Video Screencast Help
Search Video Help Close Back
to help

Security Response

Showing posts tagged with Trojan.Zbot
Showing posts in English
How Attackers Steal Private Keys from Digital Certificates
Hiroshi Shinotsuka | 22 Feb 2013 11:10:22 GMT | 0 comments

Regular readers of the Symantec blog may sometimes read blogs that mention a fraudulent file that is signed with a valid digital certificate or that an attacker signed their malware with a stolen digital certificate.

You may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed it using the private keys of valid digital certificates of well-known companies.

Digital certificates are significant because a file with a digital certificate can be checked to see who authored it and to make sure it was not altered. Moreover, some versions of Windows display a dialog box when a file that has no digital signature is opened. If an attacker signs malware with the stolen private key from a digital certificate, Windows will execute the file in many cases, except if the file is downloaded from the Internet using a Web browser.

How does an...

Read more
Zeus Now Setting its Sights on Japanese Online Banking Customers
Symantec Security Response | 12 Feb 2013 06:05:44 GMT | 0 comments

As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.

Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration file. The...

Read more
Downloader.Ponik Seeks Long Term Relationship
Satnam Narang | 09 Jan 2013 18:52:48 GMT | 0 comments

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion dollars. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.
 

Figure 1. Downloader.Ponik spam campaign world map
 

One of the most recent malicious spam campaigns we...

Read more
Chicken or Egg: Where Does W32.Changeup Come From?
Symantec Security Response | 04 Dec 2012 02:12:57 GMT | 0 comments

­Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?

While other vend­­­­ors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking...

Read more
MapleSoft Customers Targeted By Attackers Following Data Breach
Satnam Narang | 21 Jul 2012 01:41:03 GMT | 0 comments

Contributor: Jeet Morparia

Over the last few weeks, there have been reports of various websites that have had their databases breached and customer data stolen by attackers through various means. A lot of the focus has been on how password dumps have been appearing online. There has always been the concern that attackers who obtain access to customer information would leverage the information in a malicious campaign.

A few days ago, MapleSoft, makers of mathematical and analytical software such as Maple, reported that they have been investigating a database breach. The breach resulted in the attackers obtaining customer information such as email addresses, first and last names, as well as company and institution names. MapleSoft states that no financial information was compromised in this breach.

Unlike previous database breaches, where password hashes were dumped onto the Web, the attackers in this breach decided to up the stakes. MapleSoft customers...

Read more
Relentless Zbot and Anti-emulations
Anoirel Issa | 03 Jul 2012 16:09:29 GMT | 0 comments

A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed—with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection.

The following is an example of a recent Trojan.Zbot variant released on June 14, 2012, that implements a new anti-emulation technique in order to avoid detection.

Figure 1. Anti-emulation technique to avoid detection

Prior to executing its malicious code, the Trojan checks whether it is being executed for analysis in an emulated environment...

Read more
Trojan.Tatanarg.B Careful!
Stephen Doherty | 01 Jun 2012 21:35:11 GMT | 0 comments

There was a recent report on the Opera forums that users were encountering strange certificate behavior when visiting particular services over secured network connections, specifically HTTPS. This occurred while using online banking, webmail services, and social networking sites. Upon further investigation, we discovered a Trojan was intercepting the HTTPS connections, namely Trojan.Tatanarg.B.

Trojan.Tatanarg.B works by installing a proxy in the browser to intercept HTTPS connections by providing its own self-signed certificate to users, in effect revealing all the encrypted traffic between the user and the secure service. The Trojan specifically targets Firefox,...

Read more
Ransomware and Silence Locker Control Panel
Peter Coogan | 20 Apr 2012 23:09:08 GMT | 0 comments

Ransomware is a threat that continues to grow in popularity with cybercriminals due to its success rate and monetary potential. In past blogs such as Rampant Ransomware we have discussed some different Ransomware variants and techniques. Now we have encountered yet another new variant identified as Trojan.Ransomlock.K.

While finding a new Ransomware variant is no real surprise, during analysis we found an active command-and-control (C&C) server login used by the threat.

Figure 1. Silence Locker Control Panel login
 

After further analysis and research we then identified a control panel...

Read more
Anonymous Supporters Tricked into Installing Zeus Trojan
Symantec Security Response | 01 Mar 2012 18:52:09 GMT | 0 comments

In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies.

The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. An attacker took a popular PasteBin guide, used by Anonymous members for downloading...

Read more
Playing Cops & Robbers with Banks & Browsers
Fred Gutierrez | 27 Feb 2012 16:27:12 GMT | 0 comments

We are currently tracking a banking Trojan called Trojan.Neloweg. Looking at early infection numbers, we noticed that a small number of users were compromised in the UK and the Netherlands.

Digging into the threat, we saw that the login credentials of these users (including banking credentials) may have been stolen.  A partial list of affected bank pages can be seen below.

In order to see where other infections were occurring, we took a more global look at the infection numbers. Apparently the threat has been localized to Europe.

Trojan.Neloweg operates similar to another banking Trojan known as...

Read more