From the something old: Zeus PIF uses a dropper that relies on Windows hiding the ‘PIF’ file extension, which is an executable file type; a technique that was used years ago and now appears to be making a comeback.
From the something new: this variant persistently evolves and adapts the methodology of its information-stealing procedures (a.k.a. hooking); a process seen as evolving from the Zberp variant.
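To make the hidden-extension trick concrete from the defender's side, here is an added example (not code from the report or from Websense) that models what Windows Explorer would display for a file name and flags executables whose real extension the user cannot see. It assumes the default Explorer behaviour that file types carrying the NeverShowExt registry flag, PIF among them, are hidden regardless of the "hide extensions for known file types" setting; the file listing is constructed for the example.

```python
from pathlib import PureWindowsPath

# File types Explorer hides even when "hide extensions for known file types"
# is switched off, because their registry key carries NeverShowExt (.pif included).
ALWAYS_HIDDEN = {".pif", ".lnk", ".url", ".scf", ".shs", ".shb"}
# Extensions Windows runs as programs; a .pif is launched like a .exe/.com.
EXECUTABLE = {".pif", ".exe", ".com", ".scr", ".bat", ".cmd"}
# Benign-looking extensions a lure typically borrows for its visible name.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}

# Constructed sample directory listing for the example (not real samples).
CONSTRUCTED_LISTING = [
    "invoice_2014.pdf.pif",
    "photo.jpg.exe",
    "setup.exe",
    "notes.txt",
    "readme.pif",
]


def displayed_name(filename: str, show_known_extensions: bool = False) -> str:
    """Name Explorer shows: the last extension is dropped when it is always hidden,
    or when known extensions are hidden (the Windows default)."""
    p = PureWindowsPath(filename)
    suffix = p.suffix.lower()
    if suffix in ALWAYS_HIDDEN or (suffix and not show_known_extensions):
        return p.stem
    return p.name


def is_disguised_executable(filename: str, show_known_extensions: bool = False) -> bool:
    """True when the file is executable but the visible name does not reveal it:
    either the real extension is always hidden (the PIF trick), or the part the
    user sees ends in a document-like extension."""
    real_ext = PureWindowsPath(filename).suffix.lower()
    if real_ext not in EXECUTABLE:
        return False
    if real_ext in ALWAYS_HIDDEN:
        return True
    shown_ext = PureWindowsPath(displayed_name(filename, show_known_extensions)).suffix.lower()
    return shown_ext in DOCUMENT_LIKE


def scan(listing, show_known_extensions: bool = False):
    """Return the file names in a listing that deserve a closer look."""
    return [name for name in listing if is_disguised_executable(name, show_known_extensions)]


if __name__ == "__main__":
    for name in scan(CONSTRUCTED_LISTING):
        print(f"{name!r} is shown as {displayed_name(name)!r}")
```

Note that turning on "show extensions for known file types" removes the double-extension disguise but not the PIF one, which is why the check treats the always-hidden types separately.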
Surendra Singh, Regional Director – SAARC at Websense, said, “In uncovering this latest iteration of the Zeus malware, Websense Security Labs researchers have shined a light on the evolving techniques of malware authors’ efforts to evade detection. Malware writers will continue to adapt and update their evasion techniques to stay just above the capabilities of most security solutions. The malware’s use of encryption and HTTPS in its command-and-control communications underscores their efforts and attempts to stay hidden. This is one reason that it is now crucial for defenders to have security tools that inspect outbound SSL traffic and prohibit the loss of data through encrypted messages.”