In this post we will examine different variants and branches of the ZeuS Trojan family. ZeuS was discovered 7 years ago, but to this day it continues to evolve and morph, making it one of the most widely used tools to attack mainly financial organisations.
From the timeline above it can be seen how its evolution has taken place and, especially, the variant explosion just after the source code was leaked.
Version 1.x led to different versions, although the 126.96.36.199 version was the most successful one. That is why most of you will quickly recognize the sdra64.exe file as ZeuS 1.2.x.
Along its evolutionary path, many improvements were made both to its functionality and to its protection against analysis. During 2008 and 2009, continuous development produced versions 1.1 to 1.4. By the time these changes were complete, so many had been made that the developer(s) decided to number the next version 2.0.
By the end of 2009, ZeuS had established market dominance and become the de facto market leader among banking Trojans (with SpyEye's permission).
The source code leak of 188.8.131.52 during April and May 2011 inevitably resulted in the spawning of many bespoke versions of ZeuS.
It is important to note that prior to the leaking of the source code there was a cluster of gangs who were working on the pre-leak source code. This assemblage of developers had constructed versions of ZeuS that ran in parallel to those versions based on the leaked code. The importance of this distinction is that developers involved in purchasing(?) ZeuS developed what is known as Licat. Licat was used in campaigns against banks and it too went through evolutionary changes that resulted in the emergence of what became known as Murofet. The most significant change to functionality came with the introduction of a P2P communication system: the code first tries to connect to the P2P network and, if that fails, falls back to a DGA (Domain Generation Algorithm) to make a connection. Licat only had the DGA built into it. Clearly the P2P feature allowed the Trojan to be far more robust than previous incarnations of it.
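The DGA fallback described above is what makes these variants visible on the network when the P2P layer is unreachable: the infected host issues a burst of lookups for algorithmically generated names that mostly do not resolve. The following is an added detection example, not code from the original post nor a reproduction of the Licat or Murofet algorithm; the DNS log format, the feature thresholds and the sample log lines are all constructed here for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real telemetry): timestamp, client, queried name.
# Client 10.0.0.7 plays the role of a host cycling through generated names.
SAMPLE_DNS_LOG = """\
2013-09-12T10:01:02Z 10.0.0.5 www.example.com
2013-09-12T10:01:03Z 10.0.0.5 mail.example.com
2013-09-12T10:01:05Z 10.0.0.7 xk3q9vz2lmw8r7tp.biz
2013-09-12T10:01:05Z 10.0.0.7 q7w2e9r4t1y6u3i8.info
2013-09-12T10:01:06Z 10.0.0.7 p0o9i8u7y6t5r4e3.ru
2013-09-12T10:01:06Z 10.0.0.7 ab12cd34ef56gh78.net
2013-09-12T10:01:07Z 10.0.0.9 cdn.updates.example.net
2013-09-12T10:01:08Z 10.0.0.7 z8x7c6v5b4n3m2l1.com
"""

# Assumed log layout: three whitespace-separated fields per line.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Return a list of (timestamp, client, name) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(fqdn):
    """The label directly left of the TLD, e.g. 'example' for 'cdn.updates.example.net'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Cheap lexical features that separate generated labels from dictionary-like ones."""
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    n = max(len(label), 1)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / n,
        "digit_ratio": digits / n,
    }


def looks_generated(label, min_len=12, min_entropy=3.5, max_vowel_ratio=0.35):
    """Heuristic: long, high-entropy, vowel-poor labels are flagged as DGA-like.

    Thresholds are assumed values for this example; tune them against your own
    baseline, since long legitimate hostnames will also trip a lexical heuristic.
    """
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def find_dga_clients(log_text, min_hits=3):
    """Map each client that queried at least min_hits distinct DGA-like names
    to the sorted list of those names. A single odd lookup is noise; a burst
    from one host is the fallback behaviour worth triaging."""
    hits = defaultdict(set)
    for _ts, client, name in parse_dns_log(log_text):
        if looks_generated(second_level_label(name)):
            hits[client].add(name.lower())
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

In practice this lexical check is only a first filter: correlating the flagged names with NXDOMAIN responses, and with the host's lack of successful P2P traffic, is what turns a burst of odd lookups into a credible Licat/Murofet-style infection lead.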
A number of other variants exist, but these contain only very minor changes. A good example is the variant named ZeuS Cryptless (due to its lack of encryption in the strings it uses). Other examples include the ZeuS Process or ZeuS Tasks variants (so called because they do not inject their code into explorer.exe and their own process remains active; they also create a Windows scheduled task in order to survive a reboot), which are used for click fraud.
Since the source code leak, there have been more variants, such as ICE-IX (the latest versions are known as ZeuS 184.108.40.206), a ZeuS 220.127.116.11 version using AES for encryption, Ramnit’s banking plug-in, a variant using Tor to connect to its C&C (known as Skynet), and finally one using SSL, the most famous of which was Citadel, and the more recent KINS and PowerZeuS.
We can see that the ZeuS world has become variegated, and a great deal of time and effort is needed to keep track of all the different variants coming from this old banking Trojan. Old it may be, but nevertheless it is still considered one of the major threats to the banking sector.
In the next post we will describe some differences between the variants mentioned above. Until then, if you have come across a variant which we have failed to mention then please leave a comment :)
Advanced Cyber Security Services