x and 2.x use plain-text HTTP, sending data that is already encrypted with their respective algorithms.
- Change of encryption. The cipher is still the RC4 seen to date, but with a slight change in its "step". It does not use the additional XOR layer that versions 2.x apply on top of RC4.
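To make the last two points concrete, here is an added example (not code from the original post or from the samples themselves) that implements standard RC4 next to the ZeuS 2.x byte-chaining XOR layer, and builds the two decryption pipelines side by side: RC4 only, as in 1.x and this variant, versus RC4 followed by the XOR layer, as in 2.x. Assumptions: the XOR layer is the visualEncrypt/visualDecrypt routine from the leaked ZeuS 2.0.8.9 source (each byte XORed with its predecessor), applied before RC4 on encryption and removed after RC4 on decryption; the variant's own tweak to the RC4 "step" is not described here, so plain RC4 stands in for it; the key and the config text are constructed for the demo.

```python
"""Added example: RC4 versus RC4 + the ZeuS 2.x XOR ("visual") layer.

Assumptions (not from the original post):
  * the 2.x XOR layer is visualEncrypt/visualDecrypt from the leaked
    ZeuS 2.0.8.9 source: byte i is XORed with (already chained) byte i-1;
  * on encryption the XOR layer runs first, then RC4; decryption reverses it;
  * the 1.x variant's modified RC4 "step" is unknown, so standard RC4 is used.
"""


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-byte permutation S from key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 keystream XOR; the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """ZeuS 2.x XOR layer: chain each byte with the previous output byte."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt: walk backwards so each XOR sees the
    still-chained neighbour, exactly as the encryptor produced it."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def encrypt_config(key: bytes, plaintext: bytes, xor_layer: bool) -> bytes:
    """Produce a config blob the way each family does it.

    xor_layer=False: 1.x and the variant discussed above (RC4 only).
    xor_layer=True : 2.x (XOR chaining, then RC4).
    """
    if xor_layer:
        return rc4(key, visual_encrypt(plaintext))
    return rc4(key, plaintext)


def decrypt_config(key: bytes, blob: bytes, xor_layer: bool) -> bytes:
    """Reverse of encrypt_config: RC4 first, then drop the XOR layer if present."""
    plain = rc4(key, blob)
    return visual_decrypt(plain) if xor_layer else plain


def demo() -> dict:
    """Constructed sample: encrypt one config under both schemes and decrypt
    each blob with the right and the wrong pipeline. Returns the four results
    so the caller can see that the pipelines are not interchangeable."""
    key = b"constructed-demo-key"          # constructed, not a real sample key
    config = b"url_config=http://example.invalid/cfg.bin\n"  # constructed text
    blob_1x = encrypt_config(key, config, xor_layer=False)
    blob_2x = encrypt_config(key, config, xor_layer=True)
    return {
        "1x_blob_1x_pipeline": decrypt_config(key, blob_1x, xor_layer=False),
        "2x_blob_2x_pipeline": decrypt_config(key, blob_2x, xor_layer=True),
        "2x_blob_1x_pipeline": decrypt_config(key, blob_2x, xor_layer=False),
        "1x_blob_2x_pipeline": decrypt_config(key, blob_1x, xor_layer=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Only the first byte survives when the wrong pipeline is used, because the XOR chain leaves byte 0 untouched; that single matching byte is a handy tell when you are unsure which decryption scheme a dumped config needs.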
We are facing a version rather different from the usual 1.x. Will it develop further, or will everyone end up choosing version 2.x?
If anyone bumps into one of these samples, the simplest way to remove it is to download an anti-rootkit tool (such as GMER), locate the file, "kill" it and reboot the computer. The registry entries and files can then be deleted without problems.