Yet another variant of the Zeus banking Trojan has surfaced; this one comes disguised as an Internet Explorer document and uses an authentic digital certificate to download a rootkit onto infected machines.
According to researchers at the SSL firm Comodo, more than 200 examples of the Trojan have been discovered in the wild so far.
Launched via a simple Man-in-the-Browser (MitB) attack, the Trojan relies on a user either downloading a suspicious attachment in an email or being hit with the exploit. From there the fake IE document goes ahead and does some fairly routine Zeus things like stealing user data entered into web forms, login credentials, and credit card information, in order to perpetuate financial fraud.
What’s interesting is that Comodo claims the bogus IE file is signed with a seemingly legitimate certificate from the Swiss software development firm Isonet AG, something that’s allowed the malware to proceed undetected by antivirus systems.
Once it runs the file copies itself to memory, is executed and rootkit components from two locations are downloaded. The rootkit is decrypted into a driver and installed in the Boot Bus Extender group, making certain it can run before other drivers, something that helps keeps the Trojan even more covert.
“Its purpose is to protect malicious files and auto-run entries from being deleted by user or antivirus software, increasing difficulty of the removal process,” Comodo wrote in a description of the malware last Thursday.
Using fake and stolen SSL certificates has become commonplace among criminals looking to con users and put their machines at risk, it was just a few months ago that a slew of fake certificates were caught masquerading as legitimate ones from services like Facebook, YouTube and iTunes.
In the wake of big name CA hacks like GlobalSign and DigiNotar over the last few years, Google updated all of its SSL certificates to 2048-bit RSA up from 1024 last fall and is in the midst of limiting certificate validity to 60 months, along with Mozilla, in hopes of preventing further subordinate certificate abuse.
When it comes to certificate abuse, Comodo found itself in the news back in 2011 when it accidentally granted a certificate to an Iranian hacker who went on to issue himself a handful of valid certificates for Google, Yahoo, Skype, Mozilla, and others domains. Comodo was quick to revoke the fraudulent certificates and deploy additional audits and controls to combat future incidents.