Websense Security Labs has identified a recently evolved Zeus strain that borrows both old and new techniques to evade detection and steal important data from infected machines.
The company reports that the Websense ThreatSeeker Intelligence Cloud has been tracking a malicious, low-volume email campaign over the past months that uses social engineering tricks to spread the “evolving breed of the Zeus banking malware.”
As with previous variants, Zeus PIF uses a dropper that relies on an executable with the Windows ‘PIF’ file extension, an extension Windows hides from the user; a technique that was used years ago and now appears to be making a comeback.
This variant persistently evolves and adapts the methodology of its information-stealing procedures (a.k.a. hooking), a process seen as evolving from the Zberp variant.
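The hidden-extension trick in the dropper described above is something a mail gateway or attachment scanner can check for. The following Python is an added example for this article, not code from Websense or from the malware analysis it summarises. It assumes Windows Explorer's default behaviour of never displaying the .pif extension (and, by the same default NeverShowExt registry rule, .lnk and .url), so that a file named `invoice.pdf.pif` is shown to the user as `invoice.pdf`; the attachment names and the list of decoy document extensions are constructed for the example.

```python
import os

# Extensions Windows Explorer never shows, even when "Hide extensions for known
# file types" is turned off (registry NeverShowExt). .pif is the one the article
# describes; .lnk and .url are two other members of that default set (assumption
# stated in the lead-in). A PE renamed to .pif still runs when double-clicked.
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk", ".url"}

# Document/image extensions a dropper is typically disguised as.
# Constructed list for this example.
DECOY_DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def explorer_display_name(filename: str) -> str:
    """Approximate the name Explorer shows: a trailing always-hidden
    extension is stripped, everything else is shown as-is."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in ALWAYS_HIDDEN_EXTS:
        return stem
    return filename


def classify_attachment(filename: str):
    """Return (verdict, reason) for one attachment name.

    verdict is one of:
      'block'  - executable with a hidden extension disguised as a document
      'review' - executable with a hidden extension, no decoy name
      'allow'  - the real extension is visible to the user
    """
    _, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALWAYS_HIDDEN_EXTS:
        return ("allow", "extension is visible to the user")
    shown = explorer_display_name(filename)
    _, inner = os.path.splitext(shown)
    inner = inner.lower()
    if inner in DECOY_DOC_EXTS:
        return ("block", f"{ext} executable displayed as '{shown}' (decoy {inner})")
    return ("review", f"{ext} attachment displayed as '{shown}' with extension hidden")


def scan_attachments(names):
    """Return [(name, verdict, reason)] for every attachment that is not allowed."""
    results = []
    for name in names:
        verdict, reason = classify_attachment(name)
        if verdict != "allow":
            results.append((name, verdict, reason))
    return results


if __name__ == "__main__":
    # Constructed attachment names, not taken from a real campaign.
    sample = [
        "invoice_March.pdf.pif",   # dropper disguised as a PDF
        "Statement.PDF.PIF",       # same trick, upper-case
        "setup.pif",               # hidden extension, no decoy name
        "invoice.pdf",             # genuine document
        "report.exe",              # executable, but the extension is visible
    ]
    for name, verdict, reason in scan_attachments(sample):
        print(f"{verdict:6} {name}: {reason}")
```

The check deliberately keys on what the user would see rather than on the file contents: the whole point of the .pif trick is that the real extension never appears in Explorer or in many mail clients, so a scanner that only looks for `.exe` at the end of the name misses it. In practice this belongs next to content-based checks (PE header inspection, sandboxing), which this example does not attempt.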
“In uncovering this latest iteration of the Zeus malware, Websense Security Labs researchers have shined a light on the evolving techniques of malware authors’ efforts to evade detection. Malware writers will continue to adapt and update their evasion techniques to stay just above the capabilities of most security solutions. The malware’s use of encryption and HTTPS in its command-and-control communications underscores their efforts and attempts to stay hidden. This is one reason that it is now crucial for defenders to have security tools that inspect outbound SSL traffic and prohibit the loss of data through encrypted messages,” said Surendra Singh, regional director, SAARC, Websense Inc.