Zeus malware found with valid digital certificate

A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection by Web browsers and anti-virus systems.

Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component.

"Malware with a valid digital signature is an extremely dangerous situation," the company said in a blog post.

Zeus is typically distributed through a compromised Web page or through a phishing attack in which cybercriminals send emails that appear to come from a major bank.

A sample of the latest Zeus variant tried to trick the recipient into executing it by posing as an Internet Explorer document that included an icon similar to the Windows browser.

Because the file is digitally signed with a valid certificate, it appears trustworthy at first glance, Comodo said. The certificate is issued to "isonet ag."

When executed, the malware downloads the rootkit and a program capable of stealing login credentials, credit card information and other data a person keys into a Web form. The rootkit prevents the malicious files from being deleted by either the computer user or AV software.
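The signed-but-untrustworthy case above is the one defenders most often miss: a valid Authenticode chain proves only that whoever held the signing key signed the file, not that the signer is a publisher you trust. The following PowerShell snippet is an added example, not code from the article or from Comodo. It assumes a placeholder file path and a constructed allowlist of publisher subject names; it uses the built-in Get-AuthenticodeSignature cmdlet, and flags a file that verifies cleanly but whose signer is not on the allowlist.

```powershell
# Added example: inspect a Windows executable's Authenticode signature and
# flag files that are validly signed but by a publisher not on an allowlist.
# The path and the allowlist below are constructed placeholders, not values
# from the article.

# Constructed allowlist of publisher subject names the organisation trusts.
# Any validly signed file whose signer is not listed is treated as suspect.
$TrustedPublishers = @(
    'CN=Example Software Ltd, O=Example Software Ltd, L=Example City, C=GB'
)

function Test-SignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Allowlist = $TrustedPublishers
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # SignerCertificate is $null for unsigned files; the property reads below
    # then simply yield $null rather than throwing.
    $result = [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
        Verdict    = $null
    }

    switch ($sig.Status) {
        'NotSigned' {
            $result.Verdict = 'unsigned: apply the normal unsigned-binary policy'
        }
        'Valid' {
            if ($Allowlist -contains $sig.SignerCertificate.Subject) {
                $result.Verdict = 'valid signature from an allowlisted publisher'
            } else {
                # The chain verified, so the signer held the key, but the
                # publisher is unknown to us: exactly the Zeus case above.
                $result.Verdict = 'valid signature but publisher NOT allowlisted: treat as suspect'
            }
        }
        default {
            $result.Verdict = "signature problem ($($sig.Status)): treat as suspect"
        }
    }

    return $result
}

# Usage: check one file (placeholder path), then sweep a download folder.
Test-SignedBinary -Path 'C:\Samples\suspicious_document.exe' | Format-List

Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    ForEach-Object { Test-SignedBinary -Path $_.FullName } |
    Where-Object { $_.Verdict -like '*suspect*' } |
    Format-Table File, Status, Signer, Verdict -AutoSize
```

The allowlist is keyed on the certificate subject for readability; in production, pin on the certificate thumbprint as well, since a subject string such as the "isonet ag" name in the article can be reproduced by anyone who obtains a certificate with that name.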

Zeus malware typically launches a man-in-the-browser attack when a person visits an online banking site. The malware lets hackers create a remote session where they can see what the victim is doing and secretly intercept all data flowing from the activity.

For example, if the victim transfers funds on a banking site, the payment information will display as usual, but behind the scenes the hackers will alter the transaction and send the money to another account.

Zeus is one of the oldest families of financial malware. Also called Zbot, the malware's source code was leaked on the Internet in 2011, resulting in a surge of customized versions. Among the more popular Zeus-based Trojans are Citadel and GameOver.

In December, Kaspersky Lab discovered a 64-bit version of Zeus, an indication that hackers were preparing for the software industry's move away from older 32-bit architectures.

By Antone Gonsalves