The most impressive of the escape and evasion techniques employed by the Zeus trojan is its use of a stolen digital certificate. Every PC running a Windows operating system is set up to accept genuine Microsoft programs without question. This is done by including with the code a cryptographic seal of authenticity (like a signature). In 2014, the authors of Zeus managed to steal one of these from a Microsoft-registered third-party developer in Switzerland. As the trojan then carried the digital signature of Microsoft as the developer, anti-virus systems simply did not identify it as malware. The theft and use of digital certificates is far from rare (if not widely reported), and their use for false authentication in attacks like Zeus is frequent.
The Zeus trojan is actually a malware toolkit that can call on many components to accomplish a wide range of tasks (Zeus and ZeusVM have been mainly used for financial and banking fraud). Once the trojan element is in the system, it can call its C&C server and get a rootkit delivered to take care of security. This malware decrypts into a driver and is set to execute early in the PC's boot-up sequence. On running, it deletes the trojan's start-up registry key, and it replaces the key when a system shutdown is detected. This keeps the trojan hidden from the rest of the operating system and from any security applications or tools that may run scans or searches. The other function of the rootkit is to provide the trojan with running priority so that it cannot be ambushed on start-up by a security program already running.
The later (2014) variant ZeusVM also uses steganographic techniques to hide configuration data inside images; this successfully bypasses signature-based detection. The malware configuration is injected into the metadata of a .jpg, for example, without damaging the image file, and is invisible. It can be detected if the file is viewed in bitmap mode and compared with the original version of the file.
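The comparison against the original file can also be made at the level of the JPEG marker structure. The following is an added example, not code from the original article: a simplified marker walker that reports APPn/COM metadata segments and bytes after the end-of-image marker that a known-good copy does not have. The function names are hypothetical and the sample byte strings are constructed for the illustration.

```python
import struct

METADATA = set(range(0xE0, 0xF0)) | {0xFE}        # APP0..APP15 and COM markers

def jpeg_metadata(data):
    """Return ([(marker, payload)] for APPn/COM segments, bytes after EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: the rest is trailing data
            return segments, data[pos + 2:]
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in METADATA:
            segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break                         # real marker, not stuffing/RSTn
                pos += 1
    raise ValueError("truncated JPEG (no EOI)")

def compare_to_original(suspect, original):
    """List metadata in `suspect` that the known-good `original` lacks."""
    s_segs, s_tail = jpeg_metadata(suspect)
    o_segs, o_tail = jpeg_metadata(original)
    findings = [("segment", m, len(p)) for m, p in s_segs if (m, p) not in o_segs]
    if s_tail != o_tail:
        findings.append(("trailing", None, len(s_tail)))
    return findings

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a structurally valid marker stream, not a decodable picture.
_SCAN = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9"
ORIGINAL = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9)) + _SCAN
SUSPECT = ORIGINAL[:20] + _seg(0xFE, b"A" * 300) + _SCAN   # extra COM segment

if __name__ == "__main__":
    print(compare_to_original(SUSPECT, ORIGINAL))
```

A finding here only says the file differs from the reference copy; re-encoding or editing tools also add metadata, so each hit still needs review.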
Other trojans use different methods of evasion. For instance, in some very effective trojan-ransomware, the malware will obfuscate a registered system file, overwriting it but leaving the authenticated title. It hides the original file in an unused part of the drive and presents this when a security scan is performed. The fact that the Zeus trojan is still used almost a decade after its creation demonstrates that its fake credentials and rootkit method of evasion are still as good as any modern malware techniques (as demonstrated especially by the fact that it remains the weapon of choice for the most high-value operations carried out by organized cybercrime syndicates to date).
Modern security software, especially signature-based programs, can have great difficulty detecting Zeus, mostly due to its signature fraud. Heuristic (behavior-based) detection can be much more effective in identifying such threats.