Malware that only infects high-performance PCs?
November 25, 2010
The hackers behind one variant of the ZeuS Trojan have overreached in their attempt to stay ahead of anti-virus analysts, releasing a variant that only infects high-performance PCs and workstations.
Internet security firms all over the world rely on automation and virtualisation technology to cope with the rapidly growing number of malware samples that cybercrooks and hackers release every day.
VXers (virus writers) are well aware of this and build virtual-machine detection and anti-debugging code into their malicious software. The techniques are designed to frustrate security researchers, and in so doing increase the time it takes to detect a sample, develop a signature and distribute anti-virus updates to Internet users wherever they might be located.
Users of the ZeuS crimeware toolkit are very much involved in this cat-and-mouse game between Internet security researchers and cybercriminals of all types, whether they are newbies or old-timers with years of experience at creating malware.
However, and this is the really striking part, one group using the toolkit has just released a new variant whose anti-debugging check is so aggressive that it effectively treats any computer whose CPU runs slower than 2 GHz as if a debugger were attached. Checks of this kind typically time a stretch of code and abort if it runs too slowly, since single-stepping or breakpoints make code run far slower than normal; here the time budget was evidently set so tight that a slower CPU fails it on its own.
As a result, the malware only runs its malicious routines on high-performance computers and high-end workstations, and remains inert on slower PCs.
A sample that infects only fast machines might be useful if you were a hacker wanting to build a premium botnet for code cracking or mass email spam. But ZeuS variants are most commonly used to capture online banking credentials and send them to cybercrooks, and from that perspective the sample is a dead loss to whoever is operating it.
Timo Hirvonen, a security analyst at F-Secure, says: "With a CPU below 2 GHz the sample acts as if it is being debugged, aborts execution and does not infect the system. I tested the sample on an IBM T-42 (1.86 GHz) notebook and the system was slow enough to avoid being infected."
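To make the failure mode concrete, here is an added illustration of how a wall-clock timing check with a hard-coded budget ends up keyed to CPU clock speed. It is not the sample's code and not taken from F-Secure's analysis: the workload size, the one-cycle-per-iteration estimate and the 2 GHz calibration are assumptions chosen to reproduce the boundary the article describes. The modelled figures show the 1.86 GHz notebook from Hirvonen's test landing on the "debugged" side, and the live measurement lets you see where your own machine falls.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Assumed calibration, not taken from the sample: the author runs a fixed
 * workload of WORK_CYCLES CPU cycles on a ~2 GHz machine, sees it finish in
 * BUDGET_NS of wall-clock time, and hard-codes that budget as the cut-off. */
#define WORK_ITERATIONS 20000000u
#define CYCLES_PER_ITERATION 1u   /* assumption: roughly one cycle per loop trip */
#define WORK_CYCLES ((uint64_t)WORK_ITERATIONS * CYCLES_PER_ITERATION)
#define CALIBRATION_MHZ 2000u
#define BUDGET_NS (WORK_CYCLES * 1000u / CALIBRATION_MHZ)   /* 10 ms */

/* The brittle decision: a debugger single-stepping or breaking inside the
 * workload makes it take far longer than the budget, so "slower than budget"
 * is read as "being debugged". Nothing here tells a debugger from a slow CPU. */
int looks_debugged(uint64_t elapsed_ns, uint64_t budget_ns)
{
    return elapsed_ns > budget_ns;
}

/* Model of an undisturbed run on a CPU clocked at clock_mhz: cycles divided
 * by frequency, in nanoseconds. Shows the cut-off without needing the hardware. */
uint64_t modelled_elapsed_ns(unsigned clock_mhz)
{
    return WORK_CYCLES * 1000u / clock_mhz;
}

/* Live measurement: time the same workload with CLOCK_MONOTONIC. */
uint64_t measure_elapsed_ns(void)
{
    struct timespec t0, t1;
    volatile uint32_t sink = 0;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (uint32_t i = 0; i < WORK_ITERATIONS; i++)
        sink += i;
    clock_gettime(CLOCK_MONOTONIC, &t1);

    int64_t ns = (int64_t)(t1.tv_sec - t0.tv_sec) * 1000000000LL
               + (int64_t)(t1.tv_nsec - t0.tv_nsec);
    return ns < 0 ? 0 : (uint64_t)ns;
}

int main(void)
{
    /* Modelled clock rates; 1860 MHz is the notebook from the article. */
    unsigned clocks[] = { 3000u, 2000u, 1860u, 1000u };
    for (size_t i = 0; i < sizeof clocks / sizeof clocks[0]; i++) {
        uint64_t ns = modelled_elapsed_ns(clocks[i]);
        printf("%4u MHz: %9llu ns -> %s\n", clocks[i], (unsigned long long)ns,
               looks_debugged(ns, BUDGET_NS) ? "treated as debugged, abort"
                                             : "runs payload");
    }

    /* Live run on this machine, no debugger attached. */
    uint64_t live = measure_elapsed_ns();
    printf("this machine: %llu ns -> %s\n", (unsigned long long)live,
           looks_debugged(live, BUDGET_NS) ? "treated as debugged, abort"
                                           : "runs payload");
    return 0;
}
```

Two things follow for an analyst. First, the check is trivially defeated from the other direction as well: run the sample on slow hardware, as Hirvonen did, or patch the single comparison in `looks_debugged` and the payload runs under a debugger. Second, the live figure also depends on frequency scaling, other load on the box and whether the sample is under a tracer at all, so a fixed wall-clock budget like this produces false positives and false negatives in roughly equal measure.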
Overall, ZeuS is a steadily evolving crimeware toolkit, sold on the black market for a few hundred dollars a licence. Unfortunately, the apparent miscalculation in the particular Trojan captured by F-Secure has no bearing on the hundreds of other ZeuS-spawned variants doing the rounds.
Reverse engineers and assembly-code aficionados can find a detailed explanation of the sample's behaviour in a blog post on F-Secure's website.