Trojan armed with hardware-based anti-piracy control
Zeus borrows page from Microsoft
The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows.
The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine.
"This is the first time we have seen this level of control for malware," according to an analysis of the latest Zeus version published this week by SecureWorks.
The hardware-based licensing system isn't the only page Zeus creators have borrowed from Microsoft. They've also pushed out multiple flavors of the package that vary in price depending on the capabilities each offers. Just as Windows users can choose between the lower-priced Windows 7 Starter or the more costly Windows 7 Business, bot masters have multiple options for Zeus.
For a mere $500 more, users can get a Zeus module that will allow them to receive pilfered data in real time using the Jabber instant messaging client. A module that grabs data out of fields typed into Firefox fetches an extra $2,000, and a virtual network computing module that allows users to establish a fully functioning connection to an infected computer costs $10,000.
The VNC functionality fetches such a high price because it allows criminals to bypass some of the most advanced security measures, such as smartcards and other pieces of hardware that are used to authenticate high-value victims to a bank or other financial institution.
The latest version of Zeus is 188.8.131.52, SecureWorks researcher Kevin Stevens told The Reg. But the authors are already busy working on version 1.4, which is being beta tested. It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace. ®
Russia eastern Europe morals
Got to love how criminals can almost legitimately build up a prospering company in that part of the world. I guess the only difference between them and Wall Street is we have fully legalized our thieves.
Professional virus development.
This scares me.
Right now most of the malware being written is crap thrown together by incompetent and unprofessional programmers. They succeed only because most of their targets are even more clueless and fail to take even the most basic security precautions.
All that will change if we start seeing teams of highly skilled professional developers developing commercial crimeware products.
Is this copy of Zeus legal?
"You may have been the victim of software counterfeiting"