Zeus Trojan Accompanied by Signed Digital Certificate

Friday, April 15, 2011



Researchers at security solutions provider Avira have identified a Zeus Trojan variant accompanied by a signed digital certificate.

The presence of a signed digital certificate from a legitimate CA (certificate authority) makes the task of identifying and defending against the malware more difficult for antivirus software and file scanners.

The Avira Techblog states "we found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and therewith looking more legitimate. And this certificate is registered to 'DetectMe!:)', also adding random data behind the certificate."
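The quoted description (a certificate attached to the file, with random data placed behind it) suggests one check a file scanner can run: count the bytes around the PE certificate table that no signature structure accounts for. The Python below is an added illustration, not Avira's detection logic or code from the original post; the post does not say exactly where the extra data sat, so the three locations checked, the function names and the constructed sample are assumptions.

```python
import struct

def der_len(b):
    """Total size of the outer DER SEQUENCE (header + content); None if not DER."""
    if len(b) < 2 or b[0] != 0x30:
        return None
    if b[1] < 0x80:
        return 2 + b[1]
    n = b[1] & 0x7F
    if not 1 <= n <= 4 or len(b) < 2 + n:
        return None
    return 2 + n + int.from_bytes(b[2:2 + n], "big")

def cert_slack(pe):
    """Bytes near the Authenticode table that no signature structure accounts for.
    A table being present says nothing about whether the signature verifies."""
    lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = lfanew + 24                                  # optional header start
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # Data directory 4 = certificate table; its "address" is a file offset.
    off, size = struct.unpack_from("<II", pe, opt + (112 if pe32plus else 96) + 32)
    if not off or not size:
        return None                                    # file carries no certificate
    pos, end, in_blob = off, off + size, 0
    while pos + 8 <= end:                              # walk WIN_CERTIFICATE entries
        dw_len = struct.unpack_from("<I", pe, pos)[0]
        if dw_len < 8 or pos + dw_len > end:
            break
        der = der_len(pe[pos + 8:pos + dw_len])
        if der is not None:                            # <8 bytes here is just padding
            in_blob += max(0, dw_len - 8 - der)
        pos += (dw_len + 7) & ~7                       # entries are 8-byte aligned
    return {"inside_blob": in_blob, "inside_table": max(0, end - pos),
            "after_table": max(0, len(pe) - end)}

def build_sample(junk=b"", overlay=b""):
    """Constructed input: PE32 header skeleton + dummy, non-verifying cert entry."""
    blob = b"\x30\x82\x00\x14" + bytes(20) + junk      # 24-byte fake SEQUENCE
    blob += bytes(-len(blob) % 8)
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)      # PE32 magic
    struct.pack_into("<II", hdr, 0x80 + 24 + 96 + 32, len(hdr), len(entry))
    return bytes(hdr) + entry + overlay
```

Non-zero counts are a triage signal to weigh alongside actual signature verification and the signer's identity, not a verdict on their own.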


The certificate was signed with a jocular "DetectMe!" challenge to malware researchers, and the gesture was not lost on the Avira team.

"We see hints like these regularly – malware authors proposing names for their malicious creations or suggesting a place where a signature based detection would be suitable. Of course, such hints are ignored by us for detection but make us smile for a short time. In this special case, our heuristics already notice [sic] other suspicious properties of the file and Avira thus detects the malware as TR/Crypt.ULPM.Gen," the Avira Techblog continued.

The presence of the "DetectMe!" signature might show the malware creators have a sense of humor when it comes to taunting researchers, but the presence of a signed certificate from a trusted issuer is no laughing matter, especially where Zeus variants are concerned.

Security firm Trusteer has reported that an increasing number of websites are now known to host Zeus variants, and the report also shows that a growing number of networks are hosting command and control operations for Zeus-based botnets.

Researchers at Trend Micro also recently revealed that a Zeus Trojan designed specifically to run on the BlackBerry operating system has been detected.

On several occasions, Zeus variants have been detected with forged Kaspersky and Avira digital signatures.

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to spread.

The Zeus Trojan can lie dormant for long periods until the user of the infected machine accesses banking accounts. Zeus then harvests passwords and authentication codes.
