The first to write about this new threat was Marco Giuliani. So, Murofet or Zeus++?
Looking at a couple of samples, we were able to identify:
- Same API hooks
- Same encryption routine for the configuration file (RC4)
- Pretty much the same configuration file format
Here you can take a look at a decrypted configuration file. It uses the same block-based structure as Zeus configuration files. Just like any other Zeus, it has a block with id 0x214e (at offset 0x1c) where the version of the builder used to create the bot is stored (at offset 0x2c). In our case that is 2.1.0.7.
So what about just calling it Zeus 2.1?

Trend Micro was the first to write about it, not Marco. See http://blog.trendmicro.com/file-infector-uses-domain-generation-technique-like-downadconficker/ and http://blog.trendmicro.com/links-between-pe_licat-and-zeus-confirmed/.
Cool, I missed all of those, thanks for the info.
Btw, it’s funny that Trend Micro doesn’t actually detect it:
http://www.virustotal.com/file-scan/report.html?id=b3e3b3d389d48ae056845b8223402e1d27c8950eadaa7ffecaebeda93af73a03-1287136181
and instead it just deleted all my Cygwin executables, detecting them as pe_licata…