Reports indicate that Zeus has struck again – this time adding a fraudulent digital certificate to its bag of tricks.

Like its predecessors, the financial Trojan is being dropped by malicious email attachments and drive-by downloads. Installation is initiated when users double-click an icon that appears on the desktop and that is made to look like an innocent Internet Explorer document. Users who initiate install are subsequently infected by both a malware that can allow its author to snag information from online financial transactions through “Man-in-the-Middle” attacks and a rootkit designed to hide said malware.

If this sounds pretty nasty, what’s even worse is that this nothing new! Zeus has been around for quite some time, and in fact in 2013 it was responsible for approximately one-third of all computerized attacks on financial institutions. This particular variant has made recent headlines however because it adds a little extra trick that contributes to its already deceptive design.

A Fraudulent Digital Certificate

Legitimate software developers utilize digital certificates to validate their identity and to prove that they are not creating malware or perpetuating scams. The most common way to create a Digital Certificate is with Public Key Infrastructure (PKI). With PKI, Certificate Authorities (CAs) issue certification to software vendors after the vendors have verified their identity and proven that their product is not malicious. The Certificate Authority signs this certification with their unique, cryptographic “digital signature” and keeps a record of this certification on file.

A software that is “Digitally Certified” is therefore supposed to be a software created by a legitimate developer that has passed a Certificate Authority’s set of standards. As malware, one would think that this new variant of Zeus would be flat out denied certification, and in a perfect world, it very well would have been. Certificate Authorization is a sprawling business, however, and many of the largest players distribute their certificates through retailers. As a result, certificates leak through, as monitoring the behavior of each and every retailer is quite impossible. In fact, in malware-land, digital certificates are bought and sold on a regular basis, and applying them to malware is really nothing new. That a new variant of Zeus uses one isn’t all that surprising, however to the untrained eye it can be deceptive.

To the average user, who is not running a comprehensive anti-malware, adding a real Digital Certificate to a malicious program basically works like a fake ID. Imagine your computer is a party and you are the doorman. With this new Zeus, the appearance of what looks like a new Internet Explorer document on your desktop raises suspicion, so you ask for Identification. Your skepticism leads you to Right Click > Properties > Digital Signatures, and voila: The Document is Certified by a Trusted CA. Combine this with the curiosity one is bound to have upon the appearance of something new and mysterious on their desktop, and even the most tech-savvy among us are tempted to Double-Click.

Where the author of this particular Zeus variant obtained a fraudulent certificate is really anybody’s guess. The most important thing to realize here is that this an all too common social engineering tactic and that relying on Digital Certification alone as a means of preventing malware infection simply doesn’t cut it.

A Bit More on Encryption – Man-in-the-Middle Attacks

Multiple variants of Zeus have seen success because they utilize man-in-the-middle attacks. Like Digital Certification, a man-in-the-middle attack is related to cryptography. This is a highly technical arena, however at its basis cryptography relies on pairs of keys and really is not too difficult to understand.

Say for example you want to perform a secure, encrypted transaction with your bank, online. Your bank will send you what is known as a public key to encrypt all data that you send them during the transaction. A public key is essentially a lock, and it can only be opened by the person who holds the matching, private key.

Stealing a private key from a bank would be quite the feat indeed, so instead malware authors use man-in-the-middle attacks. Malware like Zeus is designed to “wake up” when an infected user engages communication with their banking website and requests a public key for data encryption. Zeus is designed to intercept this request and send the user a fake public key, instead. That way, when the user sends what they think is encrypted information to their bank, they are actually sending encrypted information to the attacker – and the attacker, having used his own public key, can open it with his matching, private key and take a look inside.

Protecting Yourself from Zeus, Be He Certified or Not

Much of the press surrounding this latest variant of Zeus has focused on its legitimate Digital Certificate and how this might allow it to bypass antivirus software. Certified or not, Emsisoft Anti-Malware detects malware from the Zbot/Zeus family as Trojan.Win32.Zbot.

Additionally, users should remain extremely cautious with mysterious desktop icons of any kind and unsolicited banking emails with attachments and links. If you are worried that you may have become a victim of this latest exploit, please don’t hesitate to contact our experts in the “Help, my PC is infected!” Emsisoft Forum. Our removal service is free, even if you are not an Emsisoft customer yet.

Now that you know a little bit more about cryptography, we might also suggest our recent post on the OpenSSL Heartbleed Bug. Researchers have uncovered a massive vulnerability that allows anyone on the Internet to accesses OpenSSL secured servers and steal encrypted information, including private keys. This bug went undetected for over 2 years, and very well may change open source encryption technology forever.

Have a Great (Zeus-Free) Day!