A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection from Web browsers and anti-virus systems.
Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component.
"Malware with a valid digital signature is an extremely dangerous situation," the company said in a blog post.
Zeus is typically distributed through a compromised Web page or through a phishing attack in which cybercriminals send email that appear to come from a major bank.
A sample of the latest Zeus variant tried to trick the recipient into executing it by posing as an Internet Explorer document that included an icon similar to the Windows browser.
Because the file is digitally signed with a valid certificate, it appears trustworthy at first glance, Comodo said. The certificate is issued to "isonet ag."
When executed, the malware downloads the rootkit and a program capable of stealing login credentials, credit card information and other data a person keys into a Web form. The rootkit prevents the malicious files from being deleted by either the computer user or AV software.
Zeus malware typically launches a man-in-the-browser attack when a person visits an online banking site. The malware lets hackers create a remote session where they can see what the victim is doing and secretly intercept all data flowing from the activity.
For example, if the victim transfers funds on a banking site, the payment information will display as usual, but behind the scenes the hackers will alter the transaction and send the money to another account.
Zeus is one of the oldest families of financial malware. Also called Zbot, the malware's source code was leaked on the Internet in 2011, resulting in a surge of customized versions. Among the more popular Zeus-based Trojans are Citadel and GameOver.
In December, Kaspersky Lab discovered a 64-bit version of Zeus, an indication that hackers were preparing for the software industry's move away from older 32-bit architectures.